diff options
Diffstat (limited to 'arch/arm/mach-k3')
| -rw-r--r-- | arch/arm/mach-k3/Makefile | 1 | ||||
| -rw-r--r-- | arch/arm/mach-k3/am6_init.c | 13 | ||||
| -rw-r--r-- | arch/arm/mach-k3/config.mk | 25 | ||||
| -rw-r--r-- | arch/arm/mach-k3/config_secure.mk | 44 | ||||
| -rw-r--r-- | arch/arm/mach-k3/include/mach/am6_hardware.h | 3 | ||||
| -rw-r--r-- | arch/arm/mach-k3/security.c | 63 |
6 files changed, 141 insertions, 8 deletions
diff --git a/arch/arm/mach-k3/Makefile b/arch/arm/mach-k3/Makefile index bd4ab361b2..0c3a4f7db1 100644 --- a/arch/arm/mach-k3/Makefile +++ b/arch/arm/mach-k3/Makefile @@ -6,4 +6,5 @@ obj-$(CONFIG_SOC_K3_AM6) += am6_init.o obj-$(CONFIG_ARM64) += arm64-mmu.o obj-$(CONFIG_CPU_V7R) += r5_mpu.o lowlevel_init.o +obj-$(CONFIG_TI_SECURE_DEVICE) += security.o obj-y += common.o diff --git a/arch/arm/mach-k3/am6_init.c b/arch/arm/mach-k3/am6_init.c index 77cd15f388..60a580305d 100644 --- a/arch/arm/mach-k3/am6_init.c +++ b/arch/arm/mach-k3/am6_init.c @@ -49,11 +49,16 @@ static void ctrl_mmr_unlock(void) mmr_unlock(CTRL_MMR0_BASE, 7); } +/* + * This uninitialized global variable would normal end up in the .bss section, + * but the .bss is cleared between writing and reading this variable, so move + * it to the .data section. + */ +u32 bootindex __attribute__((section(".data"))); + static void store_boot_index_from_rom(void) { - u32 *boot_index = (u32 *)K3_BOOT_PARAM_TABLE_INDEX_VAL; - - *boot_index = *(u32 *)(CONFIG_SYS_K3_BOOT_PARAM_TABLE_INDEX); + bootindex = *(u32 *)(CONFIG_SYS_K3_BOOT_PARAM_TABLE_INDEX); } void board_init_f(ulong dummy) @@ -92,7 +97,6 @@ u32 spl_boot_mode(const u32 boot_device) { #if defined(CONFIG_SUPPORT_EMMC_BOOT) u32 devstat = readl(CTRLMMR_MAIN_DEVSTAT); - u32 bootindex = readl(K3_BOOT_PARAM_TABLE_INDEX_VAL); u32 bootmode = (devstat & CTRLMMR_MAIN_DEVSTAT_BOOTMODE_MASK) >> CTRLMMR_MAIN_DEVSTAT_BOOTMODE_SHIFT; @@ -168,7 +172,6 @@ static u32 __get_primary_bootmedia(u32 devstat) u32 spl_boot_device(void) { u32 devstat = readl(CTRLMMR_MAIN_DEVSTAT); - u32 bootindex = readl(K3_BOOT_PARAM_TABLE_INDEX_VAL); if (bootindex == K3_PRIMARY_BOOTMODE) return __get_primary_bootmedia(devstat); diff --git a/arch/arm/mach-k3/config.mk b/arch/arm/mach-k3/config.mk index be00d79fb0..2d8f61f9db 100644 --- a/arch/arm/mach-k3/config.mk +++ b/arch/arm/mach-k3/config.mk @@ -36,6 +36,14 @@ cmd_gencert = cat $(srctree)/tools/k3_x509template.txt | sed $(SED_OPTS) > u-boo # If external key is not provided, generate key using openssl. ifeq ($(CONFIG_SYS_K3_KEY), "") KEY=u-boot-spl-eckey.pem +# On HS use real key or warn if not available +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/keys/custMpk.pem),) +KEY=$(TI_SECURE_DEV_PKG)/keys/custMpk.pem +else +$(warning "WARNING: signing key not found. Random key will NOT work on HS hardware!") +endif +endif else KEY=$(patsubst "%",$(srctree)/%,$(CONFIG_SYS_K3_KEY)) endif @@ -65,6 +73,15 @@ ALL-y += tiboot3.bin endif ifdef CONFIG_ARM64 +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) +SPL_ITS := u-boot-spl-k3_HS.its +$(SPL_ITS): FORCE + IS_HS=1 \ + $(srctree)/tools/k3_fit_atf.sh \ + $(patsubst %,$(obj)/dts/%.dtb,$(subst ",,$(CONFIG_SPL_OF_LIST))) > $@ + +ALL-y += tispl.bin_HS +else SPL_ITS := u-boot-spl-k3.its $(SPL_ITS): FORCE $(srctree)/tools/k3_fit_atf.sh \ @@ -72,7 +89,15 @@ $(SPL_ITS): FORCE ALL-y += tispl.bin endif +endif + +else +ifeq ($(CONFIG_TI_SECURE_DEVICE),y) +ALL-y += u-boot.img_HS else ALL-y += u-boot.img endif +endif + +include $(srctree)/arch/arm/mach-k3/config_secure.mk diff --git a/arch/arm/mach-k3/config_secure.mk b/arch/arm/mach-k3/config_secure.mk new file mode 100644 index 0000000000..6d63c57665 --- /dev/null +++ b/arch/arm/mach-k3/config_secure.mk @@ -0,0 +1,44 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright (C) 2018 Texas Instruments, Incorporated - http://www.ti.com/ +# Andrew F. Davis <afd@ti.com> + +quiet_cmd_k3secureimg = SECURE $@ +ifneq ($(TI_SECURE_DEV_PKG),) +ifneq ($(wildcard $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh),) +cmd_k3secureimg = $(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh \ + $< $@ \ + $(if $(KBUILD_VERBOSE:1=), >/dev/null) +else +cmd_k3secureimg = echo "WARNING:" \ + "$(TI_SECURE_DEV_PKG)/scripts/secure-binary-image.sh not found." \ + "$@ was NOT secured!"; cp $< $@ +endif +else +cmd_k3secureimg = echo "WARNING: TI_SECURE_DEV_PKG environment" \ + "variable must be defined for TI secure devices." \ + "$@ was NOT secured!"; cp $< $@ +endif + +%.dtb_HS: %.dtb FORCE + $(call if_changed,k3secureimg) + +$(obj)/u-boot-spl-nodtb.bin_HS: $(obj)/u-boot-spl-nodtb.bin FORCE + $(call if_changed,k3secureimg) + +tispl.bin_HS: $(obj)/u-boot-spl-nodtb.bin_HS $(patsubst %,$(obj)/dts/%.dtb_HS,$(subst ",,$(CONFIG_SPL_OF_LIST))) $(SPL_ITS) FORCE + $(call if_changed,mkfitimage) + +MKIMAGEFLAGS_u-boot.img_HS = -f auto -A $(ARCH) -T firmware -C none -O u-boot \ + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" -E \ + $(patsubst %,-b arch/$(ARCH)/dts/%.dtb_HS,$(subst ",,$(CONFIG_OF_LIST))) + +OF_LIST_TARGETS = $(patsubst %,arch/$(ARCH)/dts/%.dtb,$(subst ",,$(CONFIG_OF_LIST))) +$(OF_LIST_TARGETS): dtbs + +u-boot-nodtb.bin_HS: u-boot-nodtb.bin FORCE + $(call if_changed,k3secureimg) + +u-boot.img_HS: u-boot-nodtb.bin_HS u-boot.img $(patsubst %.dtb,%.dtb_HS,$(OF_LIST_TARGETS)) FORCE + $(call if_changed,mkimage) diff --git a/arch/arm/mach-k3/include/mach/am6_hardware.h b/arch/arm/mach-k3/include/mach/am6_hardware.h index b5244609af..3343233aa3 100644 --- a/arch/arm/mach-k3/include/mach/am6_hardware.h +++ b/arch/arm/mach-k3/include/mach/am6_hardware.h @@ -44,7 +44,4 @@ #define CTRLMMR_LOCK_KICK1 0x0100c #define CTRLMMR_LOCK_KICK1_UNLOCK_VAL 0xd172bc5a -/* MCU SCRATCHPAD usage */ -#define K3_BOOT_PARAM_TABLE_INDEX_VAL CONFIG_SYS_K3_MCU_SCRATCHPAD_BASE - #endif /* __ASM_ARCH_AM6_HARDWARE_H */ diff --git a/arch/arm/mach-k3/security.c b/arch/arm/mach-k3/security.c new file mode 100644 index 0000000000..52f49bf01f --- /dev/null +++ b/arch/arm/mach-k3/security.c @@ -0,0 +1,63 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * K3: Security functions + * + * Copyright (C) 2018 Texas Instruments Incorporated - http://www.ti.com/ + * Andrew F. Davis <afd@ti.com> + */ + +#include <common.h> +#include <dm.h> +#include <linux/soc/ti/ti_sci_protocol.h> +#include <mach/spl.h> +#include <spl.h> + +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + struct udevice *dev; + struct ti_sci_handle *ti_sci; + struct ti_sci_proc_ops *proc_ops; + u64 image_addr; + u32 image_size; + int ret; + + /* Get handle to Device Management and Security Controller (SYSFW) */ + ret = uclass_get_device_by_name(UCLASS_FIRMWARE, "dmsc", &dev); + if (ret) { + printf("Failed to get handle to SYSFW (%d)\n", ret); + hang(); + } + ti_sci = (struct ti_sci_handle *)(ti_sci_get_handle_from_sysfw(dev)); + proc_ops = &ti_sci->ops.proc_ops; + + image_addr = (uintptr_t)*p_image; + + debug("Authenticating image at address 0x%016llx\n", image_addr); + + /* Authenticate image */ + ret = proc_ops->proc_auth_boot_image(ti_sci, &image_addr, &image_size); + if (ret) { + printf("Authentication failed!\n"); + hang(); + } + + /* + * The image_size returned may be 0 when the authentication process has + * moved the image. When this happens no further processing on the + * image is needed or often even possible as it may have also been + * placed behind a firewall when moved. + */ + *p_size = image_size; + + /* + * Output notification of successful authentication to re-assure the + * user that the secure code is being processed as expected. However + * suppress any such log output in case of building for SPL and booting + * via YMODEM. This is done to avoid disturbing the YMODEM serial + * protocol transactions. + */ + if (!(IS_ENABLED(CONFIG_SPL_BUILD) && + IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) && + spl_boot_device() == BOOT_DEVICE_UART)) + printf("Authentication passed\n"); +} |