From patchwork Tue Nov 10 07:05:00 2020
X-Patchwork-Submitter: Siew Chin Lim
X-Patchwork-Id: 1397393
From: Siew Chin Lim
To: u-boot@lists.denx.de
Cc: Marek Vasut, Ley Foon Tan, Chin Liang See, Simon Goldschmidt, Tien Fong Chee, Dalon Westergreen, Simon Glass, Yau Wai Gan, Siew Chin Lim
Subject: [v1 0/5] Add Vendor Authorized Boot (VAB) support
Date: Mon, 9 Nov 2020 23:05:00 -0800
Message-Id: <20201110070505.26935-1-elly.siew.chin.lim@intel.com>

This patchset adds Vendor Authorized Boot (VAB) support for Intel Agilex and Diamond Mesa SoC devices. Vendor Authorized Boot is a security feature for authenticating images such as U-Boot, ARM Trusted Firmware, the Linux kernel, the device tree blob, etc., loaded from FIT.
After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to the Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication.

This patchset has dependencies on:
--------
Enable ARM Trusted Firmware for U-Boot
https://patchwork.ozlabs.org/project/uboot/cover/20201015122955.10259-1-elly.siew.chin.lim@intel.com/

Add Intel Diamond Mesa SoC support
https://patchwork.ozlabs.org/project/uboot/cover/20201110064439.9683-1-elly.siew.chin.lim@intel.com/

Siew Chin Lim (5):
  arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
  arm: socfpga: cmd: Support 'vab' command
  arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support
  configs: socfpga: soc64: Remove 'run linux_qspi_enable' from bootcommand
  configs: socfpga: Add defconfig for Agilex and Diamond Mesa with VAB support

 arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi                       |  22 +++
 arch/arm/mach-socfpga/Kconfig                                    |  15 ++
 arch/arm/mach-socfpga/Makefile                                   |   4 +
 arch/arm/mach-socfpga/include/mach/mailbox_s10.h                 |   1 +
 arch/arm/mach-socfpga/include/mach/secure_vab.h                  |  63 +++++++
 arch/arm/mach-socfpga/secure_vab.c                               | 188 +++++++++++++++++++++
 arch/arm/mach-socfpga/vab.c                                      |  37 ++++
 common/Kconfig.boot                                              |   2 +-
 ..._atf_defconfig => socfpga_agilex_vab_defconfig}               |   3 +-
 ...a_dm_atf_defconfig => socfpga_dm_vab_defconfig}               |   3 +-
 include/configs/socfpga_soc64_common.h                           |   3 +-
 11 files changed, 336 insertions(+), 5 deletions(-)
 create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
 create mode 100644 arch/arm/mach-socfpga/secure_vab.c
 create mode 100644 arch/arm/mach-socfpga/vab.c
 copy configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} (96%)
 copy configs/{socfpga_dm_atf_defconfig => socfpga_dm_vab_defconfig} (96%)
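The pre-SDM hash check the cover letter describes, modelled as an added example that is not code from this patchset: U-Boot recomputes SHA384 over the loaded image and compares it with the hash carried in the appended certificate before anything is handed to the SDM. The certificate layout (magic, stored SHA384, fixed-size signature block) is constructed for illustration; the real VAB certificate format is not given in the cover letter.

```python
import hashlib
import hmac
import struct

# Constructed trailer layout for illustration only (not the real VAB format).
# The certificate is appended after the image, so the image is everything
# before the last CERT.size bytes of the loaded blob.
CERT_MAGIC = b"VABc"
SIGBLOCK_LEN = 96                     # assumed opaque signature block size
CERT = struct.Struct("<4s48s%ds" % SIGBLOCK_LEN)   # magic, sha384, sigblock


def append_cert(image: bytes, sigblock: bytes) -> bytes:
    """Signing-side helper (constructed): returns image || certificate."""
    if len(sigblock) != SIGBLOCK_LEN:
        raise ValueError("signature block must be %d bytes" % SIGBLOCK_LEN)
    return image + CERT.pack(CERT_MAGIC, hashlib.sha384(image).digest(), sigblock)


def precheck_image(blob: bytes):
    """Model of the U-Boot side check.

    Returns (image, certificate) when the SHA384 computed over the image
    matches the hash stored in the appended certificate; returns None when
    no certificate is present or the hash does not match, in which case
    nothing is forwarded to the SDM.
    """
    if len(blob) <= CERT.size:        # too short to hold an image plus trailer
        return None
    image, cert = blob[:-CERT.size], blob[-CERT.size:]
    magic, stored, _sigblock = CERT.unpack(cert)
    if magic != CERT_MAGIC:
        return None                   # no VAB certificate appended
    computed = hashlib.sha384(image).digest()
    if not hmac.compare_digest(computed, stored):
        return None                   # image altered after signing: reject locally
    # Hash matches: certificate (hash + signature block) goes to the SDM,
    # which performs the actual signature authentication.
    return image, cert
```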