Message ID | 20220816151607.1569660-7-sean.anderson@seco.com |
---|---|
State | Accepted |
Delegated to: | Peng Fan |
Headers | show |
Series | net: fm: Verify Fman microcode | expand |
On Tue, 16 Aug 2022 at 09:16, Sean Anderson <sean.anderson@seco.com> wrote: > > Fman microcode is executable code (AFAICT) loaded into a > coprocessor. As such, if verified boot is enabled, it must be verified > like other executable code. However, this is not currently done. > > This commit adds verified boot functionality by encapsulating the > microcode in a FIT, which can then be signed/verified as normal. By > default we allow fallback to unencapsulated firmware, but if > CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because > existing Layerscape do not use this config (instead enabling > CONFIG_CHAIN_OF_TRUST), this should not break any existing boards. > > An example (mildly-abbreviated) its is provided below: > > / { > #address-cells = <1>; > > images { > firmware { > data = /incbin/(/path/to/firmware); > type = "firmware"; > arch = "arm64"; > compression = "none"; > signature { > algo = "sha256,rsa2048"; > key-name-hint = "your key name"; > }; > }; > }; > > configurations { > default = "conf"; > conf { > description = "Load FMAN microcode"; > fman = "firmware"; > }; > }; > }; > > Signed-off-by: Sean Anderson <sean.anderson@seco.com> > --- > > (no changes since v1) > > drivers/net/fm/fm.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/drivers/net/fm/fm.c b/drivers/net/fm/fm.c index 4f5d51251e5..894a5e29fa4 100644 --- a/drivers/net/fm/fm.c +++ b/drivers/net/fm/fm.c @@ -6,6 +6,7 @@ #include <common.h> #include <env.h> #include <fs_loader.h> +#include <image.h> #include <malloc.h> #include <asm/io.h> #include <dm/device_compat.h> @@ -537,6 +538,23 @@ int fm_init_common(int index, struct ccsr_fman *reg, const char *firmware_name) void *addr = NULL; #endif + rc = fit_check_format(addr, CONFIG_SYS_QE_FMAN_FW_LENGTH); + if (!rc) { + size_t unused; + const void *new_addr; + + rc = fit_get_data_conf_prop(addr, "fman", &new_addr, &unused); + if (rc) + return rc; + addr = (void *)new_addr; + } else if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) { + /* + * Using a (signed) FIT wrapper is mandatory if we are + * doing verified boot. + */ + return rc; + } + /* Upload the Fman microcode if it's present */ rc = fman_upload_firmware(index, ®->fm_imem, addr); if (rc)
Fman microcode is executable code (AFAICT) loaded into a coprocessor. As such, if verified boot is enabled, it must be verified like other executable code. However, this is not currently done. This commit adds verified boot functionality by encapsulating the microcode in a FIT, which can then be signed/verified as normal. By default we allow fallback to unencapsulated firmware, but if CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because existing Layerscape do not use this config (instead enabling CONFIG_CHAIN_OF_TRUST), this should not break any existing boards. An example (mildly-abbreviated) its is provided below: / { #address-cells = <1>; images { firmware { data = /incbin/(/path/to/firmware); type = "firmware"; arch = "arm64"; compression = "none"; signature { algo = "sha256,rsa2048"; key-name-hint = "your key name"; }; }; }; configurations { default = "conf"; conf { description = "Load FMAN microcode"; fman = "firmware"; }; }; }; Signed-off-by: Sean Anderson <sean.anderson@seco.com> --- (no changes since v1) drivers/net/fm/fm.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)