| Message ID | 20210226161105.2303-3-elly.siew.chin.lim@intel.com |
|---|---|
| State | Superseded |
| Delegated to: | Simon Goldschmidt |
| Headers | show |
| Series | Add Vendor Authorized Boot (VAB) support | expand |
> -----Original Message----- > From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com> > Sent: Saturday, February 27, 2021 12:11 AM > To: u-boot@lists.denx.de > Cc: Marek Vasut <marex@denx.de>; Tan, Ley Foon > <ley.foon.tan@intel.com>; See, Chin Liang <chin.liang.see@intel.com>; > Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > <tien.fong.chee@intel.com>; Westergreen, Dalon > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > Yau Wai <yau.wai.gan@intel.com>; Lim, Elly Siew Chin > <elly.siew.chin.lim@intel.com> > Subject: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB) > > Vendor Authorized Boot is a security feature for authenticating the images > such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and > etc loaded from FIT. After those images are loaded from FIT, the VAB > certificate and signature block appended at the end of each image are sent > to Secure Device Manager (SDM) for authentication. U-Boot will validate the > SHA384 of the image against the SHA384 hash stored in the VAB certificate > before sending the image to SDM for authentication. > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> > > --- > v4: > - Move function 'board_fit_image_post_process' and 'board_prep_linux' to > arch/arm/mach-socfpga/board.c > > v3: > - Add description for function 'socfpga_vendor_authentication'. > - Relocate vab certificate to first memory bank before trigger SMC call > to send mailbox command because ATF only able to access first memory > bank. > - Report error instead of bypass the authentication in SPL if > Secure Device Manager (SDM) does not support VAB. > - Print success string if VAB success. > - Replace #ifdef with if(IS_ENABLED(CONFIG_...)). > --- > arch/arm/mach-socfpga/Kconfig | 15 ++ > arch/arm/mach-socfpga/Makefile | 2 + > arch/arm/mach-socfpga/board.c | 43 +++++- > arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + > arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ > arch/arm/mach-socfpga/secure_vab.c | 186 > +++++++++++++++++++++++ > common/Kconfig.boot | 2 +- > 7 files changed, 307 insertions(+), 5 deletions(-) create mode 100644 > arch/arm/mach-socfpga/include/mach/secure_vab.h > create mode 100644 arch/arm/mach-socfpga/secure_vab.c > > #include <common.h> > -#include <errno.h> > -#include <fdtdec.h> > -#include <init.h> > -#include <asm/arch/reset_manager.h> > #include <asm/arch/clock_manager.h> > #include <asm/arch/misc.h> > +#include <asm/arch/reset_manager.h> > +#include <asm/arch/secure_vab.h> > #include <asm/io.h> > +#include <errno.h> > +#include <fdtdec.h> > +#include <hang.h> > +#include <image.h> > +#include <init.h> > #include <log.h> > #include <usb.h> > #include <usb/dwc2_udc.h> > @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const char > *name) > return 0; > } > #endif > + > +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) > +void board_fit_image_post_process(void **p_image, size_t *p_size) { > + if (socfpga_vendor_authentication(p_image, p_size)) > + hang(); > +} > + > +void board_prep_linux(bootm_headers_t *images) { Check CONFIG_SOCFPGA_SECURE_VAB_AUTH setting, then only include code below. > + if (!IS_ENABLED(CONFIG_SPL_BUILD)) { > + if > (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) { > + /* > + * Ensure the OS is always booted from FIT and with > + * VAB signed certificate > + */ > + if (!images->fit_uname_cfg) { > + printf("Please use FIT with VAB signed > images!\n"); > + hang(); > + } > + > + env_set_hex("fdt_addr", (ulong)images->ft_addr); > + debug("images->ft_addr = 0x%08lx\n", > (ulong)images->ft_addr); > + } > + > + if (IS_ENABLED(CONFIG_CADENCE_QSPI)) { > + if (env_get("linux_qspi_enable")) > + > run_command(env_get("linux_qspi_enable"), 0); Can always run " linux_qspi_enable" command for all target SOC64? Then can remove linux_qspi_enable from BOOTCOMMAND. Regards Ley Foon
