As part of Secure Boot Chain of trust, PPA image must be validated before the image is started. The code for the same has been added.
Signed-off-by: Aneesh Bansal <aneesh.ban...@nxp.com> --- The patchset is dependent on http://patchwork.ozlabs.org/patch/571339/ arch/arm/cpu/armv8/fsl-layerscape/ppa.c | 22 ++++++++++++++++++++++ arch/arm/include/asm/fsl_secure_boot.h | 16 ++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c index db767f9..804c4d7 100644 --- a/arch/arm/cpu/armv8/fsl-layerscape/ppa.c +++ b/arch/arm/cpu/armv8/fsl-layerscape/ppa.c @@ -18,6 +18,9 @@ #include <asm/arch/immap_lsch2.h> #endif #include <asm/arch/ppa.h> +#ifdef CONFIG_CHAIN_OF_TRUST +#include <fsl_validate.h> +#endif DECLARE_GLOBAL_DATA_PTR; @@ -69,12 +72,31 @@ static int parse_ppa_firmware_fit_image(const void **raw_image_addr, int conf_node_off, fw_node_off; char *conf_node_name = NULL; +#ifdef CONFIG_CHAIN_OF_TRUST + int ret; + uintptr_t ppa_esbc_hdr = CONFIG_SYS_LS_PPA_ESBC_ADDR; + uintptr_t ppa_img_addr = 0; +#endif + #ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR fit_hdr = (void *)CONFIG_SYS_LS_PPA_FW_ADDR; #else #error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" #endif +#ifdef CONFIG_CHAIN_OF_TRUST + ppa_img_addr = (uintptr_t)fit_hdr; + if (fsl_check_boot_mode_secure() != 0) { + ret = fsl_secboot_validate(ppa_esbc_hdr, + CONFIG_PPA_KEY_HASH, + &ppa_img_addr); + if (ret != 0) + printf("PPA validation failed\n"); + else + printf("PPA validation Successful\n"); + } +#endif + conf_node_name = LS_PPA_FIT_CNF_NAME; if (fdt_check_header(fit_hdr)) { diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 0da0599..d275dd1 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -56,6 +56,22 @@ /* The address needs to be modified according to NOR memory map */ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000 +#ifdef CONFIG_SYS_LS_PPA_FW_IN_NOR +#ifdef CONFIG_LS1043A +#define CONFIG_SYS_LS_PPA_ESBC_ADDR 0x600c0000 +#endif +#else +#error "No CONFIG_SYS_LS_PPA_FW_IN_xxx defined" +#endif + +/* Define the key hash here if SRK used for signing PPA image is + * different from SRK hash put in SFP used for U-Boot. + * Example + * #define CONFIG_PPA_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + */ +#define CONFIG_PPA_KEY_HASH NULL + #include <config_fsl_chain_trust.h> #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif -- 1.8.1.4 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
