Commit d041288586b05164c84794a5956ddc5fb8939115

Authored by Aneesh Bansal
Committed by York Sun
1 parent 0a6b2714ad

secure_boot: enable chain of trust for ARM platforms

Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
In board_late_init(), fsl_setenv_chain_of_trust() is called which
will perform the following:
- If boot mode is non-secure, return (No Change)
- If boot mode is secure, set the following environment variables:
   bootdelay = 0 (To disable Boot Prompt)
   bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>

Showing 6 changed files with 34 additions and 0 deletions

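--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,9 @@
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -240,6 +243,9 @@
 {
 #ifdef CONFIG_SCSI_AHCI_PLAT
 sata_init();
+#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
 #endif
 
 return 0;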
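Review bot: The return value of `fsl_setenv_chain_of_trust()` is discarded at new line 248, and the same bare call is added in board/freescale/ls1021aqds/ls1021aqds.c (new line 374) and board/freescale/ls1021atwr/ls1021atwr.c (new line 554). As committed the helper always returns 0, but once it reports a failed environment update these callers would continue into autoboot with whatever `bootcmd` the environment already held. In a secure boot path the call should fail closed, for example `if (fsl_setenv_chain_of_trust()) return -1;`, assuming a non-zero return from this init hook stops the boot, which is not visible on this page. The enclosing function begins above the hunk.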
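--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -76,6 +76,7 @@
 ifdef CONFIG_SECURE_BOOT
 obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
 endif
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
 
 endif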
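--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,4 +51,21 @@
 #endif
 return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+ /* Check Boot Mode
+ * If Boot Mode is Non-Secure, no changes are required
+ */
+ if (fsl_check_boot_mode_secure() == 0)
+ return 0;
+
+ /* If Boot mode is Secure, set the environment variables
+ * bootdelay = 0 (To disable Boot Prompt)
+ * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+ */
+ setenv("bootdelay", "0");
+ setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+ return 0;
+}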
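Review bot: Both `setenv()` calls at new lines 67-68 ignore their result and the function returns 0 unconditionally, so in secure mode a failed update leaves the previous `bootdelay` and `bootcmd` in force and the caller cannot tell. These two variables are what force the validated boot script, so the function should check them and propagate the error: `if (setenv("bootdelay", "0") || setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD)) return -1;`. Depending on the autoboot configuration, a `bootdelay` of 0 may still poll for an abort key, so it is worth confirming that the prompt is really unreachable on these boards.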
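--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -22,6 +22,7 @@
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
 
 #include "../common/sleep.h"
 #include "../common/qixis.h"
@@ -368,6 +369,9 @@
 {
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
+#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
 #endif
 
 return 0;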
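Review bot: `#include <fsl_validate.h>` at new line 25 is unconditional, while the only use added here, the call at new line 374, is wrapped in `#ifdef CONFIG_CHAIN_OF_TRUST`. arch/arm/cpu/armv8/fsl-layerscape/soc.c guards the same include with that macro, and board/freescale/ls1021atwr/ls1021atwr.c (new line 33) has the same unguarded form. Using one convention would make builds without chain of trust pull in the same headers on every board. The function containing the second hunk starts above it.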
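--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
 
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -548,6 +549,9 @@
 {
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
+#endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
 #endif
 
 return 0;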
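--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,5 +205,7 @@
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
 char * const argv[]);
 
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif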
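Review bot: The two prototypes added at new lines 208-209 carry no comment, yet the return convention of `fsl_check_boot_mode_secure()` decides whether the chain of trust is enforced. The caller in board/freescale/common/fsl_chain_of_trust.c treats 0 as non-secure and any other value as secure. Document that next to the declaration, e.g. `/* Returns 0 in non-secure boot mode, non-zero in secure boot mode. */`, and state what `fsl_setenv_chain_of_trust()` returns so callers know whether a failure can be signalled.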