Commit 30c41d2191e9d726e3677c8af969f76d7669262c
Committed by
York Sun
York Sun
1 parent
4def378fab
Exists in
smarc_8mq_lf_v2020.04
and in
17 other branches
armv8: LS1088A_QSPI: SECURE_BOOT: Images validation
Validates PPA, MC, DPC, Bootscript, DPL and Kernel images in ESBC phase using esbc_validate command. Enable validation of boot.scr script prior to its execution dependent on "secureboot" flag in environment Add header address for PPA to be validated during ESBC phase for LS1088A platform based on LAyerscape Chasis 3. Moves sec_init prior to ppa_init as for validation of PPA sec must be initialised before the PPA is initialised. Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com> Signed-off-by: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> Signed-off-by: Sumit Garg <sumit.garg@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com>
Showing 6 changed files with 64 additions and 19 deletions Side-by-side Diff
arch/arm/cpu/armv8/fsl-layerscape/Kconfig
| ... | ... | @@ -248,6 +248,7 @@ |
| 248 | 248 | default 0x40680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1012A |
| 249 | 249 | default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && QSPI_BOOT && ARCH_LS2080A |
| 250 | 250 | default 0x580680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS2080A |
| 251 | + default 0x20680000 if SYS_LS_PPA_FW_IN_XIP && ARCH_LS1088A | |
| 251 | 252 | default 0x680000 if SYS_LS_PPA_FW_IN_MMC |
| 252 | 253 | default 0x680000 if SYS_LS_PPA_FW_IN_NAND |
| 253 | 254 | help |
board/freescale/ls1088a/Kconfig
| ... | ... | @@ -12,6 +12,7 @@ |
| 12 | 12 | config SYS_CONFIG_NAME |
| 13 | 13 | default "ls1088aqds" |
| 14 | 14 | |
| 15 | +source "board/freescale/common/Kconfig" | |
| 15 | 16 | endif |
| 16 | 17 | |
| 17 | 18 | if TARGET_LS1088ARDB |
| ... | ... | @@ -28,5 +29,6 @@ |
| 28 | 29 | config SYS_CONFIG_NAME |
| 29 | 30 | default "ls1088ardb" |
| 30 | 31 | |
| 32 | +source "board/freescale/common/Kconfig" | |
| 31 | 33 | endif |
board/freescale/ls1088a/ls1088a.c
| ... | ... | @@ -315,6 +315,9 @@ |
| 315 | 315 | out_le32(irq_ccsr + IRQCR_OFFSET / 4, AQR105_IRQ_MASK); |
| 316 | 316 | #endif |
| 317 | 317 | |
| 318 | +#ifdef CONFIG_FSL_CAAM | |
| 319 | + sec_init(); | |
| 320 | +#endif | |
| 318 | 321 | #ifdef CONFIG_FSL_LS_PPA |
| 319 | 322 | ppa_init(); |
| 320 | 323 | #endif |
| ... | ... | @@ -337,9 +340,6 @@ |
| 337 | 340 | #if defined(CONFIG_ARCH_MISC_INIT) |
| 338 | 341 | int arch_misc_init(void) |
| 339 | 342 | { |
| 340 | -#ifdef CONFIG_FSL_CAAM | |
| 341 | - sec_init(); | |
| 342 | -#endif | |
| 343 | 343 | return 0; |
| 344 | 344 | } |
| 345 | 345 | #endif |
include/configs/ls1088a_common.h
| ... | ... | @@ -144,9 +144,6 @@ |
| 144 | 144 | #if defined(CONFIG_FSL_MC_ENET) |
| 145 | 145 | #define CONFIG_SYS_LS_MC_DRAM_BLOCK_MIN_SIZE (512UL * 1024 * 1024) |
| 146 | 146 | #endif |
| 147 | - | |
| 148 | -#define CONFIG_FSL_CAAM /* Enable SEC/CAAM */ | |
| 149 | - | |
| 150 | 147 | /* Command line configuration */ |
| 151 | 148 | #define CONFIG_CMD_GREPENV |
| 152 | 149 | #define CONFIG_CMD_CACHE |
include/configs/ls1088aqds.h
| ... | ... | @@ -335,6 +335,26 @@ |
| 335 | 335 | QIXIS_SDID_MASK) != QIXIS_ESDHC_NO_ADAPTER) |