Hi Ley Foon, > -----Original Message----- > From: Tan, Ley Foon <ley.foon.tan@intel.com> > Sent: Monday, March 1, 2021 9:56 AM > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>; u-boot@lists.denx.de > Cc: Marek Vasut <marex@denx.de>; See, Chin Liang > <chin.liang.see@intel.com>; Simon Goldschmidt > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > <tien.fong.chee@intel.com>; Westergreen, Dalon > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > Yau Wai <yau.wai.gan@intel.com> > Subject: RE: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot > (VAB) > > > > > -----Original Message----- > > From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com> > > Sent: Saturday, February 27, 2021 12:11 AM > > To: u-boot@lists.denx.de > > Cc: Marek Vasut <marex@denx.de>; Tan, Ley Foon > > <ley.foon.tan@intel.com>; See, Chin Liang <chin.liang.see@intel.com>; > > Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > > <tien.fong.chee@intel.com>; Westergreen, Dalon > > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > > Yau Wai <yau.wai.gan@intel.com>; Lim, Elly Siew Chin > > <elly.siew.chin.lim@intel.com> > > Subject: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot > > (VAB) > > > > Vendor Authorized Boot is a security feature for authenticating the > > images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree > > blob and etc loaded from FIT. After those images are loaded from FIT, > > the VAB certificate and signature block appended at the end of each > > image are sent to Secure Device Manager (SDM) for authentication. > > U-Boot will validate the > > SHA384 of the image against the SHA384 hash stored in the VAB > > certificate before sending the image to SDM for authentication. > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> > > > > --- > > v4: > > - Move function 'board_fit_image_post_process' and 'board_prep_linux' > to > > arch/arm/mach-socfpga/board.c > > > > v3: > > - Add description for function 'socfpga_vendor_authentication'. > > - Relocate vab certificate to first memory bank before trigger SMC call > > to send mailbox command because ATF only able to access first memory > > bank. > > - Report error instead of bypass the authentication in SPL if > > Secure Device Manager (SDM) does not support VAB. > > - Print success string if VAB success. > > - Replace #ifdef with if(IS_ENABLED(CONFIG_...)). > > --- > > arch/arm/mach-socfpga/Kconfig | 15 ++ > > arch/arm/mach-socfpga/Makefile | 2 + > > arch/arm/mach-socfpga/board.c | 43 +++++- > > arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + > > arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ > > arch/arm/mach-socfpga/secure_vab.c | 186 > > +++++++++++++++++++++++ > > common/Kconfig.boot | 2 +- > > 7 files changed, 307 insertions(+), 5 deletions(-) create mode > > 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h > > create mode 100644 arch/arm/mach-socfpga/secure_vab.c > > > > #include <common.h> > > -#include <errno.h> > > -#include <fdtdec.h> > > -#include <init.h> > > -#include <asm/arch/reset_manager.h> > > #include <asm/arch/clock_manager.h> > > #include <asm/arch/misc.h> > > +#include <asm/arch/reset_manager.h> > > +#include <asm/arch/secure_vab.h> > > #include <asm/io.h> > > +#include <errno.h> > > +#include <fdtdec.h> > > +#include <hang.h> > > +#include <image.h> > > +#include <init.h> > > #include <log.h> > > #include <usb.h> > > #include <usb/dwc2_udc.h> > > @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const > char > > *name) > > return 0; > > } > > #endif > > + > > +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) > > +void board_fit_image_post_process(void **p_image, size_t *p_size) { > > + if (socfpga_vendor_authentication(p_image, p_size)) > > + hang(); > > +} > > + > > +void board_prep_linux(bootm_headers_t *images) { > > Check CONFIG_SOCFPGA_SECURE_VAB_AUTH setting, then only include > code below. > > > + if (!IS_ENABLED(CONFIG_SPL_BUILD)) { > > + if > > (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) { > > + /* > > + * Ensure the OS is always booted from FIT and with > > + * VAB signed certificate > > + */ > > + if (!images->fit_uname_cfg) { > > + printf("Please use FIT with VAB signed > > images!