Merge branch '2022-05-02-add-verifying-program-loader'

To quote the author:

U-Boot provides a verified-boot feature based around FIT, but there is
no standard way of implementing it for a board. At present the various
required pieces must be built up separately, to produce a working
implementation. In particular, there is no built-in support for selecting
A/B boot or recovery mode.

This series introduces VPL, a verified program loader phase for U-Boot.
Its purpose is to run the verified-boot process and decide which SPL
binary should be run. It is critical that this decision happens before
SPL runs, since SPL sets up SDRAM and we need to be able to update the
SDRAM-init code in the field.

Adding VPL into the boot flow provides a standard place to implement
verified boot. This series includes the phase itself, some useful Kconfig
options and a sandbox_vpl build for sandbox. No verfied-boot support is
provided in this series.

Most of the patches in this series are fixes and improvements to docs and
various Kconfig conditions for SPL.

2 files changed, 255 insertions, 4 deletions

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index ac61b25a06..84f2847c72 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1,4 +1,4 @@
-menu "SPL / TPL"
+menu "SPL / TPL / VPL"
 
 config SUPPORT_SPL
 	bool
@@ -6,6 +6,9 @@ config SUPPORT_SPL
 config SUPPORT_TPL
 	bool
 
+config SUPPORT_VPL
+	bool
+
 config SPL_DFU_NO_RESET
 	bool
 
@@ -186,6 +189,13 @@ config SPL_BOARD_INIT
 	  spl_board_init() from board_init_r(). This function should be
 	  provided by the board.
 
+config VPL_BOARD_INIT
+	bool "Call board-specific initialization in VPL"
+	help
+	  If this option is enabled, U-Boot will call the function
+	  spl_board_init() from board_init_r(). This function should be
+	  provided by the board.
+
 config SPL_BOOTROM_SUPPORT
 	bool "Support returning to the BOOTROM"
 	help
@@ -302,6 +312,16 @@ config SPL_READ_ONLY
 	  writeable memory) of anything it wants to modify, such as
 	  device-private data.
 
+config TPL_SEPARATE_BSS
+	bool "BSS section is in a different memory region from text"
+	default y if SPL_SEPARATE_BSS
+	help
+	  Some platforms need a large BSS region in TPL and can provide this
+	  because RAM is already set up. In this case BSS can be moved to RAM.
+	  This option should then be enabled so that the correct device tree
+	  location is used. Normally we put the device tree at the end of BSS
+	  but with this option enabled, it goes at _image_binary_end.
+
 config SPL_BANNER_PRINT
 	bool "Enable output of the SPL banner 'U-Boot SPL ...'"
 	default y
@@ -1619,6 +1639,218 @@ config TPL_YMODEM_SUPPORT
 
