diff mbox

[U-Boot,2/2] ls1043ardb: PPA: add PPA validation in case of secure boot

Message ID 1456219754-30521-2-git-send-email-aneesh.bansal@nxp.com
State Superseded
Delegated to: York Sun
Headers show

Commit Message

Aneesh Bansal Feb. 23, 2016, 9:29 a.m. UTC 
As part of Secure Boot Chain of trust, PPA image must be validated
before the image is started.
The code for the same has been added.

Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
---
The patchset is dependent on
http://patchwork.ozlabs.org/patch/571339/

 arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 22 ++++++++++++++++++++++
 arch/arm/include/asm/fsl_secure_boot.h  | 16 ++++++++++++++++
 2 files changed, 38 insertions(+)
diff mbox

Patch

diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
index db767f9..804c4d7 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
+++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c
@@ -18,6 +18,9 @@ 
 #include <asm/arch/immap_lsch2.h>
 #endif
 #include <asm/arch/ppa.h>
+#ifdef CONFIG_CHAIN_OF_TRUST
+#include <fsl_validate.h>
+#endif
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -69,12 +72,31 @@  static int parse_ppa_firmware_fit_image(const void **raw_image_addr,
 	int conf_node_off, fw_node_off;
 	char *conf_node_name = NULL;
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+	int ret;
+	uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR;
+	uintptr_t ppa_img_addr = 0;
+#endif
+
 #ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR
 	fit_hdr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR;
 #else
 #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
 #endif
 
+#ifdef CONFIG_CHAIN_OF_TRUST
+	ppa_img_addr = (uintptr_t)fit_hdr;
+	if (fsl_check_boot_mode_secure() != 0) {
+		ret = fsl_secboot_validate(ppa_esbc_hdr,
+					   CONFIG_PPA_KEY_HASH,
+					   &ppa_img_addr);
+		if (ret != 0)
+			printf("PPA validation failed\n");
+		else
+			printf("PPA validation Successful\n");
+	}
+#endif
+
 	conf_node_name = LS_PPA_FIT_CNF_NAME;
 
 	if (fdt_check_header(fit_hdr)) {
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index 0da0599..d275dd1 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -56,6 +56,22 @@ 
 /* The address needs to be modified according to NOR memory map */
 #define CONFIG_BOOTSCRIPT_HDR_ADDR	0x600a0000
 
+#ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR
+#ifdef CONFIG_LS1043A
+#define CONFIG_SYS_LS_PPA_ESBC_ADDR	0x600c0000
+#endif
+#else
+#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined"
+#endif
+
+/* Define the key hash here if SRK used for signing PPA image is
+ * different from SRK hash put in SFP used for U-Boot.
+ * Example
+ * #define CONFIG_PPA_KEY_HASH \
+ *	"41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+#define CONFIG_PPA_KEY_HASH		NULL
+
 #include <config_fsl_chain_trust.h>
 #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
 #endif