From patchwork Fri Feb 26 16:10:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444989 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF5t6WSVz9rx6 for ; Sat, 27 Feb 2021 03:11:46 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 3E39081FFD; Fri, 26 Feb 2021 17:11:31 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 900EE81FDD; Fri, 26 Feb 2021 17:11:18 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8B1D680EF2 for ; Fri, 26 Feb 2021 17:11:13 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: qppvfrJV7lGR8xrVXrsAR+BxRMlG7hoTa9RPgq3X/PPFx2uHHrHH/ePiRqjRR+SNnMD3LKqriB EJJItkk3A71w== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495413" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495413" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:13 -0800 IronPort-SDR: CmaqHcL5gHSXZBOicv3sQpbGCUEln3cV1qgbhAzqg0SizRicMH1pk4KdSWGFYrl9HeDBEyUDjF g2ihODcmas0w== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659421" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:10 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 1/7] arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64 Date: Sat, 27 Feb 2021 00:10:59 +0800 Message-Id: <20210226161105.2303-2-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean Create common macro TARGET_SOCFPGA_SOC64 for Stratix10 and Agilex. Signed-off-by: Siew Chin Lim --- arch/arm/Kconfig | 6 +++--- arch/arm/mach-socfpga/Kconfig | 5 +++++ arch/arm/mach-socfpga/include/mach/reset_manager.h | 3 +-- arch/arm/mach-socfpga/include/mach/system_manager.h | 3 +-- drivers/ddr/altera/Kconfig | 6 +++--- drivers/fpga/Kconfig | 2 +- drivers/sysreset/Kconfig | 2 +- 7 files changed, 15 insertions(+), 12 deletions(-) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 95557d6ed6..f4299ae692 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -975,7 +975,7 @@ config ARCH_SOCFPGA bool "Altera SOCFPGA family" select ARCH_EARLY_INIT_R select ARCH_MISC_INIT if !TARGET_SOCFPGA_ARRIA10 - select ARM64 if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX + select ARM64 if TARGET_SOCFPGA_SOC64 select CPU_V7A if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 select DM select DM_SERIAL @@ -987,7 +987,7 @@ config ARCH_SOCFPGA select SPL_LIBGENERIC_SUPPORT select SPL_NAND_SUPPORT if SPL_NAND_DENALI select SPL_OF_CONTROL - select SPL_SEPARATE_BSS if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX + select SPL_SEPARATE_BSS if TARGET_SOCFPGA_SOC64 select SPL_SERIAL_SUPPORT select SPL_SYSRESET select SPL_WATCHDOG_SUPPORT @@ -996,7 +996,7 @@ config ARCH_SOCFPGA select SYS_THUMB_BUILD if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 select SYSRESET select SYSRESET_SOCFPGA if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 - select SYSRESET_SOCFPGA_SOC64 if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX + select SYSRESET_SOCFPGA_SOC64 if TARGET_SOCFPGA_SOC64 imply CMD_DM imply CMD_MTDPARTS imply CRC32_VERIFY diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig index 4d4ff16337..9b1abdaabd 100644 --- a/arch/arm/mach-socfpga/Kconfig +++ b/arch/arm/mach-socfpga/Kconfig @@ -38,6 +38,7 @@ config TARGET_SOCFPGA_AGILEX select FPGA_INTEL_SDM_MAILBOX select NCORE_CACHE select SPL_CLK if SPL + select TARGET_SOCFPGA_SOC64 config TARGET_SOCFPGA_ARRIA5 bool @@ -75,12 +76,16 @@ config TARGET_SOCFPGA_GEN5 imply SPL_SYS_MALLOC_SIMPLE imply SPL_USE_TINY_PRINTF +config TARGET_SOCFPGA_SOC64 + bool + config TARGET_SOCFPGA_STRATIX10 bool select ARMV8_MULTIENTRY select ARMV8_SET_SMPEN select BINMAN if SPL_ATF select FPGA_INTEL_SDM_MAILBOX + select TARGET_SOCFPGA_SOC64 choice prompt "Altera SOCFPGA board select" diff --git a/arch/arm/mach-socfpga/include/mach/reset_manager.h b/arch/arm/mach-socfpga/include/mach/reset_manager.h index 7844ad14cb..8c25325e45 100644 --- a/arch/arm/mach-socfpga/include/mach/reset_manager.h +++ b/arch/arm/mach-socfpga/include/mach/reset_manager.h @@ -43,8 +43,7 @@ void socfpga_per_reset_all(void); #include #elif defined(CONFIG_TARGET_SOCFPGA_ARRIA10) #include -#elif defined(CONFIG_TARGET_SOCFPGA_STRATIX10) || \ - defined(CONFIG_TARGET_SOCFPGA_AGILEX) +#elif defined(CONFIG_TARGET_SOCFPGA_SOC64) #include #endif diff --git a/arch/arm/mach-socfpga/include/mach/system_manager.h b/arch/arm/mach-socfpga/include/mach/system_manager.h index f816954717..5603eaa3d0 100644 --- a/arch/arm/mach-socfpga/include/mach/system_manager.h +++ b/arch/arm/mach-socfpga/include/mach/system_manager.h @@ -8,8 +8,7 @@ phys_addr_t socfpga_get_sysmgr_addr(void); -#if defined(CONFIG_TARGET_SOCFPGA_STRATIX10) || \ - defined(CONFIG_TARGET_SOCFPGA_AGILEX) +#if