\n"); > > + hang(); > > + } > > + > > + env_set_hex("fdt_addr", (ulong)images->ft_addr); > > + debug("images->ft_addr = 0x%08lx\n", > > (ulong)images->ft_addr); > > + } > > + > > + if (IS_ENABLED(CONFIG_CADENCE_QSPI)) { > > + if (env_get("linux_qspi_enable")) > > + > > run_command(env_get("linux_qspi_enable"), 0); > Can always run " linux_qspi_enable" command for all target SOC64? Then can > remove linux_qspi_enable from BOOTCOMMAND. board_prep_linux will only be called when we use "bootm" to boot to Linux. Only SOC64 VAB flow is using "bootm" now. We still need linux_qspi_enable in BOOTCOMMAND for ATF and non-ATF boot flow. > > Regards > Ley Foon
> -----Original Message----- > From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com> > Sent: Monday, March 1, 2021 2:43 PM > To: Tan, Ley Foon <ley.foon.tan@intel.com>; u-boot@lists.denx.de > Cc: Marek Vasut <marex@denx.de>; See, Chin Liang > <chin.liang.see@intel.com>; Simon Goldschmidt > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > <tien.fong.chee@intel.com>; Westergreen, Dalon > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > Yau Wai <yau.wai.gan@intel.com> > Subject: RE: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot > (VAB) > > Hi Ley Foon, > > > -----Original Message----- > > From: Tan, Ley Foon <ley.foon.tan@intel.com> > > Sent: Monday, March 1, 2021 9:56 AM > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>; > > u-boot@lists.denx.de > > Cc: Marek Vasut <marex@denx.de>; See, Chin Liang > > <chin.liang.see@intel.com>; Simon Goldschmidt > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > > <tien.fong.chee@intel.com>; Westergreen, Dalon > > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > > Yau Wai <yau.wai.gan@intel.com> > > Subject: RE: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized > > Boot > > (VAB) > > > > > > > > > -----Original Message----- > > > From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com> > > > Sent: Saturday, February 27, 2021 12:11 AM > > > To: u-boot@lists.denx.de > > > Cc: Marek Vasut <marex@denx.de>; Tan, Ley Foon > > > <ley.foon.tan@intel.com>; See, Chin Liang > > > <chin.liang.see@intel.com>; Simon Goldschmidt > > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > > > <tien.fong.chee@intel.com>; Westergreen, Dalon > > > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; > Gan, > > > Yau Wai <yau.wai.gan@intel.com>; Lim, Elly Siew Chin > > > <elly.siew.chin.lim@intel.com> > > > Subject: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized > > > Boot > > > (VAB) > > > > > > Vendor Authorized Boot is a security feature for authenticating the > > > images such as U-Boot, ARM trusted Firmware, Linux kernel, device > > > tree blob and etc loaded from FIT. After those images are loaded > > > from FIT, the VAB certificate and signature block appended at the > > > end of each image are sent to Secure Device Manager (SDM) for > authentication. > > > U-Boot will validate the > > > SHA384 of the image against the SHA384 hash stored in the VAB > > > certificate before sending the image to SDM for authentication. > > > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> > > > > > > --- > > > v4: > > > - Move function 'board_fit_image_post_process' and 'board_prep_linux' > > to > > > arch/arm/mach-socfpga/board.c > > > > > > v3: > > > - Add description for function 'socfpga_vendor_authentication'. > > > - Relocate vab certificate to first memory bank before trigger SMC call > > > to send mailbox command because ATF only