imx: add status reporting for HAB status

Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs. This is taken from git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h Signed-off-by: Stefano Babic <sbabic@denx.de>

imx: add status reporting for HAB status
Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs. This is taken from git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h Signed-off-by: Stefano Babic <sbabic@denx.de>
Stefano Babic
1 parent 0187c985aa
Showing 4 changed files with 182 additions and 4 deletions Side-by-side Diff
arch/arm/cpu/armv7/mx6/Makefile
arch/arm/cpu/armv7/mx6/hab.c
arch/arm/include/asm/arch-mx6/hab.h
arch/arm/include/asm/arch-mx6/imx-regs.h
@@ -11,10 +11,11 @@
  
 LIB	= $(obj)lib$(SOC).o
  
-COBJS	= soc.o clock.o
+COBJS-y	= soc.o clock.o
+COBJS-$(CONFIG_SECURE_BOOT)	+= hab.o
  
-SRCS	:= $(SOBJS:.o=.S) $(COBJS:.o=.c)
-OBJS	:= $(addprefix $(obj),$(SOBJS) $(COBJS))
+SRCS	:= $(SOBJS:.o=.S) $(COBJS-y:.o=.c)
+OBJS	:= $(addprefix $(obj),$(SOBJS) $(COBJS-y))
  
 all:	$(obj).depend $(LIB)
  
