From patchwork Thu Feb 21 22:35:10 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Davis <afd@ti.com>
X-Patchwork-Id: 1046490
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.denx.de
	(client-ip=81.169.180.215; helo=lists.denx.de;
	envelope-from=u-boot-bounces@lists.denx.de;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=quarantine dis=none)
	header.from=ti.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=ti.com header.i=@ti.com header.b="tYHbpZCF";
	dkim-atps=neutral
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 4458WZ1xQsz9s8m
	for <incoming@patchwork.ozlabs.org>;
	Fri, 22 Feb 2019 09:38:18 +1100 (AEDT)
Received: by lists.denx.de (Postfix, from userid 105)
	id D0B99C21E2C; Thu, 21 Feb 2019 22:36:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=T_DKIM_INVALID
	autolearn=unavailable autolearn_force=no version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id 190D4C21E73;
	Thu, 21 Feb 2019 22:35:36 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id BADC9C21F3C; Thu, 21 Feb 2019 22:35:27 +0000 (UTC)
Received: from fllv0015.ext.ti.com (fllv0015.ext.ti.com [198.47.19.141])
	by lists.denx.de (Postfix) with ESMTPS id 3D0EAC21E73
	for <u-boot@lists.denx.de>; Thu, 21 Feb 2019 22:35:23 +0000 (UTC)
Received: from lelv0266.itg.ti.com ([10.180.67.225])
	by fllv0015.ext.ti.com (8.15.2/8.15.2) with ESMTP id x1LMZLAj058230;
	Thu, 21 Feb 2019 16:35:21 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com;
	s=ti-com-17Q1; t=1550788521;
	bh=SkrI9+ELMb4pgmqIQbQN7ygCYYKbLss6X7at7aV1dwQ=;
	h=From:To:CC:Subject:Date:In-Reply-To:References;
	b=tYHbpZCF7hBmsG8vpUrOLJbMDIlfvXpwsA2SjZ+i+/scyyk6hlGFcXQLtdnUJear9
	0PyB1QPB08EPyfJ1sXa0zLTYWgYzkxrED51XW/5cLSe253ZpH3CPQAqlMMNNBki9Bd
	6K0zgthcqVWKLG5pynVO+C0y8W3i/17gVvwcHVN4=
Received: from DLEE115.ent.ti.com (dlee115.ent.ti.com [157.170.170.26])
	by lelv0266.itg.ti.com (8.15.2/8.15.2) with ESMTPS id x1LMZLeJ109232
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL);
	Thu, 21 Feb 2019 16:35:21 -0600
Received: from DLEE100.ent.ti.com (157.170.170.30) by DLEE115.ent.ti.com
	(157.170.170.26) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10;
	Thu, 21 Feb 2019 16:35:21 -0600
Received: from dflp33.itg.ti.com (10.64.6.16) by DLEE100.ent.ti.com
	(157.170.170.30) with Microsoft SMTP Server (version=TLS1_0,
	cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1591.10 via Frontend
	Transport; Thu, 21 Feb 2019 16:35:20 -0600
Received: from legion.dal.desgin.ti.com (legion.dal.design.ti.com
	[128.247.22.53])
	by dflp33.itg.ti.com (8.14.3/8.13.8) with ESMTP id x1LMZKum027349;
	Thu, 21 Feb 2019 16:35:20 -0600
Received: from localhost (uda0226330.dhcp.ti.com [172.22.111.174])
	by legion.dal.desgin.ti.com (8.11.7p1+Sun/8.11.7) with ESMTP id
	x1LMZKU08643; Thu, 21 Feb 2019 16:35:20 -0600 (CST)
From: "Andrew F. Davis" <afd@ti.com>
To: Tom Rini <trini@konsulko.com>, Lokesh Vutla <lokeshvutla@ti.com>, Andreas
	Dannenberg <dannenberg@ti.com>
Date: Thu, 21 Feb 2019 16:35:10 -0600
Message-ID: <20190221223512.8310-6-afd@ti.com>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190221223512.8310-1-afd@ti.com>
References: <20190221223512.8310-1-afd@ti.com>
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
Cc: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v2 5/7] arm: mach-k3: Add secure device build
	support
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

