diff options
Diffstat (limited to 'arch/arm/mach-imx/imx8/ahab.c')
| -rw-r--r-- | arch/arm/mach-imx/imx8/ahab.c | 161 |
1 files changed, 108 insertions, 53 deletions
diff --git a/arch/arm/mach-imx/imx8/ahab.c b/arch/arm/mach-imx/imx8/ahab.c index 9addb824b6..b58b14ca9b 100644 --- a/arch/arm/mach-imx/imx8/ahab.c +++ b/arch/arm/mach-imx/imx8/ahab.c @@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0+ /* - * Copyright 2018-2019 NXP + * Copyright 2018-2019, 2022 NXP */ #include <common.h> @@ -16,6 +16,8 @@ #include <asm/mach-imx/image.h> #include <console.h> #include <cpu_func.h> +#include "u-boot/sha256.h" +#include <asm/mach-imx/ahab.h> DECLARE_GLOBAL_DATA_PTR; @@ -24,6 +26,86 @@ DECLARE_GLOBAL_DATA_PTR; #define SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE (0x60000000UL) #define SECO_PT 2U +#define AHAB_HASH_TYPE_MASK 0x00000700 +#define AHAB_HASH_TYPE_SHA256 0 + +int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length) +{ + int err; + + memcpy((void *)SEC_SECURE_RAM_BASE, (const void *)container, + ALIGN(length, CONFIG_SYS_CACHELINE_SIZE)); + + err = sc_seco_authenticate(-1, SC_SECO_AUTH_CONTAINER, + SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE); + if (err) + printf("Authenticate container hdr failed, return %d\n", err); + + return err; +} + +int ahab_auth_release(void) +{ + int err; + + err = sc_seco_authenticate(-1, SC_SECO_REL_CONTAINER, 0); + if (err) + printf("Error: release container failed!\n"); + + return err; +} + +int ahab_verify_cntr_image(struct boot_img_t *img, int image_index) +{ + sc_faddr_t start, end; + sc_rm_mr_t mr; + int err; + int ret = 0; + + debug("img %d, dst 0x%llx, src 0x%x, size 0x%x\n", + image_index, img->dst, img->offset, img->size); + + /* Find the memreg and set permission for seco pt */ + err = sc_rm_find_memreg(-1, &mr, + img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1), + ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1); + + if (err) { + printf("Error: can't find memreg for image load address 0x%llx, error %d\n", + img->dst, err); + return -ENOMEM; + } + + err = sc_rm_get_memreg_info(-1, mr, &start, &end); + if (!err) + debug("memreg %u 0x%llx -- 0x%llx\n", mr, start, end); + + err = sc_rm_set_memreg_permissions(-1, mr, + SECO_PT, SC_RM_PERM_FULL); + if (err) { + printf("Set permission failed for img %d, error %d\n", + image_index, err); + return -EPERM; + } + + err = sc_seco_authenticate(-1, SC_SECO_VERIFY_IMAGE, + 1 << image_index); + if (err) { + printf("Authenticate img %d failed, return %d\n", + image_index, err); + ret = -EIO; + } + + err = sc_rm_set_memreg_permissions(-1, mr, + SECO_PT, SC_RM_PERM_NONE); + if (err) { + printf("Remove permission failed for img %d, error %d\n", + image_index, err); + ret = -EPERM; + } + + return ret; +} static inline bool check_in_dram(ulong addr) { @@ -46,11 +128,12 @@ int authenticate_os_container(ulong addr) struct container_hdr *phdr; int i, ret = 0; int err; - sc_rm_mr_t mr; - sc_faddr_t start, end; u16 length; struct boot_img_t *img; unsigned long s, e; +#ifdef CONFIG_ARMV8_CE_SHA256 + u8 hash_value[SHA256_SUM_LEN]; +#endif if (addr % 4) { puts("Error: Image's address is not 4 byte