From patchwork Fri Feb 26 16:10:58 2021
X-Patchwork-Submitter: Siew Chin Lim
X-Patchwork-Id: 1444988
From: Siew Chin Lim
To: u-boot@lists.denx.de
Cc: Marek Vasut, Ley Foon Tan, Chin Liang See, Simon Goldschmidt, Tien Fong Chee, Dalon Westergreen, Simon Glass, Yau Wai Gan, Siew Chin Lim
Subject: [v4 0/7] Add Vendor Authorized Boot (VAB) support
Date: Sat, 27 Feb 2021 00:10:58 +0800
Message-Id: <20210226161105.2303-1-elly.siew.chin.lim@intel.com>

This is the 4th version of the patchset to add Vendor Authorized Boot (VAB) support for the Intel Agilex SoC device.

Vendor Authorized Boot is a security feature for authenticating images such as U-Boot, ARM Trusted Firmware, the Linux kernel, the device tree blob, etc., loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to the Secure Device Manager (SDM) for authentication.
U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to the SDM for authentication.

Patch status:
Have changes: Patch 2, 7
Other patches unchanged.
A detailed changelog can be found in the commit messages.

v3->v4:
--------
Patch 2:
- Move the functions 'board_fit_image_post_process' and 'board_prep_linux' from secure_vab.c to board.c

Patch 7:
- Replace CONFIG_TARGET_SOCFPGA_STRATIX10/AGILEX with CONFIG_TARGET_SOCFPGA_SOC64.
- Add this patch into the 'VAB' series because it depends on the CONFIG_TARGET_SOCFPGA_SOC64 patch.

History:
--------
[v1]: https://patchwork.ozlabs.org/project/uboot/cover/20201110070505.26935-1-elly.siew.chin.lim@intel.com/
[v2]: https://patchwork.ozlabs.org/project/uboot/cover/20210107100337.45293-1-elly.siew.chin.lim@intel.com/
[v3]: https://patchwork.ozlabs.org/project/uboot/cover/20210205105212.16510-1-elly.siew.chin.lim@intel.com/

Dalon Westergreen (1):
  Makefile: socfpga: Add target to generate hex output for combined spl and dtb

Siew Chin Lim (6):
  arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64
  arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
  arm: socfpga: cmd: Support 'vab' command
  arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support
  configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig
  configs: socfpga: Add defconfig for Agilex with VAB support

 Makefile                                           |  11 +-
 arch/arm/Kconfig                                   |   6 +-
 arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi         |  22 +++
 arch/arm/mach-socfpga/Kconfig                      |  20 +++
 arch/arm/mach-socfpga/Makefile                     |   3 +
 arch/arm/mach-socfpga/board.c                      |  43 ++++-
 arch/arm/mach-socfpga/include/mach/mailbox_s10.h   |   1 +
 arch/arm/mach-socfpga/include/mach/reset_manager.h |   3 +-
 arch/arm/mach-socfpga/include/mach/secure_vab.h    |  63 +++++++
 .../arm/mach-socfpga/include/mach/system_manager.h |   3 +-
 arch/arm/mach-socfpga/secure_vab.c                 | 186 +++++++++++++++++++++
 arch/arm/mach-socfpga/vab.c                        |  34 ++++
 common/Kconfig.boot                                |   2 +-
 configs/socfpga_agilex_atf_defconfig               |   2 +
 configs/socfpga_agilex_defconfig                   |   2 +
 ..._atf_defconfig => socfpga_agilex_vab_defconfig} |   4 +
 configs/socfpga_stratix10_atf_defconfig            |   2 +
 configs/socfpga_stratix10_defconfig                |   2 +
 drivers/ddr/altera/Kconfig                         |   6 +-
 drivers/fpga/Kconfig                               |   2 +-
 drivers/sysreset/Kconfig                           |   2 +-
 include/configs/socfpga_soc64_common.h             |  10 +-
 scripts/Makefile.spl                               |   7 +
 23 files changed, 406 insertions(+), 30 deletions(-)
 create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
 create mode 100644 arch/arm/mach-socfpga/secure_vab.c
 create mode 100644 arch/arm/mach-socfpga/vab.c
 copy configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} (91%)
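The U-Boot-side pre-check the cover letter describes (recompute SHA384 over the loaded image and compare it with the hash carried in the certificate appended to that image, before handing the image to the SDM), as an added illustration that is not code from this series or from U-Boot. The certificate layout (magic, length, digest), the marker value CERT_MAGIC and the sample payload are constructed assumptions for this example only, not the real VAB certificate format.

```python
import hashlib
import hmac
import struct

# Constructed layout (assumption for this example; the real VAB certificate
# format lives in the series' secure_vab.h and Intel's SDM documentation):
#   magic (4 bytes LE) | payload length (4 bytes LE) | SHA-384 digest (48 bytes)
CERT_MAGIC = 0x56414231               # constructed marker value
CERT_FMT = "<II48s"
CERT_LEN = struct.calcsize(CERT_FMT)  # 56 bytes


def append_cert(payload: bytes) -> bytes:
    """Build image || certificate the way a signing tool would (hypothetical layout)."""
    digest = hashlib.sha384(payload).digest()
    return payload + struct.pack(CERT_FMT, CERT_MAGIC, len(payload), digest)


def precheck_image(image: bytes):
    """Mirror the pre-SDM check: locate the trailing certificate, recompute
    SHA-384 over the bytes it claims to cover, and compare with the stored
    digest.  Returns (ok, reason).  A pass only means the image is worth
    forwarding to the SDM; the signature over the certificate is authenticated
    there, not here, so this check alone never authorizes boot."""
    if len(image) < CERT_LEN:
        return False, "image shorter than certificate block"
    magic, payload_len, stored = struct.unpack(CERT_FMT, image[-CERT_LEN:])
    if magic != CERT_MAGIC:
        return False, "no certificate block at end of image"
    if payload_len != len(image) - CERT_LEN:
        # Certificate does not cover exactly the bytes present: treat as tampered.
        return False, "certificate length field does not match image"
    computed = hashlib.sha384(image[:payload_len]).digest()
    if not hmac.compare_digest(computed, stored):   # constant-time compare
        return False, "SHA-384 mismatch"
    return True, "hash ok; forward to SDM for signature authentication"


# Constructed sample payload standing in for one FIT sub-image (e.g. a kernel).
SAMPLE_PAYLOAD = b"\x7fELFconstructed-kernel-image-bytes" * 64

if __name__ == "__main__":
    good = append_cert(SAMPLE_PAYLOAD)
    print(precheck_image(good))
    bad = bytearray(good)
    bad[10] ^= 0x01                   # flip one payload bit
    print(precheck_image(bytes(bad)))
```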