diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index ca06c1eaaf..27b0b081ad 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -81,6 +81,13 @@ config CMD_DEKBLOB creates a blob of data. See also CMD_BLOB and doc/imx/habv4/* for more information. +config CMD_PRIBLOB + bool "Support the set_priblob_bitfield command" + depends on HAS_CAAM && IMX_HAB + help + This option enables the priblob command which can be used + to set the priblob setting to 0x3. + config CMD_HDMIDETECT bool "Support the 'hdmidet' command" help diff --git a/arch/arm/mach-imx/Makefile b/arch/arm/mach-imx/Makefile index 63b3549d20..82aa39dee7 100644 --- a/arch/arm/mach-imx/Makefile +++ b/arch/arm/mach-imx/Makefile @@ -30,6 +30,7 @@ obj-$(CONFIG_SYS_I2C_MXC) += i2c-mxv7.o endif ifeq ($(SOC),$(filter $(SOC),mx7 mx6 mxs imx8m imx8 imxrt)) obj-y += misc.o +obj-$(CONFIG_CMD_PRIBLOB) += priblob.o obj-$(CONFIG_SPL_BUILD) += spl.o endif ifeq ($(SOC),$(filter $(SOC),mx7)) diff --git a/arch/arm/mach-imx/priblob.c b/arch/arm/mach-imx/priblob.c new file mode 100644 index 0000000000..e253eddfdc --- /dev/null +++ b/arch/arm/mach-imx/priblob.c 
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2018 NXP
+ */
+
+/*
+ * Boot command to get and set the PRIBLOB bitfield form the SCFGR register
+ * of the CAAM IP. It is recommended to set this bitfield to 3 once your
+ * encrypted boot image is ready, to prevent the generation of blobs usable
+ * to decrypt an encrypted boot image.
+ */
+
+#include
+#include
+#include
+#include "../drivers/crypto/fsl_caam_internal.h"
+
+int do_priblob_write(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+ writel((readl(CAAM_SCFGR) & 0xFFFFFFFC) | 3, CAAM_SCFGR);
+ printf("New priblob setting = 0x%x\n", readl(CAAM_SCFGR) & 0x3);
+
+ return 0;
+}
+
+U_BOOT_CMD(
+ set_priblob_bitfield, 1, 0, do_priblob_write,
+ "Set the PRIBLOB bitfield to 3",
+ "\n"
+ " - Write 3 in PRIBLOB bitfield of SCFGR regiter of CAAM IP.\n"
+ " Prevent the generation of blobs usable to decrypt an\n"
+ " encrypted boot image."
+);
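Review bot: `do_priblob_write` returns 0 unconditionally, so a boot script that runs `set_priblob_bitfield` as a lock-down step cannot tell whether the write to SCFGR took effect; the register is read back only to feed the printf. I would read it once with `u32 v = readl(CAAM_SCFGR) & 0x3;`, print `v`, and finish with `return v == 0x3 ? CMD_RET_SUCCESS : CMD_RET_FAILURE;`. As far as this file shows, the handler is referenced only through `U_BOOT_CMD`, so it should be declared `static`, and the mask `0xFFFFFFFC` and the value `3` would read better as named constants. The file header comment says the command can "get and set" the bitfield, but only the set path is implemented; either add a read-only form or reword the comment to "set".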