diff mbox

[U-Boot] arm64: ls2088ardb: Add distro secure boot support

Message ID 1497240825-19831-1-git-send-email-vinitha.pillai@nxp.com
State Accepted
Delegated to: York Sun
Headers show

Commit Message

Vinitha V Pillai June 12, 2017, 4:13 a.m. UTC 
Enable validation of boot.scr script prior to its execution dependent
on "secureboot" flag in environment. Also enable "secureboot=y"
flag in environment for ARM based platforms instead of bootcmd.

Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com>
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
---

This patch depends on the following patch:

https://patchwork.ozlabs.org/patch/771211/

 include/configs/ls2080ardb.h | 107 +++++++++++++++++++------------------------
 1 file changed, 46 insertions(+), 61 deletions(-)

Comments

York Sun July 28, 2017, 5:08 p.m. UTC | #1 
On 06/11/2017 09:16 PM, Vinitha Pillai-B57223 wrote:
> Enable validation of boot.scr script prior to its execution dependent
> on "secureboot" flag in environment. Also enable "secureboot=y"
> flag in environment for ARM based platforms instead of bootcmd.
> 
> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com>
> Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
> ---
> 
> This patch depends on the following patch:
> 
> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpatchwork.ozlabs.org%2Fpatch%2F771211%2F&data=01%7C01%7Cyork.sun%40nxp.com%7C55dc88c51ec742fae2cf08d4b149c191%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0&sdata=sWcsO%2FFpDClq73QjSjROyVYlAL6U6swULxUwu3DtedQ%3D&reserved=0
> 
>   include/configs/ls2080ardb.h | 107 +++++++++++++++++++------------------------
>   1 file changed, 46 insertions(+), 61 deletions(-)
> 
> diff --git a/include/configs/ls2080ardb.h b/include/configs/ls2080ardb.h
> index 5fb889f..20757af 100644
> --- a/include/configs/ls2080ardb.h
> +++ b/include/configs/ls2080ardb.h
> @@ -365,77 +365,37 @@ unsigned long get_board_sys_clk(void);
>   
>   #ifdef CONFIG_QSPI_BOOT
>   #define MC_INIT_CMD				\
> -	"mcinitcmd=sf probe 0:0;"		\
> -	"sf read 0x20a00000 0xA00000 0x100000;"	\
> -	"sf read 0x20e00000 0xE00000 0x100000;" \
> +	"mcinitcmd=env exists secureboot && "		\
> +	"esbc_validate 0x20700000 && "	\
> +	"esbc_validate 0x20740000;" \
>   	"fsl_mc start mc 0x20a00000 0x20e00000 \0"
>   #else
>   #define MC_INIT_CMD			\
> -	"mcinitcmd=fsl_mc start mc 0x580a00000" \
> -	" 0x580e00000 \0"
> +	"mcinitcmd=env exists secureboot && " \
> +	"esbc_validate 0x580700000 && "	\
> +	"esbc_validate 0x580740000; " \
> +	"fsl_mc start mc 0x580a00000 0x580e00000 \0"
>   #endif
>   

I have a lot of conflicts with this file. Looks like you have a patch 
adding MC_INIT_CMD. I will try to figure it out. Need you to test the 
code later.

York
Vinitha V Pillai Aug. 4, 2017, 9:23 a.m. UTC | #2 
-----Original Message-----
From: York Sun 
Sent: Friday, July 28, 2017 10:38 PM
To: Vini Pillai <vinitha.pillai@nxp.com>; u-boot@lists.denx.de
Cc: Ruchika Gupta <ruchika.gupta@nxp.com>; Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>; Sumit Garg <sumit.garg@nxp.com>; Shengzhou Liu <shengzhou.liu@nxp.com>; Priyanka Jain <priyanka.jain@nxp.com>
Subject: Re: [PATCH] arm64: ls2088ardb: Add distro secure boot support