aligned\n"); @@ -76,14 +159,9 @@ int authenticate_os_container(ulong addr) length = phdr->length_lsb + (phdr->length_msb << 8); debug("container length %u\n", length); - memcpy((void *)SEC_SECURE_RAM_BASE, (const void *)addr, - ALIGN(length, CONFIG_SYS_CACHELINE_SIZE)); - err = sc_seco_authenticate(-1, SC_SECO_AUTH_CONTAINER, - SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE); + err = ahab_auth_cntr_hdr(phdr, length); if (err) { - printf("Authenticate container hdr failed, return %d\n", - err); ret = -EIO; goto exit; } @@ -105,50 +183,27 @@ int authenticate_os_container(ulong addr) flush_dcache_range(s, e); - /* Find the memreg and set permission for seco pt */ - err = sc_rm_find_memreg(-1, &mr, s, e); - if (err) { - printf("Error: can't find memreg for image load address 0x%llx, error %d\n", img->dst, err); - ret = -ENOMEM; - goto exit; - } - - err = sc_rm_get_memreg_info(-1, mr, &start, &end); - if (!err) - debug("memreg %u 0x%llx -- 0x%llx\n", mr, start, end); - - err = sc_rm_set_memreg_permissions(-1, mr, SECO_PT, - SC_RM_PERM_FULL); - if (err) { - printf("Set permission failed for img %d, error %d\n", - i, err); - ret = -EPERM; - goto exit; - } - - err = sc_seco_authenticate(-1, SC_SECO_VERIFY_IMAGE, - (1 << i)); - if (err) { - printf("Authenticate img %d failed, return %d\n", - i, err); - ret = -EIO; +#ifdef CONFIG_ARMV8_CE_SHA256 + if (((img->hab_flags & AHAB_HASH_TYPE_MASK) >> 8) == AHAB_HASH_TYPE_SHA256) { + sha256_csum_wd((void *)img->dst, img->size, hash_value, CHUNKSZ_SHA256); + err = memcmp(&img->hash, &hash_value, SHA256_SUM_LEN); + if (err) { + printf("img %d hash comparison failed, error %d\n", i, err); + ret = -EIO; + goto exit; + } + } else { +#endif + ret = ahab_verify_cntr_image(img, i); + if (ret) + goto exit; +#ifdef CONFIG_ARMV8_CE_SHA256 } - - err = sc_rm_set_memreg_permissions(-1, mr, SECO_PT, - SC_RM_PERM_NONE); - if (err) { - printf("Remove permission failed for img %d, err %d\n", - i, err); - ret = -EPERM; - } - - if (ret) - goto exit; +#endif } exit: - if (sc_seco_authenticate(-1, SC_SECO_REL_CONTAINER, 0) != SC_ERR_NONE) - printf("Error: release container failed!\n"); + ahab_auth_release(); return ret; } @@ -263,7 +318,7 @@ static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc, u16 lc; err = sc_seco_chip_info(-1, &lc, NULL, NULL, NULL); - if (err != SC_ERR_NONE) { + if (err) { printf("Error in get lifecycle\n"); return -EIO; } @@ -271,7 +326,7 @@ static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc, display_life_cycle(lc); err = sc_seco_get_event(-1, idx, &event); - while (err == SC_ERR_NONE) { + while (!err) { printf("SECO Event[%u] = 0x%08X\n", idx, event); display_ahab_auth_event(event); @@ -312,7 +367,7 @@ static int do_ahab_close(struct cmd_tbl *cmdtp, int flag, int argc, return -EACCES; err = sc_seco_chip_info(-1, &lc, NULL, NULL, NULL); - if (err != SC_ERR_NONE) { + if (err) { printf("Error in get lifecycle\n"); return -EIO; } @@ -324,7 +379,7 @@ static int do_ahab_close(struct cmd_tbl *cmdtp, int flag, int argc, } err = sc_seco_forward_lifecycle(-1, 16); - if (err != SC_ERR_NONE) { + if (err) { printf("Error in forward lifecycle to OEM closed\n"); return -EIO; } |