From patchwork Fri Apr 1 13:23:56 2016
X-Patchwork-Submitter: Sumit Garg
X-Patchwork-Id: 605395
X-Patchwork-Delegate: yorksun@freescale.com
From: Sumit Garg
Date: Fri, 1 Apr 2016 09:23:56 -0400
Message-ID: <1459517037-16833-1-git-send-email-sumit.garg@nxp.com>
Cc: ruchika.gupta@nxp.com
Subject: [U-Boot] [PATCH 1/2] powerpc/mpc85xx: SECURE BOOT- Enable chain of trust in SPL
List-Id: U-Boot discussion

As part of Chain of Trust for Secure boot, the SPL U-Boot will validate the next level U-boot image. Add a new function spl_validate_uboot to perform the validation. Enable hardware crypto operations in SPL using SEC block. In case of Secure Boot, PAMU is not bypassed.
For allowing SEC block access to CPC configured as SRAM, configure PAMU. Reviewed-by: Ruchika Gupta Signed-off-by: Aneesh Bansal Signed-off-by: Sumit Garg --- arch/powerpc/cpu/mpc8xxx/fsl_pamu.c | 8 +++++ arch/powerpc/cpu/mpc8xxx/pamu_table.c | 8 +++++ arch/powerpc/include/asm/fsl_secure_boot.h | 26 +++++++++++++++ board/freescale/common/fsl_chain_of_trust.c | 50 +++++++++++++++++++++++++++++ common/Makefile | 2 ++ drivers/Makefile | 1 + drivers/crypto/fsl/jr.c | 16 +++++++++ drivers/mtd/nand/fsl_ifc_spl.c | 24 ++++++++++++++ include/fsl_validate.h | 1 + 9 files changed, 136 insertions(+) diff --git a/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c index 9421f1e..ede8e66 100644 --- a/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c +++ b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c @@ -239,15 +239,23 @@ int pamu_init(void) spaact_size = sizeof(struct paace) * NUM_SPAACT_ENTRIES; /* Allocate space for Primary PAACT Table */ +#if (defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_PPAACT_ADDR)) + ppaact = (void *)CONFIG_SPL_PPAACT_ADDR; +#else ppaact = memalign(PAMU_TABLE_ALIGNMENT, ppaact_size); if (!ppaact) return -1; +#endif memset(ppaact, 0, ppaact_size); /* Allocate space for Secondary PAACT Table */ +#if (defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_SPAACT_ADDR)) + sec = (void *)CONFIG_SPL_SPAACT_ADDR; +#else sec = memalign(PAMU_TABLE_ALIGNMENT, spaact_size); if (!sec) return -1; +#endif memset(sec, 0, spaact_size); ppaact_phys = virt_to_phys((void *)ppaact); diff --git a/arch/powerpc/cpu/mpc8xxx/pamu_table.c b/arch/powerpc/cpu/mpc8xxx/pamu_table.c index 26c5ea4..a8e6f51 100644 --- a/arch/powerpc/cpu/mpc8xxx/pamu_table.c +++ b/arch/powerpc/cpu/mpc8xxx/pamu_table.c 
@@ -28,6 +28,14 @@ void construct_pamu_addr_table(struct pamu_addr_tbl *tbl, int *num_entries) i++; #endif +#if (defined(CONFIG_SPL_BUILD) && (CONFIG_SYS_INIT_L3_VADDR)) + tbl->start_addr[i] = + (uint64_t)virt_to_phys((void *)CONFIG_SYS_INIT_L3_VADDR); + tbl->size[i] = 256 * 1024; /* 256K CPC flash */ + tbl->end_addr[i] = tbl->start_addr[i] + tbl->size[i] - 1; + + i++; +#endif debug("PAMU address\t\t\tsize\n"); for (j = 0; j < i ; j++) debug("%llx \t\t\t%llx\n", tbl->start_addr[j], tbl->size[j]); diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index c45cace..e801517 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -72,6 +72,30 @@ #ifdef CONFIG_CHAIN_OF_TRUST +#ifdef CONFIG_SPL_BUILD +#define CONFIG_SPL_DM 1 +#define CONFIG_SPL_CRYPTO_SUPPORT +#define CONFIG_SPL_DRIVERS_MISC_SUPPORT +/* + * PPAACT and SPAACT table for PAMU must be placed on DDR after DDR init + * due to space crunch on CPC and thus malloc will not work. + */ +#define CONFIG_SPL_PPAACT_ADDR 0x2e000000 +#define CONFIG_SPL_SPAACT_ADDR 0x2f000000 +#define CONFIG_SPL_JR0_LIODN_S 454 +#define CONFIG_SPL_JR0_LIODN_NS 458 +/* + * Define the key hash for U-Boot here if public/private key pair used to + * sign U-boot are different from the SRK hash put in the fuse + * Example of defining KEY_HASH is + * #define CONFIG_SPL_UBOOT_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + * else leave it defined as NULL + */ + +#define CONFIG_SPL_UBOOT_KEY_HASH NULL +#endif /* ifdef CONFIG_SPL_BUILD */ + #define CONFIG_CMD_ESBC_VALIDATE #define CONFIG_CMD_BLOB #define CONFIG_FSL_SEC_MON @@ -87,6 +111,7 @@ #define CONFIG_FSL_CAAM #endif +#ifndef CONFIG_SPL_BUILD /* fsl_setenv_chain_of_trust() must be called from * board_late_init() */ 
@@ -124,5 +149,6 @@ #endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ #include +#endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index ecfcc82..d24149b 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -6,7 +6,17 @@ #include #include +#include #include +#include + +#ifdef CONFIG_ADDR_MAP +#include +#endif + +#ifdef CONFIG_FSL_CORENET +#include +#endif #ifdef CONFIG_LS102XA #include @@ -52,6 +62,7 @@ int fsl_check_boot_mode_secure(void) return 0; } +#ifndef CONFIG_SPL_BUILD int fsl_setenv_chain_of_trust(void) { /* Check Boot Mode @@ -68,3 +79,42 @@ int fsl_setenv_chain_of_trust(void) setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD); return 0; } +#endif + +#ifdef CONFIG_SPL_BUILD +void spl_validate_uboot(uint32_t hdr_addr, uint32_t img_addr) +{ + int res; + + /* Check Boot Mode + * If Boot Mode is Non-Secure, skip validation + */ + if (fsl_check_boot_mode_secure() == 0) + return; + + printf("SPL: Validating U-Boot image\n"); + +#ifdef CONFIG_ADDR_MAP + init_addr_map(); +#endif + +#ifdef CONFIG_FSL_CORENET + if (pamu_init() < 0) + fsl_secboot_handle_error(ERROR_ESBC_PAMU_INIT); +#endif + +#ifdef CONFIG_FSL_CAAM + if (sec_init() < 0) + fsl_secboot_handle_error(ERROR_ESBC_SEC_INIT); +#endif + +#if defined(CONFIG_DM) + dm_init_and_scan(false); +#endif + res = fsl_secboot_validate(hdr_addr, CONFIG_SPL_UBOOT_KEY_HASH, + img_addr); + + if (res == 0) + printf("SPL: Validation of U-boot successful\n"); +} +#endif diff --git a/common/Makefile b/common/Makefile index 117178a..b070780 100644 --- a/common/Makefile +++ b/common/Makefile 
@@ -89,6 +89,8 @@ obj-$(CONFIG_USB_KEYBOARD) += usb_kbd.o endif # !CONFIG_SPL_BUILD ifdef CONFIG_SPL_BUILD +# core +obj-$(CONFIG_SPL_CRYPTO_SUPPORT) += hash.o obj-$(CONFIG_ENV_IS_IN_FLASH) += env_flash.o obj-$(CONFIG_SPL_YMODEM_SUPPORT) += xyzModem.o obj-$(CONFIG_SPL_NET_SUPPORT) += miiphyutil.o diff --git a/drivers/Makefile b/drivers/Makefile index e7eab66..943959b 100644 --- a/drivers/Makefile +++ b/drivers/Makefile @@ -36,6 +36,7 @@ obj-$(CONFIG_SPL_WATCHDOG_SUPPORT) += watchdog/ obj-$(CONFIG_SPL_USB_HOST_SUPPORT) += usb/host/ obj-$(CONFIG_OMAP_USB_PHY) += usb/phy/ obj-$(CONFIG_SPL_SATA_SUPPORT) += block/ +obj-$(CONFIG_SPL_CRYPTO_SUPPORT) += crypto/ else diff --git a/drivers/crypto/fsl/jr.c b/drivers/crypto/fsl/jr.c index b766470..29950cc 100644 --- a/drivers/crypto/fsl/jr.c +++ b/drivers/crypto/fsl/jr.c @@ -550,10 +550,26 @@ int sec_init(void) sec_out32(&sec->mcfgr, mcr); #ifdef CONFIG_FSL_CORENET +#ifdef CONFIG_SPL_BUILD + /* For SPL Build, Set the Liodns in SEC JR0 for + * creating PAMU entries corresponding to these. + * For normal build, these are set in set_liodns(). + */ + liodn_ns = CONFIG_SPL_JR0_LIODN_NS & JRNSLIODN_MASK; + liodn_s = CONFIG_SPL_JR0_LIODN_S & JRSLIODN_MASK; + + liodnr = sec_in32(&sec->jrliodnr[0].ls) & + ~(JRNSLIODN_MASK | JRSLIODN_MASK); + liodnr = liodnr | + (liodn_ns << JRNSLIODN_SHIFT) | + (liodn_s << JRSLIODN_SHIFT); + sec_out32(&sec->jrliodnr[0].ls, liodnr); +#else liodnr = sec_in32(&sec->jrliodnr[0].ls); liodn_ns = (liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT; liodn_s = (liodnr & JRSLIODN_MASK) >> JRSLIODN_SHIFT; #endif +#endif ret = jr_init(); if (ret < 0) { diff --git a/drivers/mtd/nand/fsl_ifc_spl.c b/drivers/mtd/nand/fsl_ifc_spl.c index cbeb74a..30aa966 100644 --- a/drivers/mtd/nand/fsl_ifc_spl.c +++ b/drivers/mtd/nand/fsl_ifc_spl.c @@ -11,6 +11,9 @@ #include #include #include +#ifdef CONFIG_CHAIN_OF_TRUST +#include +#endif static inline int is_blank(uchar *addr, int page_size) { 
@@ -268,6 +271,27 @@ void nand_boot(void) */ flush_cache(CONFIG_SYS_NAND_U_BOOT_DST, CONFIG_SYS_NAND_U_BOOT_SIZE); #endif + +#ifdef CONFIG_CHAIN_OF_TRUST + /* + * As U-Boot header is appended at end of U-boot image, so + * calculate U-boot header address using U-boot header size. + */ +#define CONFIG_U_BOOT_HDR_ADDR \ + ((CONFIG_SYS_NAND_U_BOOT_START + \ + CONFIG_SYS_NAND_U_BOOT_SIZE) - \ + CONFIG_U_BOOT_HDR_SIZE) + spl_validate_uboot(CONFIG_U_BOOT_HDR_ADDR, + CONFIG_SYS_NAND_U_BOOT_START); + /* + * In case of failure in validation, spl_validate_uboot would + * not return back in case of Production environment with ITS=1. + * Thus U-Boot will not start. + * In Development environment (ITS=0 and SB_EN=1), the function + * may return back in case of non-fatal failures. + */ +#endif + uboot = (void *)CONFIG_SYS_NAND_U_BOOT_START; uboot(); } diff --git a/include/fsl_validate.h b/include/fsl_validate.h index 83efcf4..a064954 100644 --- a/include/fsl_validate.h +++ b/include/fsl_validate.h @@ -207,4 +207,5 @@ int fsl_secboot_blob_decap(cmd_tbl_t *cmdtp, int flag, int argc, int fsl_check_boot_mode_secure(void); int fsl_setenv_chain_of_trust(void); +void spl_validate_uboot(uint32_t hdr_addr, uint32_t img_addr); #endif
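Review bot: In pamu_init() (arch/powerpc/cpu/mpc8xxx/fsl_pamu.c) the SPL branch casts CONFIG_SPL_PPAACT_ADDR and CONFIG_SPL_SPAACT_ADDR straight to table pointers, so the alignment that the memalign(PAMU_TABLE_ALIGNMENT, ...) path guaranteed is no longer enforced, and nothing checks that ppaact_size / spaact_size bytes at those addresses are usable before the memset. Add a build-time check that each address is a multiple of PAMU_TABLE_ALIGNMENT and a comment at this spot naming the "DDR must already be initialised" precondition, which today is only stated in fsl_secure_boot.h.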
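Review bot: In construct_pamu_addr_table() (arch/powerpc/cpu/mpc8xxx/pamu_table.c) the new guard `#if (defined(CONFIG_SPL_BUILD) && (CONFIG_SYS_INIT_L3_VADDR))` tests the value of CONFIG_SYS_INIT_L3_VADDR rather than whether it is defined, unlike the `defined(CONFIG_SPL_PPAACT_ADDR)` form used in fsl_pamu.c in the same patch; use defined(CONFIG_SYS_INIT_L3_VADDR). The window size is also hard-coded as 256 * 1024 and its comment says "CPC flash" while the commit message describes the CPC as SRAM; take the size from a config symbol and correct the comment, because this entry sets how much memory the SEC block is allowed to reach.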
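Review bot: The SPL block added to arch/powerpc/include/asm/fsl_secure_boot.h defines CONFIG_SPL_PPAACT_ADDR 0x2e000000, CONFIG_SPL_SPAACT_ADDR 0x2f000000 and the JR0 LIODNs 454 and 458 unconditionally in an arch-wide header, so every board that builds SPL with CONFIG_CHAIN_OF_TRUST inherits them with no way to override. Wrap each in #ifndef so a board config can supply its own values, and document what constrains them (for example, that the two table regions must not overlap the U-Boot load destination). The CONFIG_SPL_UBOOT_KEY_HASH comment would also be clearer if it said outright which key the image is checked against when the value is left as NULL.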
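Review bot: spl_validate_uboot() in board/freescale/common/fsl_chain_of_trust.c only acts on res == 0; when fsl_secboot_validate() returns a non-zero result it is dropped without a message, and because the function is void the caller cannot tell a validated image from a failed or skipped one. Return the result (or at least print the failure code), and check the return value of dm_init_and_scan(false) the way pamu_init() and sec_init() are checked just above it, since a failure there is currently ignored. A short kernel-doc style comment on the function describing the secure and non-secure boot mode behaviour would help as well.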
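Review bot: In the SPL branch of sec_init() (drivers/crypto/fsl/jr.c) the constants are masked before they are shifted, `liodn_ns = CONFIG_SPL_JR0_LIODN_NS & JRNSLIODN_MASK;`, yet the #else branch extracts the same fields with `(liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT`, which means the masks are expressed in register position. Masking an unshifted value with an in-position mask clears any field whose shift is non-zero, so the LIODN written to jrliodnr[0].ls may not be the one the PAMU entries are built for. Shift first and mask afterwards, e.g. `(CONFIG_SPL_JR0_LIODN_NS << JRNSLIODN_SHIFT) & JRNSLIODN_MASK`, and keep liodn_ns / liodn_s holding the unshifted values for the code that consumes them later.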
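Review bot: In nand_boot() (drivers/mtd/nand/fsl_ifc_spl.c) CONFIG_U_BOOT_HDR_ADDR is #defined inside the function body and depends on CONFIG_U_BOOT_HDR_SIZE, which this patch does not define anywhere; move the macro into a header next to the size it relies on, and drop the CONFIG_ prefix if it is not meant to be a user option. The uboot() call that follows is unconditional, so on the ITS=0 path described in the comment a failed validation still boots the image, and that deserves a visible warning at this call site. The diffstat also wires validation only into the NAND SPL loader, so the commit message should say whether other SPL boot sources are expected to call spl_validate_uboot().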