able to access first > > > memory bank. > > > - Report error instead of bypass the authentication in SPL if > > > Secure Device Manager (SDM) does not support VAB. > > > - Print success string if VAB success. > > > - Replace #ifdef with if(IS_ENABLED(CONFIG_...)). > > > --- > > > arch/arm/mach-socfpga/Kconfig | 15 ++ > > > arch/arm/mach-socfpga/Makefile | 2 + > > > arch/arm/mach-socfpga/board.c | 43 +++++- > > > arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + > > > arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ > > > arch/arm/mach-socfpga/secure_vab.c | 186 > > > +++++++++++++++++++++++ > > > common/Kconfig.boot | 2 +- > > > 7 files changed, 307 insertions(+), 5 deletions(-) create mode > > > 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h > > > create mode 100644 arch/arm/mach-socfpga/secure_vab.c > > > > > > #include <common.h> > > > -#include <errno.h> > > > -#include <fdtdec.h> > > > -#include <init.h> > > > -#include <asm/arch/reset_manager.h> #include > > > <asm/arch/clock_manager.h> #include <asm/arch/misc.h> > > > +#include <asm/arch/reset_manager.h> #include > > > +<asm/arch/secure_vab.h> > > > #include <asm/io.h> > > > +#include <errno.h> > > > +#include <fdtdec.h> > > > +#include <hang.h> > > > +#include <image.h> > > > +#include <init.h> > > > #include <log.h> > > > #include <usb.h> > > > #include <usb/dwc2_udc.h> > > > @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const > > char > > > *name) > > > return 0; > > > } > > > #endif > > > + > > > +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) > > > +void board_fit_image_post_process(void **p_image, size_t *p_size) { > > > + if (socfpga_vendor_authentication(p_image, p_size)) > > > + hang(); > > > +} > > > + > > > +void board_prep_linux(bootm_headers_t *images) { > > > > Check CONFIG_SOCFPGA_SECURE_VAB_AUTH setting, then only include > code > > below. > > > > > + if (!IS_ENABLED(CONFIG_SPL_BUILD)) { > > > + if > > > (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) > { > > > + /* > > > + * Ensure the OS is always booted from FIT and with > > > + * VAB signed certificate > > > + */ > > > + if (!images->fit_uname_cfg) { > > > + printf("Please use FIT with VAB signed > > > images!\n"); > > > + hang(); > > > + } > > > + > > > + env_set_hex("fdt_addr", (ulong)images->ft_addr); > > > + debug("images->ft_addr = 0x%08lx\n", > > > (ulong)images->ft_addr); > > > + } > > > + > > > + if (IS_ENABLED(CONFIG_CADENCE_QSPI)) { > > > + if (env_get("linux_qspi_enable")) > > > + > > > run_command(env_get("linux_qspi_enable"), 0); > > Can always run " linux_qspi_enable" command for all target SOC64? Then > > can remove linux_qspi_enable from BOOTCOMMAND. > > board_prep_linux will only be called when we use "bootm" to boot to Linux. > Only SOC64 VAB flow is using "bootm" now. We still need linux_qspi_enable > in BOOTCOMMAND for ATF and non-ATF boot flow. Okay.
diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig index 9b1abdaabd..0c35406232 100644 --- a/arch/arm/mach-socfpga/Kconfig +++ b/arch/arm/mach-socfpga/Kconfig @@ -6,6 +6,21 @@ config ERR_PTR_OFFSET config NR_DRAM_BANKS default 1 +config SOCFPGA_SECURE_VAB_AUTH + bool "Enable boot image authentication with Secure Device Manager" + depends on TARGET_SOCFPGA_AGILEX + select FIT_IMAGE_POST_PROCESS + select SHA384 + select SHA512_ALGO + select SPL_FIT_IMAGE_POST_PROCESS + help + All images loaded from FIT will be authenticated by Secure Device + Manager. + +config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE + bool "Allow non-FIT VAB signed images" + depends on SOCFPGA_SECURE_VAB_AUTH + config SPL_SIZE_LIMIT default 0x10000 if TARGET_SOCFPGA_GEN5 diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach-socfpga/Makefile index 82b681d870..1f1e21766d 100644 --- a/arch/arm/mach-socfpga/Makefile +++ b/arch/arm/mach-socfpga/Makefile @@ -4,6 +4,7 @@ # Wolfgang Denk, DENX Software Engineering, wd@denx.de. # # Copyright (C) 