defined(CONFIG_TARGET_SOCFPGA_SOC64) #include #else #define SYSMGR_ROMCODEGRP_CTRL_WARMRSTCFGPINMUX BIT(0) diff --git a/drivers/ddr/altera/Kconfig b/drivers/ddr/altera/Kconfig index 8f590dc5f6..4660d20def 100644 --- a/drivers/ddr/altera/Kconfig +++ b/drivers/ddr/altera/Kconfig @@ -1,8 +1,8 @@ config SPL_ALTERA_SDRAM bool "SoCFPGA DDR SDRAM driver in SPL" depends on SPL - depends on TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX - select RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX - select SPL_RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX + depends on TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 || TARGET_SOCFPGA_SOC64 + select RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_SOC64 + select SPL_RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_SOC64 help Enable DDR SDRAM controller for the SoCFPGA devices. diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig index 425b52a926..dc0b3dd31b 100644 --- a/drivers/fpga/Kconfig +++ b/drivers/fpga/Kconfig @@ -33,7 +33,7 @@ config FPGA_CYCLON2 config FPGA_INTEL_SDM_MAILBOX bool "Enable Intel FPGA Full Reconfiguration SDM Mailbox driver" - depends on TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX + depends on TARGET_SOCFPGA_SOC64 select FPGA_ALTERA help Say Y here to enable the Intel FPGA Full Reconfig SDM Mailbox driver diff --git a/drivers/sysreset/Kconfig b/drivers/sysreset/Kconfig index 0e5c7c9971..52f874317b 100644 --- a/drivers/sysreset/Kconfig +++ b/drivers/sysreset/Kconfig @@ -88,7 +88,7 @@ config SYSRESET_SOCFPGA config SYSRESET_SOCFPGA_SOC64 bool "Enable support for Intel SOCFPGA SoC64 family (Stratix10/Agilex)" - depends on ARCH_SOCFPGA && (TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX) + depends on ARCH_SOCFPGA && TARGET_SOCFPGA_SOC64 help This enables the system reset driver support for Intel SOCFPGA SoC64 SoCs. From patchwork Fri Feb 26 16:11:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444990 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF6722YCz9rx6 for ; Sat, 27 Feb 2021 03:11:59 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 483268207F; Fri, 26 Feb 2021 17:11:43 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 0D0498204B; Fri, 26 Feb 2021 17:11:25 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 725EF81B94 for ; Fri, 26 Feb 2021 17:11:16 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: DAeOoVYSeDiUh3vqzjOnWvJU7pECbnMRdTJlibzuHhC5zvzFQ/OvfdIHaEdCa5/1zz3MSPxzPy xrn3DRqXTSjg== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495424" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495424" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:16 -0800 IronPort-SDR: cb9f+ORimnWJFJ7nG9ULiLBFOGPMarsGvHVYgBhXcSmN7PKFi7s9trMX+Vwyh0Yd6s+Tly71AH cWIv+MpOgmZw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659445" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:13 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB) Date: Sat, 27 Feb 2021 00:11:00 +0800 Message-Id: <20210226161105.2303-3-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean Vendor Authorized Boot is a security feature for authenticating the images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and etc loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication. Signed-off-by: Siew Chin Lim --- v4: - Move function 'board_fit_image_post_process' and 'board_prep_linux' to arch/arm/mach-socfpga/board.c v3: - Add description for function 'socfpga_vendor_authentication'. - Relocate vab certificate to first memory bank before trigger SMC call to send mailbox command because ATF only able to access first memory bank. - Report error instead of bypass the authentication in SPL if Secure Device Manager (SDM) does not support VAB. - Print success string if VAB success. - Replace #ifdef with if(IS_ENABLED(CONFIG_...)). --- arch/arm/mach-socfpga/Kconfig | 15 ++ arch/arm/mach-socfpga/Makefile | 2 + arch/arm/mach-socfpga/board.c | 43 +++++- arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ arch/arm/mach-socfpga/secure_vab.c | 186 +++++++++++++++++++++++ common/Kconfig.boot | 2 +- 7 files changed, 307 insertions(+), 5 deletions(-) create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h create mode 100644 arch/arm/mach-socfpga/secure_vab.c diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-socfpga/Kconfig index 9b1abdaabd..0c35406232 100644 --- a/arch/arm/mach-socfpga/Kconfig +++ b/arch/arm/mach-socfpga/Kconfig @@ -6,6 +6,21 @@ config ERR_PTR_OFFSET config NR_DRAM_BANKS default 1 +config SOCFPGA_SECURE_VAB_AUTH + bool "Enable boot