On 06/11/2017 09:16 PM, Vinitha Pillai-B57223 wrote:
> Enable validation of boot.scr script prior to its execution dependent 
> on "secureboot" flag in environment. Also enable "secureboot=y"
> flag in environment for ARM based platforms instead of bootcmd.
> 
> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com>
> Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
> ---
> 
> This patch depends on the following patch:
> 
> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpat
> chwork.ozlabs.org%2Fpatch%2F771211%2F&data=01%7C01%7Cyork.sun%40nxp.co
> m%7C55dc88c51ec742fae2cf08d4b149c191%7C686ea1d3bc2b4c6fa92cd99c5c30163
> 5%7C0&sdata=sWcsO%2FFpDClq73QjSjROyVYlAL6U6swULxUwu3DtedQ%3D&reserved=
> 0
> 
>   include/configs/ls2080ardb.h | 107 +++++++++++++++++++------------------------
>   1 file changed, 46 insertions(+), 61 deletions(-)
> 
> diff --git a/include/configs/ls2080ardb.h 
> b/include/configs/ls2080ardb.h index 5fb889f..20757af 100644
> --- a/include/configs/ls2080ardb.h
> +++ b/include/configs/ls2080ardb.h
> @@ -365,77 +365,37 @@ unsigned long get_board_sys_clk(void);
>   
>   #ifdef CONFIG_QSPI_BOOT
>   #define MC_INIT_CMD				\
> -	"mcinitcmd=sf probe 0:0;"		\
> -	"sf read 0x20a00000 0xA00000 0x100000;"	\
> -	"sf read 0x20e00000 0xE00000 0x100000;" \
> +	"mcinitcmd=env exists secureboot && "		\
> +	"esbc_validate 0x20700000 && "	\
> +	"esbc_validate 0x20740000;" \
>   	"fsl_mc start mc 0x20a00000 0x20e00000 \0"
>   #else
>   #define MC_INIT_CMD			\
> -	"mcinitcmd=fsl_mc start mc 0x580a00000" \
> -	" 0x580e00000 \0"
> +	"mcinitcmd=env exists secureboot && " \
> +	"esbc_validate 0x580700000 && "	\
> +	"esbc_validate 0x580740000; " \
> +	"fsl_mc start mc 0x580a00000 0x580e00000 \0"
>   #endif
>   

I have a lot of conflicts with this file. Looks like you have a patch adding MC_INIT_CMD. I will try to figure it out. Need you to test the code later.

York

Ok. Let me know when you want the testing to be done.

Vinitha
York Sun Aug. 4, 2017, 3:11 p.m. UTC | #3 
On 08/04/2017 02:23 AM, Vini Pillai wrote:
> 
> I have a lot of conflicts with this file. Looks like you have a patch adding MC_INIT_CMD. I will try to figure it out. Need you to test the code later.
> 
> York
> 
> Ok. Let me know when you want the testing to be done.
> 

Please test the latest master branch. It has been merged.

York
York Sun Aug. 7, 2017, 8:03 p.m. UTC | #4 
On 06/11/2017 09:16 PM, Vinitha Pillai-B57223 wrote:
> Enable validation of boot.scr script prior to its execution dependent
> on "secureboot" flag in environment. Also enable "secureboot=y"
> flag in environment for ARM based platforms instead of bootcmd.
> 
> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com>
> Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
> ---
> 

Applied to fsl-qoriq master. Thanks.

York
diff mbox

Patch

diff --git a/include/configs/ls2080ardb.h b/include/configs/ls2080ardb.h
index 5fb889f..20757af 100644
--- a/include/configs/ls2080ardb.h
+++ b/include/configs/ls2080ardb.h
@@ -365,77 +365,37 @@  unsigned long get_board_sys_clk(void);
 
 #ifdef CONFIG_QSPI_BOOT
 #define MC_INIT_CMD				\
-	"mcinitcmd=sf probe 0:0;"		\
-	"sf read 0x20a00000 0xA00000 0x100000;"	\
-	"sf read 0x20e00000 0xE00000 0x100000;" \
+	"mcinitcmd=env exists secureboot && "		\
+	"esbc_validate 0x20700000 && "	\
+	"esbc_validate 0x20740000;" \
 	"fsl_mc start mc 0x20a00000 0x20e00000 \0"
 #else
 #define MC_INIT_CMD			\
-	"mcinitcmd=fsl_mc start mc 0x580a00000" \
-	" 0x580e00000 \0"
+	"mcinitcmd=env exists secureboot && " \
+	"esbc_validate 0x580700000 && "	\
+	"esbc_validate 0x580740000; " \
+	"fsl_mc start mc 0x580a00000 0x580e00000 \0"
 #endif
 
