Message ID | 1453460848-21808-4-git-send-email-aneesh.bansal@nxp.com |
---|---|
State | Accepted |
Delegated to: | York Sun |
> -----Original Message----- 
> From: Aneesh Bansal [mailto:aneesh.bansal@nxp.com] > Sent: Friday, January 22, 2016 4:37 PM > To: u-boot@lists.denx.de > Cc: york sun <york.sun@nxp.com>; Ruchika Gupta > <ruchika.gupta@nxp.com>; Prabhakar Kushwaha > <prabhakar.kushwaha@nxp.com>; Aneesh Bansal > <aneesh.bansal@nxp.com> > Subject: [PATCH v3 3/7] SECURE_BOOT: split the secure boot functionality in > two parts > > There are two phases in Secure Boot > 1. ISBC: In BootROM, validate the BootLoader (U-Boot). > 2. ESBC: In U-Boot, continuing the Chain of Trust by > validating and booting LINUX. > > For ESBC phase, there is no difference in SoC's based on ARM or PowerPC > cores. > > But the exit conditions after ISBC phase i.e. entry conditions for U-Boot are > different for ARM and PowerPC. > PowerPC: > ======== > If Secure Boot is executed, a separate U-Boot target is required which must > be compiled with a diffrent Text Base as compared to Non-Secure Boot. > There are some LAW and TLB settings which are required specifically for > Secure Boot scenario. > > ARM: > ==== > ARM based SoC's have a fixed memory map and exit conditions from > BootROM are same irrespective of boot mode (Secure or Non-Secure). > > Thus the current Secure Boot functionlity has been split into two parts: > > CONFIG_CHAIN_OF_TRUST > ======================== > This will have the following functionality as part of U-Boot: > 1. Enable commands like esbc_validate, esbc_halt 2. Change the > environment settings based on bootmode (determined at run time): > - If bootmode is non-secure, no change > - If bootmode is secure, set the following: > - bootdelay = 0 (Don't give boot prompt) > - bootcmd = Validate and execute the bootscript. > > CONFIG_SECURE_BOOT > ===================== > This is defined only for creating a different compile time target for secure > boot. 
> > Traditionally, both these functionalities were defined under > CONFIG_SECURE_BOOT This patch is aimed at removing the requirement for > a separate Secure Boot target for ARM based SoC's. > CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be determine > at run time. > > Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot > environemnt must not be picked from flash/external memory. This cannot > be done based on bootmode at run time in current U-Boot architecture. > Once this dependency is resolved, no separate SECURE_BOOT target will be > required for ARM based SoC's. > > Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is > defining CONFIG_ENV_IS_NOWHERE > > Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> > --- > Changes in v3: > None > > Changes in v2: > CONFIG_ENV_IS_NOWHERE is defined for Secure Boot > > arch/arm/include/asm/fsl_secure_boot.h | 16 ++-- > arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++----- > include/config_fsl_chain_trust.h | 101 +++++++++++++++++++++++++ > include/config_fsl_secboot.h | 116 ----------------------------- > 4 files changed, 135 insertions(+), 139 deletions(-) create mode 100644 > include/config_fsl_chain_trust.h delete mode 100644 > include/config_fsl_secboot.h > > diff --git a/arch/arm/include/asm/fsl_secure_boot.h > b/arch/arm/include/asm/fsl_secure_boot.h > index 8491a72..0da0599 100644 > --- a/arch/arm/include/asm/fsl_secure_boot.h > +++ b/arch/arm/include/asm/fsl_secure_boot.h > @@ -8,6 +8,14 @@ > #define __FSL_SECURE_BOOT_H > > #ifdef CONFIG_SECURE_BOOT > + > +#ifndef CONFIG_FIT_SIGNATURE > +#define CONFIG_CHAIN_OF_TRUST > +#endif > + > +#endif > + > +#ifdef CONFIG_CHAIN_OF_TRUST > #define CONFIG_CMD_ESBC_VALIDATE > #define CONFIG_CMD_BLOB > #define CONFIG_FSL_SEC_MON > @@ -40,8 +48,6 @@ > #define CONFIG_ESBC_ADDR_64BIT > #endif > > -#ifndef CONFIG_FIT_SIGNATURE > - > #define CONFIG_EXTRA_ENV \ > "setenv fdt_high 0xcfffffff;" \ > "setenv initrd_high 0xcfffffff;" \ 
> @@ -50,8 +56,6 @@ > /* The address needs to be modified according to NOR memory map */ > #define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000 > > -#include <config_fsl_secboot.h> > -#endif > -#endif > - > +#include <config_fsl_chain_trust.h> > +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ > #endif > diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h > b/arch/powerpc/include/asm/fsl_secure_boot.h > index 7d217a6..41058d1 100644 > --- a/arch/powerpc/include/asm/fsl_secure_boot.h > +++ b/arch/powerpc/include/asm/fsl_secure_boot.h > @@ -9,19 +9,11 @@ > #include <asm/config_mpc85xx.h> > > #ifdef CONFIG_SECURE_BOOT > -#define CONFIG_CMD_ESBC_VALIDATE > -#define CONFIG_CMD_BLOB > -#define CONFIG_FSL_SEC_MON > -#define CONFIG_SHA_PROG_HW_ACCEL > -#define CONFIG_DM > -#define CONFIG_RSA > -#define CONFIG_RSA_FREESCALE_EXP > -#ifndef CONFIG_FSL_CAAM > -#define CONFIG_FSL_CAAM > -#endif > + > +#ifndef CONFIG_FIT_SIGNATURE > +#define CONFIG_CHAIN_OF_TRUST > #endif > > -#ifdef CONFIG_SECURE_BOOT > #if defined(CONFIG_FSL_CORENET) > #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 > #elif defined(CONFIG_BSC9132QDS) > @@ -76,8 +68,25 @@ > */ > #define CONFIG_FSL_ISBC_KEY_EXT > #endif > +#endif /* #ifdef CONFIG_SECURE_BOOT */ > + > +#ifdef CONFIG_CHAIN_OF_TRUST > + > +#define CONFIG_CMD_ESBC_VALIDATE > +#define CONFIG_CMD_BLOB > +#define CONFIG_FSL_SEC_MON > +#define CONFIG_SHA_PROG_HW_ACCEL > +#define CONFIG_RSA > +#define CONFIG_RSA_FREESCALE_EXP > + > +#ifndef CONFIG_DM > +#define CONFIG_DM > +#endif > + > +#ifndef CONFIG_FSL_CAAM > +#define CONFIG_FSL_CAAM > +#endif > > -#ifndef CONFIG_FIT_SIGNATURE > /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef > CONFIG_BOOTSCRIPT_COPY_RAM > #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 
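Review bot: The new `#include <config_fsl_chain_trust.h>` sits inside `#ifdef CONFIG_CHAIN_OF_TRUST`, so the `#ifdef CONFIG_SECURE_BOOT` block in that header (the one that undefines the EEPROM/NAND/MMC/SPI/flash environment backends and sets CONFIG_ENV_IS_NOWHERE) is never reached when CONFIG_SECURE_BOOT is built together with CONFIG_FIT_SIGNATURE, because the first hunk of this file only defines CONFIG_CHAIN_OF_TRUST under `#ifndef CONFIG_FIT_SIGNATURE`. A secure-boot build taking the FIT-signature path would then still load its environment from unverified external storage, which is exactly what the header's own comment says secure boot must avoid. This mirrors the pre-patch nesting, so it may be deliberate, but if the env restriction is meant for every secure-boot build the include should move out of the guard: `#endif /* CONFIG_CHAIN_OF_TRUST */` then `#include <config_fsl_chain_trust.h>` before the header-guard `#endif` (the header already guards its own sections).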
> @@ -105,10 +114,8 @@ > #define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 > #endif > > -#endif > - > -#include <config_fsl_secboot.h> > -#endif > +#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ > > -#endif > +#include <config_fsl_chain_trust.h> > +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ > #endif > diff --git a/include/config_fsl_chain_trust.h > b/include/config_fsl_chain_trust.h > new file mode 100644 > index 0000000..45dda56 > --- /dev/null > +++ b/include/config_fsl_chain_trust.h 
> @@ -0,0 +1,101 @@ > +/* > + * Copyright 2015 Freescale Semiconductor, Inc. > + * > + * SPDX-License-Identifier: GPL-2.0+ > + */ > + > +#ifndef __CONFIG_FSL_CHAIN_TRUST_H > +#define __CONFIG_FSL_CHAIN_TRUST_H > + > +/* For secure boot, since ENVIRONMENT in flash/external memories is > + * not verified, undef CONFIG_ENV_xxx and set default env > + * (CONFIG_ENV_IS_NOWHERE) > + */ > +#ifdef CONFIG_SECURE_BOOT > + > +#undef CONFIG_ENV_IS_IN_EEPROM > +#undef CONFIG_ENV_IS_IN_NAND > +#undef CONFIG_ENV_IS_IN_MMC > +#undef CONFIG_ENV_IS_IN_SPI_FLASH > +#undef CONFIG_ENV_IS_IN_FLASH > + > +#define CONFIG_ENV_IS_NOWHERE > + > +#endif > + > +#ifdef CONFIG_CHAIN_OF_TRUST > + > +#ifndef CONFIG_EXTRA_ENV > +#define CONFIG_EXTRA_ENV "" > +#endif > + > +/* > + * Control should not reach back to uboot after validation of images > + * for secure boot flow and therefore bootscript should have > + * the bootm command. If control reaches back to uboot anyhow > + * after validating images, core should just spin. 
> + */ > + > +/* > + * Define the key hash for boot script here if public/private key pair > +used to > + * sign bootscript are different from the SRK hash put in the fuse > + * Example of defining KEY_HASH is > + * #define CONFIG_BOOTSCRIPT_KEY_HASH \ > + * > "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" > + */ > + > +#ifdef CONFIG_BOOTSCRIPT_KEY_HASH > +#define CONFIG_SECBOOT \ > + "setenv bs_hdraddr " > __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ > + "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ > + "ramdisk_size=600000\';" \ > + CONFIG_EXTRA_ENV \ > + "esbc_validate $bs_hdraddr " \ > + __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \ > + "source $img_addr;" \ > + "esbc_halt\0" > +#else > +#define CONFIG_SECBOOT \ > + "setenv bs_hdraddr " > __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ > + "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ > + "ramdisk_size=600000\';" \ > + CONFIG_EXTRA_ENV \ > + "esbc_validate $bs_hdraddr;" \ > + "source $img_addr;" \ > + "esbc_halt\0" > +#endif > + > +/* For secure boot flow, default environment used will be used */ #if > +defined(CONFIG_SYS_RAMBOOT) #ifdef CONFIG_BOOTSCRIPT_COPY_RAM > #define > +CONFIG_BS_COPY_ENV \ > + "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ > + "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" > \ > + "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ > + "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \ > + "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \ > + "setenv bs_size " __stringify(CONFIG_BS_SIZE)";" > + > +#if defined(CONFIG_RAMBOOT_NAND) > +#define CONFIG_BS_COPY_CMD \ > + "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \ > + "nand read $bs_ram $bs_flash $bs_size ;" > +#endif /* CONFIG_RAMBOOT_NAND */ > +#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */ > + > +#endif > + > +#ifndef CONFIG_BS_COPY_ENV > +#define CONFIG_BS_COPY_ENV > +#endif > + > +#ifndef CONFIG_BS_COPY_CMD > +#define CONFIG_BS_COPY_CMD > 
+#endif > + > +#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \ > + CONFIG_BS_COPY_CMD \ > + CONFIG_SECBOOT > + > +#endif > +#endif > diff --git a/include/config_fsl_secboot.h b/include/config_fsl_secboot.h > deleted file mode 100644 index fc6788a..0000000 > --- a/include/config_fsl_secboot.h > +++ /dev/null 
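Review bot: Both CONFIG_SECBOOT variants chain `esbc_validate`, `source` and `esbc_halt` with `;`, and the U-Boot shell runs the next command regardless of the previous command's return code, so `source $img_addr` would still execute if `esbc_validate` returns with a failure. That is only safe if esbc_validate is guaranteed never to return after a failed validation in secure mode, which nothing in this header shows; an `&&` makes the dependency explicit at no cost: `"esbc_validate $bs_hdraddr && " \` followed by `"source $img_addr;" \`, and in the key-hash variant the `&&` goes after `__stringify(CONFIG_BOOTSCRIPT_KEY_HASH)`. While here, the comment `/* For secure boot flow, default environment used will be used */` reads better as `/* Secure boot uses the built-in default environment only */`.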
> @@ -1,116 +0,0 @@ > -/* > - * Copyright 2015 Freescale Semiconductor, Inc. > - * > - * SPDX-License-Identifier: GPL-2.0+ > - */ > - > -#ifndef __CONFIG_FSL_SECBOOT_H > -#define __CONFIG_FSL_SECBOOT_H > - > -#ifdef CONFIG_SECURE_BOOT > - > -#ifndef CONFIG_CMD_ESBC_VALIDATE > -#define CONFIG_CMD_ESBC_VALIDATE > -#endif > - > -#ifndef CONFIG_EXTRA_ENV > -#define CONFIG_EXTRA_ENV "" > -#endif > - > -/* > - * Control should not reach back to uboot after validation of images > - * for secure boot flow and therefore bootscript should have > - * the bootm command. If control reaches back to uboot anyhow > - * after validating images, core should just spin. > - */ > - > -/* > - * Define the key hash for boot script here if public/private key pair used to > - * sign bootscript are different from the SRK hash put in the fuse > - * Example of defining KEY_HASH is > - * #define CONFIG_BOOTSCRIPT_KEY_HASH \ > - * > "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" > - */ > - > -#ifdef CONFIG_BOOTSCRIPT_KEY_HASH > -#define CONFIG_SECBOOT \ > - "setenv bs_hdraddr " > __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ > - "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ > - "ramdisk_size=600000\';" \ > - CONFIG_EXTRA_ENV \ > - "esbc_validate $bs_hdraddr " \ > - __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \ > - "source $img_addr;" \ > - "esbc_halt\0" > -#else > -#define CONFIG_SECBOOT \ > - "setenv bs_hdraddr " > __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ > - "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ > - "ramdisk_size=600000\';" \ > - CONFIG_EXTRA_ENV \ > - "esbc_validate $bs_hdraddr;" \ > - "source $img_addr;" \ > - "esbc_halt\0" > -#endif > - > -/* For secure boot flow, default environment used will be used */ -#if > defined(CONFIG_SYS_RAMBOOT) -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM - > #define CONFIG_BS_COPY_ENV \ > - "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ > - "setenv bs_hdr_flash " 
__stringify(CONFIG_BS_HDR_ADDR_FLASH)";" > \ > - "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ > - "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \ > - "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \ > - "setenv bs_size " __stringify(CONFIG_BS_SIZE)";" > - > -#if defined(CONFIG_RAMBOOT_NAND) > -#define CONFIG_BS_COPY_CMD \ > - "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \ > - "nand read $bs_ram $bs_flash $bs_size ;" > -#endif /* CONFIG_RAMBOOT_NAND */ > -#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */ > - > -#if defined(CONFIG_RAMBOOT_SPIFLASH) > -#undef CONFIG_ENV_IS_IN_SPI_FLASH > -#elif defined(CONFIG_RAMBOOT_NAND) > -#undef CONFIG_ENV_IS_IN_NAND > -#elif defined(CONFIG_RAMBOOT_SDCARD) > -#undef CONFIG_ENV_IS_IN_MMC > -#endif > -#else /*CONFIG_SYS_RAMBOOT*/ > -#undef CONFIG_ENV_IS_IN_FLASH > -#endif > - > -#define CONFIG_ENV_IS_NOWHERE > - > -#ifndef CONFIG_BS_COPY_ENV > -#define CONFIG_BS_COPY_ENV > -#endif > - > -#ifndef CONFIG_BS_COPY_CMD > -#define CONFIG_BS_COPY_CMD > -#endif > - > -#define CONFIG_SECBOOT_CMD CONFIG_BS_COPY_ENV \ > - CONFIG_BS_COPY_CMD \ > - CONFIG_SECBOOT > -/* > - * We don't want boot delay for secure boot flow > - * before autoboot starts > - */ > -#undef CONFIG_BOOTDELAY > -#define CONFIG_BOOTDELAY 0 > -#undef CONFIG_BOOTCOMMAND > -#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT_CMD > - > -/* > - * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for > - * secure boot flow as defining this would enable a user to > - * reach uboot prompt by pressing some key before start of > - * autoboot > - */ > -#undef CONFIG_ZERO_BOOTDELAY_CHECK > - > -#endif > -#endif > -- > 1.8.1.4 Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com>
On 01/22/2016 03:10 AM, Aneesh Bansal wrote: > There are two phases in Secure Boot > 1. ISBC: In BootROM, validate the BootLoader (U-Boot). > 2. ESBC: In U-Boot, continuing the Chain of Trust by > validating and booting LINUX. > > For ESBC phase, there is no difference in SoC's based on ARM or PowerPC > cores. > > But the exit conditions after ISBC phase i.e. entry conditions for > U-Boot are different for ARM and PowerPC. > PowerPC: > ======== > If Secure Boot is executed, a separate U-Boot target is required which > must be compiled with a diffrent Text Base as compared to Non-Secure Boot. > There are some LAW and TLB settings which are required specifically for > Secure Boot scenario. > > ARM: > ==== > ARM based SoC's have a fixed memory map and exit conditions from BootROM > are same irrespective of boot mode (Secure or Non-Secure). > > Thus the current Secure Boot functionlity has been split into two parts: > > CONFIG_CHAIN_OF_TRUST > ======================== > This will have the following functionality as part of U-Boot: > 1. Enable commands like esbc_validate, esbc_halt > 2. Change the environment settings based on bootmode (determined at run time): > - If bootmode is non-secure, no change > - If bootmode is secure, set the following: > - bootdelay = 0 (Don't give boot prompt) > - bootcmd = Validate and execute the bootscript. > > CONFIG_SECURE_BOOT > ===================== > This is defined only for creating a different compile time target for secure boot. > > Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT > This patch is aimed at removing the requirement for a separate Secure Boot target > for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be > determine at run time. > > Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt > must not be picked from flash/external memory. This cannot be done based on bootmode > at run time in current U-Boot architecture. 
Once this dependency is resolved, no separate > SECURE_BOOT target will be required for ARM based SoC's. > > Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining > CONFIG_ENV_IS_NOWHERE > > Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> > --- > Changes in v3: > None > > Changes in v2: > CONFIG_ENV_IS_NOWHERE is defined for Secure Boot > > arch/arm/include/asm/fsl_secure_boot.h | 16 ++-- > arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++----- > include/config_fsl_chain_trust.h | 101 +++++++++++++++++++++++++ > include/config_fsl_secboot.h | 116 ----------------------------- > 4 files changed, 135 insertions(+), 139 deletions(-) > create mode 100644 include/config_fsl_chain_trust.h > delete mode 100644 include/config_fsl_secboot.h > Change subject prefix to "secure_boot:". Slightly reformat commit message. Applied to u-boot-fsl-qoriq master. Awaiting upstream. Thanks. York
======== If Secure Boot is executed, a separate U-Boot target is required which must be compiled with a different Text Base as compared to Non-Secure Boot. There are some LAW and TLB settings which are required specifically for the Secure Boot scenario. ARM: ==== ARM based SoC's have a fixed memory map and the exit conditions from BootROM are the same irrespective of boot mode (Secure or Non-Secure). Thus the current Secure Boot functionality has been split into two parts: CONFIG_CHAIN_OF_TRUST ======================== This will have the following functionality as part of U-Boot: 1. Enable commands like esbc_validate, esbc_halt 2. Change the environment settings based on bootmode (determined at run time): - If bootmode is non-secure, no change - If bootmode is secure, set the following: - bootdelay = 0 (Don't give boot prompt) - bootcmd = Validate and execute the bootscript. CONFIG_SECURE_BOOT ===================== This is defined only for creating a different compile time target for secure boot. Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT. This patch is aimed at removing the requirement for a separate Secure Boot target for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be determined at run time. Another Security Requirement for running CHAIN_OF_TRUST is that the U-Boot environment must not be picked from flash/external memory. This cannot be done based on bootmode at run time in the current U-Boot architecture. Once this dependency is resolved, no separate SECURE_BOOT target will be required for ARM based SoC's. Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining CONFIG_ENV_IS_NOWHERE 
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> --- Changes in v3: None Changes in v2: CONFIG_ENV_IS_NOWHERE is defined for Secure Boot arch/arm/include/asm/fsl_secure_boot.h | 16 ++-- arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++----- include/config_fsl_chain_trust.h | 101 +++++++++++++++++++++++++ include/config_fsl_secboot.h | 116 ----------------------------- 4 files changed, 135 insertions(+), 139 deletions(-) create mode 100644 include/config_fsl_chain_trust.h delete mode 100644 include/config_fsl_secboot.h diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 8491a72..0da0599 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -8,6 +8,14 @@ #define __FSL_SECURE_BOOT_H #ifdef CONFIG_SECURE_BOOT + +#ifndef CONFIG_FIT_SIGNATURE +#define CONFIG_CHAIN_OF_TRUST +#endif + +#endif + +#ifdef CONFIG_CHAIN_OF_TRUST #define CONFIG_CMD_ESBC_VALIDATE #define CONFIG_CMD_BLOB #define CONFIG_FSL_SEC_MON @@ -40,8 +48,6 @@ #define CONFIG_ESBC_ADDR_64BIT #endif -#ifndef CONFIG_FIT_SIGNATURE - #define CONFIG_EXTRA_ENV \ "setenv fdt_high 0xcfffffff;" \ "setenv initrd_high 0xcfffffff;" \ @@ -50,8 +56,6 @@ /* The address needs to be modified according to NOR memory map */ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000 -#include <config_fsl_secboot.h> -#endif -#endif - +#include <config_fsl_chain_trust.h> +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 7d217a6..41058d1 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h 
@@ -9,19 +9,11 @@ #include <asm/config_mpc85xx.h> #ifdef CONFIG_SECURE_BOOT -#define CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_BLOB -#define CONFIG_FSL_SEC_MON -#define CONFIG_SHA_PROG_HW_ACCEL -#define CONFIG_DM -#define CONFIG_RSA -#define CONFIG_RSA_FREESCALE_EXP -#ifndef CONFIG_FSL_CAAM -#define CONFIG_FSL_CAAM -#endif + +#ifndef CONFIG_FIT_SIGNATURE +#define CONFIG_CHAIN_OF_TRUST #endif -#ifdef CONFIG_SECURE_BOOT #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 #elif defined(CONFIG_BSC9132QDS) @@ -76,8 +68,25 @@ */ #define CONFIG_FSL_ISBC_KEY_EXT #endif +#endif /* #ifdef CONFIG_SECURE_BOOT */ + +#ifdef CONFIG_CHAIN_OF_TRUST + +#define CONFIG_CMD_ESBC_VALIDATE +#define CONFIG_CMD_BLOB +#define CONFIG_FSL_SEC_MON +#define CONFIG_SHA_PROG_HW_ACCEL +#define CONFIG_RSA +#define CONFIG_RSA_FREESCALE_EXP + +#ifndef CONFIG_DM +#define CONFIG_DM +#endif + +#ifndef CONFIG_FSL_CAAM +#define CONFIG_FSL_CAAM +#endif -#ifndef CONFIG_FIT_SIGNATURE /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 @@ -105,10 +114,8 @@ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 #endif -#endif - -#include <config_fsl_secboot.h> -#endif +#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ -#endif +#include <config_fsl_chain_trust.h> +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h new file mode 100644 index 0000000..45dda56 --- /dev/null +++ b/include/config_fsl_chain_trust.h 
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ */
+
+#ifndef __CONFIG_FSL_CHAIN_TRUST_H
+#define __CONFIG_FSL_CHAIN_TRUST_H
+
+/* For secure boot, since ENVIRONMENT in flash/external memories is
+ * not verified, undef CONFIG_ENV_xxx and set default env
+ * (CONFIG_ENV_IS_NOWHERE)
+ */
+#ifdef CONFIG_SECURE_BOOT
+
+#undef CONFIG_ENV_IS_IN_EEPROM
+#undef CONFIG_ENV_IS_IN_NAND
+#undef CONFIG_ENV_IS_IN_MMC
+#undef CONFIG_ENV_IS_IN_SPI_FLASH
+#undef CONFIG_ENV_IS_IN_FLASH
+
+#define CONFIG_ENV_IS_NOWHERE
+
+#endif
+
+#ifdef CONFIG_CHAIN_OF_TRUST
+
+#ifndef CONFIG_EXTRA_ENV
+#define CONFIG_EXTRA_ENV ""
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+
+#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr " \
+ __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#else
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr;" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#endif
+
+/* For secure boot flow, default environment used will be used */
+#if 
defined(CONFIG_SYS_RAMBOOT)
+#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
+#define CONFIG_BS_COPY_ENV \
+ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
+ "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \
+ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
+ "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \
+ "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \
+ "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
+
+#if defined(CONFIG_RAMBOOT_NAND)
+#define CONFIG_BS_COPY_CMD \
+ "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \
+ "nand read $bs_ram $bs_flash $bs_size ;"
+#endif /* CONFIG_RAMBOOT_NAND */
+#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
+
+#endif
+
+#ifndef CONFIG_BS_COPY_ENV
+#define CONFIG_BS_COPY_ENV
+#endif
+
+#ifndef CONFIG_BS_COPY_CMD
+#define CONFIG_BS_COPY_CMD
+#endif
+
+#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \
+ CONFIG_BS_COPY_CMD \
+ CONFIG_SECBOOT
+
+#endif
+#endif
diff --git a/include/config_fsl_secboot.h b/include/config_fsl_secboot.h
deleted file mode 100644
index fc6788a..0000000
--- a/include/config_fsl_secboot.h
+++ /dev/null
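Review bot: The new header no longer carries the `#undef CONFIG_ZERO_BOOTDELAY_CHECK`, the forced `CONFIG_BOOTDELAY 0` and the CONFIG_BOOTCOMMAND override that the deleted config_fsl_secboot.h applied, and nothing else in this patch sets them; the commit message says bootdelay and bootcmd are now chosen at run time, but that code is not in this hunk, so until it lands a CONFIG_SECURE_BOOT build keeps its board-config boot delay and abort-key check and a console user can reach the prompt before esbc_validate ever runs. The run-time path that replaces these should cover the abort-key case (the old comment removed here explicitly noted that CONFIG_ZERO_BOOTDELAY_CHECK lets a key press reach the prompt), not only bootdelay=0. A note at the top of the CHAIN_OF_TRUST section would make the contract visible, e.g. `/* NOTE: bootdelay, bootcmd and the abort-key check are not forced here; the run-time secure-boot path must set them */`. Separately, the `#undef` list covers five CONFIG_ENV_IS_IN_* backends only, so a board that selects another backend present in the tree would end up with both it and CONFIG_ENV_IS_NOWHERE defined; if that combination is not rejected at build time it is worth a comment or an `#error`.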
@@ -1,116 +0,0 @@ -/* - * Copyright 2015 Freescale Semiconductor, Inc. - * - * SPDX-License-Identifier: GPL-2.0+ - */ - -#ifndef __CONFIG_FSL_SECBOOT_H -#define __CONFIG_FSL_SECBOOT_H - -#ifdef CONFIG_SECURE_BOOT - -#ifndef CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_ESBC_VALIDATE -#endif - -#ifndef CONFIG_EXTRA_ENV -#define CONFIG_EXTRA_ENV "" -#endif - -/* - * Control should not reach back to uboot after validation of images - * for secure boot flow and therefore bootscript should have - * the bootm command. If control reaches back to uboot anyhow - * after validating images, core should just spin. - */ - -/* - * Define the key hash for boot script here if public/private key pair used to - * sign bootscript are different from the SRK hash put in the fuse - * Example of defining KEY_HASH is - * #define CONFIG_BOOTSCRIPT_KEY_HASH \ - * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" - */ - -#ifdef CONFIG_BOOTSCRIPT_KEY_HASH -#define CONFIG_SECBOOT \ - "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ - "ramdisk_size=600000\';" \ - CONFIG_EXTRA_ENV \ - "esbc_validate $bs_hdraddr " \ - __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \ - "source $img_addr;" \ - "esbc_halt\0" -#else -#define CONFIG_SECBOOT \ - "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \ - "ramdisk_size=600000\';" \ - CONFIG_EXTRA_ENV \ - "esbc_validate $bs_hdraddr;" \ - "source $img_addr;" \ - "esbc_halt\0" -#endif - -/* For secure boot flow, default environment used will be used */ -#if defined(CONFIG_SYS_RAMBOOT) -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_COPY_ENV \ - "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ - "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \ - "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ - "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \ - 
"setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \ - "setenv bs_size " __stringify(CONFIG_BS_SIZE)";" - -#if defined(CONFIG_RAMBOOT_NAND) -#define CONFIG_BS_COPY_CMD \ - "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \ - "nand read $bs_ram $bs_flash $bs_size ;" -#endif /* CONFIG_RAMBOOT_NAND */ -#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */ - -#if defined(CONFIG_RAMBOOT_SPIFLASH) -#undef CONFIG_ENV_IS_IN_SPI_FLASH -#elif defined(CONFIG_RAMBOOT_NAND) -#undef CONFIG_ENV_IS_IN_NAND -#elif defined(CONFIG_RAMBOOT_SDCARD) -#undef CONFIG_ENV_IS_IN_MMC -#endif -#else /*CONFIG_SYS_RAMBOOT*/ -#undef CONFIG_ENV_IS_IN_FLASH -#endif - -#define CONFIG_ENV_IS_NOWHERE - -#ifndef CONFIG_BS_COPY_ENV -#define CONFIG_BS_COPY_ENV -#endif - -#ifndef CONFIG_BS_COPY_CMD -#define CONFIG_BS_COPY_CMD -#endif - -#define CONFIG_SECBOOT_CMD CONFIG_BS_COPY_ENV \ - CONFIG_BS_COPY_CMD \ - CONFIG_SECBOOT -/* - * We don't want boot delay for secure boot flow - * before autoboot starts - */ -#undef CONFIG_BOOTDELAY -#define CONFIG_BOOTDELAY 0 -#undef CONFIG_BOOTCOMMAND -#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT_CMD - -/* - * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for - * secure boot flow as defining this would enable a user to - * reach uboot prompt by pressing some key before start of - * autoboot - */ -#undef CONFIG_ZERO_BOOTDELAY_CHECK - -#endif -#endif