 endif # TPL
 
+config VPL
+	bool
+	depends on SUPPORT_SPL
+	prompt "Enable VPL"
+	help
+	  If you want to build VPL as well as the normal image, TPL and SPL,
+	  say Y.
+
+if VPL
+
+config VPL_BANNER_PRINT
+	bool "Enable output of the VPL banner 'U-Boot VPL ...'"
+	depends on VPL
+	default y
+	help
+	  If this option is enabled, VPL will print the banner with version
+	  info. Disabling this option could be useful to reduce VPL boot time
+	  (e.g. approx. 6 ms faster, when output on i.MX6 with 115200 baud).
+
+config VPL_BOARD_INIT
+	bool "Call board-specific initialization in VPL"
+	help
+	  If this option is enabled, U-Boot will call the function
+	  spl_board_init() from board_init_r(). This function should be
+	  provided by the board.
+
+config VPL_CACHE
+	depends on CACHE
+	bool "Support cache drivers in VPL"
+	help
+	  Enable support for cache drivers in VPL.
+
+config VPL_CRC32
+	bool "Support CRC32 in VPL"
+	default y if VPL_ENV_SUPPORT || VPL_BLOBLIST
+	help
+	  Enable this to support CRC32 in uImages or FIT images within VPL.
+	  This is a 32-bit checksum value that can be used to verify images.
+	  For FIT images, this is the least secure type of checksum, suitable
+	  for detected accidental image corruption. For secure applications you
+	  should consider SHA1 or SHA256.
+
+config VPL_DM_SPI
+	bool "Support SPI DM drivers in VPL"
+	help
+	  Enable support for SPI DM drivers in VPL.
+
+config VPL_DM_SPI_FLASH
+	bool "Support SPI DM FLASH drivers in VPL"
+	help
+	  Enable support for SPI DM flash drivers in VPL.
+
+config VPL_FRAMEWORK
+	bool "Support VPL based upon the common SPL framework"
+	default y
+	help
+	  Enable the SPL framework under common/spl/ for VPL builds.
+	  This framework supports MMC, NAND and YMODEM and other methods
+	  loading of U-Boot's next stage. If unsure, say Y.
+
+config VPL_HANDOFF
+	bool "Pass hand-off information from VPL to SPL"
+	depends on HANDOFF && VPL_BLOBLIST
+	default y
+	help
+	  This option enables VPL to write handoff information. This can be
+	  used to pass information like the size of SDRAM from VPL to SPL. Also
+	  VPL can receive information from TPL in the same place if that is
+	  enabled.
+
+config VPL_LIBCOMMON_SUPPORT
+	bool "Support common libraries"
+	default y if SPL_LIBCOMMON_SUPPORT
+	help
+	  Enable support for common U-Boot libraries within VPL. See
+	  SPL_LIBCOMMON_SUPPORT for details.
+
+config VPL_LIBGENERIC_SUPPORT
+	bool "Support generic libraries"
+	default y if SPL_LIBGENERIC_SUPPORT
+	help
+	  Enable support for generic U-Boot libraries within VPL. These
+	  libraries include generic code to deal with device tree, hashing,
+	  printf(), compression and the like. This option is enabled on many
+	  boards. Enable this option to build the code in lib/ as part of a
+	  VPL build.
+
+config VPL_DRIVERS_MISC
+	bool "Support misc drivers"
+	default y if TPL_DRIVERS_MISC
+	help
+	  Enable miscellaneous drivers in VPL. These drivers perform various
+	  tasks that don't fall nicely into other categories, Enable this
+	  option to build the drivers in drivers/misc as part of a VPL
+	  build, for those that support building in VPL (not all drivers do).
+
+config VPL_ENV_SUPPORT
+	bool "Support an environment"
+	help
+	  Enable environment support in VPL. The U-Boot environment provides
+	  a number of settings (essentially name/value pairs) which can
+	  control many aspects of U-Boot's operation. Enabling this option will
+	  make env_get() and env_set() available in VSPL.
+
+config VPL_GPIO
+	bool "Support GPIO in VPL"
+	default y if SPL_GPIO
+	help
+	  Enable support for GPIOs (General-purpose Input/Output) in VPL.
+	  GPIOs allow U-Boot to read the state of an input line (high or
+	  low) and set the state of an output line. This can be used to
+	  drive LEDs, control power to various system parts and read user
+	  input. GPIOs can be useful in VPL to enable a 'sign-of-life' LED,
+	  for example. Enable this option to build the drivers in
+	  drivers/gpio as part of a VPL build.
+
+config VPL_HANDOFF
+	bool "Pass hand-off information from VPL to SPL and U-Boot proper"
+	depends on HANDOFF && VPL_BLOBLIST
+	default y
+	help
+	  This option enables VPL to write handoff information. This can be
+	  used to pass information like the size of SDRAM from VPL to U-Boot
+	  proper. The information is also available to VPL if it is useful
+	  there.
+
+config VPL_HASH
+	bool "Support hashing drivers in VPL"
+	depends on VPL
+	select SHA1
+	select SHA256
+	help
+	  Enable hashing drivers in VPL. These drivers can be used to
+	  accelerate secure boot processing in secure applications. Enable
+	  this option to build system-specific drivers for hash acceleration
+	  as part of a VPL build.
+
+config VPL_I2C_SUPPORT
+	bool "Support I2C in VPL"
+	default y if SPL_I2C_SUPPORT
+	help
+	  Enable support for the I2C bus in VPL. Vee SPL_I2C_SUPPORT for
+	  details.
+
+config VPL_PCH_SUPPORT
+	bool "Support PCH drivers"
+	default y if TPL_PCH_SUPPORT
+	help
+	  Enable support for PCH (Platform Controller Hub) devices in VPL.
+	  These are used to set up GPIOs and the SPI peripheral early in
+	  boot. This enables the drivers in drivers/pch as part of a VPL
+	  build.
+
+config VPL_PCI
+	bool "Support PCI drivers"
+	default y if SPL_PCI
+	help
+	  Enable support for PCI in VPL. For platforms that need PCI to boot,
+	  or must perform some init using PCI in VPL, this provides the
+	  necessary driver support. This enables the drivers in drivers/pci
+	  as part of a VPL build.
+
+config VPL_RTC
+	bool "Support RTC drivers"
+	help
+	  Enable RTC (Real-time Clock) support in VPL. This includes support
+	  for reading and setting the time. Some RTC devices also have some
+	  non-volatile (battery-backed) memory which is accessible if
+	  needed. This enables the drivers in drivers/rtc as part of a VPL
+	  build.
+
+config VPL_SERIAL
+	bool "Support serial"
+	default y if TPL_SERIAL
+	select VPL_PRINTF
+	select VPL_STRTO
+	help
+	  Enable support for serial in VPL. See SPL_SERIAL_SUPPORT for
+	  details.
+
+config VPL_SIZE_LIMIT
+	hex "Maximum size of VPL image"
+	depends on VPL
+	default 0x0
+	help
+	  Specifies the maximum length of the U-Boot VPL image.
+	  If this value is zero, it is ignored.
+
+config VPL_SPI
+	bool "Support SPI drivers"
+	help
+	  Enable support for using SPI in VPL. See SPL_SPI_SUPPORT for
+	  details.
+
+config VPL_SPI_FLASH_SUPPORT
+	bool "Support SPI flash drivers"
+	help
+	  Enable support for using SPI flash in VPL, and loading U-Boot from
+	  SPI flash. SPI flash (Serial Peripheral Bus flash) is named after
+	  the SPI bus that is used to connect it to a system. It is a simple
+	  but fast bidirectional 4-wire bus (clock, chip select and two data
+	  lines). This enables the drivers in drivers/mtd/spi as part of a
+	  VPL build. This normally requires VPL_SPI_SUPPORT.
+
+config VPL_TEXT_BASE
+	hex "VPL Text Base"
+	default 0x0
+	help
+	  The address in memory that VPL will be running from.
+
+endif # VPL
+
 config SPL_AT91_MCK_BYPASS
 	bool "Use external clock signal as a source of main clock for AT91 platforms"
 	depends on ARCH_AT91
diff --git a/common/spl/spl.c b/common/spl/spl.c
index c9750ee163..c8c463f80b 100644
--- a/common/spl/spl.c
+++ b/common/spl/spl.c
@@ -61,6 +61,11 @@ binman_sym_declare(ulong, u_boot_spl, image_pos);
 binman_sym_declare(ulong, u_boot_spl, size);
 #endif
 
