u-boot-brain/arch/arm/include/asm/fsl_secure_boot.h

/*
 * Copyright 2015 Freescale Semiconductor, Inc.
 *
 * SPDX-License-Identifier:	GPL-2.0+
 */

#ifndef __FSL_SECURE_BOOT_H
#define __FSL_SECURE_BOOT_H

#ifdef CONFIG_SECURE_BOOT

#ifndef CONFIG_FIT_SIGNATURE
#define CONFIG_CHAIN_OF_TRUST
#endif

#endif

#ifdef CONFIG_CHAIN_OF_TRUST
#define CONFIG_CMD_ESBC_VALIDATE
#define CONFIG_CMD_BLOB
#define CONFIG_CMD_HASH
#define CONFIG_FSL_SEC_MON
#define CONFIG_SHA_HW_ACCEL
#define CONFIG_SHA_PROG_HW_ACCEL
#define CONFIG_RSA_FREESCALE_EXP

#ifndef CONFIG_FSL_CAAM
#define CONFIG_FSL_CAAM
#endif

#define CONFIG_KEY_REVOCATION
#ifndef CONFIG_SYS_RAMBOOT
/* The key used for verification of next level images
 * is picked up from an Extension Table which has
 * been verified by the ISBC (Internal Secure boot Code)
 * in boot ROM of the SoC.
 * The feature is only applicable in case of NOR boot and is
 * not applicable in case of RAMBOOT (NAND, SD, SPI).
 */
#ifndef CONFIG_ESBC_HDR_LS
/* Current Key EXT feature not available in LS ESBC Header */
#define CONFIG_FSL_ISBC_KEY_EXT
#endif

#endif

#if defined(CONFIG_LS1043A) || defined(CONFIG_LS2080A) ||\
	defined(CONFIG_LS2085A)
/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit
 * Similiarly for LS2080 and LS2085
 */
#define CONFIG_ESBC_ADDR_64BIT
#endif

#define CONFIG_EXTRA_ENV \
	"setenv fdt_high 0xcfffffff;"	\
	"setenv initrd_high 0xcfffffff;"	\
	"setenv hwconfig \'fsl_ddr:ctlr_intlv=null,bank_intlv=null\';"

/* The address needs to be modified according to NOR memory map */
#define CONFIG_BOOTSCRIPT_HDR_ADDR	0x600a0000

#include <config_fsl_chain_trust.h>
#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
Add bootscript support to esbc_validate. 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ "setenv bs_hdraddr 0xe8e00000;" \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt;" #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-03-10 17:38:50 +09:00			`/*`
			`* Copyright 2015 Freescale Semiconductor, Inc.`
			`*`
			`* SPDX-License-Identifier: GPL-2.0+`
			`*/`

			`#ifndef __FSL_SECURE_BOOT_H`
			`#define __FSL_SECURE_BOOT_H`

			`#ifdef CONFIG_SECURE_BOOT`
secure_boot: split the secure boot functionality in two parts There are two phases in Secure Boot 1. ISBC: In BootROM, validate the BootLoader (U-Boot). 2. ESBC: In U-Boot, continuing the Chain of Trust by validating and booting LINUX. For ESBC phase, there is no difference in SoC's based on ARM or PowerPC cores. But the exit conditions after ISBC phase i.e. entry conditions for U-Boot are different for ARM and PowerPC. PowerPC: If Secure Boot is executed, a separate U-Boot target is required which must be compiled with a diffrent Text Base as compared to Non-Secure Boot. There are some LAW and TLB settings which are required specifically for Secure Boot scenario. ARM: ARM based SoC's have a fixed memory map and exit conditions from BootROM are same irrespective of boot mode (Secure or Non-Secure). Thus the current Secure Boot functionlity has been split into two parts: CONFIG_CHAIN_OF_TRUST This will have the following functionality as part of U-Boot: 1. Enable commands like esbc_validate, esbc_halt 2. Change the environment settings based on bootmode, determined at run time: - If bootmode is non-secure, no change - If bootmode is secure, set the following: - bootdelay = 0 (Don't give boot prompt) - bootcmd = Validate and execute the bootscript. CONFIG_SECURE_BOOT This is defined only for creating a different compile time target for secure boot. Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT. This patch is aimed at removing the requirement for a separate Secure Boot target for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be determine at run time. Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt must not be picked from flash/external memory. This cannot be done based on bootmode at run time in current U-Boot architecture. Once this dependency is resolved, no separate SECURE_BOOT target will be required for ARM based SoC's. Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining CONFIG_ENV_IS_NOWHERE Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-01-22 20:07:24 +09:00
			`#ifndef CONFIG_FIT_SIGNATURE`
			`#define CONFIG_CHAIN_OF_TRUST`
			`#endif`