+/*
+ * Copyright (C) 2010-2013 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:    GPL-2.0+
+ */
+
+#include <common.h>
+#include <asm/io.h>
+#include <asm/arch/hab.h>
+
+/* -------- start of HAB API updates ------------*/
+#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT)
+#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS)
+#define hab_rvt_authenticate_image \
+	((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE)
+#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY)
+#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT)
+#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT
+
+bool is_hab_enabled(void)
+{
+	struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR;
+	struct fuse_bank *bank = &ocotp->bank[0];
+	struct fuse_bank0_regs *fuse =
+		(struct fuse_bank0_regs *)bank->fuse_regs;
+	uint32_t reg = readl(&fuse->cfg5);
+
+	return (reg & 0x2) == 0x2;
+}
+
+void display_event(uint8_t *event_data, size_t bytes)
+{
+	uint32_t i;
+
+	if (!(event_data && bytes > 0))
+		return;
+
+	for (i = 0; i < bytes; i++) {
+		if (i == 0)
+			printf("\t0x%02x", event_data[i]);
+		else if ((i % 8) == 0)
+			printf("\n\t0x%02x", event_data[i]);
+		else
+			printf(" 0x%02x", event_data[i]);
+	}
+}
+
+int get_hab_status(void)
+{
+	uint32_t index = 0; /* Loop index */
+	uint8_t event_data[128]; /* Event data buffer */
+	size_t bytes = sizeof(event_data); /* Event size in bytes */
+	enum hab_config config = 0;
+	enum hab_state state = 0;
+
+	if (is_hab_enabled())
+		puts("\nSecure boot enabled\n");
+	else
+		puts("\nSecure boot disabled\n");
+
+	/* Check HAB status */
+	if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) {
+		printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
+		       config, state);
+
+		/* Display HAB Error events */
+		while (hab_rvt_report_event(HAB_FAILURE, index, event_data,
+					&bytes) == HAB_SUCCESS) {
+			puts("\n");
+			printf("--------- HAB Event %d -----------------\n",
+			       index + 1);
+			puts("event data:\n");
+			display_event(event_data, bytes);
+			puts("\n");
+			bytes = sizeof(event_data);
+			index++;
+		}
+	}
+	/* Display message if no HAB events are found */
+	else {
+		printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
+		       config, state);
+		puts("No HAB Events Found!\n\n");
+	}
+	return 0;
+}
+
+int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+	if ((argc != 1)) {
+		cmd_usage(cmdtp);
+		return 1;
+	}
+
+	get_hab_status();
+
+	return 0;
+}
+
+U_BOOT_CMD(
+		hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
+		"display HAB status",
+		""
+	  );
+/*
+ * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved.
+ *
+ * SPDX-License-Identifier:    GPL-2.0+
+ *
+*/
+
+#ifndef __SECURE_MX6Q_H__
+#define __SECURE_MX6Q_H__
+
+#include <linux/types.h>
+
+/* -------- start of HAB API updates ------------*/
+/* The following are taken from HAB4 SIS */
+
+/* Status definitions */
+enum hab_status {
+	HAB_STS_ANY = 0x00,
+	HAB_FAILURE = 0x33,
+	HAB_WARNING = 0x69,
+	HAB_SUCCESS = 0xf0
+};
+
+/* Security Configuration definitions */
+enum hab_config {
+	HAB_CFG_RETURN = 0x33, /**< Field Return IC */
+	HAB_CFG_OPEN = 0xf0, /**< Non-secure IC */
+	HAB_CFG_CLOSED = 0xcc /**< Secure IC */
+};
+
+/* State definitions */
+enum hab_state {
+	HAB_STATE_INITIAL = 0x33, /**< Initialising state (transitory) */
+	HAB_STATE_CHECK = 0x55, /**< Check state (non-secure) */
+	HAB_STATE_NONSECURE = 0x66, /**< Non-secure state */
+	HAB_STATE_TRUSTED = 0x99, /**< Trusted state */
+	HAB_STATE_SECURE = 0xaa, /**< Secure state */
+	HAB_STATE_FAIL_SOFT = 0xcc, /**< Soft fail state */
+	HAB_STATE_FAIL_HARD = 0xff, /**< Hard fail state (terminal) */
+	HAB_STATE_NONE = 0xf0, /**< No security state machine */
+	HAB_STATE_MAX
+};
+
+/*Function prototype description*/
+typedef enum hab_status hab_rvt_report_event_t(enum hab_status, uint32_t,
+		uint8_t* , size_t*);
+typedef enum hab_status hab_rvt_report_status_t(enum hab_config *,
+		enum hab_state *);
+typedef enum hab_status hab_loader_callback_f_t(void**, size_t*, const void*);
+typedef enum hab_status hab_rvt_entry_t(void);
+typedef enum hab_status hab_rvt_exit_t(void);
+typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t,
+		void **, size_t *, hab_loader_callback_f_t);
+typedef void hapi_clock_init_t(void);
+
+#define HAB_RVT_REPORT_EVENT (*(uint32_t *)0x000000B4)
+#define HAB_RVT_REPORT_STATUS (*(uint32_t *)0x000000B8)
+#define HAB_RVT_AUTHENTICATE_IMAGE (*(uint32_t *)0x000000A4)
+#define HAB_RVT_ENTRY (*(uint32_t *)0x00000098)
+#define HAB_RVT_EXIT (*(uint32_t *)0x0000009C)
+#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D)
+
+#define HAB_CID_ROM 0 /**< ROM Caller ID */
+#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
+/* ----------- end of HAB API updates ------------*/
+
+#endif
@@ -456,7 +456,13 @@
 	u32	uid_low;
 	u32	rsvd1[3];
 	u32	uid_high;
-	u32	rsvd2[0x17];
+	u32	rsvd2[3];
+	u32	rsvd3[4];
+	u32	rsvd4[4];
+	u32	rsvd5[4];
+	u32	cfg5;
+	u32	rsvd6[3];
+	u32	rsvd7[4];
 };
  