image authentication with Secure Device Manager" + depends on TARGET_SOCFPGA_AGILEX + select FIT_IMAGE_POST_PROCESS + select SHA384 + select SHA512_ALGO + select SPL_FIT_IMAGE_POST_PROCESS + help + All images loaded from FIT will be authenticated by Secure Device + Manager. + +config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE + bool "Allow non-FIT VAB signed images" + depends on SOCFPGA_SECURE_VAB_AUTH + config SPL_SIZE_LIMIT default 0x10000 if TARGET_SOCFPGA_GEN5 diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach-socfpga/Makefile index 82b681d870..1f1e21766d 100644 --- a/arch/arm/mach-socfpga/Makefile +++ b/arch/arm/mach-socfpga/Makefile @@ -4,6 +4,7 @@ # Wolfgang Denk, DENX Software Engineering, wd@denx.de. # # Copyright (C) 2012-2017 Altera Corporation +# Copyright (C) 2017-2020 Intel Corporation obj-y += board.o obj-y += clock_manager.o @@ -47,6 +48,7 @@ obj-y += mailbox_s10.o obj-y += misc_s10.o obj-y += mmu-arm64_s10.o obj-y += reset_manager_s10.o +obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH) += secure_vab.o obj-y += system_manager_s10.o obj-y += timer_s10.o obj-y += wrap_pinmux_config_s10.o diff --git a/arch/arm/mach-socfpga/board.c b/arch/arm/mach-socfpga/board.c index 7993c27646..9f60f2fc05 100644 --- a/arch/arm/mach-socfpga/board.c +++ b/arch/arm/mach-socfpga/board.c @@ -6,13 +6,16 @@ */ #include -#include -#include -#include -#include #include #include +#include +#include #include +#include +#include +#include +#include +#include #include #include #include @@ -97,3 +100,35 @@ __weak int board_fit_config_name_match(const char *name) return 0; } #endif + +#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + if (socfpga_vendor_authentication(p_image, p_size)) + hang(); +} + +void board_prep_linux(bootm_headers_t *images) +{ + if (!IS_ENABLED(CONFIG_SPL_BUILD)) { + if (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) { + /* + * Ensure the OS is always booted from FIT and with + * VAB signed certificate + */ + if (!images->fit_uname_cfg) { + printf("Please use FIT with VAB signed images!\n"); + hang(); + } + + env_set_hex("fdt_addr", (ulong)images->ft_addr); + debug("images->ft_addr = 0x%08lx\n", (ulong)images->ft_addr); + } + + if (IS_ENABLED(CONFIG_CADENCE_QSPI)) { + if (env_get("linux_qspi_enable")) + run_command(env_get("linux_qspi_enable"), 0); + } + } +} +#endif diff --git a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h index 4d783119ea..fbaf11597e 100644 --- a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h +++ b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h @@ -118,6 +118,7 @@ enum ALT_SDM_MBOX_RESP_CODE { #define MBOX_RECONFIG_MSEL 7 #define MBOX_RECONFIG_DATA 8 #define MBOX_RECONFIG_STATUS 9 +#define MBOX_VAB_SRC_CERT 11 #define MBOX_QSPI_OPEN 50 #define MBOX_QSPI_CLOSE 51 #define MBOX_QSPI_DIRECT 59 diff --git a/arch/arm/mach-socfpga/include/mach/secure_vab.h b/arch/arm/mach-socfpga/include/mach/secure_vab.h new file mode 100644 index 0000000000..42588588e8 --- /dev/null +++ b/arch/arm/mach-socfpga/include/mach/secure_vab.h @@ -0,0 +1,63 @@ +/* SPDX-License-Identifier: GPL-2.0 + * + * Copyright (C) 2020 Intel Corporation + * + */ + +#ifndef _SECURE_VAB_H_ +#define _SECURE_VAB_H_ + +#include +#include +#include + +#define VAB_DATA_SZ 64 + +#define SDM_CERT_MAGIC_NUM 0x25D04E7F +#define FCS_HPS_VAB_MAGIC_NUM 0xD0564142 + +#define MAX_CERT_SIZE (SZ_4K) + +/* + * struct fcs_hps_vab_certificate_data + * @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142) + * @flags: TBD + * @fcs_data: Data words being certificate signed. + * @cert_sign_keychain: Certificate Signing Keychain + */ +struct fcs_hps_vab_certificate_data { + u32 vab_cert_magic_num; /* offset 0x10 */ + u32 flags; + u8 rsvd0_1[8]; + u8 fcs_sha384[SHA384_SUM_LEN]; /* offset 0x20 */ +}; + +/* + * struct fcs_hps_vab_certificate_header + * @cert_magic_num: Certificate Magic Word (0x25D04E7F) + * @cert_data_sz: size of this certificate header (0x80) + * Includes magic number all the way to the certificate + * signing keychain (excludes cert. signing keychain) + * @cert_ver: Certificate Version + * @cert_type: Certificate Type + * @data: VAB HPS Image Certificate data + */ +struct fcs_hps_vab_certificate_header { + u32 cert_magic_num; /* offset 0 */ + u32 cert_data_sz; + u32 cert_ver; + u32 cert_type; + struct fcs_hps_vab_certificate_data d; /* offset 0x10 */ + /* keychain starts at offset 0x50 */ +}; + +#define VAB_CERT_HEADER_SIZE sizeof(struct fcs_hps_vab_certificate_header) +#define VAB_CERT_MAGIC_OFFSET offsetof \ + (struct fcs_hps_vab_certificate_header, d) +#define