Hi Andreas, On 15 June 2016 at 13:26, Andreas Dannenberg <dannenb...@ti.com> wrote: > From: Madan Srinivas <mad...@ti.com> > > Adds an API that verifies a signature attached to an image (binary > blob). This API is basically a entry to a secure ROM service provided by > the device and accessed via an SMC call, using a particular calling > convention. This API is common across AM3x HS and AM4x HS devices. > > Signed-off-by: Madan Srinivas <mad...@ti.com> > Signed-off-by: Andreas Dannenberg <dannenb...@ti.com> > --- > arch/arm/cpu/armv7/am33xx/Makefile | 2 + > arch/arm/cpu/armv7/am33xx/sec_fxns.c | 90 > ++++++++++++++++++++++++++++ > arch/arm/include/asm/arch-am33xx/sys_proto.h | 6 +- > 3 files changed, 97 insertions(+), 1 deletion(-) > create mode 100644 arch/arm/cpu/armv7/am33xx/sec_fxns.c > > diff --git a/arch/arm/cpu/armv7/am33xx/Makefile > b/arch/arm/cpu/armv7/am33xx/Makefile > index 6fda482..d2b3e37 100644 > --- a/arch/arm/cpu/armv7/am33xx/Makefile > +++ b/arch/arm/cpu/armv7/am33xx/Makefile > @@ -20,3 +20,5 @@ obj-y += board.o > obj-y += mux.o > > obj-$(CONFIG_CLOCK_SYNTHESIZER) += clk_synthesizer.o > + > +obj-$(CONFIG_TI_SECURE_DEVICE) += sec_fxns.o > diff --git a/arch/arm/cpu/armv7/am33xx/sec_fxns.c > b/arch/arm/cpu/armv7/am33xx/sec_fxns.c > new file mode 100644 > index 0000000..560297c > --- /dev/null > +++ b/arch/arm/cpu/armv7/am33xx/sec_fxns.c > @@ -0,0 +1,90 @@ > +/* > + * sec_fxns.c > + * > + * Common security functions for AMxx devices that rely > + * on secure ROM services. > + * > + * Copyright (C) 2013, Texas Instruments, Incorporated - http://www.ti.com/ > + * > + * SPDX-License-Identifier: GPL-2.0+ > + */ > + > +#include <common.h> > +#include <asm/arch/sys_proto.h> > +#include <asm/omap_common.h> > + > +/* Index for signature verify ROM API*/ > +#define API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX (0x0000000E) > + > +static u32 find_sig_start(char *image, size_t size) > +{ > + char *image_end = image + size; > + char *sig_start_magic = "CERT_"; > + int magic_str_len = strlen(sig_start_magic); > + char *ch; > + > + while (--image_end > image) { > + if (*image_end == '_') { > + ch = image_end - magic_str_len + 1; > + if (!strncmp(ch, sig_start_magic, magic_str_len)) > + return (u32)ch; > + } > + } > + return 0; > +} > + > +int secure_boot_verify_image(void **image, size_t *size) > +{ > + int result = 1; > + u32 cert_addr, sig_addr; > + size_t cert_size; > + > +#ifndef CONFIG_SYS_DCACHE_OFF > + /* Perform cache writeback on input buffer */ > + flush_dcache_range( > + (u32)*image, > + (u32)*image + roundup(*size, ARCH_DMA_MINALIGN)); > +#endif > + cert_addr = (uint32_t)*image; > + sig_addr = find_sig_start((char *)*image, *size); > +
This seems similar to the code you added to arch/arm/cpu/armv7/omap5/sec_fxns.c. Can you put the common code somewhere? > + if (sig_addr == 0) { > + puts("No signature found in image.\n"); > + result = 1; > + goto auth_exit; > + } > + > + *size = sig_addr - cert_addr; /* Subtract out the signature size */ > + cert_size = *size; > + > + /* Check if image load address is 32-bit aligned */ > + if (0 != (0x3 & cert_addr)) { > + puts("Image is not 4-byte aligned.\n"); > + result = 1; > + goto auth_exit; > + } > + > + /* Image size also should be multiple of 4 */ > + if (0 != (0x3 & cert_size)) { > + puts("Image size is not 4-byte aligned.\n"); > + result = 1; > + goto auth_exit; > + } > + > + /* Call ROM HAL API to verify certificate signature */ > + debug("%s: load_addr = %x, size = %x, sig_addr = %x\n", __func__, > + cert_addr, cert_size, sig_addr); > + > + result = secure_rom_call( > + API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX, 0, 0, > + 4, cert_addr, cert_size, sig_addr, 0xFFFFFFFF); > +auth_exit: > + if (result != 0) { > + puts("Authentication failed!\n"); Please use printf() instead of puts() unless you have a good reason. > + printf("Return Value = %08X\n", result); > + hang(); > + } > + > + printf("Authentication passed: %s\n", (char *)sig_addr); > + return result; > +} > diff --git a/arch/arm/include/asm/arch-am33xx/sys_proto.h > b/arch/arm/include/asm/arch-am33xx/sys_proto.h > index 8f573d2..f5fc916 100644 > --- a/arch/arm/include/asm/arch-am33xx/sys_proto.h > +++ b/arch/arm/include/asm/arch-am33xx/sys_proto.h > @@ -41,7 +41,11 @@ void enable_norboot_pin_mux(void); > void am33xx_spl_board_init(void); > int am335x_get_efuse_mpu_max_freq(struct ctrl_dev *cdev); > int am335x_get_tps65910_mpu_vdd(int sil_rev, int frequency); > -#endif > > void enable_usb_clocks(int index); > void disable_usb_clocks(int index); > + > +#ifdef CONFIG_TI_SECURE_DEVICE > +int secure_boot_verify_image(void **p_image, size_t *p_size); Please add function comment. > +#endif > +#endif > -- > 2.6.4 > Regards, Simon _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot