Message ID | 1453460848-21808-6-git-send-email-aneesh.bansal@nxp.com |
---|---|
State | Accepted |
Commit | d041288586b05164c84794a5956ddc5fb8939115 |
Delegated to: | York Sun |
> -----Original Message----- > From: Aneesh Bansal [mailto:aneesh.bansal@nxp.com] > Sent: Friday, January 22, 2016 4:37 PM > To: u-boot@lists.denx.de > Cc: york sun <york.sun@nxp.com>; Ruchika Gupta > <ruchika.gupta@nxp.com>; Prabhakar Kushwaha > <prabhakar.kushwaha@nxp.com>; Aneesh Bansal > <aneesh.bansal@nxp.com> > Subject: [PATCH v3 5/7] enable chain of trust for ARM platforms > > Chain of Trust is enabled for ARM platforms (LS1021 and LS1043). > In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform > the following: > - If boot mode is non-secure, return (No Change) > - If boot mode is secure, set the following environmet variables: > bootdelay = 0 (To disable Boot Prompt) > bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) > > Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> > --- > Changes in v3: > Protect the inclusion of file fsl_validate.h with macro > CONFIG_CHAIN_OF_TRUST > > Changes in v2: > Defconfigs for Secure Boot Target are not removed. > > arch/arm/cpu/armv8/fsl-layerscape/soc.c | 6 ++++++ > board/freescale/common/Makefile | 1 + > board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++ > board/freescale/ls1021aqds/ls1021aqds.c | 4 ++++ > board/freescale/ls1021atwr/ls1021atwr.c | 4 ++++ > include/fsl_validate.h | 2 ++ > 6 files changed, 34 insertions(+) > > diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c > b/arch/arm/cpu/armv8/fsl-layerscape/soc.c > index 23d6b73..d97a445 100644 > --- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c > +++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c > @@ -12,6 +12,9 @@ > #include <asm/io.h> > #include <asm/global_data.h> > #include <asm/arch-fsl-layerscape/config.h> > +#ifdef CONFIG_CHAIN_OF_TRUST > +#include <fsl_validate.h> > +#endif > > DECLARE_GLOBAL_DATA_PTR; > > @@ -241,6 +244,9 @@ int board_late_init(void) #ifdef > CONFIG_SCSI_AHCI_PLAT > sata_init(); > #endif > +#ifdef CONFIG_CHAIN_OF_TRUST > + fsl_setenv_chain_of_trust(); > +#endif > > return 0; > } 
> diff --git a/board/freescale/common/Makefile > b/board/freescale/common/Makefile index 51d2814..be114ce 100644 > --- a/board/freescale/common/Makefile > +++ b/board/freescale/common/Makefile > @@ -76,5 +76,6 @@ obj-$(CONFIG_LAYERSCAPE_NS_ACCESS) += > ns_access.o > ifdef CONFIG_SECURE_BOOT > obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o > endif > +obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o > > endif > diff --git a/board/freescale/common/fsl_chain_of_trust.c > b/board/freescale/common/fsl_chain_of_trust.c > index ff67bd7..ecfcc82 100644 > --- a/board/freescale/common/fsl_chain_of_trust.c > +++ b/board/freescale/common/fsl_chain_of_trust.c > @@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void) #endif > return 0; > } > + > +int fsl_setenv_chain_of_trust(void) > +{ > + /* Check Boot Mode > + * If Boot Mode is Non-Secure, no changes are required > + */ > + if (fsl_check_boot_mode_secure() == 0) > + return 0; > + > + /* If Boot mode is Secure, set the environment variables > + * bootdelay = 0 (To disable Boot Prompt) > + * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute > Boot script) > + */ > + setenv("bootdelay", "0"); > + setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD); > + return 0; > +} > diff --git a/board/freescale/ls1021aqds/ls1021aqds.c > b/board/freescale/ls1021aqds/ls1021aqds.c > index ca1ea61..6e82232 100644 > --- a/board/freescale/ls1021aqds/ls1021aqds.c > +++ b/board/freescale/ls1021aqds/ls1021aqds.c > @@ -22,6 +22,7 @@ > #include <fsl_sec.h> > #include <spl.h> > #include <fsl_devdis.h> > +#include <fsl_validate.h> > > #include "../common/sleep.h" > #include "../common/qixis.h" > @@ -369,6 +370,9 @@ int board_late_init(void) #ifdef > CONFIG_SCSI_AHCI_PLAT > ls1021a_sata_init(); > #endif > +#ifdef CONFIG_CHAIN_OF_TRUST > + fsl_setenv_chain_of_trust(); > +#endif > > return 0; > } > diff --git a/board/freescale/ls1021atwr/ls1021atwr.c > b/board/freescale/ls1021atwr/ls1021atwr.c > index ae62bca..054cc3d 100644 
> --- a/board/freescale/ls1021atwr/ls1021atwr.c > +++ b/board/freescale/ls1021atwr/ls1021atwr.c > @@ -30,6 +30,7 @@ > #ifdef CONFIG_U_QE > #include "../../../drivers/qe/qe.h" > #endif > +#include <fsl_validate.h> > > > DECLARE_GLOBAL_DATA_PTR; > @@ -553,6 +554,9 @@ int board_late_init(void) #ifdef > CONFIG_SCSI_AHCI_PLAT > ls1021a_sata_init(); > #endif > +#ifdef CONFIG_CHAIN_OF_TRUST > + fsl_setenv_chain_of_trust(); > +#endif > > return 0; > } > diff --git a/include/fsl_validate.h b/include/fsl_validate.h index > ad14867..83efcf4 100644 > --- a/include/fsl_validate.h > +++ b/include/fsl_validate.h > @@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int > flag, int argc, int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int > argc, > char * const argv[]); > > +int fsl_check_boot_mode_secure(void); > +int fsl_setenv_chain_of_trust(void); > #endif > -- > 1.8.1.4 Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
On 01/22/2016 03:10 AM, Aneesh Bansal wrote: > Chain of Trust is enabled for ARM platforms (LS1021 and LS1043). > In board_late_init(), fsl_setenv_chain_of_trust() is called which > will perform the following: > - If boot mode is non-secure, return (No Change) > - If boot mode is secure, set the following environmet variables: > bootdelay = 0 (To disable Boot Prompt) > bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) > > Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> > --- > Changes in v3: > Protect the inclusion of file fsl_validate.h with macro CONFIG_CHAIN_OF_TRUST > > Changes in v2: > Defconfigs for Secure Boot Target are not removed. > > arch/arm/cpu/armv8/fsl-layerscape/soc.c | 6 ++++++ > board/freescale/common/Makefile | 1 + > board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++ > board/freescale/ls1021aqds/ls1021aqds.c | 4 ++++ > board/freescale/ls1021atwr/ls1021atwr.c | 4 ++++ > include/fsl_validate.h | 2 ++ > 6 files changed, 34 insertions(+) Prefix subject with "secure_boot:". Applied to u-boot-fsl-qoriq master. Awaiting upstream. Thanks. York
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
index 23d6b73..d97a445 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,9 @@
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 DECLARE_GLOBAL_DATA_PTR;
@@ -241,6 +244,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
 return 0;
 }
diff --git a/board/freescale/common/Makefile b/board/freescale/common/Makefile
index 51d2814..be114ce 100644
--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -76,5 +76,6 @@ obj-$(CONFIG_LAYERSCAPE_NS_ACCESS) += ns_access.o
 ifdef CONFIG_SECURE_BOOT
 obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
 endif
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
 endif
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index ff67bd7..ecfcc82 100644
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void)
 #endif
 return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+ /* Check Boot Mode
+ * If Boot Mode is Non-Secure, no changes are required
+ */
+ if (fsl_check_boot_mode_secure() == 0)
+ return 0;
+
+ /* If Boot mode is Secure, set the environment variables
+ * bootdelay = 0 (To disable Boot Prompt)
+ * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+ */
+ setenv("bootdelay", "0");
+ setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+ return 0;
+}
diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index ca1ea61..6e82232 100644
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
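Review bot: Both `setenv()` calls in fsl_setenv_chain_of_trust() go unchecked and the function returns 0 on every path, so in secure boot mode a failed write would leave the previous `bootcmd` and `bootdelay` in effect with no signal. The function should fail closed by returning non-zero when either call fails. The board_late_init() call sites added in soc.c, ls1021aqds.c and ls1021atwr.c discard the result, so they would also need to act on it, for example `if (fsl_setenv_chain_of_trust()) hang();`. Separately, whether `bootdelay = 0` really closes the boot prompt depends on the autoboot configuration, which is not visible in this patch; with CONFIG_ZERO_BOOTDELAY_CHECK a key press is still honoured at zero delay, so the secure-boot configs are worth checking for it.

```c
int fsl_setenv_chain_of_trust(void)
{
	/* … unchanged: return 0 when the boot mode is non-secure … */

	/* Fail closed: never continue a secure boot with a stale bootcmd */
	if (setenv("bootdelay", "0") != 0 ||
	    setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD) != 0) {
		printf("chain of trust: cannot set boot environment\n");
		return -1;
	}
	return 0;
}
```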
@@ -22,6 +22,7 @@
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
 #include "../common/sleep.h"
 #include "../common/qixis.h"
@@ -369,6 +370,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
 return 0;
 }
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index ae62bca..054cc3d 100644
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
 DECLARE_GLOBAL_DATA_PTR;
@@ -553,6 +554,9 @@ int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+ fsl_setenv_chain_of_trust();
+#endif
 return 0;
 }
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index ad14867..83efcf4 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int flag, int argc,
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
 char * const argv[]);
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif
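Review bot: `#include <fsl_validate.h>` is added unconditionally in the first ls1021aqds.c hunk and again in the first ls1021atwr.c hunk, while soc.c wraps the same include in `#ifdef CONFIG_CHAIN_OF_TRUST` and the v3 changelog says the inclusion is meant to be protected by that macro. The call sites in both board files are already guarded, so the include should use the same guard: `#ifdef CONFIG_CHAIN_OF_TRUST`, `#include <fsl_validate.h>`, `#endif`. This keeps builds without chain of trust from depending on whatever that header pulls in, which is presumably why soc.c was changed in v3.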
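Review bot: The two prototypes added to include/fsl_validate.h carry no comment, although the secure path relies on the return convention of fsl_check_boot_mode_secure(). Judging from the `== 0` test and its comment in fsl_chain_of_trust.c, a one-line comment such as `/* Returns 0 if the boot mode is non-secure, non-zero if secure */` above the first declaration would state it. A second one, `/* In secure boot mode, force bootdelay and bootcmd to the chain-of-trust values */`, would cover fsl_setenv_chain_of_trust().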
Chain of Trust is enabled for ARM platforms (LS1021 and LS1043). In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform the following: - If boot mode is non-secure, return (No Change) - If boot mode is secure, set the following environment variables: bootdelay = 0 (To disable Boot Prompt) bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> --- Changes in v3: Protect the inclusion of file fsl_validate.h with macro CONFIG_CHAIN_OF_TRUST Changes in v2: Defconfigs for Secure Boot Target are not removed. arch/arm/cpu/armv8/fsl-layerscape/soc.c | 6 ++++++ board/freescale/common/Makefile | 1 + board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++ board/freescale/ls1021aqds/ls1021aqds.c | 4 ++++ board/freescale/ls1021atwr/ls1021atwr.c | 4 ++++ include/fsl_validate.h | 2 ++ 6 files changed, 34 insertions(+)