VAB_CERT_FIT_SHA384_OFFSET offsetof \ + (struct fcs_hps_vab_certificate_data, \ + fcs_sha384[0]) + +int socfpga_vendor_authentication(void **p_image, size_t *p_size); + +#endif /* _SECURE_VAB_H_ */ diff --git a/arch/arm/mach-socfpga/secure_vab.c b/arch/arm/mach-socfpga/secure_vab.c new file mode 100644 index 0000000000..e2db588506 --- /dev/null +++ b/arch/arm/mach-socfpga/secure_vab.c @@ -0,0 +1,186 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2020 Intel Corporation + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define CHUNKSZ_PER_WD_RESET (256 * SZ_1K) + +/* + * Read the length of the VAB certificate from the end of image + * and calculate the actual image size (excluding the VAB certificate). + */ +static size_t get_img_size(u8 *img_buf, size_t img_buf_sz) +{ + u8 *img_buf_end = img_buf + img_buf_sz; + u32 cert_sz = get_unaligned_le32(img_buf_end - sizeof(u32)); + u8 *p = img_buf_end - cert_sz - sizeof(u32); + + /* Ensure p is pointing within the img_buf */ + if (p < img_buf || p > (img_buf_end - VAB_CERT_HEADER_SIZE)) + return 0; + + if (get_unaligned_le32(p) == SDM_CERT_MAGIC_NUM) + return (size_t)(p - img_buf); + + return 0; +} + +/* + * Vendor Authorized Boot (VAB) is a security feature for authenticating + * the images such as U-Boot, ARM trusted Firmware, Linux kernel, + * device tree blob and etc loaded from FIT. User can also trigger + * the VAB authentication from U-Boot command. + * + * This function extracts the VAB certificate and signature block + * appended at the end of the image, then send to Secure Device Manager + * (SDM) for authentication. This function will validate the SHA384 + * of the image against the SHA384 hash stored in the VAB certificate + * before sending the VAB certificate to SDM for authentication. + * + * RETURN + * 0 if authentication success or + * if authentication is not required and bypassed on a non-secure device + * negative error code if authentication fail + */ +int socfpga_vendor_authentication(void **p_image, size_t *p_size) +{ + int retry_count = 20; + u8 hash384[SHA384_SUM_LEN]; + u64 img_addr, mbox_data_addr; + size_t img_sz, mbox_data_sz; + u8 *cert_hash_ptr, *mbox_relocate_data_addr; + u32 resp = 0, resp_len = 1; + int ret; + + img_addr = (uintptr_t)*p_image; + + debug("Authenticating image at address 0x%016llx (%ld bytes)\n", + img_addr, *p_size); + + img_sz = get_img_size((u8 *)img_addr, *p_size); + debug("img_sz = %ld\n", img_sz); + + if (!img_sz) { + puts("VAB certificate not found in image!\n"); + return -ENOKEY; + } + + if (!IS_ALIGNED(img_sz, sizeof(u32))) { + printf("Image size (%ld bytes) not aliged to 4 bytes!\n", + img_sz); + return -EBFONT; + } + + /* Generate HASH384 from the image */ + sha384_csum_wd((u8 *)img_addr, img_sz, hash384, CHUNKSZ_PER_WD_RESET); + + cert_hash_ptr = (u8 *)(img_addr + img_sz + VAB_CERT_MAGIC_OFFSET + + VAB_CERT_FIT_SHA384_OFFSET); + + /* + * Compare the SHA384 found in certificate against the SHA384 + * calculated from image + */ + if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) { + puts("SHA384 not match!\n"); + return -EKEYREJECTED; + } + + mbox_data_addr = img_addr + img_sz - sizeof(u32); + /* Size in word (32bits) */ + mbox_data_sz = (ALIGN(*p_size - img_sz, sizeof(u32))) >> 2; + + debug("mbox_data_addr = 0x%016llx\n", mbox_data_addr); + debug("mbox_data_sz = %ld words\n", mbox_data_sz); + + /* + * Relocate certificate to first memory block before trigger SMC call + * to send mailbox command because ATF only able to access first + * memory block. + */ + mbox_relocate_data_addr = (u8 *)malloc(mbox_data_sz * sizeof(u32)); + if (!mbox_relocate_data_addr) { + puts("Out of memory for VAB certificate relocation!\n"); + return -ENOMEM; + } + + memcpy(mbox_relocate_data_addr, (u8 *)mbox_data_addr, mbox_data_sz * sizeof(u32)); + *(u32 *)mbox_relocate_data_addr = 0; + + debug("mbox_relocate_data_addr = 0x%p\n", mbox_relocate_data_addr); + + do { + if (!IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_SPL_ATF)) { + /* Invoke SMC call to ATF to send the VAB certificate to SDM */ + ret = smc_send_mailbox(MBOX_VAB_SRC_CERT, mbox_data_sz, + (u32 *)mbox_relocate_data_addr, 0, &resp_len, + &resp); + } else { + /* Send the VAB certficate to SDM for authentication */ + ret = mbox_send_cmd(MBOX_ID_UBOOT, MBOX_VAB_SRC_CERT, + MBOX_CMD_DIRECT, mbox_data_sz, + (u32 *)mbox_relocate_data_addr, 0, &resp_len, + &resp); + } + /* If SDM is not available, just delay 50ms and retry again */ + if (ret == MBOX_RESP_DEVICE_BUSY) + mdelay(50); + else + break; + } while (--retry_count); + + /* Free