
[U-Boot,v3,5/7] enable chain of trust for ARM platforms

Message ID 1453460848-21808-6-git-send-email-aneesh.bansal@nxp.com
State Accepted
Commit d041288586b05164c84794a5956ddc5fb8939115
Delegated to: York Sun

Commit Message

Aneesh Bansal Jan. 22, 2016, 11:07 a.m. UTC
Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
In board_late_init(), fsl_setenv_chain_of_trust() is called which
will perform the following:
- If boot mode is non-secure, return (No Change)
- If boot mode is secure, set the following environment variables:
   bootdelay = 0 (To disable Boot Prompt)
   bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
---
Changes in v3:
Protect the inclusion of file fsl_validate.h with macro CONFIG_CHAIN_OF_TRUST

Changes in v2:
Defconfigs for Secure Boot Target are not removed.

 arch/arm/cpu/armv8/fsl-layerscape/soc.c     |  6 ++++++
 board/freescale/common/Makefile             |  1 +
 board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++
 board/freescale/ls1021aqds/ls1021aqds.c     |  4 ++++
 board/freescale/ls1021atwr/ls1021atwr.c     |  4 ++++
 include/fsl_validate.h                      |  2 ++
 6 files changed, 34 insertions(+)

Comments

Ruchika Gupta Jan. 27, 2016, 12:02 p.m. UTC | #1
> -----Original Message-----
> From: Aneesh Bansal [mailto:aneesh.bansal@nxp.com]
> Sent: Friday, January 22, 2016 4:37 PM
> To: u-boot@lists.denx.de
> Cc: york sun <york.sun@nxp.com>; Ruchika Gupta
> <ruchika.gupta@nxp.com>; Prabhakar Kushwaha
> <prabhakar.kushwaha@nxp.com>; Aneesh Bansal
> <aneesh.bansal@nxp.com>
> Subject: [PATCH v3 5/7] enable chain of trust for ARM platforms
> 
> Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
> In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform
> the following:
> - If boot mode is non-secure, return (No Change)
> - If boot mode is secure, set the following environmet variables:
>    bootdelay = 0 (To disable Boot Prompt)
>    bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
> 
> Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
> ---
> Changes in v3:
> Protect the inclusion of file fsl_validate.h with macro
> CONFIG_CHAIN_OF_TRUST
> 
> Changes in v2:
> Defconfigs for Secure Boot Target are not removed.
> 
>  arch/arm/cpu/armv8/fsl-layerscape/soc.c     |  6 ++++++
>  board/freescale/common/Makefile             |  1 +
>  board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++
>  board/freescale/ls1021aqds/ls1021aqds.c     |  4 ++++
>  board/freescale/ls1021atwr/ls1021atwr.c     |  4 ++++
>  include/fsl_validate.h                      |  2 ++
>  6 files changed, 34 insertions(+)
> 
> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
> b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
> index 23d6b73..d97a445 100644
> --- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
> +++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
> @@ -12,6 +12,9 @@
>  #include <asm/io.h>
>  #include <asm/global_data.h>
>  #include <asm/arch-fsl-layerscape/config.h>
> +#ifdef CONFIG_CHAIN_OF_TRUST
> +#include <fsl_validate.h>
> +#endif
> 
>  DECLARE_GLOBAL_DATA_PTR;
> 
> @@ -241,6 +244,9 @@ int board_late_init(void)  #ifdef
> CONFIG_SCSI_AHCI_PLAT
>  	sata_init();
>  #endif
> +#ifdef CONFIG_CHAIN_OF_TRUST
> +	fsl_setenv_chain_of_trust();
> +#endif
> 
>  	return 0;
>  }
> diff --git a/board/freescale/common/Makefile
> b/board/freescale/common/Makefile index 51d2814..be114ce 100644
> --- a/board/freescale/common/Makefile
> +++ b/board/freescale/common/Makefile
> @@ -76,5 +76,6 @@ obj-$(CONFIG_LAYERSCAPE_NS_ACCESS)	+=
> ns_access.o
>  ifdef CONFIG_SECURE_BOOT
>  obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
> endif
> +obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
> 
>  endif
> diff --git a/board/freescale/common/fsl_chain_of_trust.c
> b/board/freescale/common/fsl_chain_of_trust.c
> index ff67bd7..ecfcc82 100644
> --- a/board/freescale/common/fsl_chain_of_trust.c
> +++ b/board/freescale/common/fsl_chain_of_trust.c
> @@ -51,3 +51,20 @@ int fsl_check_boot_mode_secure(void)  #endif
>  	return 0;
>  }
> +
> +int fsl_setenv_chain_of_trust(void)
> +{
> +	/* Check Boot Mode
> +	 * If Boot Mode is Non-Secure, no changes are required
> +	 */
> +	if (fsl_check_boot_mode_secure() == 0)
> +		return 0;
> +
> +	/* If Boot mode is Secure, set the environment variables
> +	 * bootdelay = 0 (To disable Boot Prompt)
> +	 * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute
> Boot script)
> +	 */
> +	setenv("bootdelay", "0");
> +	setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
> +	return 0;
> +}
> diff --git a/board/freescale/ls1021aqds/ls1021aqds.c
> b/board/freescale/ls1021aqds/ls1021aqds.c
> index ca1ea61..6e82232 100644
> --- a/board/freescale/ls1021aqds/ls1021aqds.c
> +++ b/board/freescale/ls1021aqds/ls1021aqds.c
> @@ -22,6 +22,7 @@
>  #include <fsl_sec.h>
>  #include <spl.h>
>  #include <fsl_devdis.h>
> +#include <fsl_validate.h>
> 
>  #include "../common/sleep.h"
>  #include "../common/qixis.h"
> @@ -369,6 +370,9 @@ int board_late_init(void)  #ifdef
> CONFIG_SCSI_AHCI_PLAT
>  	ls1021a_sata_init();
>  #endif
> +#ifdef CONFIG_CHAIN_OF_TRUST
> +	fsl_setenv_chain_of_trust();
> +#endif
> 
>  	return 0;
>  }
> diff --git a/board/freescale/ls1021atwr/ls1021atwr.c
> b/board/freescale/ls1021atwr/ls1021atwr.c
> index ae62bca..054cc3d 100644
> --- a/board/freescale/ls1021atwr/ls1021atwr.c
> +++ b/board/freescale/ls1021atwr/ls1021atwr.c
> @@ -30,6 +30,7 @@
>  #ifdef CONFIG_U_QE
>  #include "../../../drivers/qe/qe.h"
>  #endif
> +#include <fsl_validate.h>
> 
> 
>  DECLARE_GLOBAL_DATA_PTR;
> @@ -553,6 +554,9 @@ int board_late_init(void)  #ifdef
> CONFIG_SCSI_AHCI_PLAT
>  	ls1021a_sata_init();
>  #endif
> +#ifdef CONFIG_CHAIN_OF_TRUST
> +	fsl_setenv_chain_of_trust();
> +#endif
> 
>  	return 0;
>  }
> diff --git a/include/fsl_validate.h b/include/fsl_validate.h index
> ad14867..83efcf4 100644
> --- a/include/fsl_validate.h
> +++ b/include/fsl_validate.h
> @@ -205,4 +205,6 @@ int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int
> flag, int argc,  int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int
> argc,
>  	char * const argv[]);
> 
> +int fsl_check_boot_mode_secure(void);
> +int fsl_setenv_chain_of_trust(void);
>  #endif
> --
> 1.8.1.4
Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
York Sun Jan. 27, 2016, 5:02 p.m. UTC | #2
On 01/22/2016 03:10 AM, Aneesh Bansal wrote:
> Chain of Trust is enabled for ARM platforms (LS1021 and LS1043).
> In board_late_init(), fsl_setenv_chain_of_trust() is called which
> will perform the following:
> - If boot mode is non-secure, return (No Change)
> - If boot mode is secure, set the following environmet variables:
>    bootdelay = 0 (To disable Boot Prompt)
>    bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
> 
> Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
> ---
> Changes in v3:
> Protect the inclusion of file fsl_validate.h with macro CONFIG_CHAIN_OF_TRUST
> 
> Changes in v2:
> Defconfigs for Secure Boot Target are not removed.
> 
>  arch/arm/cpu/armv8/fsl-layerscape/soc.c     |  6 ++++++
>  board/freescale/common/Makefile             |  1 +
>  board/freescale/common/fsl_chain_of_trust.c | 17 +++++++++++++++++
>  board/freescale/ls1021aqds/ls1021aqds.c     |  4 ++++
>  board/freescale/ls1021atwr/ls1021atwr.c     |  4 ++++
>  include/fsl_validate.h                      |  2 ++
>  6 files changed, 34 insertions(+)

Prefix subject with "secure_boot:".
Applied to u-boot-fsl-qoriq master. Awaiting upstream.

Thanks.

York

Patch

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/soc.c b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
index 23d6b73..d97a445 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/soc.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/soc.c
@@ -12,6 +12,9 @@ 
 #include <asm/io.h>
 #include <asm/global_data.h>
 #include <asm/arch-fsl-layerscape/config.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -241,6 +244,9 @@  int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/board/freescale/common/Makefile b/board/freescale/common/Makefile
index 51d2814..be114ce 100644
--- a/board/freescale/common/Makefile
+++ b/board/freescale/common/Makefile
@@ -76,5 +76,6 @@  obj-$(CONFIG_LAYERSCAPE_NS_ACCESS)	+= ns_access.o
 ifdef CONFIG_SECURE_BOOT
 obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
 endif
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
 
 endif
diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c
index ff67bd7..ecfcc82 100644
--- a/board/freescale/common/fsl_chain_of_trust.c
+++ b/board/freescale/common/fsl_chain_of_trust.c
@@ -51,3 +51,20 @@  int fsl_check_boot_mode_secure(void)
 #endif
 	return 0;
 }
+
+int fsl_setenv_chain_of_trust(void)
+{
+	/* Check Boot Mode
+	 * If Boot Mode is Non-Secure, no changes are required
+	 */
+	if (fsl_check_boot_mode_secure() == 0)
+		return 0;
+
+	/* If Boot mode is Secure, set the environment variables
+	 * bootdelay = 0 (To disable Boot Prompt)
+	 * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+	 */
+	setenv("bootdelay", "0");
+	setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+	return 0;
+}
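Review bot: Both `setenv()` results in fsl_setenv_chain_of_trust() are discarded and the function returns 0 on every path, so a failed write is indistinguishable from success. In secure boot mode that is a fail-open: if either call fails, whatever `bootcmd` and `bootdelay` the environment already held presumably stay in effect and the validation command is never installed. Propagate the error, e.g. `if (setenv("bootdelay", "0") || setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD)) return -1;`. The three board_late_init() call sites in soc.c, ls1021aqds.c and ls1021atwr.c would also need to check the result and stop the boot rather than continue. Separately, it is worth confirming that `bootdelay = 0` really suppresses the abort-key check on these configurations, since U-Boot builds with CONFIG_ZERO_BOOTDELAY_CHECK still poll for a key at zero delay.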
diff --git a/board/freescale/ls1021aqds/ls1021aqds.c b/board/freescale/ls1021aqds/ls1021aqds.c
index ca1ea61..6e82232 100644
--- a/board/freescale/ls1021aqds/ls1021aqds.c
+++ b/board/freescale/ls1021aqds/ls1021aqds.c
@@ -22,6 +22,7 @@ 
 #include <fsl_sec.h>
 #include <spl.h>
 #include <fsl_devdis.h>
+#include <fsl_validate.h>
 
 #include "../common/sleep.h"
 #include "../common/qixis.h"
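Review bot: The `#include <fsl_validate.h>` added here is unconditional, while the soc.c hunk wraps the same include in `#ifdef CONFIG_CHAIN_OF_TRUST`, which is what the v3 change notes describe. The ls1021atwr.c hunk adds the same unguarded include. Either guard all three identically, or drop the guard in soc.c if the header is safe to include on every configuration. A uniform pattern makes it easier to audit which builds actually pull in the secure-boot declarations.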
@@ -369,6 +370,9 @@  int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/board/freescale/ls1021atwr/ls1021atwr.c b/board/freescale/ls1021atwr/ls1021atwr.c
index ae62bca..054cc3d 100644
--- a/board/freescale/ls1021atwr/ls1021atwr.c
+++ b/board/freescale/ls1021atwr/ls1021atwr.c
@@ -30,6 +30,7 @@ 
 #ifdef CONFIG_U_QE
 #include "../../../drivers/qe/qe.h"
 #endif
+#include <fsl_validate.h>
 
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -553,6 +554,9 @@  int board_late_init(void)
 #ifdef CONFIG_SCSI_AHCI_PLAT
 	ls1021a_sata_init();
 #endif
+#ifdef CONFIG_CHAIN_OF_TRUST
+	fsl_setenv_chain_of_trust();
+#endif
 
 	return 0;
 }
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index ad14867..83efcf4 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -205,4 +205,6 @@  int fsl_secboot_blob_encap(cmd_tbl_t *cmdtp, int flag, int argc,
 int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc,
 	char * const argv[]);
 
+int fsl_check_boot_mode_secure(void);
+int fsl_setenv_chain_of_trust(void);
 #endif
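Review bot: The two new prototypes in fsl_validate.h carry no comment on their return contract, which matters because callers make a security decision on it. From the caller in fsl_chain_of_trust.c, `fsl_check_boot_mode_secure()` returns 0 for non-secure boot and non-zero otherwise, and `fsl_setenv_chain_of_trust()` currently always returns 0. A short comment above each declaration stating this would keep a future caller from inverting the test, e.g. `/* Returns non-zero if the SoC booted in secure mode, 0 otherwise. */`. The declaration of fsl_secboot_blob_decap() at the top of this hunk starts outside it.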