| 336 | 336 | |
| 337 | 337 | /* Initial environment variables */ |
| 338 | +#ifdef CONFIG_SECURE_BOOT | |
| 339 | +#undef CONFIG_EXTRA_ENV_SETTINGS | |
| 340 | +#define CONFIG_EXTRA_ENV_SETTINGS \ | |
| 341 | + "hwconfig=fsl_ddr:bank_intlv=auto\0" \ | |
| 342 | + "loadaddr=0x90100000\0" \ | |
| 343 | + "kernel_addr=0x100000\0" \ | |
| 344 | + "ramdisk_addr=0x800000\0" \ | |
| 345 | + "ramdisk_size=0x2000000\0" \ | |
| 346 | + "fdt_high=0xa0000000\0" \ | |
| 347 | + "initrd_high=0xffffffffffffffff\0" \ | |
| 348 | + "kernel_start=0x1000000\0" \ | |
| 349 | + "kernel_load=0xa0000000\0" \ | |
| 350 | + "kernel_size=0x2800000\0" \ | |
| 351 | + "mcinitcmd=sf probe 0:0;sf read 0xa0a00000 0xa00000 0x100000;" \ | |
| 352 | + "sf read 0xa0700000 0x700000 0x4000; esbc_validate 0xa0700000;" \ | |
| 353 | + "sf read 0xa0e00000 0xe00000 0x100000;" \ | |
| 354 | + "sf read 0xa0740000 0x740000 0x4000;esbc_validate 0xa0740000;" \ | |
| 355 | + "fsl_mc start mc 0xa0a00000 0xa0e00000\0" \ | |
| 356 | + "mcmemsize=0x70000000 \0" | |
| 357 | +#else /* if !(CONFIG_SECURE_BOOT) */ | |
| 338 | 358 | #if defined(CONFIG_QSPI_BOOT) |
| 339 | 359 | #undef CONFIG_EXTRA_ENV_SETTINGS |
| 340 | 360 | #define CONFIG_EXTRA_ENV_SETTINGS \ |
| ... | ... | @@ -385,6 +405,7 @@ |
| 385 | 405 | "mcinitcmd=fsl_mc start mc 0x580A00000 0x580E00000\0" \ |
| 386 | 406 | "mcmemsize=0x70000000 \0" |
| 387 | 407 | #endif |
| 408 | +#endif /* CONFIG_SECURE_BOOT */ | |
| 388 | 409 | |
| 389 | 410 | #ifdef CONFIG_FSL_MC_ENET |
| 390 | 411 | #define CONFIG_FSL_MEMAC |
include/configs/ls1088ardb.h
| ... | ... | @@ -261,13 +261,23 @@ |
| 261 | 261 | #define MC_INIT_CMD \ |
| 262 | 262 | "mcinitcmd=sf probe 0:0;sf read 0x80000000 0xA00000 0x100000;" \ |
| 263 | 263 | "sf read 0x80100000 0xE00000 0x100000;" \ |
| 264 | - "fsl_mc start mc 0x80000000 0x80100000\0" \ | |
| 264 | + "env exists secureboot && " \ | |
| 265 | + "sf read 0x80700000 0x700000 0x40000 && " \ | |
| 266 | + "sf read 0x80740000 0x740000 0x40000 && " \ | |
| 267 | + "esbc_validate 0x80700000 && " \ | |
| 268 | + "esbc_validate 0x80740000 ;" \ | |
| 269 | + "fsl_mc start mc 0x80000000 0x80100000\0" \ | |
| 265 | 270 | "mcmemsize=0x70000000\0" |
| 266 | 271 | #elif defined(CONFIG_SD_BOOT) |
| 267 | 272 | #define MC_INIT_CMD \ |
| 268 | 273 | "mcinitcmd=mmcinfo;mmc read 0x80000000 0x5000 0x800;" \ |
| 269 | 274 | "mmc read 0x80100000 0x7000 0x800;" \ |
| 270 | - "fsl_mc start mc 0x80000000 0x80100000\0" \ | |
| 275 | + "env exists secureboot && " \ | |
| 276 | + "mmc read 0x80700000 0x3800 0x10 && " \ | |
| 277 | + "mmc read 0x80740000 0x3A00 0x10 && " \ | |
| 278 | + "esbc_validate 0x80700000 && " \ | |
| 279 | + "esbc_validate 0x80740000 ;" \ | |
| 280 | + "fsl_mc start mc 0x80000000 0x80100000\0" \ | |
| 271 | 281 | "mcmemsize=0x70000000\0" |
| 272 | 282 | #endif |
| 273 | 283 | |
| ... | ... | @@ -282,6 +292,7 @@ |
| 282 | 292 | "fdt_addr=0x64f00000\0" \ |
| 283 | 293 | "kernel_addr=0x1000000\0" \ |
| 284 | 294 | "kernel_addr_sd=0x8000\0" \ |
| 295 | + "kernelhdr_addr_sd=0x4000\0" \ | |
| 285 | 296 | "kernel_start=0x580100000\0" \ |
| 286 | 297 | "kernelheader_start=0x580800000\0" \ |
| 287 | 298 | "scriptaddr=0x80000000\0" \ |