the relocate certificate memory space */ + free(mbox_relocate_data_addr); + + /* Exclude the size of the VAB certificate from image size */ + *p_size = img_sz; + + debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp, + resp_len); + + if (ret) { + /* + * Unsupported mailbox command or device not in the + * owned/secure state + */ + if (ret == MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) { + /* SDM bypass authentication */ + printf("%s 0x%016llx (%ld bytes)\n", + "Image Authentication bypassed at address", + img_addr, img_sz); + return 0; + } + puts("VAB certificate authentication failed in SDM"); + if (ret == MBOX_RESP_DEVICE_BUSY) { + puts(" (SDM busy timeout)\n"); + return -ETIMEDOUT; + } else if (ret == MBOX_RESP_UNKNOWN) { + puts(" (Not supported)\n"); + return -ESRCH; + } + puts("\n"); + return -EKEYREJECTED; + } else { + /* If Certificate Process Status has error */ + if (resp) { + puts("VAB certificate process failed\n"); + return -ENOEXEC; + } + } + + printf("%s 0x%016llx (%ld bytes)\n", + "Image Authentication passed at address", img_addr, img_sz); + + return 0; +} diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 5eaabdfc27..7b94f402fd 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -128,7 +128,7 @@ config FIT_BEST_MATCH config FIT_IMAGE_POST_PROCESS bool "Enable post-processing of FIT artifacts after loading by U-Boot" - depends on TI_SECURE_DEVICE + depends on TI_SECURE_DEVICE || SOCFPGA_SECURE_VAB_AUTH help Allows doing any sort of manipulation to blobs after they got extracted from FIT images like stripping off headers or modifying the size of the From patchwork Fri Feb 26 16:11:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444991 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF6P0wfXz9rx6 for ; Sat, 27 Feb 2021 03:12:13 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id DA210827B1; Fri, 26 Feb 2021 17:11:46 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id CAC2A82049; Fri, 26 Feb 2021 17:11:25 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 5A35A80574 for ; Fri, 26 Feb 2021 17:11:19 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: EwowE3tdFQhivEH6KXiaOHuDM503Vg7ETU+HdigbRaRMRktTWe3yt1gpJ2vdyothEwz+FMu2P3 hE5I7d8ZI+jg== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495444" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495444" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:19 -0800 IronPort-SDR: aPvv1CwpTkT+uBb9Y8iBejjRPNtibrW1n6Ulx2ILDcV31RtukGxO/aBzvFVDBj+aWziKu5/Axq U7ByUUvIDS7g== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659468" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:16 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 3/7] arm: socfpga: cmd: Support 'vab' command Date: Sat, 27 Feb 2021 00:11:01 +0800 Message-Id: <20210226161105.2303-4-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean Support 'vab' command to perform vendor authentication. Command format: vab addr len Authorize 'len' bytes starting at 'addr' via vendor public key Signed-off-by: Siew Chin Lim --- v3 --- - Remove the print in 'vab' command to avoid duplicated print out. The 'socfpga_vendor_authntication' function in secure_vab.c will print out the string if VAB success. --- arch/arm/mach-socfpga/Makefile | 1 + arch/arm/mach-socfpga/vab.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 arch/arm/mach-socfpga/vab.c diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach-socfpga/Makefile index 1f1e21766d..9e63296b38 100644 --- a/arch/arm/mach-socfpga/Makefile +++ b/arch/arm/mach-socfpga/Makefile @@ -51,6 +51,7 @@ obj-y += reset_manager_s10.o obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH) += secure_vab.o obj-y += system_manager_s10.o obj-y += timer_s10.o +obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH) += vab.o obj-y += wrap_pinmux_config_s10.o obj-y += wrap_pll_config_s10.o endif diff --git a/arch/arm/mach-socfpga/vab.c b/arch/arm/mach-socfpga/vab.c new file mode 100644 index 0000000000..85b3f30211 --- /dev/null +++ b/arch/arm/mach-socfpga/vab.c @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2020 Intel Corporation + * + */ + +#include +#include +#include +#include + +static int do_vab(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + unsigned long addr, len; + + if (argc < 3) + return CMD_RET_USAGE; + + addr = simple_strtoul(argv[1], NULL, 16); + len = simple_strtoul(argv[2], NULL, 16); + + if (socfpga_vendor_authentication((void *)&addr, (size_t *)&len) != 0) + return CMD_RET_FAILURE; + + return 0; +} + +U_BOOT_CMD( + vab, 3, 2, do_vab, + "perform vendor authorization", + "addr len - authorize 'len' bytes starting at\n" + " 'addr' via vendor public key" +); From patchwork Fri Feb 26 16:11:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444992 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF6h2cSbz9rx6 for ; Sat, 27 Feb 2021 03:12:28 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 3FD74827FA; Fri, 26 Feb 2021 17:11:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id BCD8481FDC; Fri, 26 Feb 2021 17:11:29 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 0CE6980EF2 for ; Fri, 26 Feb 2021 17:11:21 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: R4lhmP7ynidYsRy6IRm8ljbfhOw0txRRtIKiX1FZWJHu6k4ZKTbZrQspffGN6o6/qizrgrivNk OSj6iBjeIFKg== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495451" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495451" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:21 -0800 IronPort-SDR: YEpZ7SFtZ4iqjO3IDW9ageArqjLLr1s2OBcl5Kigc9QoCVq/x6I3f2FJbg4ooQuN7NZ9ebaNim f+QOx4iHl+9g== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659492" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:19 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 4/7] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support Date: Sat, 27 Feb 2021 00:11:02 +0800 Message-Id: <20210226161105.2303-5-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean FIT image of Vendor Authentication Coot (VAB) contains signed images. Signed-off-by: Siew Chin Lim --- arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi index cf365590a8..4b30473743 100644 --- a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi +++ b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi @@ -117,4 +117,26 @@ }; }; +#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH) +&uboot_blob { + filename = "signed-u-boot-nodtb.bin"; +}; + +&atf_blob { + filename = "signed-bl31.bin"; +}; + +&uboot_fdt_blob { + filename = "signed-u-boot.dtb"; +}; + +&kernel_blob { + filename = "signed-Image"; +}; + +&kernel_fdt_blob { + filename = "signed-linux.dtb"; +}; +#endif + #endif From patchwork Fri Feb 26 16:11:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444993 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF6x1tvhz9sBy for ; Sat, 27 Feb 2021 03:12:41 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id AF47082824; Fri, 26 Feb 2021 17:11:57 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id C24D982082; Fri, 26 Feb 2021 17:11:31 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B62C18207F for ; Fri, 26 Feb 2021 17:11:24 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: PVR6hi9kTlQmql8iGZvYu4HuGDjeAM7rvu1lZllVBn1ct0lQ6p3rLIe2Kb5aDI+iyduuLAOCx4 F+BPaGYqGn+g== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495469" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495469" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:24 -0800 IronPort-SDR: Nwy/Jmbn5Jmdv2s9mpVWhHzhgwfSqEQRhi06dVkTEVkan9SwRmn4IOOGtQUDGRv6dejRdpWrFG dk0nVU4GY6WQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659506" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:21 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 5/7] configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig Date: Sat, 27 Feb 2021 00:11:03 +0800 Message-Id: <20210226161105.2303-6-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean CONFIG_BOOTCOMMAND have been moved to Kconfig.boot. This patch move the CONFIG_BOOTCOMMAND macro from socfpga_soc64_common.h to *_defconfig file for both Stratix 10 and Agilex. Signed-off-by: Siew Chin Lim --- configs/socfpga_agilex_atf_defconfig | 2 ++ configs/socfpga_agilex_defconfig | 2 ++ configs/socfpga_stratix10_atf_defconfig | 2 ++ configs/socfpga_stratix10_defconfig | 2 ++ include/configs/socfpga_soc64_common.h | 8 +------- 5 files changed, 9 insertions(+), 7 deletions(-) diff --git a/configs/socfpga_agilex_atf_defconfig b/configs/socfpga_agilex_atf_defconfig index ebe6ce63a4..7adda02b00 100644 --- a/configs/socfpga_agilex_atf_defconfig +++ b/configs/socfpga_agilex_atf_defconfig @@ -20,6 +20,8 @@ CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot" CONFIG_SPL_CACHE=y CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y diff --git a/configs/socfpga_agilex_defconfig b/configs/socfpga_agilex_defconfig index 230d3c2ce5..3d5d39fe0f 100644 --- a/configs/socfpga_agilex_defconfig +++ b/configs/socfpga_agilex_defconfig @@ -18,6 +18,8 @@ CONFIG_DEFAULT_DEVICE_TREE="socfpga_agilex_socdk" CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="run fatscript; run mmcload; run linux_qspi_enable; run mmcboot" CONFIG_SPL_CACHE=y