			`#endif`

			`#ifdef CONFIG_CHAIN_OF_TRUST`
SECURE_BOOT: Disable IE Key feature for RAMBOOT ISBC Key Extension feature is not applicable for RAMBOOT as there is no way to retrieve the CSF Header and validated IE Key table from SRAM once CPC has been disabled. The feature is only applicable in case of NOR SECURE BOOT. Code Cleanup: The SECURE_BOOT specific defines have been moved from arch-ls102xa/config.h to arm/include/asm/fsl_secure_boot.h Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-07-31 17:40:03 +09:00			`#define CONFIG_CMD_ESBC_VALIDATE`
secure_boot: include/configs: move definition of CONFIG_CMD_BLOB CONFIG_CMD_BLOB must be defined in case of Secure Boot. It was earlier defined in all config files. The definition has been moved to a common file which is included by all configs. Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-01-22 20:07:23 +09:00			`#define CONFIG_CMD_BLOB`
armv8: ls2080rdb: ls2080qds: Add secure boot support Sec_init has been called at the beginning to initialize SEC Block (CAAM) which is used by secure boot validation later for both ls2080a qds and rdb. 64-bit address in ESBC Header has been enabled. Secure boot defconfigs are created for boards (NOR boot). Signed-off-by: Saksham Jain <saksham.jain@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-03-23 19:54:35 +09:00			`#define CONFIG_CMD_HASH`
SECURE_BOOT: Disable IE Key feature for RAMBOOT ISBC Key Extension feature is not applicable for RAMBOOT as there is no way to retrieve the CSF Header and validated IE Key table from SRAM once CPC has been disabled. The feature is only applicable in case of NOR SECURE BOOT. Code Cleanup: The SECURE_BOOT specific defines have been moved from arch-ls102xa/config.h to arm/include/asm/fsl_secure_boot.h Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-07-31 17:40:03 +09:00			`#define CONFIG_FSL_SEC_MON`
armv8: ls2080rdb: ls2080qds: Add secure boot support Sec_init has been called at the beginning to initialize SEC Block (CAAM) which is used by secure boot validation later for both ls2080a qds and rdb. 64-bit address in ESBC Header has been enabled. Secure boot defconfigs are created for boards (NOR boot). Signed-off-by: Saksham Jain <saksham.jain@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-03-23 19:54:35 +09:00			`#define CONFIG_SHA_HW_ACCEL`
SECURE_BOOT: Disable IE Key feature for RAMBOOT ISBC Key Extension feature is not applicable for RAMBOOT as there is no way to retrieve the CSF Header and validated IE Key table from SRAM once CPC has been disabled. The feature is only applicable in case of NOR SECURE BOOT. Code Cleanup: The SECURE_BOOT specific defines have been moved from arch-ls102xa/config.h to arm/include/asm/fsl_secure_boot.h Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-07-31 17:40:03 +09:00			`#define CONFIG_SHA_PROG_HW_ACCEL`
			`#define CONFIG_RSA_FREESCALE_EXP`
armv8/ls1043ardb: add SECURE BOOT target for NOR LS1043ARDB Secure Boot Target from NOR has been added. - Configs defined to enable esbc_validate. - ESBC Address in header is made 64 bit. - SMMU is re-configured in Bypass mode. Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-12-08 17:24:29 +09:00
SECURE_BOOT: Disable IE Key feature for RAMBOOT ISBC Key Extension feature is not applicable for RAMBOOT as there is no way to retrieve the CSF Header and validated IE Key table from SRAM once CPC has been disabled. The feature is only applicable in case of NOR SECURE BOOT. Code Cleanup: The SECURE_BOOT specific defines have been moved from arch-ls102xa/config.h to arm/include/asm/fsl_secure_boot.h Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-07-31 17:40:03 +09:00			`#ifndef CONFIG_FSL_CAAM`
			`#define CONFIG_FSL_CAAM`
			`#endif`

			`#define CONFIG_KEY_REVOCATION`
			`#ifndef CONFIG_SYS_RAMBOOT`
			`/* The key used for verification of next level images`
			`* is picked up from an Extension Table which has`
			`* been verified by the ISBC (Internal Secure boot Code)`
			`* in boot ROM of the SoC.`
			`* The feature is only applicable in case of NOR boot and is`
			`* not applicable in case of RAMBOOT (NAND, SD, SPI).`
			`*/`
armv8: fsl-lsch3: Add new header for secure boot For secure boot, a header is used to identify key table, signature and image address. A new header structure is added for lsch3. Currently key extension (IE) feature is not supported. Single key feature is not supported. Keys must be in table format. Hence, SRK (key table) must be present. Max key number has increase from 4 to 8. The 8th key is irrevocable. A new barker Code is used. Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Signed-off-by: Saksham Jain <saksham.jain@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-03-23 19:54:34 +09:00			`#ifndef CONFIG_ESBC_HDR_LS`
			`/* Current Key EXT feature not available in LS ESBC Header */`
SECURE_BOOT: Disable IE Key feature for RAMBOOT ISBC Key Extension feature is not applicable for RAMBOOT as there is no way to retrieve the CSF Header and validated IE Key table from SRAM once CPC has been disabled. The feature is only applicable in case of NOR SECURE BOOT. Code Cleanup: The SECURE_BOOT specific defines have been moved from arch-ls102xa/config.h to arm/include/asm/fsl_secure_boot.h Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-07-31 17:40:03 +09:00			`#define CONFIG_FSL_ISBC_KEY_EXT`
			`#endif`

