========
If Secure Boot is executed, a separate U-Boot target is required which
must be compiled with a diffrent Text Base as compared to Non-Secure Boot.
There are some LAW and TLB settings which are required specifically for
Secure Boot scenario.
ARM:
====
ARM based SoC's have a fixed memory map and exit conditions from BootROM
are same irrespective of boot mode (Secure or Non-Secure).
Thus the current Secure Boot functionlity has been split into two parts:
CONFIG_CHAIN_OF_TRUST
========================
This will have the following functionality as part of U-Boot:
1. Enable commands like esbc_validate, esbc_halt
2. Change the environment settings based on bootmode (determined at run time):
- If bootmode is non-secure, no change
- If bootmode is secure, set the following:
- bootdelay = 0 (Don't give boot prompt)
- bootcmd = Validate and execute the bootscript.
CONFIG_SECURE_BOOT
=====================
This is defined only for creating a different compile time target for secure boot.
Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT
This patch is aimed at removing the requirement for a separate Secure Boot target
for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be
determine at run time.
Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt
must not be picked from flash/external memory. This cannot be done based on bootmode
at run time in current U-Boot architecture. Once this dependency is resolved, no separate
SECURE_BOOT target will be required for ARM based SoC's.
Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining
CONFIG_ENV_IS_NOWHERE
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
---
Changes in v2:
CONFIG_ENV_IS_NOWHERE is defined for Secure Boot
arch/arm/include/asm/fsl_secure_boot.h | 16 ++--
arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++-----
include/config_fsl_chain_trust.h | 101 +++++++++++++++++++++++++
include/config_fsl_secboot.h | 116 -----------------------------
4 files changed, 135 insertions(+), 139 deletions(-)
create mode 100644 include/config_fsl_chain_trust.h
delete mode 100644 include/config_fsl_secboot.h
@@ -8,6 +8,14 @@
#define __FSL_SECURE_BOOT_H
#ifdef CONFIG_SECURE_BOOT
+
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_CHAIN_OF_TRUST
+#endif
+
+#endif
+
+#ifdef CONFIG_CHAIN_OF_TRUST
#define CONFIG_CMD_ESBC_VALIDATE
#define CONFIG_CMD_BLOB
#define CONFIG_FSL_SEC_MON
@@ -40,8 +48,6 @@
#define CONFIG_ESBC_ADDR_64BIT
#endif
-#ifndef CONFIG_FIT_SIGNATURE
-
#define CONFIG_EXTRA_ENV \
"setenv fdt_high 0xcfffffff;" \
"setenv initrd_high 0xcfffffff;" \
@@ -50,8 +56,6 @@
/* The address needs to be modified according to NOR memory map */
#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000
-#include <config_fsl_secboot.h>
-#endif
-#endif
-
+#include <config_fsl_chain_trust.h>
+#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
@@ -9,19 +9,11 @@
#include <asm/config_mpc85xx.h>
#ifdef CONFIG_SECURE_BOOT
-#define CONFIG_CMD_ESBC_VALIDATE
-#define CONFIG_CMD_BLOB
-#define CONFIG_FSL_SEC_MON
-#define CONFIG_SHA_PROG_HW_ACCEL
-#define CONFIG_DM
-#define CONFIG_RSA
-#define CONFIG_RSA_FREESCALE_EXP
-#ifndef CONFIG_FSL_CAAM
-#define CONFIG_FSL_CAAM
-#endif
+
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_CHAIN_OF_TRUST
#endif
-#ifdef CONFIG_SECURE_BOOT
#if defined(CONFIG_FSL_CORENET)
#define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000
#elif defined(CONFIG_BSC9132QDS)
@@ -76,8 +68,25 @@
*/
#define CONFIG_FSL_ISBC_KEY_EXT
#endif
+#endif /* #ifdef CONFIG_SECURE_BOOT */
+
+#ifdef CONFIG_CHAIN_OF_TRUST
+
+#define CONFIG_CMD_ESBC_VALIDATE
+#define CONFIG_CMD_BLOB
+#define CONFIG_FSL_SEC_MON
+#define CONFIG_SHA_PROG_HW_ACCEL
+#define CONFIG_RSA
+#define CONFIG_RSA_FREESCALE_EXP
+
+#ifndef CONFIG_DM
+#define CONFIG_DM
+#endif
+
+#ifndef CONFIG_FSL_CAAM
+#define CONFIG_FSL_CAAM
+#endif
-#ifndef CONFIG_FIT_SIGNATURE
/* If Boot Script is not on NOR and is required to be copied on RAM */
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
#define CONFIG_BS_HDR_ADDR_RAM 0x00010000
@@ -105,10 +114,8 @@
#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000
#endif
-#endif
-
-#include <config_fsl_secboot.h>
-#endif
+#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */
-#endif
+#include <config_fsl_chain_trust.h>
+#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
new file mode 100644
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ */
+
+#ifndef __CONFIG_FSL_CHAIN_TRUST_H
+#define __CONFIG_FSL_CHAIN_TRUST_H
+
+/* For secure boot, since ENVIRONMENT in flash/external memories is
+ * not verified, undef CONFIG_ENV_xxx and set default env
+ * (CONFIG_ENV_IS_NOWHERE)
+ */
+#ifdef CONFIG_SECURE_BOOT
+
+#undef CONFIG_ENV_IS_IN_EEPROM
+#undef CONFIG_ENV_IS_IN_NAND
+#undef CONFIG_ENV_IS_IN_MMC
+#undef CONFIG_ENV_IS_IN_SPI_FLASH
+#undef CONFIG_ENV_IS_IN_FLASH
+
+#define CONFIG_ENV_IS_NOWHERE