+#ifdef CONFIG_VPL
+binman_sym_declare(ulong, u_boot_vpl, image_pos);
+binman_sym_declare(ulong, u_boot_vpl, size);
+#endif
+
 /* Define board data structure */
 static struct bd_info bdata __attribute__ ((section(".data")));
 
@@ -146,14 +151,22 @@ void spl_fixup_fdt(void *fdt_blob)
 #if CONFIG_IS_ENABLED(BINMAN_SYMBOLS)
 ulong spl_get_image_pos(void)
 {
-	return spl_phase() == PHASE_TPL ?
+#ifdef CONFIG_VPL
+	if (spl_next_phase() == PHASE_VPL)
+		return binman_sym(ulong, u_boot_vpl, image_pos);
+#endif
+	return spl_next_phase() == PHASE_SPL ?
 		binman_sym(ulong, u_boot_spl, image_pos) :
 		binman_sym(ulong, u_boot_any, image_pos);
 }
 
 ulong spl_get_image_size(void)
 {
-	return spl_phase() == PHASE_TPL ?
+#ifdef CONFIG_VPL
+	if (spl_next_phase() == PHASE_VPL)
+		return binman_sym(ulong, u_boot_vpl, size);
+#endif
+	return spl_next_phase() == PHASE_SPL ?
 		binman_sym(ulong, u_boot_spl, size) :
 		binman_sym(ulong, u_boot_any, size);
 }
@@ -161,7 +174,11 @@ ulong spl_get_image_size(void)
 
 ulong spl_get_image_text_base(void)
 {
-	return spl_phase() == PHASE_TPL ? CONFIG_SPL_TEXT_BASE :
+#ifdef CONFIG_VPL
+	if (spl_next_phase() == PHASE_VPL)
+		return CONFIG_VPL_TEXT_BASE;
+#endif
+	return spl_next_phase() == PHASE_SPL ? CONFIG_SPL_TEXT_BASE :
 		CONFIG_SYS_TEXT_BASE;
 }
 
@@ -466,6 +483,8 @@ static enum bootstage_id get_bootstage_id(bool start)
 
 	if (IS_ENABLED(CONFIG_TPL_BUILD) && phase == PHASE_TPL)
 		return start ? BOOTSTAGE_ID_START_TPL : BOOTSTAGE_ID_END_TPL;
+	else if (IS_ENABLED(CONFIG_VPL_BUILD) && phase == PHASE_VPL)
+		return start ? BOOTSTAGE_ID_START_VPL : BOOTSTAGE_ID_END_VPL;
 	else
 		return start ? BOOTSTAGE_ID_START_SPL : BOOTSTAGE_ID_END_SPL;
 }