Commit fd6dbc98a73207ff961f1f83ea833654d98354c3

Authored by Saksham Jain
Committed by York Sun
1 parent 2827d64774

armv8: fsl-lsch3: Add new header for secure boot

For secure boot, a header is used to identify key table, signature
and image address. A new header structure is added for lsch3.

Currently the key extension (IE) feature is not supported. The single
key feature is not supported. Keys must be in table format. Hence, SRK
(key table) must be present. Max key number has increased from 4 to
8. The 8th key is irrevocable. A new barker code is used.

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: Saksham Jain <saksham.jain@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>

Showing 5 changed files with 91 additions and 14 deletions

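--- a/arch/arm/include/asm/arch-fsl-layerscape/config.h
+++ b/arch/arm/include/asm/arch-fsl-layerscape/config.h
@@ -79,7 +79,8 @@
 /* Security Monitor */
 #define CONFIG_SYS_FSL_SEC_MON_LE
 
-
+/* Secure Boot */
+#define CONFIG_ESBC_HDR_LS
 
 /* Cache Coherent Interconnect */
 #define CCI_MN_BASE 0x04000000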
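--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -35,7 +35,11 @@
 * The feature is only applicable in case of NOR boot and is
 * not applicable in case of RAMBOOT (NAND, SD, SPI).
 */
+#ifndef CONFIG_ESBC_HDR_LS
+/* Current Key EXT feature not available in LS ESBC Header */
 #define CONFIG_FSL_ISBC_KEY_EXT
+#endif
+
 #endif
 
 #ifdef CONFIG_LS1043A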
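--- a/board/freescale/common/fsl_validate.c
+++ b/board/freescale/common/fsl_validate.c
@@ -35,7 +35,13 @@
 };
 
 static u8 hash_val[SHA256_BYTES];
+
+#ifdef CONFIG_ESBC_HDR_LS
+/* New Barker Code for LS ESBC Header */
+static const u8 barker_code[ESBC_BARKER_LEN] = { 0x12, 0x19, 0x20, 0x01 };
+#else
 static const u8 barker_code[ESBC_BARKER_LEN] = { 0x68, 0x39, 0x27, 0x81 };
+#endif
 
 void branch_to_self(void) __attribute__ ((noreturn));
 
@@ -157,10 +163,15 @@
 /* This function checks srk_table_flag in header and set/reset srk_flag.*/
 static u32 check_srk(struct fsl_secboot_img_priv *img)
 {
+#ifdef CONFIG_ESBC_HDR_LS
+ /* In LS, No SRK Flag as SRK is always present*/
+ return 1;
+#else
 if (img->hdr.len_kr.srk_table_flag & SRK_FLAG)
 return 1;
 
 return 0;
+#endif
 }
 
 /* This function returns ospr's key_revoc values.*/
@@ -223,6 +234,7 @@
 }
 #endif
 
+#ifndef CONFIG_ESBC_HDR_LS
 static u32 read_validate_single_key(struct fsl_secboot_img_priv *img)
 {
 struct fsl_secboot_img_hdr *hdr = &img->hdr;
@@ -238,6 +250,7 @@
 
 return 0;
 }
+#endif /* CONFIG_ESBC_HDR_LS */
 
 #if defined(CONFIG_FSL_ISBC_KEY_EXT)
 static u32 read_validate_ie_tbl(struct fsl_secboot_img_priv *img)
@@ -388,6 +401,7 @@
 case ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD:
 case ERROR_ESBC_CLIENT_HEADER_SG_ESBC_EP:
 case ERROR_ESBC_CLIENT_HEADER_SG_ENTIRES_BAD:
+ case ERROR_KEY_TABLE_NOT_FOUND:
 #ifdef CONFIG_KEY_REVOCATION
 case ERROR_ESBC_CLIENT_HEADER_KEY_REVOKED:
 case ERROR_ESBC_CLIENT_HEADER_INVALID_SRK_NUM_ENTRY:
@@ -536,11 +550,18 @@
 if (!key_hash && check_ie(img))
 key_hash = 1;
 #endif
- if (!key_hash)
+#ifndef CONFIG_ESBC_HDR_LS
+/* No single key support in LS ESBC header */
+ if (!key_hash) {
 ret = algo->hash_update(algo, ctx,
 img->img_key, img->hdr.key_len, 0);
+ key_hash = 1;
+ }
+#endif
 if (ret)
 return ret;
+ if (!key_hash)
+ return ERROR_KEY_TABLE_NOT_FOUND;
 
 /* Update hash for actual Image */
 ret = algo->hash_update(algo, ctx,
@@ -626,8 +647,6 @@
 u8 *k, *s;
 u32 ret = 0;
 
-#ifdef CONFIG_KEY_REVOCATION
-#endif
 int key_found = 0;
 
 /* check barker code */
@@ -671,13 +690,17 @@
 key_found = 1;
 }
 #endif
-
+#ifndef CONFIG_ESBC_HDR_LS
+/* Single Key Feature not available in LS ESBC Header */
 if (key_found == 0) {
 ret = read_validate_single_key(img);
 if (ret != 0)
 return ret;
 key_found = 1;
 }
+#endif
+ if (!key_found)
+ return ERROR_KEY_TABLE_NOT_FOUND;
 
 /* check signaure */
 if (get_key_len(img) == 2 * hdr->sign_len) {
@@ -691,10 +714,12 @@
 }
 
 memcpy(&img->img_sign, esbc + hdr->psign, hdr->sign_len);
-
+/* No SG support in LS-CH3 */
+#ifndef CONFIG_ESBC_HDR_LS
 /* No SG support */
 if (hdr->sg_flag)
 return ERROR_ESBC_CLIENT_HEADER_SG;
+#endif
 
 /* modulus most significant bit should be set */
 k = (u8 *)&img->img_key;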
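Review bot: With CONFIG_ESBC_HDR_LS set, the new `if (!key_found) return ERROR_KEY_TABLE_NOT_FOUND;` at new line 702 is reached whenever the table paths above it did not run, and the `#endif` at new line 692 suggests those paths are compiled only under another option (probably CONFIG_KEY_REVOCATION, judging by the other guards in this file; the block itself starts outside the hunk). The check fails closed, which is the right direction for a secure-boot validator, but a build without that option would then reject every image at run time; if that is indeed the dependency, a build-time guard such as `#if defined(CONFIG_ESBC_HDR_LS) && !defined(CONFIG_KEY_REVOCATION)` followed by an `#error` line next to the barker_code definition would surface the misconfiguration earlier. The same reasoning applies to the hash path at new lines 553-564, where the single-key update is compiled out and key_hash can only be set by the earlier table branches. Separately, check_srk() now returns 1 unconditionally for LS, so its leading comment about srk_table_flag no longer describes that build and could say `/* LS header: the SRK table is mandatory, so there is no flag to test */`.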
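--- a/include/fsl_secboot_err.h
+++ b/include/fsl_secboot_err.h
@@ -29,6 +29,7 @@
 #define ERROR_ESBC_CLIENT_HEADER_INV_IE_ENTRY_KEYLEN 0x18
 #define ERROR_IE_TABLE_NOT_FOUND 0x19
 #define ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN 0x20
+#define ERROR_KEY_TABLE_NOT_FOUND 0x21
 #define ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1 0x40
 #define ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2 0x80
 #define ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD 0x100
@@ -121,6 +122,8 @@
 "Wrong IE public key len in header" },
 { ERROR_IE_TABLE_NOT_FOUND,
 "Information about IE Table missing" },
+ { ERROR_KEY_TABLE_NOT_FOUND,
+ "No Key/ Key Table Found in header"},
 { ERROR_ESBC_CLIENT_MAX, "NULL" }
 };
 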
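--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -21,14 +21,6 @@
 
 extern struct jobring jr;
 
-#ifdef CONFIG_KEY_REVOCATION
-/* Srk table and key revocation check */
-#define SRK_FLAG 0x01
-#define UNREVOCABLE_KEY 4
-#define ALIGN_REVOC_KEY 3
-#define MAX_KEY_ENTRIES 4
-#endif
-
 /* Barker code size in bytes */
 #define ESBC_BARKER_LEN 4 /* barker code length in ESBC uboot client */
 /* header */
@@ -39,6 +31,47 @@
 /* Maximum number of SG entries allowed */
 #define MAX_SG_ENTRIES 8
 
+/* Different Header Struct for LS-CH3 */
+#ifdef CONFIG_ESBC_HDR_LS
+struct fsl_secboot_img_hdr {
+ u8 barker[ESBC_BARKER_LEN]; /* barker code */
+ u32 srk_tbl_off;
+ struct {
+ u8 num_srk;
+ u8 srk_sel;
+ u8 reserve;
+ u8 ie_flag;
+ } len_kr;
+
+ u32 uid_flag;
+
+ u32 psign; /* signature offset */
+ u32 sign_len; /* length of the signature in bytes */
+
+ u64 pimg64; /* 64 bit pointer to ESBC Image */
+ u32 img_size; /* ESBC client image size in bytes */
+ u32 ie_key_sel;
+
+ u32 fsl_uid_0;
+ u32 fsl_uid_1;
+ u32 oem_uid_0;
+ u32 oem_uid_1;
+ u32 oem_uid_2;
+ u32 oem_uid_3;
+ u32 oem_uid_4;
+ u32 reserved1[3];
+};
+
+#ifdef CONFIG_KEY_REVOCATION
+/* Srk table and key revocation check */
+#define UNREVOCABLE_KEY 8
+#define ALIGN_REVOC_KEY 7
+#define MAX_KEY_ENTRIES 8
+#endif
+
+
+#else /* CONFIG_ESBC_HDR_LS */
+
 /*
 * ESBC uboot client header structure.
 * The struct contain the following fields
@@ -108,6 +141,17 @@
 u32 ie_flag;
 u32 ie_key_sel;
 };
+
+#ifdef CONFIG_KEY_REVOCATION
+/* Srk table and key revocation check */
+#define SRK_FLAG 0x01
+#define UNREVOCABLE_KEY 4
+#define ALIGN_REVOC_KEY 3
+#define MAX_KEY_ENTRIES 4
+#endif
+
+#endif /* CONFIG_ESBC_HDR_LS */
+
 
 #if defined(CONFIG_FSL_ISBC_KEY_EXT)
 struct ie_key_table {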
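Review bot: The new LS `struct fsl_secboot_img_hdr` at new lines 36-63 carries almost no field documentation, whereas the legacy struct in the `#else` branch is introduced by a comment block that lists its fields. Because this struct is overlaid on header bytes that are read before the signature has been verified, I would add a block comment above it saying that the layout must match the signed header format, that `len_kr` apparently keeps its old name for source compatibility and now holds `num_srk`, `srk_sel` and `ie_flag`, and that `num_srk`, `srk_sel`, `srk_tbl_off`, `psign` and `sign_len` are untrusted values that consumers must range-check (for example `num_srk` and `srk_sel` against `MAX_KEY_ENTRIES`) before using them as counts, indexes or offsets. The code that consumes these fields is outside this section, so whether those checks exist cannot be confirmed from here. `MAX_KEY_ENTRIES` is defined only under `CONFIG_KEY_REVOCATION`, which is worth stating in the same comment since the LS header always relies on the key table.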