+
+#endif
+
+#ifdef CONFIG_CHAIN_OF_TRUST
+
+#ifndef CONFIG_EXTRA_ENV
+#define CONFIG_EXTRA_ENV ""
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+
+#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr " \
+ __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#else
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr;" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#endif
+
+/* For secure boot flow, default environment used will be used */
+#if defined(CONFIG_SYS_RAMBOOT)
+#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
+#define CONFIG_BS_COPY_ENV \
+ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
+ "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \
+ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
+ "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \
+ "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \
+ "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
+
+#if defined(CONFIG_RAMBOOT_NAND)
+#define CONFIG_BS_COPY_CMD \
+ "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \
+ "nand read $bs_ram $bs_flash $bs_size ;"
+#endif /* CONFIG_RAMBOOT_NAND */
+#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
+
+#endif
+
+#ifndef CONFIG_BS_COPY_ENV
+#define CONFIG_BS_COPY_ENV
+#endif
+
+#ifndef CONFIG_BS_COPY_CMD
+#define CONFIG_BS_COPY_CMD
+#endif
+
+#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \
+ CONFIG_BS_COPY_CMD \
+ CONFIG_SECBOOT
+
+#endif
+#endif
deleted file mode 100644
@@ -1,116 +0,0 @@
-/*
- * Copyright 2015 Freescale Semiconductor, Inc.
- *
- * SPDX-License-Identifier: GPL-2.0+
- */
-
-#ifndef __CONFIG_FSL_SECBOOT_H
-#define __CONFIG_FSL_SECBOOT_H
-
-#ifdef CONFIG_SECURE_BOOT
-
-#ifndef CONFIG_CMD_ESBC_VALIDATE
-#define CONFIG_CMD_ESBC_VALIDATE
-#endif
-
-#ifndef CONFIG_EXTRA_ENV
-#define CONFIG_EXTRA_ENV ""
-#endif
-
-/*
- * Control should not reach back to uboot after validation of images
- * for secure boot flow and therefore bootscript should have
- * the bootm command. If control reaches back to uboot anyhow
- * after validating images, core should just spin.
- */
-
-/*
- * Define the key hash for boot script here if public/private key pair used to
- * sign bootscript are different from the SRK hash put in the fuse
- * Example of defining KEY_HASH is
- * #define CONFIG_BOOTSCRIPT_KEY_HASH \
- * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
- */
-
-#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
-#define CONFIG_SECBOOT \
- "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
- "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
- "ramdisk_size=600000\';" \
- CONFIG_EXTRA_ENV \
- "esbc_validate $bs_hdraddr " \
- __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
- "source $img_addr;" \
- "esbc_halt\0"
-#else
-#define CONFIG_SECBOOT \
- "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
- "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
- "ramdisk_size=600000\';" \
- CONFIG_EXTRA_ENV \
- "esbc_validate $bs_hdraddr;" \
- "source $img_addr;" \
- "esbc_halt\0"
-#endif
-
-/* For secure boot flow, default environment used will be used */
-#if defined(CONFIG_SYS_RAMBOOT)
-#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
-#define CONFIG_BS_COPY_ENV \
- "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
- "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \
- "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
- "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \
- "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \
- "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
-
-#if defined(CONFIG_RAMBOOT_NAND)
-#define CONFIG_BS_COPY_CMD \
- "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \
- "nand read $bs_ram $bs_flash $bs_size ;"
-#endif /* CONFIG_RAMBOOT_NAND */
-#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
-
-#if defined(CONFIG_RAMBOOT_SPIFLASH)
-#undef CONFIG_ENV_IS_IN_SPI_FLASH
-#elif defined(CONFIG_RAMBOOT_NAND)
-#undef CONFIG_ENV_IS_IN_NAND
-#elif defined(CONFIG_RAMBOOT_SDCARD)
-#undef CONFIG_ENV_IS_IN_MMC
-#endif
-#else /*CONFIG_SYS_RAMBOOT*/
-#undef CONFIG_ENV_IS_IN_FLASH
-#endif
-
-#define CONFIG_ENV_IS_NOWHERE
-
-#ifndef CONFIG_BS_COPY_ENV
-#define CONFIG_BS_COPY_ENV
-#endif
-
-#ifndef CONFIG_BS_COPY_CMD
-#define CONFIG_BS_COPY_CMD
-#endif
-
-#define CONFIG_SECBOOT_CMD CONFIG_BS_COPY_ENV \
- CONFIG_BS_COPY_CMD \
- CONFIG_SECBOOT
-/*
- * We don't want boot delay for secure boot flow
- * before autoboot starts
- */
-#undef CONFIG_BOOTDELAY
-#define CONFIG_BOOTDELAY 0
-#undef CONFIG_BOOTCOMMAND
-#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT_CMD
-
-/*
- * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for
- * secure boot flow as defining this would enable a user to
- * reach uboot prompt by pressing some key before start of
- * autoboot
- */
-#undef CONFIG_ZERO_BOOTDELAY_CHECK
-
-#endif
-#endif