CONFIG_SPL_SPI_LOAD=y CONFIG_HUSH_PARSER=y diff --git a/configs/socfpga_stratix10_atf_defconfig b/configs/socfpga_stratix10_atf_defconfig index d1b12113ab..8dbb7424ba 100644 --- a/configs/socfpga_stratix10_atf_defconfig +++ b/configs/socfpga_stratix10_atf_defconfig @@ -20,6 +20,8 @@ CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot" CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y CONFIG_SPL_ATF_NO_PLATFORM_PARAM=y diff --git a/configs/socfpga_stratix10_defconfig b/configs/socfpga_stratix10_defconfig index 3df44bb88d..2d145e1a5f 100644 --- a/configs/socfpga_stratix10_defconfig +++ b/configs/socfpga_stratix10_defconfig @@ -20,6 +20,8 @@ CONFIG_SPL_OPTIMIZE_INLINING=y CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="run fatscript; run mmcload; run linux_qspi_enable; run mmcboot" CONFIG_SPL_SPI_LOAD=y CONFIG_HUSH_PARSER=y CONFIG_SYS_PROMPT="SOCFPGA_STRATIX10 # " diff --git a/include/configs/socfpga_soc64_common.h b/include/configs/socfpga_soc64_common.h index fdcd7d3e9a..0e54601257 100644 --- a/include/configs/socfpga_soc64_common.h +++ b/include/configs/socfpga_soc64_common.h @@ -79,19 +79,13 @@ unsigned int cm_get_qspi_controller_clk_hz(void); #endif /* CONFIG_CADENCE_QSPI */ /* - * Boot arguments passed to the boot command. The value of - * CONFIG_BOOTARGS goes into the environment value "bootargs". - * Do note the value will override also the chosen node in FDT blob. + * Environment variable */ #ifdef CONFIG_FIT #define CONFIG_BOOTFILE "kernel.itb" -#define CONFIG_BOOTCOMMAND "run fatscript; run mmcfitload;run linux_qspi_enable;" \ - "run mmcfitboot" #else #define CONFIG_BOOTFILE "Image" -#define CONFIG_BOOTCOMMAND "run fatscript; run mmcload;run linux_qspi_enable;" \ - "run mmcboot" #endif #define CONFIG_EXTRA_ENV_SETTINGS \ From patchwork Fri Feb 26 16:11:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444994 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF7B6SRgz9sBy for ; Sat, 27 Feb 2021 03:12:54 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id CE60482838; Fri, 26 Feb 2021 17:12:04 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id E84FE8207F; Fri, 26 Feb 2021 17:11:32 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id A1CD08270D for ; Fri, 26 Feb 2021 17:11:27 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: WbPAjLT992DBLDvHVYY66D7QBbBISC1eVJV1qsH7JOGwHjE3vxfoHn58DncRrtv1S8wx88dDqo 48F9aVL5JJTA== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495481" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495481" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:27 -0800 IronPort-SDR: LKrNvdmhgftOKXKFNUaFGBqCNoQNDmKm4YSDTyMjjRSjeISI1i62cT1ohqtAwTeepp156LMuR3 5jfbKVW3fP5g== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659524" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:24 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 6/7] configs: socfpga: Add defconfig for Agilex with VAB support Date: Sat, 27 Feb 2021 00:11:04 +0800 Message-Id: <20210226161105.2303-7-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean Booting Agilex with Vendor Authorized Boot. Signed-off-by: Siew Chin Lim --- .../{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) copy configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} (92%) diff --git a/configs/socfpga_agilex_atf_defconfig b/configs/socfpga_agilex_vab_defconfig similarity index 92% copy from configs/socfpga_agilex_atf_defconfig copy to configs/socfpga_agilex_vab_defconfig index 7adda02b00..bca663ed61 100644 --- a/configs/socfpga_agilex_atf_defconfig +++ b/configs/socfpga_agilex_vab_defconfig @@ -9,6 +9,7 @@ CONFIG_ENV_OFFSET=0x200 CONFIG_SYS_SPI_U_BOOT_OFFS=0x02000000 CONFIG_DM_GPIO=y CONFIG_SPL_TEXT_BASE=0xFFE00000 +CONFIG_SOCFPGA_SECURE_VAB_AUTH=y CONFIG_TARGET_SOCFPGA_AGILEX_SOCDK=y CONFIG_IDENT_STRING="socfpga_agilex" CONFIG_SPL_FS_FAT=y @@ -17,11 +18,12 @@ CONFIG_FIT=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000 # CONFIG_USE_SPL_FIT_GENERATOR is not set +# CONFIG_LEGACY_IMAGE_FORMAT is not set CONFIG_BOOTDELAY=5 CONFIG_USE_BOOTARGS=y CONFIG_BOOTARGS="earlycon" CONFIG_USE_BOOTCOMMAND=y -CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot" +CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run mmcfitboot" CONFIG_SPL_CACHE=y CONFIG_SPL_SPI_LOAD=y CONFIG_SPL_ATF=y From patchwork Fri Feb 26 16:11:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siew Chin Lim X-Patchwork-Id: 1444995 X-Patchwork-Delegate: simon.k.r.goldschmidt@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DnF7Q4rsPz9sBy for ; Sat, 27 Feb 2021 03:13:06 