From patchwork Tue Jun 14 17:52:38 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sumit Garg
X-Patchwork-Id: 635191
X-Patchwork-Delegate: yorksun@freescale.com
From: Sumit Garg
Date: Tue, 14 Jun 2016 13:52:38 -0400
Message-ID: <1465926760-8730-3-git-send-email-sumit.garg@nxp.com>
In-Reply-To: <1465926760-8730-1-git-send-email-sumit.garg@nxp.com>
References: <1465926760-8730-1-git-send-email-sumit.garg@nxp.com>
Cc: trini@konsulko.com, ruchika.gupta@nxp.com
Subject: [U-Boot] [PATCH 2/4] SECURE_BOOT: Enable chain of trust in SPL framework
List-Id: U-Boot discussion

Override jump_to_image_no_args function to include validation of
u-boot image using spl_validate_uboot before jumping to u-boot image.
Also define macros in SPL framework to enable crypto operations.

Reviewed-by: Aneesh Bansal
Signed-off-by: Sumit Garg Reviewed-by: Simon Glass --- arch/arm/include/asm/fsl_secure_boot.h | 25 +++++++++++++++++++-- board/freescale/common/fsl_chain_of_trust.c | 34 ++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 3 deletions(-) diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 53cd755..3f76c9a 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -17,8 +17,6 @@ #ifdef CONFIG_CHAIN_OF_TRUST #define CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_BLOB -#define CONFIG_CMD_HASH #define CONFIG_FSL_SEC_MON #define CONFIG_SHA_HW_ACCEL #define CONFIG_SHA_PROG_HW_ACCEL @@ -28,6 +26,28 @@ #define CONFIG_FSL_CAAM #endif +#ifdef CONFIG_SPL_BUILD +#define CONFIG_SPL_BOARD_INIT +#define CONFIG_SPL_DM 1 +#define CONFIG_SPL_CRYPTO_SUPPORT +#define CONFIG_SPL_HASH_SUPPORT +#define CONFIG_SPL_RSA +#define CONFIG_SPL_DRIVERS_MISC_SUPPORT +/* + * Define the key hash for U-Boot here if public/private key pair used to + * sign U-boot are different from the SRK hash put in the fuse + * Example of defining KEY_HASH is + * #define CONFIG_SPL_UBOOT_KEY_HASH \ + * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b" + * else leave it defined as NULL + */ + +#define CONFIG_SPL_UBOOT_KEY_HASH NULL +#endif /* ifdef CONFIG_SPL_BUILD */ + +#ifndef CONFIG_SPL_BUILD +#define CONFIG_CMD_BLOB +#define CONFIG_CMD_HASH #define CONFIG_KEY_REVOCATION #ifndef CONFIG_SYS_RAMBOOT /* The key used for verification of next level images @@ -92,5 +112,6 @@ #endif #include +#endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7bf9827..0f5ec35 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c 
@@ -10,6 +10,10 @@ #include #include +#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) +#include +#endif + #ifdef CONFIG_ADDR_MAP #include #endif @@ -113,7 +117,7 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr) * do not use common SPL framework, so need to call this function here. */ #if defined(CONFIG_SPL_DM) && (!defined(CONFIG_SPL_FRAMEWORK)) - dm_init_and_scan(false); + dm_init_and_scan(true); #endif res = fsl_secboot_validate(hdr_addr, CONFIG_SPL_UBOOT_KEY_HASH, &img_addr); @@ -121,4 +125,32 @@ void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr) if (res == 0) printf("SPL: Validation of U-boot successful\n"); } + +#ifdef CONFIG_SPL_FRAMEWORK +/* Override weak funtion defined in SPL framework to enable validation + * of main u-boot image before jumping to u-boot image. + */ +void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image) +{ + typedef void __noreturn (*image_entry_noargs_t)(void); + uint32_t hdr_addr; + + image_entry_noargs_t image_entry = + (image_entry_noargs_t)(unsigned long)spl_image->entry_point; + + hdr_addr = (spl_image->entry_point + spl_image->size - + CONFIG_U_BOOT_HDR_SIZE); + spl_validate_uboot(hdr_addr, (uintptr_t)spl_image->entry_point); + /* + * In case of failure in validation, spl_validate_uboot would + * not return back in case of Production environment with ITS=1. + * Thus U-Boot will not start. + * In Development environment (ITS=0 and SB_EN=1), the function + * may return back in case of non-fatal failures. + */ + + debug("image entry point: 0x%X\n", spl_image->entry_point); + image_entry(); +} +#endif /* ifdef CONFIG_SPL_FRAMEWORK */ #endif /* ifdef CONFIG_SPL_BUILD */
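
Review bot: In arch/arm/include/asm/fsl_secure_boot.h, hunk @@ -28,6 +26,28, the line "#define CONFIG_SPL_UBOOT_KEY_HASH NULL" is unconditional, so a board config that defines its own hash before this header is included, as the comment above it invites, gets a macro redefinition instead of an override. Wrapping the define in "#ifndef CONFIG_SPL_UBOOT_KEY_HASH" / "#endif" would make NULL a real default. The comment itself compares a "public/private key pair" with "the SRK hash", which are different kinds of object; suggest rewording it to say that the macro holds the hash of the key used to sign U-Boot and is only needed when that key is not the one behind the SRK hash in the fuses. Minor style point: CONFIG_SPL_DM is defined as 1 while the other options added in the same block are defined with no value.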
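
Review bot: The change from dm_init_and_scan(false) to dm_init_and_scan(true) in spl_validate_uboot(), hunk @@ -113,7 +117,7 of board/freescale/common/fsl_chain_of_trust.c, is not mentioned in the commit message and sits under "!defined(CONFIG_SPL_FRAMEWORK)", which is the path this patch is otherwise not about. Please state in the commit message why the argument changes for platforms that do not use the SPL framework, or move the line to its own patch. The return value of the call is also discarded; a failure there is worth reporting before fsl_secboot_validate() is reached.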
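
Review bot: In jump_to_image_no_args(), hunk @@ -121,4 +125,32 of board/freescale/common/fsl_chain_of_trust.c, hdr_addr is computed as "spl_image->entry_point + spl_image->size - CONFIG_U_BOOT_HDR_SIZE" with no check that spl_image->size is at least CONFIG_U_BOOT_HDR_SIZE, so a zero or short size yields a header address below the start of the image. The value is also held in a uint32_t while the image address is passed as uintptr_t, so the two disagree in width on a 64-bit target. Suggest checking the size before the subtraction and adding a comment that states the layout assumed here: header in the last CONFIG_U_BOOT_HDR_SIZE bytes, image loaded at its entry point. Separately, image_entry() is called unconditionally once spl_validate_uboot() returns, and that function returns void, so on the ITS=0 path described in the comment this function jumps to an image that failed validation without being able to log it; returning the result would let the caller print a warning before the jump. Typo in the first comment of the hunk: "funtion".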