Message ID | 1515519222-3507-1-git-send-email-sumit.garg@nxp.com |
---|---|
State | Accepted |
Delegated to: | York Sun |
Series | [U-Boot,v2] arm64: ls1012ardb: Add distro secure boot support | expand |
On 01/08/2018 09:59 PM, Sumit Garg wrote: > From: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> > > Enable validation of boot.scr script prior to its execution dependent > on "secureboot" flag in environment. Enable fall back option to > qspi boot in case of secure boot. > > Signed-off-by: Sumit Garg <sumit.garg@nxp.com> > Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com> > --- > > Changes in v2: > Rebased to top of master > > configs/ls1012ardb_qspi_SECURE_BOOT_defconfig | 14 +++++++------- > include/configs/ls1012ardb.h | 20 ++++++++++++++++++-- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > index b6930be..2d5d9ad 100644 > --- a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > +++ b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > @@ -2,7 +2,9 @@ CONFIG_ARM=y > CONFIG_TARGET_LS1012ARDB=y > CONFIG_SECURE_BOOT=y > CONFIG_FSL_LS_PPA=y > +CONFIG_QSPI_AHB_INIT=y > CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-rdb" > +CONFIG_DISTRO_DEFAULTS=y > # CONFIG_SYS_MALLOC_F is not set > CONFIG_FIT_VERBOSE=y > CONFIG_OF_BOARD_SETUP=y > @@ -12,7 +14,7 @@ CONFIG_QSPI_BOOT=y > CONFIG_BOOTDELAY=10 > CONFIG_USE_BOOTARGS=y > CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000" > -CONFIG_HUSH_PARSER=y > +# CONFIG_DISPLAY_BOARDINFO is not set > CONFIG_CMD_GREPENV=y > CONFIG_CMD_GPT=y > CONFIG_CMD_I2C=y > @@ -20,16 +22,13 @@ CONFIG_CMD_MMC=y > CONFIG_CMD_PCI=y > CONFIG_CMD_SF=y > CONFIG_CMD_USB=y > -# CONFIG_CMD_SETEXPR is not set > -CONFIG_CMD_DHCP=y > -CONFIG_CMD_MII=y > -CONFIG_CMD_PING=y > CONFIG_CMD_CACHE=y > -CONFIG_CMD_EXT2=y > -CONFIG_CMD_FAT=y > CONFIG_OF_CONTROL=y > +CONFIG_ENV_IS_IN_SPI_FLASH=y > CONFIG_NET_RANDOM_ETHADDR=y > CONFIG_DM=y > +# CONFIG_BLK is not set > +CONFIG_DM_MMC=y > CONFIG_DM_SPI_FLASH=y > CONFIG_SPI_FLASH=y > CONFIG_NETDEVICES=y 
> @@ -42,6 +41,7 @@ CONFIG_SYS_NS16550=y > CONFIG_DM_SPI=y > CONFIG_FSL_DSPI=y > CONFIG_USB=y > +CONFIG_DM_USB=y > CONFIG_USB_XHCI_HCD=y > CONFIG_USB_XHCI_DWC3=y > CONFIG_USB_STORAGE=y Why do you change other config options in this patch? York
> From: York Sun > Sent: Monday, January 15, 2018 10:59 PM > > On 01/08/2018 09:59 PM, Sumit Garg wrote: > > From: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> > > > > Enable validation of boot.scr script prior to its execution dependent > > on "secureboot" flag in environment. Enable fall back option to qspi > > boot in case of secure boot. > > > > Signed-off-by: Sumit Garg <sumit.garg@nxp.com> > > Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com> > > --- > > > > Changes in v2: > > Rebased to top of master > > > > configs/ls1012ardb_qspi_SECURE_BOOT_defconfig | 14 +++++++------- > > include/configs/ls1012ardb.h | 20 ++++++++++++++++++-- > > 2 files changed, 25 insertions(+), 9 deletions(-) > > > > diff --git a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > > b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > > index b6930be..2d5d9ad 100644 > > --- a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > > +++ b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > > @@ -2,7 +2,9 @@ CONFIG_ARM=y > > CONFIG_TARGET_LS1012ARDB=y > > CONFIG_SECURE_BOOT=y > > CONFIG_FSL_LS_PPA=y > > +CONFIG_QSPI_AHB_INIT=y > > CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-rdb" > > +CONFIG_DISTRO_DEFAULTS=y > > # CONFIG_SYS_MALLOC_F is not set > > CONFIG_FIT_VERBOSE=y > > CONFIG_OF_BOARD_SETUP=y > > @@ -12,7 +14,7 @@ CONFIG_QSPI_BOOT=y > > CONFIG_BOOTDELAY=10 > > CONFIG_USE_BOOTARGS=y > > CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 > earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000" > > -CONFIG_HUSH_PARSER=y > > +# CONFIG_DISPLAY_BOARDINFO is not set > > CONFIG_CMD_GREPENV=y > > CONFIG_CMD_GPT=y > > CONFIG_CMD_I2C=y 
> > @@ -20,16 +22,13 @@ CONFIG_CMD_MMC=y > > CONFIG_CMD_PCI=y > > CONFIG_CMD_SF=y > > CONFIG_CMD_USB=y > > -# CONFIG_CMD_SETEXPR is not set > > -CONFIG_CMD_DHCP=y > > -CONFIG_CMD_MII=y > > -CONFIG_CMD_PING=y > > CONFIG_CMD_CACHE=y > > -CONFIG_CMD_EXT2=y > > -CONFIG_CMD_FAT=y > > CONFIG_OF_CONTROL=y > > +CONFIG_ENV_IS_IN_SPI_FLASH=y > > CONFIG_NET_RANDOM_ETHADDR=y > > CONFIG_DM=y > > +# CONFIG_BLK is not set > > +CONFIG_DM_MMC=y > > CONFIG_DM_SPI_FLASH=y > > CONFIG_SPI_FLASH=y > > CONFIG_NETDEVICES=y > > @@ -42,6 +41,7 @@ CONFIG_SYS_NS16550=y CONFIG_DM_SPI=y > > CONFIG_FSL_DSPI=y CONFIG_USB=y > > +CONFIG_DM_USB=y > > CONFIG_USB_XHCI_HCD=y > > CONFIG_USB_XHCI_DWC3=y > > CONFIG_USB_STORAGE=y > > Why do you change other config options in this patch? > > York This is done to align with non-secure boot deconfig. Actually IP owners update only non-secure boot defconfig, so we need to take care of alignment. -Sumit
On 01/15/2018 09:34 AM, Sumit Garg wrote: >> From: York Sun >> Sent: Monday, January 15, 2018 10:59 PM >> >> On 01/08/2018 09:59 PM, Sumit Garg wrote: >>> From: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> >>> >>> Enable validation of boot.scr script prior to its execution dependent >>> on "secureboot" flag in environment. Enable fall back option to qspi >>> boot in case of secure boot. >>> >>> Signed-off-by: Sumit Garg <sumit.garg@nxp.com> >>> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com> >>> --- >>> >>> Changes in v2: >>> Rebased to top of master >>> >>> configs/ls1012ardb_qspi_SECURE_BOOT_defconfig | 14 +++++++------- >>> include/configs/ls1012ardb.h | 20 ++++++++++++++++++-- >>> 2 files changed, 25 insertions(+), 9 deletions(-) >>> >>> diff --git a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig >>> b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig >>> index b6930be..2d5d9ad 100644 >>> --- a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig >>> +++ b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig >>> @@ -2,7 +2,9 @@ CONFIG_ARM=y >>> CONFIG_TARGET_LS1012ARDB=y >>> CONFIG_SECURE_BOOT=y >>> CONFIG_FSL_LS_PPA=y >>> +CONFIG_QSPI_AHB_INIT=y >>> CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-rdb" >>> +CONFIG_DISTRO_DEFAULTS=y >>> # CONFIG_SYS_MALLOC_F is not set >>> CONFIG_FIT_VERBOSE=y >>> CONFIG_OF_BOARD_SETUP=y >>> @@ -12,7 +14,7 @@ CONFIG_QSPI_BOOT=y >>> CONFIG_BOOTDELAY=10 >>> CONFIG_USE_BOOTARGS=y >>> CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 >> earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000" >>> -CONFIG_HUSH_PARSER=y >>> +# CONFIG_DISPLAY_BOARDINFO is not set >>> CONFIG_CMD_GREPENV=y >>> CONFIG_CMD_GPT=y >>> CONFIG_CMD_I2C=y 
>>> @@ -20,16 +22,13 @@ CONFIG_CMD_MMC=y >>> CONFIG_CMD_PCI=y >>> CONFIG_CMD_SF=y >>> CONFIG_CMD_USB=y >>> -# CONFIG_CMD_SETEXPR is not set >>> -CONFIG_CMD_DHCP=y >>> -CONFIG_CMD_MII=y >>> -CONFIG_CMD_PING=y >>> CONFIG_CMD_CACHE=y >>> -CONFIG_CMD_EXT2=y >>> -CONFIG_CMD_FAT=y >>> CONFIG_OF_CONTROL=y >>> +CONFIG_ENV_IS_IN_SPI_FLASH=y This is wrong. You shouldn't have ENV for secure boot. Please double check. York
> -----Original Message----- > From: York Sun > Sent: Tuesday, January 30, 2018 2:57 AM > To: Sumit Garg <sumit.garg@nxp.com>; u-boot@lists.denx.de > Cc: Ruchika Gupta <ruchika.gupta@nxp.com>; Prabhakar Kushwaha > <prabhakar.kushwaha@nxp.com>; Vini Pillai <vinitha.pillai@nxp.com> > Subject: Re: [PATCH v2] arm64: ls1012ardb: Add distro secure boot support > > On 01/15/2018 09:34 AM, Sumit Garg wrote: > >> From: York Sun > >> Sent: Monday, January 15, 2018 10:59 PM > >> > >> On 01/08/2018 09:59 PM, Sumit Garg wrote: > >>> From: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> > >>> > >>> Enable validation of boot.scr script prior to its execution > >>> dependent on "secureboot" flag in environment. Enable fall back > >>> option to qspi boot in case of secure boot. > >>> > >>> Signed-off-by: Sumit Garg <sumit.garg@nxp.com> > >>> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com> > >>> --- > >>> > >>> Changes in v2: > >>> Rebased to top of master > >>> > >>> configs/ls1012ardb_qspi_SECURE_BOOT_defconfig | 14 +++++++------- > >>> include/configs/ls1012ardb.h | 20 ++++++++++++++++++-- > >>> 2 files changed, 25 insertions(+), 9 deletions(-) > >>> > >>> diff --git a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > >>> b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > >>> index b6930be..2d5d9ad 100644 > >>> --- a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > >>> +++ b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig > >>> @@ -2,7 +2,9 @@ CONFIG_ARM=y > >>> CONFIG_TARGET_LS1012ARDB=y > >>> CONFIG_SECURE_BOOT=y > >>> CONFIG_FSL_LS_PPA=y > >>> +CONFIG_QSPI_AHB_INIT=y > >>> CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-rdb" > >>> +CONFIG_DISTRO_DEFAULTS=y > >>> # CONFIG_SYS_MALLOC_F is not set > >>> CONFIG_FIT_VERBOSE=y > >>> CONFIG_OF_BOARD_SETUP=y 
> >>> @@ -12,7 +14,7 @@ CONFIG_QSPI_BOOT=y > >>> CONFIG_BOOTDELAY=10 > >>> CONFIG_USE_BOOTARGS=y > >>> CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 > >> earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000" > >>> -CONFIG_HUSH_PARSER=y > >>> +# CONFIG_DISPLAY_BOARDINFO is not set > >>> CONFIG_CMD_GREPENV=y > >>> CONFIG_CMD_GPT=y > >>> CONFIG_CMD_I2C=y > >>> @@ -20,16 +22,13 @@ CONFIG_CMD_MMC=y CONFIG_CMD_PCI=y > >>> CONFIG_CMD_SF=y CONFIG_CMD_USB=y -# CONFIG_CMD_SETEXPR is > not set > >>> -CONFIG_CMD_DHCP=y -CONFIG_CMD_MII=y -CONFIG_CMD_PING=y > >>> CONFIG_CMD_CACHE=y -CONFIG_CMD_EXT2=y -CONFIG_CMD_FAT=y > >>> CONFIG_OF_CONTROL=y > >>> +CONFIG_ENV_IS_IN_SPI_FLASH=y > > This is wrong. You shouldn't have ENV for secure boot. Please double check. > > York Yes you are correct. We should drop this from defconfig. Shall I send next version or could you drop it while applying the patch? BTW we select ENV_IS_NOWHERE in case of Secure boot. Sumit
On 01/30/2018 09:07 PM, Sumit Garg wrote: >> -----Original Message----- >> From: York Sun >> Sent: Tuesday, January 30, 2018 2:57 AM >> To: Sumit Garg <sumit.garg@nxp.com>; u-boot@lists.denx.de >> Cc: Ruchika Gupta <ruchika.gupta@nxp.com>; Prabhakar Kushwaha >> <prabhakar.kushwaha@nxp.com>; Vini Pillai <vinitha.pillai@nxp.com> >> Subject: Re: [PATCH v2] arm64: ls1012ardb: Add distro secure boot support >> >> On 01/15/2018 09:34 AM, Sumit Garg wrote: >>>> From: York Sun >>>> Sent: Monday, January 15, 2018 10:59 PM >>>> >>>> On 01/08/2018 09:59 PM, Sumit Garg wrote: >>>>> From: Vinitha Pillai-B57223 <vinitha.pillai@nxp.com> >>>>> >>>>> Enable validation of boot.scr script prior to its execution >>>>> dependent on "secureboot" flag in environment. Enable fall back >>>>> option to qspi boot in case of secure boot. >>>>> >>>>> Signed-off-by: Sumit Garg <sumit.garg@nxp.com> >>>>> Signed-off-by: Vinitha Pillai <vinitha.pillai@nxp.com> >>>>> --- >>>>> >>>>> Changes in v2: >>>>> Rebased to top of master >>>>> >>>>> configs/ls1012ardb_qspi_SECURE_BOOT_defconfig | 14 +++++++------- >>>>> include/configs/ls1012ardb.h | 20 ++++++++++++++++++-- >>>>> 2 files changed, 25 insertions(+), 9 deletions(-) >>>>> <snip> >>>>> +CONFIG_ENV_IS_IN_SPI_FLASH=y >> >> This is wrong. You shouldn't have ENV for secure boot. Please double check. >> >> York > > Yes you are correct. We should drop this from defconfig. Shall I send next version or could you drop it while applying the patch? > Applied to fsl-qoriq master, awaiting upstream. Thanks. York
diff --git a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig
index b6930be..2d5d9ad 100644
--- a/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig
+++ b/configs/ls1012ardb_qspi_SECURE_BOOT_defconfig
@@ -2,7 +2,9 @@ CONFIG_ARM=y
 CONFIG_TARGET_LS1012ARDB=y
 CONFIG_SECURE_BOOT=y
 CONFIG_FSL_LS_PPA=y
+CONFIG_QSPI_AHB_INIT=y
 CONFIG_DEFAULT_DEVICE_TREE="fsl-ls1012a-rdb"
+CONFIG_DISTRO_DEFAULTS=y
 # CONFIG_SYS_MALLOC_F is not set
 CONFIG_FIT_VERBOSE=y
 CONFIG_OF_BOARD_SETUP=y
@@ -12,7 +14,7 @@ CONFIG_QSPI_BOOT=y
 CONFIG_BOOTDELAY=10
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="console=ttyS0,115200 root=/dev/ram0 earlycon=uart8250,mmio,0x21c0500 quiet lpj=250000"
-CONFIG_HUSH_PARSER=y
+# CONFIG_DISPLAY_BOARDINFO is not set
 CONFIG_CMD_GREPENV=y
 CONFIG_CMD_GPT=y
 CONFIG_CMD_I2C=y
@@ -20,16 +22,13 @@ CONFIG_CMD_MMC=y
 CONFIG_CMD_PCI=y
 CONFIG_CMD_SF=y
 CONFIG_CMD_USB=y
-# CONFIG_CMD_SETEXPR is not set
-CONFIG_CMD_DHCP=y
-CONFIG_CMD_MII=y
-CONFIG_CMD_PING=y
 CONFIG_CMD_CACHE=y
-CONFIG_CMD_EXT2=y
-CONFIG_CMD_FAT=y
 CONFIG_OF_CONTROL=y
+CONFIG_ENV_IS_IN_SPI_FLASH=y
 CONFIG_NET_RANDOM_ETHADDR=y
 CONFIG_DM=y
+# CONFIG_BLK is not set
+CONFIG_DM_MMC=y
 CONFIG_DM_SPI_FLASH=y
 CONFIG_SPI_FLASH=y
 CONFIG_NETDEVICES=y
@@ -42,6 +41,7 @@ CONFIG_SYS_NS16550=y
 CONFIG_DM_SPI=y
 CONFIG_FSL_DSPI=y
 CONFIG_USB=y
+CONFIG_DM_USB=y
 CONFIG_USB_XHCI_HCD=y
 CONFIG_USB_XHCI_DWC3=y
 CONFIG_USB_STORAGE=y
diff --git a/include/configs/ls1012ardb.h b/include/configs/ls1012ardb.h
index ab139b0..d161bb8 100644
--- a/include/configs/ls1012ardb.h
+++ b/include/configs/ls1012ardb.h
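Review bot: `+CONFIG_DISTRO_DEFAULTS=y` in the first hunk turns on the generic distro boot flow for a `CONFIG_SECURE_BOOT=y` build, while the only distro step this patch wraps with `esbc_validate` is `boot_a_script` in include/configs/ls1012ardb.h. The generic distro environment also defines network and non-script boot paths, so whether an unvalidated path is reachable presumably depends on the board's `BOOT_TARGET_DEVICES` list, which is not shown here. It would help to name in the commit description the boot targets that stay enabled under secure boot, and to drop any that do not go through `boot_a_script`.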
@@ -72,16 +72,20 @@
 "initrd_high=0xffffffffffffffff\0" \
 "fdt_addr=0x00f00000\0" \
 "kernel_addr=0x01000000\0" \
+ "kernelheader_addr=0x800000\0" \
 "scriptaddr=0x80000000\0" \
+ "scripthdraddr=0x80080000\0" \
 "fdtheader_addr_r=0x80100000\0" \
 "kernelheader_addr_r=0x80200000\0" \
 "kernel_addr_r=0x81000000\0" \
 "fdt_addr_r=0x90000000\0" \
 "load_addr=0xa0000000\0" \
 "kernel_size=0x2800000\0" \
+ "kernelheader_size=0x40000\0" \
 "console=ttyS0,115200\0" \
 BOOTENV \
 "boot_scripts=ls1012ardb_boot.scr\0" \
+ "boot_script_hdr=hdr_ls1012ardb_bs.out\0" \
 "scan_dev_for_boot_part=" \
 "part list ${devtype} ${devnum} devplist; " \
 "env exists devplist || setenv devplist 1; " \
@@ -99,15 +103,27 @@
 "run scan_dev_for_scripts; " \
 "done;" \
 "\0" \
+ "boot_a_script=" \
+ "load ${devtype} ${devnum}:${distro_bootpart} " \
+ "${scriptaddr} ${prefix}${script}; " \
+ "env exists secureboot && load ${devtype} " \
+ "${devnum}:${distro_bootpart} " \
+ "${scripthdraddr} ${prefix}${boot_script_hdr} " \
+ "&& esbc_validate ${scripthdraddr};" \
+ "source ${scriptaddr}\0" \
 "installer=load mmc 0:2 $load_addr " \
 "/flex_installer_arm64.itb; " \
 "bootm $load_addr#$board\0" \
 "qspi_bootcmd=echo Trying load from qspi..;" \
 "sf probe && sf read $load_addr " \
- "$kernel_addr $kernel_size && bootm $load_addr#$board\0"
+ "$kernel_addr $kernel_size; env exists secureboot " \
+ "&& sf read $kernelheader_addr_r $kernelheader_addr " \
+ "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \
+ "bootm $load_addr#$board\0"
 #undef CONFIG_BOOTCOMMAND
-#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run qspi_bootcmd"
+#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run qspi_bootcmd; " \
+ "env exists secureboot && esbc_halt;"
 #include <asm/fsl_secure_boot.h>
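Review bot: In the second hunk, `boot_a_script` ends with an unconditional `source ${scriptaddr}`: the `env exists secureboot && load … && esbc_validate ${scripthdraddr};` chain is closed by `;`, so when `secureboot` is set but `${boot_script_hdr}` is missing or fails to load, `esbc_validate` is never reached and the script is still sourced. The check therefore fails open on a load error, and on a bad signature it relies on `esbc_validate` itself stopping the boot, which is not visible in this hunk. Making `source` part of the validated branch, as sketched below, closes that path. `qspi_bootcmd` has the same shape, since `bootm $load_addr#$board` follows a `;` after the `sf read … && esbc_validate` chain and now also runs when `sf probe` fails, and would benefit from the same restructuring. The environment macro these strings belong to starts and ends outside the hunk.

```c
	/* … unchanged: "boot_a_script=" and the load of ${prefix}${script} to ${scriptaddr} … */
	"if env exists secureboot; then " \
	"load ${devtype} ${devnum}:${distro_bootpart} " \
	"${scripthdraddr} ${prefix}${boot_script_hdr} " \
	"&& esbc_validate ${scripthdraddr} " \
	"&& source ${scriptaddr}; " \
	"else source ${scriptaddr}; fi\0" \
```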