armv8: fsl-lsch3: Add new header for secure boot For secure boot, a header is used to identify key table, signature and image address. A new header structure is added for lsch3. Currently key extension (IE) feature is not supported. Single key feature is not supported. Keys must be in table format. Hence, SRK (key table) must be present. Max key number has increase from 4 to 8. The 8th key is irrevocable. A new barker Code is used. Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Signed-off-by: Saksham Jain <saksham.jain@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-03-23 19:54:34 +09:00			`#endif`

armv8: ls2080rdb: ls2080qds: Add secure boot support Sec_init has been called at the beginning to initialize SEC Block (CAAM) which is used by secure boot validation later for both ls2080a qds and rdb. 64-bit address in ESBC Header has been enabled. Secure boot defconfigs are created for boards (NOR boot). Signed-off-by: Saksham Jain <saksham.jain@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-03-23 19:54:35 +09:00			`#if defined(CONFIG_LS1043A) \|\| defined(CONFIG_LS2080A) \|\|\`
			`defined(CONFIG_LS2085A)`
			`/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit`
			`* Similiarly for LS2080 and LS2085`
			`*/`
secure_boot: include/configs: make secure boot header file uniform The file fsl_secure_boot.h must be included in config file for Secure Boot. This is not required to be protected by any macro. CONFIG_FSL_CAAM must be defined and CONFIG_CMD_HASH should be turned on. The above was missing in some config files and all files have been made uniform in this respect. Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-01-22 20:07:22 +09:00			`#define CONFIG_ESBC_ADDR_64BIT`
			`#endif`

Add bootscript support to esbc_validate. 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ "setenv bs_hdraddr 0xe8e00000;" \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt;" #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-03-10 17:38:50 +09:00			`#define CONFIG_EXTRA_ENV \`
			`"setenv fdt_high 0xcfffffff;" \`
			`"setenv initrd_high 0xcfffffff;" \`
			`"setenv hwconfig \'fsl_ddr:ctlr_intlv=null,bank_intlv=null\';"`

			`/* The address needs to be modified according to NOR memory map */`
			`#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000`

secure_boot: split the secure boot functionality in two parts There are two phases in Secure Boot 1. ISBC: In BootROM, validate the BootLoader (U-Boot). 2. ESBC: In U-Boot, continuing the Chain of Trust by validating and booting LINUX. For ESBC phase, there is no difference in SoC's based on ARM or PowerPC cores. But the exit conditions after ISBC phase i.e. entry conditions for U-Boot are different for ARM and PowerPC. PowerPC: If Secure Boot is executed, a separate U-Boot target is required which must be compiled with a diffrent Text Base as compared to Non-Secure Boot. There are some LAW and TLB settings which are required specifically for Secure Boot scenario. ARM: ARM based SoC's have a fixed memory map and exit conditions from BootROM are same irrespective of boot mode (Secure or Non-Secure). Thus the current Secure Boot functionlity has been split into two parts: CONFIG_CHAIN_OF_TRUST This will have the following functionality as part of U-Boot: 1. Enable commands like esbc_validate, esbc_halt 2. Change the environment settings based on bootmode, determined at run time: - If bootmode is non-secure, no change - If bootmode is secure, set the following: - bootdelay = 0 (Don't give boot prompt) - bootcmd = Validate and execute the bootscript. CONFIG_SECURE_BOOT This is defined only for creating a different compile time target for secure boot. Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT. This patch is aimed at removing the requirement for a separate Secure Boot target for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be determine at run time. Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt must not be picked from flash/external memory. This cannot be done based on bootmode at run time in current U-Boot architecture. Once this dependency is resolved, no separate SECURE_BOOT target will be required for ARM based SoC's. Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining CONFIG_ENV_IS_NOWHERE Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com> Acked-by: Ruchika Gupta <ruchika.gupta@nxp.com> Reviewed-by: York Sun <york.sun@nxp.com> 2016-01-22 20:07:24 +09:00			`#include <config_fsl_chain_trust.h>`
			`#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */`
Add bootscript support to esbc_validate. 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ "setenv bs_hdraddr 0xe8e00000;" \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt;" #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com> Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com> Reviewed-by: York Sun <yorksun@freescale.com> 2015-03-10 17:38:50 +09:00			`#endif`