2012-2017 Altera Corporation <www.altera.com> +# Copyright (C) 2017-2020 Intel Corporation <www.intel.com> obj-y += board.o obj-y += clock_manager.o @@ -47,6 +48,7 @@ obj-y += mailbox_s10.o obj-y += misc_s10.o obj-y += mmu-arm64_s10.o obj-y += reset_manager_s10.o +obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH) += secure_vab.o obj-y += system_manager_s10.o obj-y += timer_s10.o obj-y += wrap_pinmux_config_s10.o diff --git a/arch/arm/mach-socfpga/board.c b/arch/arm/mach-socfpga/board.c index 7993c27646..9f60f2fc05 100644 --- a/arch/arm/mach-socfpga/board.c +++ b/arch/arm/mach-socfpga/board.c @@ -6,13 +6,16 @@ */ #include <common.h> -#include <errno.h> -#include <fdtdec.h> -#include <init.h> -#include <asm/arch/reset_manager.h> #include <asm/arch/clock_manager.h> #include <asm/arch/misc.h> +#include <asm/arch/reset_manager.h> +#include <asm/arch/secure_vab.h> #include <asm/io.h> +#include <errno.h> +#include <fdtdec.h> +#include <hang.h> +#include <image.h> +#include <init.h> #include <log.h> #include <usb.h> #include <usb/dwc2_udc.h> @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const char *name) return 0; } #endif + +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + if (socfpga_vendor_authentication(p_image, p_size)) + hang(); +} + +void board_prep_linux(bootm_headers_t *images) +{ + if (!IS_ENABLED(CONFIG_SPL_BUILD)) { + if (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) { + /* + * Ensure the OS is always booted from FIT and with + * VAB signed certificate + */ + if (!images->fit_uname_cfg) { + printf("Please use FIT with VAB signed images!\n"); + hang(); + } + + env_set_hex("fdt_addr", (ulong)images->ft_addr); + debug("images->ft_addr = 0x%08lx\n", (ulong)images->ft_addr); + } + + if (IS_ENABLED(CONFIG_CADENCE_QSPI)) { + if (env_get("linux_qspi_enable")) + run_command(env_get("linux_qspi_enable"), 0); + } + } +} +#endif diff --git a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h index 4d783119ea..fbaf11597e 100644 --- a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h +++ b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h @@ -118,6 +118,7 @@ enum ALT_SDM_MBOX_RESP_CODE { #define MBOX_RECONFIG_MSEL 7 #define MBOX_RECONFIG_DATA 8 #define MBOX_RECONFIG_STATUS 9 +#define MBOX_VAB_SRC_CERT 11 #define MBOX_QSPI_OPEN 50 #define MBOX_QSPI_CLOSE 51 #define MBOX_QSPI_DIRECT 59 diff --git a/arch/arm/mach-socfpga/include/mach/secure_vab.h b/arch/arm/mach-socfpga/include/mach/secure_vab.h new file mode 100644 index 0000000000..42588588e8 --- /dev/null +++ b/arch/arm/mach-socfpga/include/mach/secure_vab.h @@ -0,0 +1,63 @@ +/* SPDX-License-Identifier: GPL-2.0 + * + * Copyright (C) 2020 Intel Corporation <www.intel.com> + * + */ + +#ifndef _SECURE_VAB_H_ +#define _SECURE_VAB_H_ + +#include <linux/sizes.h> +#include <linux/stddef.h> +#include <u-boot/sha512.h> + +#define VAB_DATA_SZ 64 + +#define SDM_CERT_MAGIC_NUM 0x25D04E7F +#define FCS_HPS_VAB_MAGIC_NUM 0xD0564142 + +#define MAX_CERT_SIZE (SZ_4K) + +/* + * struct fcs_hps_vab_certificate_data + * @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142) + * @flags: TBD + * @fcs_data: Data words being certificate signed. + * @cert_sign_keychain: Certificate Signing Keychain + */ +struct fcs_hps_vab_certificate_data { + u32 vab_cert_magic_num; /* offset 0x10 */ + u32 flags; + u8 rsvd0_1[8]; + u8 fcs_sha384[SHA384_SUM_LEN]; /* offset 0x20 */ +}; + +/* + * struct fcs_hps_vab_certificate_header + * @cert_magic_num: Certificate Magic Word (0x25D04E7F) + * @cert_data_sz: size of this certificate header (0x80) + * Includes magic number all the way to the certificate + * signing keychain (excludes cert. signing keychain) + * @cert_ver: Certificate Version + * @cert_type: Certificate Type + * @data: VAB HPS Image Certificate data + */ +struct fcs_hps_vab_certificate_header { + u32 cert_magic_num; /* offset 0 */ + u32 cert_data_sz; + u32 cert_ver; + u32 cert_type; + struct fcs_hps_vab_certificate_data