 struct fuse_bank4_regs {
...	...	@@ -11,10 +11,11 @@
11	11
12	12	LIB = $(obj)lib$(SOC).o
13	13
14		-COBJS = soc.o clock.o
	14	+COBJS-y = soc.o clock.o
	15	+COBJS-$(CONFIG_SECURE_BOOT) += hab.o
15	16
16		-SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c)
17		-OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS))
	17	+SRCS := $(SOBJS:.o=.S) $(COBJS-y:.o=.c)
	18	+OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS-y))
18	19
19	20	all: $(obj).depend $(LIB)
20	21
	1	+/*
	2	+ * Copyright (C) 2010-2013 Freescale Semiconductor, Inc.
	3	+ *
	4	+ * SPDX-License-Identifier: GPL-2.0+
	5	+ */
	6	+
	7	+#include <common.h>
	8	+#include <asm/io.h>
	9	+#include <asm/arch/hab.h>
	10	+
	11	+/* -------- start of HAB API updates ------------*/
	12	+#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT)
	13	+#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS)
	14	+#define hab_rvt_authenticate_image \
	15	+ ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE)
	16	+#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY)
	17	+#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT)
	18	+#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT
	19	+
	20	+bool is_hab_enabled(void)
	21	+{
	22	+ struct ocotp_regs ocotp = (struct ocotp_regs )OCOTP_BASE_ADDR;
	23	+ struct fuse_bank *bank = &ocotp->bank[0];
	24	+ struct fuse_bank0_regs *fuse =
	25	+ (struct fuse_bank0_regs *)bank->fuse_regs;
	26	+ uint32_t reg = readl(&fuse->cfg5);
	27	+
	28	+ return (reg & 0x2) == 0x2;
	29	+}
	30	+
	31	+void display_event(uint8_t *event_data, size_t bytes)
	32	+{
	33	+ uint32_t i;
	34	+
	35	+ if (!(event_data && bytes > 0))
	36	+ return;
	37	+
	38	+ for (i = 0; i < bytes; i++) {
	39	+ if (i == 0)
	40	+ printf("\t0x%02x", event_data[i]);
	41	+ else if ((i % 8) == 0)
	42	+ printf("\n\t0x%02x", event_data[i]);
	43	+ else
	44	+ printf(" 0x%02x", event_data[i]);
	45	+ }
	46	+}
	47	+
	48	+int get_hab_status(void)
	49	+{
	50	+ uint32_t index = 0; /* Loop index */
	51	+ uint8_t event_data[128]; /* Event data buffer */
	52	+ size_t bytes = sizeof(event_data); /* Event size in bytes */
	53	+ enum hab_config config = 0;
	54	+ enum hab_state state = 0;
	55	+
	56	+ if (is_hab_enabled())
	57	+ puts("\nSecure boot enabled\n");
	58	+ else
	59	+ puts("\nSecure boot disabled\n");
	60	+
	61	+ /* Check HAB status */
	62	+ if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) {
	63	+ printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
	64	+ config, state);
	65	+
	66	+ /* Display HAB Error events */
	67	+ while (hab_rvt_report_event(HAB_FAILURE, index, event_data,
	68	+ &bytes) == HAB_SUCCESS) {
	69	+ puts("\n");
	70	+ printf("--------- HAB Event %d -----------------\n",
	71	+ index + 1);
	72	+ puts("event data:\n");
	73	+ display_event(event_data, bytes);
	74	+ puts("\n");
	75	+ bytes = sizeof(event_data);
	76	+ index++;
	77	+ }
	78	+ }
	79	+ /* Display message if no HAB events are found */
	80	+ else {
	81	+ printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n",
	82	+ config, state);
	83	+ puts("No HAB Events Found!\n\n");
	84	+ }
	85	+ return 0;
	86	+}
