| Message ID | 1472193016-77388-4-git-send-email-madans@ti.com |
|---|---|
| State | Superseded |
| Delegated to: | Tom Rini |
| Headers | show |
On 08/26/2016 01:30 AM, Madan Srinivas wrote: > From: Vitaly Andrianov <vitalya@ti.com> > > This commit implements the board_fit_image_post_process() function for > the keystone architecture. Unlike OMAP class devices, security > functions in keystone are not handled in the ROM. > The interface to the secure functions is TI proprietary and depending > on the keystone platform, the security functions like encryption, > decryption and authentication might even be offloaded to other secure > processing elements in the SoC. > The boot monitor acts as the gateway to these secure functions and the > boot monitor for secure devices is available as part of the SECDEV > package for KS2. For more details refer doc/README.ti-secure > > Signed-off-by: Vitaly Andrianov <vitalya@ti.com> > Signed-off-by: Madan Srinivas <madans@ti.com> > --- > > arch/arm/mach-keystone/mon.c | 53 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 53 insertions(+) > > diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c > index 256f630..b4a6f1c 100644 > --- a/arch/arm/mach-keystone/mon.c > +++ b/arch/arm/mach-keystone/mon.c > @@ -12,10 +12,31 @@ > #include <mach/mon.h> > asm(".arch_extension sec\n\t"); > > +#ifdef CONFIG_TI_SECURE_DEVICE > +#define KS2_HS_AUTH_FN_OFFSET 8 > +#define KS2_HS_SEC_HEADER_LEN 0x60 > +#define KS2_AUTH_CMD "2" > +/** > + * (*fn_auth)() - Invokes security functions using a > + * proprietary TI interface. This binary and source for > + * this is available in the secure development package or > + * SECDEV. For details on how to access this please refer > + * doc/README.ti-secure > + * > + * @first param: no. of parameters > + * @second param: parameter list > + * @return non-zero value on success, zero on error > + */ > +static unsigned int (*fn_auth)(int, char * const []); > +#endif > + > int mon_install(u32 addr, u32 dpsc, u32 freq) > { > int result; > > +#ifdef CONFIG_TI_SECURE_DEVICE > + fn_auth = (void *)(addr + KS2_HS_AUTH_FN_OFFSET); > +#endif > __asm__ __volatile__ ( > "stmfd r13!, {lr}\n" > "mov r0, %1\n" > @@ -61,3 +82,35 @@ int mon_power_off(int core_id) > : "cc", "r0", "r1", "memory"); > return result; > } > + > +#ifdef CONFIG_TI_SECURE_DEVICE > +static void k2_hs_auth(void *addr) > +{ > + char *argv1 = KS2_AUTH_CMD; > + char argv2[32]; > + char *argv[3] = {NULL, argv1, argv2}; > + int ret; > + > + sprintf(argv2, "0x%08x", (u32)addr); > + ret = fn_auth(3, argv); > + > + if (ret == 0) { Can this be if (!ret)? > + printf("FAIL!!!\n"); /* remove form production code */ Wouldn't this be production code? If this print is intended to stay the s/form/from Dan > + hang(); > + } > +} > + > +void board_fit_image_post_process(void **p_image, size_t *p_size) > +{ > + void *dst = *p_image; > + void *src = dst + KS2_HS_SEC_HEADER_LEN; > + > + k2_hs_auth(*p_image); > + > + /* > + * Overwrite the image headers after authentication > + * and decryption. Move the image to its run address > + */ > + memcpy(dst, src, *p_size - KS2_HS_SEC_HEADER_LEN); > +} > +#endif
On Friday 26 August 2016 12:00 PM, Madan Srinivas wrote: > From: Vitaly Andrianov <vitalya@ti.com> > > This commit implements the board_fit_image_post_process() function for > the keystone architecture. Unlike OMAP class devices, security > functions in keystone are not handled in the ROM. > The interface to the secure functions is TI proprietary and depending > on the keystone platform, the security functions like encryption, > decryption and authentication might even be offloaded to other secure > processing elements in the SoC. > The boot monitor acts as the gateway to these secure functions and the > boot monitor for secure devices is available as part of the SECDEV > package for KS2. For more details refer doc/README.ti-secure > > Signed-off-by: Vitaly Andrianov <vitalya@ti.com> > Signed-off-by: Madan Srinivas <madans@ti.com> > --- > > arch/arm/mach-keystone/mon.c | 53 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 