d; /* offset 0x10 */ + /* keychain starts at offset 0x50 */ +}; + +#define VAB_CERT_HEADER_SIZE sizeof(struct fcs_hps_vab_certificate_header) +#define VAB_CERT_MAGIC_OFFSET offsetof \ + (struct fcs_hps_vab_certificate_header, d) +#define VAB_CERT_FIT_SHA384_OFFSET offsetof \ + (struct fcs_hps_vab_certificate_data, \ + fcs_sha384[0]) + +int socfpga_vendor_authentication(void **p_image, size_t *p_size); + +#endif /* _SECURE_VAB_H_ */ diff --git a/arch/arm/mach-socfpga/secure_vab.c b/arch/arm/mach-socfpga/secure_vab.c new file mode 100644 index 0000000000..e2db588506 --- /dev/null +++ b/arch/arm/mach-socfpga/secure_vab.c @@ -0,0 +1,186 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2020 Intel Corporation <www.intel.com> + * + */ + +#include <asm/arch/mailbox_s10.h> +#include <asm/arch/secure_vab.h> +#include <asm/arch/smc_api.h> +#include <asm/unaligned.h> +#include <common.h> +#include <exports.h> +#include <linux/errno.h> +#include <linux/intel-smc.h> +#include <log.h> + +#define CHUNKSZ_PER_WD_RESET (256 * SZ_1K) + +/* + * Read the length of the VAB certificate from the end of image + * and calculate the actual image size (excluding the VAB certificate). + */ +static size_t get_img_size(u8 *img_buf, size_t img_buf_sz) +{ + u8 *img_buf_end = img_buf + img_buf_sz; + u32 cert_sz = get_unaligned_le32(img_buf_end - sizeof(u32)); + u8 *p = img_buf_end - cert_sz - sizeof(u32); + + /* Ensure p is pointing within the img_buf */ + if (p < img_buf || p > (img_buf_end - VAB_CERT_HEADER_SIZE)) + return 0; + + if (get_unaligned_le32(p) == SDM_CERT_MAGIC_NUM) + return (size_t)(p - img_buf); + + return 0; +} + +/* + * Vendor Authorized Boot (VAB) is a security feature for authenticating + * the images such as U-Boot, ARM trusted Firmware, Linux kernel, + * device tree blob and etc loaded from FIT. User can also trigger + * the VAB authentication from U-Boot command. + * + * This function extracts the VAB certificate and signature block + * appended at the end of the image, then send to Secure Device Manager + * (SDM) for authentication. This function will validate the SHA384 + * of the image against the SHA384 hash stored in the VAB certificate + * before sending the VAB certificate to SDM for authentication. + * + * RETURN + * 0 if authentication success or + * if authentication is not required and bypassed on a non-secure device + * negative error code if authentication fail + */ +int socfpga_vendor_authentication(void **p_image, size_t *p_size) +{ + int retry_count = 20; + u8 hash384[SHA384_SUM_LEN]; + u64 img_addr, mbox_data_addr; + size_t img_sz, mbox_data_sz; + u8 *cert_hash_ptr, *mbox_relocate_data_addr; + u32 resp = 0, resp_len = 1; + int ret; + + img_addr = (uintptr_t)*p_image; + + debug("Authenticating image at address 0x%016llx (%ld bytes)\n", + img_addr, *p_size); + + img_sz = get_img_size((u8 *)img_addr, *p_size); + debug("img_sz = %ld\n", img_sz); + + if (!img_sz) { + puts("VAB certificate not found in image!\n"); + return -ENOKEY; + } + + if (!IS_ALIGNED(img_sz, sizeof(u32))) { + printf("Image size (%ld bytes) not aliged to 4 bytes!\n", + img_sz); + return -EBFONT; + } + + /* Generate HASH384 from the image */ + sha384_csum_wd((u8 *)img_addr, img_sz, hash384, CHUNKSZ_PER_WD_RESET); + + cert_hash_ptr = (u8 *)(img_addr + img_sz + VAB_CERT_MAGIC_OFFSET + + VAB_CERT_FIT_SHA384_OFFSET); + + /* + * Compare the SHA384 found in certificate against the SHA384 + * calculated from image + */ + if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) { + puts("SHA384 not match!\n"); + return -EKEYREJECTED; + } + + mbox_data_addr = img_addr + img_sz - sizeof(u32); + /* Size in word (32bits) */ + mbox_data_sz = (ALIGN(*p_size - img_sz, sizeof(u32))) >> 2; + + debug("mbox_data_addr = 0x%016llx\n", mbox_data_addr); + debug("mbox_data_sz = %ld words\n", mbox_data_sz); + + /* + * Relocate certificate to first memory block before trigger SMC call + * to send mailbox command because ATF only able to access first + * memory block. + */ + mbox_relocate_data_addr = (u8 *)malloc(mbox_data_sz * sizeof(u32)); + if (!mbox_relocate_data_addr) { + puts("Out of memory for VAB certificate relocation!