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id A963F82849; Fri, 26 Feb 2021 17:12:09 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 5D13E82082; Fri, 26 Feb 2021 17:11:35 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 6AE2D80EF2 for ; Fri, 26 Feb 2021 17:11:30 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=elly.siew.chin.lim@intel.com IronPort-SDR: l537qZXib5Y4MWVc+AGnvDI5J4GeXrwTs5mOjBGAVL/dRQbEEctTJTk8IXJPVK5ZlZ/utuba9R gAXko+BgVxIg== X-IronPort-AV: E=McAfee;i="6000,8403,9907"; a="182495499" X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="182495499" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Feb 2021 08:11:30 -0800 IronPort-SDR: X2l1NDMcS/mXSnaI3ZzQpbw/Px7Zb53ahOWtWoK5dd59lseYwVunZXSoA2//z4tvtAZzlQQrl2 WhlMQXG19/Iw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,208,1610438400"; d="scan'208";a="393659538" Received: from pg-iccf0306.altera.com ([10.104.2.59]) by fmsmga008.fm.intel.com with ESMTP; 26 Feb 2021 08:11:27 -0800 From: Siew Chin Lim To: u-boot@lists.denx.de Cc: Marek Vasut , Ley Foon Tan , Chin Liang See , Simon Goldschmidt , Tien Fong Chee , Dalon Westergreen , Simon Glass , Yau Wai Gan , Siew Chin Lim Subject: [v4 7/7] Makefile: socfpga: Add target to generate hex output for combined spl and dtb Date: Sat, 27 Feb 2021 00:11:05 +0800 Message-Id: <20210226161105.2303-8-elly.siew.chin.lim@intel.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> References: <20210226161105.2303-1-elly.siew.chin.lim@intel.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean From: Dalon Westergreen Add target to Makefile to generate "u-boot-spl-dtb.hex" for Intel SOCFPGA SOC64 devices (Stratix 10 and Agilex). "u-boot-spl-dtb.hex" is hex formatted spl with and offset of CONFIG_SPL_TEXT_BASE. It combines the spl image and dtb. "u-boot-spl-dtb.hex" is needed to generate the final configuration bitstream for Intel SOCFPGA SOC64 devices. Signed-off-by: Dalon Westergreen Signed-off-by: Siew Chin Lim --- v4 --- - Replace CONFIG_TARGET_SOCFPGA_STRATIX10/AGILEX with CONFIG_TARGET_SOCFPGA_SOC64. - Add this patch into 'VAB' series because it is depending on CONFIG_TARGET_SOCFPGA_SOC64 patch. --- Makefile | 11 ++++++----- include/configs/socfpga_soc64_common.h | 2 +- scripts/Makefile.spl | 7 +++++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 23dd11f723..dd7781b43c 100644 --- a/Makefile +++ b/Makefile @@ -1263,11 +1263,6 @@ OBJCOPYFLAGS_u-boot-nodtb.bin := -O binary \ $(if $(CONFIG_X86_16BIT_INIT),-R .start16 -R .resetvec) \ $(if $(CONFIG_MPC85XX_HAVE_RESET_VECTOR),-R .bootpg -R .resetvec) -OBJCOPYFLAGS_u-boot-spl.hex = $(OBJCOPYFLAGS_u-boot.hex) - -spl/u-boot-spl.hex: spl/u-boot-spl FORCE - $(call if_changed,objcopy) - binary_size_check: u-boot-nodtb.bin FORCE @file_size=$(shell wc -c u-boot-nodtb.bin | awk '{print $$1}') ; \ map_size=$(shell cat u-boot.map | \ @@ -1931,6 +1926,12 @@ spl/u-boot-spl.bin: spl/u-boot-spl @: $(SPL_SIZE_CHECK) +spl/u-boot-spl-dtb.bin: spl/u-boot-spl + @: + +spl/u-boot-spl-dtb.hex: spl/u-boot-spl + @: + spl/u-boot-spl: tools prepare \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \ $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) diff --git a/include/configs/socfpga_soc64_common.h b/include/configs/socfpga_soc64_common.h index 0e54601257..1cfa190047 100644 --- a/include/configs/socfpga_soc64_common.h +++ b/include/configs/socfpga_soc64_common.h @@ -194,7 +194,7 @@ unsigned int cm_get_l4_sys_free_clk_hz(void); * 0x8000_0000 ...... End of SDRAM_1 (assume 2GB) * */ -#define CONFIG_SPL_TARGET "spl/u-boot-spl.hex" +#define CONFIG_SPL_TARGET "spl/u-boot-spl-dtb.hex" #define CONFIG_SPL_MAX_SIZE CONFIG_SYS_INIT_RAM_SIZE #define CONFIG_SPL_STACK CONFIG_SYS_INIT_SP_ADDR #define CONFIG_SPL_BSS_MAX_SIZE 0x100000 /* 1 MB */ diff --git a/scripts/Makefile.spl b/scripts/Makefile.spl index ea4e045769..1fd63efdfd 100644 --- a/scripts/Makefile.spl +++ b/scripts/Makefile.spl @@ -229,6 +229,8 @@ ifneq ($(CONFIG_TARGET_SOCFPGA_GEN5)$(CONFIG_TARGET_SOCFPGA_ARRIA10),) INPUTS-y += $(obj)/$(SPL_BIN).sfp endif +INPUTS-$(CONFIG_TARGET_SOCFPGA_SOC64) += $(obj)/u-boot-spl-dtb.hex + ifdef CONFIG_ARCH_SUNXI INPUTS-y += $(obj)/sunxi-spl.bin @@ -389,6 +391,11 @@ $(obj)/$(SPL_BIN).sfp: $(obj)/$(SPL_BIN).bin FORCE MKIMAGEFLAGS_sunxi-spl.bin = -T sunxi_egon \ -n $(CONFIG_DEFAULT_DEVICE_TREE) +OBJCOPYFLAGS_u-boot-spl-dtb.hex := -I binary -O ihex --change-address=$(CONFIG_SPL_TEXT_BASE) + +$(obj)/u-boot-spl-dtb.hex: $(obj)/u-boot-spl-dtb.bin FORCE + $(call if_changed,objcopy) + $(obj)/sunxi-spl.bin: $(obj)/$(SPL_BIN).bin FORCE $(call if_changed,mkimage)