 /* Initial environment variables */
 #undef CONFIG_EXTRA_ENV_SETTINGS
-#ifdef CONFIG_SECURE_BOOT
-#ifdef CONFIG_QSPI_BOOT
-#define CONFIG_EXTRA_ENV_SETTINGS		\
-	"hwconfig=fsl_ddr:bank_intlv=auto\0"	\
-	"scriptaddr=0x80800000\0"		\
-	"kernel_addr_r=0x81000000\0"		\
-	"pxefile_addr_r=0x81000000\0"		\
-	"fdt_addr_r=0x88000000\0"		\
-	"ramdisk_addr_r=0x89000000\0"		\
-	"loadaddr=0x80100000\0"			\
-	"kernel_addr=0x100000\0"		\
-	"ramdisk_size=0x2000000\0"		\
-	"fdt_high=0xa0000000\0"			\
-	"initrd_high=0xffffffffffffffff\0"	\
-	"kernel_start=0x21000000\0"		\
-	"mcmemsize=0x40000000\0"		\
-	"mcinitcmd=esbc_validate 0x20700000;"	\
-	"esbc_validate 0x20740000;"		\
-	"fsl_mc start mc 0x20a00000"		\
-	" 0x20e00000 \0"			\
-	BOOTENV
-#else /* !(CONFIG_QSPI_BOOT) */
 #define CONFIG_EXTRA_ENV_SETTINGS		\
 	"hwconfig=fsl_ddr:bank_intlv=auto\0"	\
-	"scriptaddr=0x80800000\0"		\
-	"kernel_addr_r=0x81000000\0"		\
-	"pxefile_addr_r=0x81000000\0"		\
-	"fdt_addr_r=0x88000000\0"		\
-	"ramdisk_addr_r=0x89000000\0"		\
-	"loadaddr=0x80100000\0"			\
-	"kernel_addr=0x100000\0"		\
-	"ramdisk_addr=0x800000\0"		\
-	"ramdisk_size=0x2000000\0"		\
-	"fdt_high=0xa0000000\0"			\
-	"initrd_high=0xffffffffffffffff\0"	\
-	"kernel_start=0x581000000\0"		\
-	"kernel_load=0xa0000000\0"		\
-	"kernel_size=0x2800000\0"		\
-	"mcmemsize=0x40000000\0"		\
-	"fdtfile=fsl-ls2080a-rdb.dtb\0"		\
-	"mcinitcmd=esbc_validate 0x580700000;"  \
-	"esbc_validate 0x580740000;"            \
-	"fsl_mc start mc 0x580a00000"           \
-	" 0x580e00000 \0"                       \
-	BOOTENV
-#endif
-#else /* !(CONFIG_SECURE_BOOT) */
-#define CONFIG_EXTRA_ENV_SETTINGS               \
-	"hwconfig=fsl_ddr:bank_intlv=auto\0"	\
 	"ramdisk_addr=0x800000\0"		\
 	"ramdisk_size=0x2000000\0"		\
 	"fdt_high=0xa0000000\0"			\
 	"initrd_high=0xffffffffffffffff\0"	\
 	"fdt_addr=0x64f00000\0"			\
 	"kernel_addr=0x581000000\0"		\
+	"kernel_start=0x1000000\0"		\
+	"kernelheader_start=0x800000\0"		\
 	"scriptaddr=0x80000000\0"		\
+	"scripthdraddr=0x80080000\0"		\
 	"fdtheader_addr_r=0x80100000\0"		\
 	"kernelheader_addr_r=0x80200000\0"	\
+	"kernelheader_addr=0x580800000\0"	\
 	"kernel_addr_r=0x81000000\0"		\
+	"kernelheader_size=0x40000\0"		\
 	"fdt_addr_r=0x90000000\0"		\
 	"load_addr=0xa0000000\0"		\
 	"kernel_size=0x2800000\0"		\
@@ -443,6 +403,7 @@  unsigned long get_board_sys_clk(void);
 	MC_INIT_CMD				\
 	BOOTENV					\
 	"boot_scripts=ls2088ardb_boot.scr\0"	\
+	"boot_script_hdr=hdr_ls2088ardb_bs.out\0"	\
 	"scan_dev_for_boot_part="		\
 		"part list ${devtype} ${devnum} devplist; "	\
 		"env exists devplist || setenv devplist 1; " 	\
@@ -453,31 +414,55 @@  unsigned long get_board_sys_clk(void);
 				"run scan_dev_for_boot; "	\
 			"fi; "					\
 		"done\0"					\
+	"scan_dev_for_boot="			\
+		"echo Scanning ${devtype} "		\
+			"${devnum}:${distro_bootpart}...; "	\
+		"for prefix in ${boot_prefixes}; do "	\
+			"run scan_dev_for_scripts; "		\
+	"done;"					\
+	"\0"					\
+	"boot_a_script="			\
+		"load ${devtype} ${devnum}:${distro_bootpart} "	\
+			"${scriptaddr} ${prefix}${script}; "	\
+	"env exists secureboot && load ${devtype} "	\
+		"${devnum}:${distro_bootpart} "		\
+		"${scripthdraddr} ${prefix}${boot_script_hdr} "	\
+		"&& esbc_validate ${scripthdraddr};"	\
+	"source ${scriptaddr}\0"		\
 	"installer=load scsi 0:2 $load_addr "			\
 		"/flex_installer_arm64.itb; "			\
 		"bootm $load_addr#ls2088ardb\0"			\
 	"qspi_bootcmd=echo Trying load from qspi..;"		\
 		"sf probe && sf read $load_addr "		\
-		"$kernel_addr $kernel_size &&"			\
+		"$kernel_start $kernel_size ; env exists secureboot "	\
+		"&& sf read $kernelheader_addr_r $kernelheader_start "  \
+		"$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \
 		" bootm $load_addr#$board\0"\
 	"nor_bootcmd=echo Trying load from nor..;"		\
 		"cp.b $kernel_addr $load_addr "			\
-		"$kernel_size && bootm $load_addr#$board\0"
-#endif
+		"$kernel_size ; env exists secureboot && "		\
+		"cp.b $kernelheader_addr $kernelheader_addr_r "	\
+		"$kernelheader_size && esbc_validate ${kernelheader_addr_r}; "	\
+		"bootm $load_addr#$board\0"
 