| ... | ... | @@ -295,6 +306,7 @@ |
| 295 | 306 | "load_addr=0xa0000000\0" \ |
| 296 | 307 | "kernel_size=0x2800000\0" \ |
| 297 | 308 | "kernel_size_sd=0x14000\0" \ |
| 309 | + "kernelhdr_size_sd=0x10\0" \ | |
| 298 | 310 | MC_INIT_CMD \ |
| 299 | 311 | BOOTENV \ |
| 300 | 312 | "boot_scripts=ls1088ardb_boot.scr\0" \ |
| 301 | 313 | |
| 302 | 314 | |
| 303 | 315 | |
| 304 | 316 | |
| ... | ... | @@ -331,29 +343,41 @@ |
| 331 | 343 | "bootm $load_addr#ls1088ardb\0" \ |
| 332 | 344 | "qspi_bootcmd=echo Trying load from qspi..;" \ |
| 333 | 345 | "sf probe && sf read $load_addr " \ |
| 334 | - "$kernel_addr $kernel_size &&" \ | |
| 346 | + "$kernel_addr $kernel_size ; env exists secureboot " \ | |
| 347 | + "&& sf read $kernelheader_addr_r $kernelheader_addr " \ | |
| 348 | + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; "\ | |
| 335 | 349 | "bootm $load_addr#$BOARD\0" \ |
| 336 | - "sd_bootcmd=echo Trying load from sd card..;" \ | |
| 350 | + "sd_bootcmd=echo Trying load from sd card..;" \ | |
| 337 | 351 | "mmcinfo; mmc read $load_addr " \ |
| 338 | 352 | "$kernel_addr_sd $kernel_size_sd ;" \ |
| 353 | + "env exists secureboot && mmc read $kernelheader_addr_r "\ | |
| 354 | + "$kernelhdr_addr_sd $kernelhdr_size_sd " \ | |
| 355 | + " && esbc_validate ${kernelheader_addr_r};" \ | |
| 339 | 356 | "bootm $load_addr#$BOARD\0" |
| 340 | 357 | |
| 341 | 358 | #undef CONFIG_BOOTCOMMAND |
| 342 | 359 | #if defined(CONFIG_QSPI_BOOT) |
| 343 | 360 | /* Try to boot an on-QSPI kernel first, then do normal distro boot */ |
| 344 | 361 | #define CONFIG_BOOTCOMMAND \ |
| 345 | - "env exists mcinitcmd && run mcinitcmd && " \ | |
| 346 | - "sf read 0x80200000 0xd00000 0x100000;" \ | |
| 347 | - " fsl_mc apply dpl 0x80200000;" \ | |
| 348 | - "run distro_bootcmd;run qspi_bootcmd" | |
| 362 | + "sf read 0x80200000 0xd00000 0x100000;" \ | |
| 363 | + "env exists mcinitcmd && env exists secureboot " \ | |
| 364 | + " && sf read 0x80780000 0x780000 0x100000 " \ | |
| 365 | + "&& esbc_validate 0x80780000;env exists mcinitcmd " \ | |
| 366 | + "&& fsl_mc apply dpl 0x80200000;" \ | |
| 367 | + "run distro_bootcmd;run qspi_bootcmd;" \ | |
| 368 | + "env exists secureboot && esbc_halt;" | |
| 369 | + | |
| 349 | 370 | /* Try to boot an on-SD kernel first, then do normal distro boot */ |
| 350 | 371 | #elif defined(CONFIG_SD_BOOT) |
| 351 | 372 | #define CONFIG_BOOTCOMMAND \ |
| 352 | - "env exists mcinitcmd && run mcinitcmd ;" \ | |
| 353 | - "&& env exists mcinitcmd && mmcinfo; " \ | |
| 354 | - "mmc read 0x88000000 0x6800 0x800; " \ | |
| 355 | - "&& fsl_mc apply dpl 0x88000000;" \ | |
| 356 | - "run distro_bootcmd;run sd_bootcmd" | |
| 373 | + "env exists mcinitcmd && mmcinfo; " \ | |
| 374 | + "mmc read 0x80200000 0x6800 0x800; " \ | |
| 375 | + "env exists mcinitcmd && env exists secureboot " \ | |
| 376 | + " && mmc read 0x80780000 0x3800 0x10 " \ | |
| 377 | + "&& esbc_validate 0x80780000;env exists mcinitcmd " \ | |
| 378 | + "&& fsl_mc apply dpl 0x80200000;" \ | |
| 379 | + "run distro_bootcmd;run sd_bootcmd;" \ | |
| 380 | + "env exists secureboot && esbc_halt;" | |
| 357 | 381 | #endif |
| 358 | 382 | |
| 359 | 383 | /* MAC/PHY configuration */ |