53 insertions(+) > > diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c > index 256f630..b4a6f1c 100644 > --- a/arch/arm/mach-keystone/mon.c > +++ b/arch/arm/mach-keystone/mon.c > @@ -12,10 +12,31 @@ > #include <mach/mon.h> > asm(".arch_extension sec\n\t"); > > +#ifdef CONFIG_TI_SECURE_DEVICE > +#define KS2_HS_AUTH_FN_OFFSET 8 > +#define KS2_HS_SEC_HEADER_LEN 0x60 > +#define KS2_AUTH_CMD "2" > +/** > + * (*fn_auth)() - Invokes security functions using a > + * proprietary TI interface. This binary and source for > + * this is available in the secure development package or > + * SECDEV. For details on how to access this please refer > + * doc/README.ti-secure > + * > + * @first param: no. of parameters > + * @second param: parameter list > + * @return non-zero value on success, zero on error > + */ > +static unsigned int (*fn_auth)(int, char * const []); > +#endif > + > int mon_install(u32 addr, u32 dpsc, u32 freq) > { > int result; > > +#ifdef CONFIG_TI_SECURE_DEVICE > + fn_auth = (void *)(addr + KS2_HS_AUTH_FN_OFFSET); > +#endif > __asm__ __volatile__ ( > "stmfd r13!, {lr}\n" > "mov r0, %1\n" > @@ -61,3 +82,35 @@ int mon_power_off(int core_id) > : "cc", "r0", "r1", "memory"); > return result; > } > + > +#ifdef CONFIG_TI_SECURE_DEVICE > +static void k2_hs_auth(void *addr) > +{ > + char *argv1 = KS2_AUTH_CMD; > + char argv2[32]; > + char *argv[3] = {NULL, argv1, argv2}; > + int ret; > + > + sprintf(argv2, "0x%08x", (u32)addr); > + ret = fn_auth(3, argv); Can fn_auth be checked before calling it? Just to make sure monitor is installed before processing any image. > + > + if (ret == 0) { > + printf("FAIL!!!\n"); /* remove form production code */ > + hang(); > + } > +} > + > +void board_fit_image_post_process(void **p_image, size_t *p_size) > +{ > + void *dst = *p_image; > + void *src = dst + KS2_HS_SEC_HEADER_LEN; > + > + k2_hs_auth(*p_image); > + > + /* > + * Overwrite the image headers after authentication > + * and decryption. Move the image to its run address > + */ > + memcpy(dst, src, *p_size - KS2_HS_SEC_HEADER_LEN); Technically image is not being moved to its run address. This is just updating FIT image after post processing. Also, *p_size should be updated to remove header size. Thanks and regards, Lokesh > +} > +#endif >
diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c index 256f630..b4a6f1c 100644 --- a/arch/arm/mach-keystone/mon.c +++ b/arch/arm/mach-keystone/mon.c @@ -12,10 +12,31 @@ #include <mach/mon.h> asm(".arch_extension sec\n\t"); +#ifdef CONFIG_TI_SECURE_DEVICE +#define KS2_HS_AUTH_FN_OFFSET 8 +#define KS2_HS_SEC_HEADER_LEN 0x60 +#define KS2_AUTH_CMD "2" +/** + * (*fn_auth)() - Invokes security functions using a + * proprietary TI interface. This binary and source for + * this is available in the secure development package or + * SECDEV. For details on how to access this please refer + * doc/README.ti-secure + * + * @first param: no. of parameters + * @second param: parameter list + * @return non-zero value on success, zero on error + */ +static unsigned int (*fn_auth)(int, char * const []); +#endif + int mon_install(u32 addr, u32 dpsc, u32 freq) { int result; +#ifdef CONFIG_TI_SECURE_DEVICE + fn_auth = (void *)(addr + KS2_HS_AUTH_FN_OFFSET); +#endif __asm__ __volatile__ ( "stmfd r13!, {lr}\n" "mov r0, %1\n" @@ -61,3 +82,35 @@ int mon_power_off(int core_id) : "cc", "r0", "r1", "memory"); return result; } + +#ifdef CONFIG_TI_SECURE_DEVICE +static void k2_hs_auth(void *addr) +{ + char *argv1 = KS2_AUTH_CMD; + char argv2[32]; + char *argv[3] = {NULL, argv1, argv2}; + int ret; + + sprintf(argv2, "0x%08x", (u32)addr); + ret = fn_auth(3, argv); + + if (ret == 0) { + printf("FAIL!!!\n"); /* remove form production code */ + hang(); + } +} + +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + void *dst = *p_image; + void *src = dst + KS2_HS_SEC_HEADER_LEN; + + k2_hs_auth(*p_image); + + /* + * Overwrite the image headers after authentication + * and decryption. Move the image to its run address + */ + memcpy(dst, src, *p_size - KS2_HS_SEC_HEADER_LEN); +} +#endif