K3 HS devices require signed binaries for boot, use the SECDEV tools
to sign the boot artifacts during build.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>
---
 MAINTAINERS                       |  1 +
 arch/arm/mach-k3/config.mk        | 25 ++++++++++++++++++
 arch/arm/mach-k3/config_secure.mk | 44 +++++++++++++++++++++++++++++++
 tools/k3_fit_atf.sh               |  8 ++++--
 4 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 arch/arm/mach-k3/config_secure.mk

diff --git a/MAINTAINERS b/MAINTAINERS
index 5dd69562e0..bddfaf50c8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -717,6 +717,7 @@ F:	arch/arm/mach-omap2/omap5/sec_entry_cpu1.S
 F:	arch/arm/mach-omap2/sec-common.c
 F:	arch/arm/mach-omap2/config_secure.mk
 F:	arch/arm/mach-k3/security.c
+F:	arch/arm/mach-k3/config_secure.mk
 F:	configs/am335x_hs_evm_defconfig
 F:	configs/am335x_hs_evm_uart_defconfig
 F:	configs/am43xx_hs_evm_defconfig
diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk
index be00d79fb0..2d8f61f9db 100644
--- a/arch/arm/mach-k3/config.mk
+++ b/arch/arm/mach-k3/config.mk
@@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo
 # If external key is not provided, generate key using openssl.
 ifeq ($(CONFIG_SYS_K3_KEY), "")
 KEY=u-boot-spl-eckey.pem
+# On HS use real key or warn if not available
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),)
+KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem
+else
+$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!")
+endif
+endif
 else
 KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY))
 endif
@@ -65,6 +73,15 @@ ALL-y	+= tiboot3.bin
 endif
 
 ifdef CONFIG_ARM64
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+SPL_ITS := u-boot-spl-k3_HS.its
+$(SPL_ITS): FORCE
+	IS_HS=1 \
+	$(srctree)/tools/k3_fit_atf.sh \
+	$(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@
+
+ALL-y	+= tispl.bin_HS
+else
 SPL_ITS := u-boot-spl-k3.its
 $(SPL_ITS): FORCE
 	$(srctree)/tools/k3_fit_atf.sh \
@@ -72,7 +89,15 @@ $(SPL_ITS): FORCE
 
 ALL-y	+= tispl.bin
 endif
+endif
+
+else
 
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ALL-y	+= u-boot.img_HS
 else
 ALL-y	+= u-boot.img
 endif
+endif
+
+include $(srctree)/arch/arm/mach-k3/config_secure.mk
diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk
new file mode 100644
index 0000000000..6d63c57665
--- /dev/null
+++ b/arch/arm/mach-k3/config_secure.mk
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/
+#	Andrew F. Davis <afd@ti.com>
+
+quiet_cmd_k3secureimg = SECURE  $@
+ifneq ($(TI_SECURE_DEV_PKG),)
+ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),)
+cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \
+	$< $@ \
+	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
+else
+cmd_k3secureimg = echo "WARNING:" \
+	"$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \
+	"$@ was NOT secured!"; cp $< $@
+endif
+else
+cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \
+	"variable must be defined for TI secure devices." \
+	"$@ was NOT secured!"; cp $< $@
+endif
+
+%.dtb_HS: %.dtb FORCE
+	$(call if_changed,k3secureimg)
+
+$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE
+	$(call if_changed,k3secureimg)
+
+tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE
+	$(call if_changed,mkfitimage)
+
+MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \
+	-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
+	-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \
+	$(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST)))
+
+OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST)))
+$(OF_LIST_TARGETS): dtbs
+
+u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE
+	$(call if_changed,k3secureimg)
+
+u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE
+	$(call if_changed,mkimage)
diff --git a/tools/k3_fit_atf.sh b/tools/k3_fit_atf.sh
index 430b5ca616..4e9f69c087 100755
--- a/tools/k3_fit_atf.sh
+++ b/tools/k3_fit_atf.sh
@@ -21,6 +21,10 @@ if [ ! -f $TEE ]; then
 	TEE=/dev/null
 fi
 
+if [ ! -z "$IS_HS" ]; then
+	HS_APPEND=_HS
+fi
+
 cat << __HEADER_EOF
 /dts-v1/;
 
@@ -51,7 +55,7 @@ cat << __HEADER_EOF
 		};
 		spl {
 			description = "SPL (64-bit)";
-			data = /incbin/("spl/u-boot-spl-nodtb.bin");
+			data = /incbin/("spl/u-boot-spl-nodtb.bin$HS_APPEND");
 			type = "standalone";
 			os = "U-Boot";
 			arch = "arm64";
@@ -66,7 +70,7 @@ do
 	cat << __FDT_IMAGE_EOF
 		$(basename $dtname) {
 			description = "$(basename $dtname .dtb)";
-			data = /incbin/("$dtname");
+			data = /incbin/("$dtname$HS_APPEND");
 			type = "flat_dt";
 			arch = "arm";
 			compression = "none";