 #undef CONFIG_BOOTCOMMAND
 #ifdef CONFIG_QSPI_BOOT
 /* Try to boot an on-QSPI kernel first, then do normal distro boot */
 #define CONFIG_BOOTCOMMAND						\
-			"env exists mcinitcmd && run mcinitcmd && "	\
-			"fsl_mc lazyapply dpl 0x20d00000;"		\
-			"run distro_bootcmd;run qspi_bootcmd"
+			"env exists mcinitcmd && env exists secureboot "	\
+			"&& esbc_validate 0x20780000; " 		\
+			"env exists mcinitcmd && " 			\
+			"fsl_mc lazyapply dpl 0x20d00000; "		\
+			"run distro_bootcmd;run qspi_bootcmd; "		\
+			"env exists secureboot && esbc_halt; "
 #else
 /* Try to boot an on-NOR kernel first, then do normal distro boot */
 #define CONFIG_BOOTCOMMAND						\
-			"env exists mcinitcmd && run mcinitcmd && "	\
-			"fsl_mc lazyapply dpl 0x580d00000;"		\
-			"run distro_bootcmd;run nor_bootcmd"
+			"env exists mcinitcmd && env exists secureboot "	\
+			"&& esbc_validate 0x580780000; env exists mcinitcmd "	\
+			"&& fsl_mc lazyapply dpl 0x580d00000;"		\
+			"run distro_bootcmd;run nor_bootcmd; "	\
+			"env exists secureboot && esbc_halt; "
 #endif
 
 #undef CONFIG_BOOTARGS