	87	+
	88	+int do_hab_status(cmd_tbl_t cmdtp, int flag, int argc, char const argv[])
	89	+{
	90	+ if ((argc != 1)) {
	91	+ cmd_usage(cmdtp);
	92	+ return 1;
	93	+ }
	94	+
	95	+ get_hab_status();
	96	+
	97	+ return 0;
	98	+}
	99	+
	100	+U_BOOT_CMD(
	101	+ hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
	102	+ "display HAB status",
	103	+ ""
	104	+ );
	1	+/*
	2	+ * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved.
	3	+ *
	4	+ * SPDX-License-Identifier: GPL-2.0+
	5	+ *
	6	+*/
	7	+
	8	+#ifndef __SECURE_MX6Q_H__
	9	+#define __SECURE_MX6Q_H__
	10	+
	11	+#include <linux/types.h>
	12	+
	13	+/* -------- start of HAB API updates ------------*/
	14	+/* The following are taken from HAB4 SIS */
	15	+
	16	+/* Status definitions */
	17	+enum hab_status {
	18	+ HAB_STS_ANY = 0x00,
	19	+ HAB_FAILURE = 0x33,
	20	+ HAB_WARNING = 0x69,
	21	+ HAB_SUCCESS = 0xf0
	22	+};
	23	+
	24	+/* Security Configuration definitions */
	25	+enum hab_config {
	26	+ HAB_CFG_RETURN = 0x33, /*< Field Return IC /
	27	+ HAB_CFG_OPEN = 0xf0, /*< Non-secure IC /
	28	+ HAB_CFG_CLOSED = 0xcc /*< Secure IC /
	29	+};
	30	+
	31	+/* State definitions */
	32	+enum hab_state {
	33	+ HAB_STATE_INITIAL = 0x33, /*< Initialising state (transitory) /
	34	+ HAB_STATE_CHECK = 0x55, /*< Check state (non-secure) /
	35	+ HAB_STATE_NONSECURE = 0x66, /*< Non-secure state /
	36	+ HAB_STATE_TRUSTED = 0x99, /*< Trusted state /
	37	+ HAB_STATE_SECURE = 0xaa, /*< Secure state /
	38	+ HAB_STATE_FAIL_SOFT = 0xcc, /*< Soft fail state /
	39	+ HAB_STATE_FAIL_HARD = 0xff, /*< Hard fail state (terminal) /
	40	+ HAB_STATE_NONE = 0xf0, /*< No security state machine /
	41	+ HAB_STATE_MAX
	42	+};
	43	+
	44	+/Function prototype description/
	45	+typedef enum hab_status hab_rvt_report_event_t(enum hab_status, uint32_t,
	46	+ uint8_t* , size_t*);
	47	+typedef enum hab_status hab_rvt_report_status_t(enum hab_config *,
	48	+ enum hab_state *);
	49	+typedef enum hab_status hab_loader_callback_f_t(void*, size_t, const void*);
	50	+typedef enum hab_status hab_rvt_entry_t(void);
	51	+typedef enum hab_status hab_rvt_exit_t(void);
	52	+typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t,
	53	+ void *, size_t , hab_loader_callback_f_t);
	54	+typedef void hapi_clock_init_t(void);
	55	+
	56	+#define HAB_RVT_REPORT_EVENT ((uint32_t )0x000000B4)
	57	+#define HAB_RVT_REPORT_STATUS ((uint32_t )0x000000B8)
	58	+#define HAB_RVT_AUTHENTICATE_IMAGE ((uint32_t )0x000000A4)
	59	+#define HAB_RVT_ENTRY ((uint32_t )0x00000098)
	60	+#define HAB_RVT_EXIT ((uint32_t )0x0000009C)
	61	+#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D)
	62	+
	63	+#define HAB_CID_ROM 0 /*< ROM Caller ID /
	64	+#define HAB_CID_UBOOT 1 /*< UBOOT Caller ID/
	65	+/* ----------- end of HAB API updates ------------*/
	66	+
	67	+#endif
...	...	@@ -456,7 +456,13 @@
456	456	u32 uid_low;
457	457	u32 rsvd1[3];
458	458	u32 uid_high;
459		- u32 rsvd2[0x17];
	459	+ u32 rsvd2[3];
	460	+ u32 rsvd3[4];
	461	+ u32 rsvd4[4];
	462	+ u32 rsvd5[4];
	463	+ u32 cfg5;
	464	+ u32 rsvd6[3];
	465	+ u32 rsvd7[4];
460	466	};
461	467
462	468	struct fuse_bank4_regs {