\n"); + return -ENOMEM; + } + + memcpy(mbox_relocate_data_addr, (u8 *)mbox_data_addr, mbox_data_sz * sizeof(u32)); + *(u32 *)mbox_relocate_data_addr = 0; + + debug("mbox_relocate_data_addr = 0x%p\n", mbox_relocate_data_addr); + + do { + if (!IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_SPL_ATF)) { + /* Invoke SMC call to ATF to send the VAB certificate to SDM */ + ret = smc_send_mailbox(MBOX_VAB_SRC_CERT, mbox_data_sz, + (u32 *)mbox_relocate_data_addr, 0, &resp_len, + &resp); + } else { + /* Send the VAB certficate to SDM for authentication */ + ret = mbox_send_cmd(MBOX_ID_UBOOT, MBOX_VAB_SRC_CERT, + MBOX_CMD_DIRECT, mbox_data_sz, + (u32 *)mbox_relocate_data_addr, 0, &resp_len, + &resp); + } + /* If SDM is not available, just delay 50ms and retry again */ + if (ret == MBOX_RESP_DEVICE_BUSY) + mdelay(50); + else + break; + } while (--retry_count); + + /* Free the relocate certificate memory space */ + free(mbox_relocate_data_addr); + + /* Exclude the size of the VAB certificate from image size */ + *p_size = img_sz; + + debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp, + resp_len); + + if (ret) { + /* + * Unsupported mailbox command or device not in the + * owned/secure state + */ + if (ret == MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) { + /* SDM bypass authentication */ + printf("%s 0x%016llx (%ld bytes)\n", + "Image Authentication bypassed at address", + img_addr, img_sz); + return 0; + } + puts("VAB certificate authentication failed in SDM"); + if (ret == MBOX_RESP_DEVICE_BUSY) { + puts(" (SDM busy timeout)\n"); + return -ETIMEDOUT; + } else if (ret == MBOX_RESP_UNKNOWN) { + puts(" (Not supported)\n"); + return -ESRCH; + } + puts("\n"); + return -EKEYREJECTED; + } else { + /* If Certificate Process Status has error */ + if (resp) { + puts("VAB certificate process failed\n"); + return -ENOEXEC; + } + } + + printf("%s 0x%016llx (%ld bytes)\n", + "Image Authentication passed at address", img_addr, img_sz); + + return 0; +} diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 5eaabdfc27..7b94f402fd 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -128,7 +128,7 @@ config FIT_BEST_MATCH config FIT_IMAGE_POST_PROCESS bool "Enable post-processing of FIT artifacts after loading by U-Boot" - depends on TI_SECURE_DEVICE + depends on TI_SECURE_DEVICE || SOCFPGA_SECURE_VAB_AUTH help Allows doing any sort of manipulation to blobs after they got extracted from FIT images like stripping off headers or modifying the size of the
Vendor Authorized Boot is a security feature for authenticating the images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and etc loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication. Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> --- v4: - Move function 'board_fit_image_post_process' and 'board_prep_linux' to arch/arm/mach-socfpga/board.c v3: - Add description for function 'socfpga_vendor_authentication'. - Relocate vab certificate to first memory bank before trigger SMC call to send mailbox command because ATF only able to access first memory bank. - Report error instead of bypass the authentication in SPL if Secure Device Manager (SDM) does not support VAB. - Print success string if VAB success. - Replace #ifdef with if(IS_ENABLED(CONFIG_...)). --- arch/arm/mach-socfpga/Kconfig | 15 ++ arch/arm/mach-socfpga/Makefile | 2 + arch/arm/mach-socfpga/board.c | 43 +++++- arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ arch/arm/mach-socfpga/secure_vab.c | 186 +++++++++++++++++++++++ common/Kconfig.boot | 2 +- 7 files changed, 307 insertions(+), 5 deletions(-) create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h create mode 100644 arch/arm/mach-socfpga/secure_vab.c