author | Paer-Olof Haakansson <par-olof.hakansson@stericsson.com> | 2011-11-03 11:16:27 +0100 |
---|---|---|
committer | Par-Olof HAKANSSON <par-olof.hakansson@stericsson.com> | 2011-11-03 16:09:37 +0100 |
commit | fc3399fcbf0b4a8f87fb25ab7095239c9b3d1ca7 (patch) | |
tree | ed32f9949645f2ba94f1fd8bfea122a9f1648cc2 | |
parent | 72332e9c1c0780dd93bb4583526da27e248f50b0 (diff) |
U8500: Decide secure boot in runtime
Previously the compile time switch CONFIG_SECURE_KERNEL_BOOT
decided if the Linux kernel and the modem images should be verified.
Now this is handled at runtime by checking BOOT_AREA_SECURE_BOOT_BIT_INDEX
in secprofile.
ST-Ericsson ID: 340102
ST-Ericsson FOSS-OUT ID: NA
Change-Id: I65a611a45c2e9eaeb01f2f7aa9054b246d488603
Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/36186
Reviewed-by: Johan YDSTROM <johan.xj.ydstrom@stericsson.com>
Reviewed-by: Par-Olof HAKANSSON <par-olof.hakansson@stericsson.com>
Tested-by: Par-Olof HAKANSSON <par-olof.hakansson@stericsson.com>
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | common/cmd_bootm.c | 17 | ||||
-rw-r--r-- | cpu/arm_cortexa9/db8500/itp.c | 17 | ||||
-rw-r--r-- | cpu/arm_cortexa9/db8500/sec_bridge.c | 53 | ||||
-rw-r--r-- | include/asm-arm/arch-db8500/sec_bridge.h | 1 |
5 files changed, 59 insertions, 34 deletions
@@ -3170,7 +3170,6 @@ u8500_def_config \
 u8500_SRAM_config \
 u8500_noconsole_config \
 u8500_udc_config \
-u8500_secboot_config \
 u8500_auto_config:
 @if [ -z "$(shell grep "steconfig:$@" $(obj)include/config.h 2>/dev/null)" ]; then \
 $(MAKE) unconfig ; \
@@ -3194,10 +3193,6 @@ u8500_auto_config:
 echo "#define CONFIG_BOOT_SRAM" >> $(obj)include/config.h ; \
 echo "TEXT_BASE = 0x40030000" >$(obj)board/st/u8500/config.tmp ; \
 fi ; \
- if [ "$(findstring _secboot, $@)" ] ; then \
- echo "Configuring for secure boot ..." ; \
- echo "#define CONFIG_SECURE_KERNEL_BOOT" >> $(obj)include/config.h ; \
- fi ; \
 $(MKCONFIG) -a u8500 arm arm_cortexa9 u8500 st-ericsson db8500 ; \
 fi
diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index 0cac9cf1b..238bf2e1e 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -154,6 +154,10 @@ static boot_os_fn *boot_os[] = {
 #endif
 };
+#ifdef CONFIG_U8500
+extern int sec_bridge_verify_kernel_image(u32 *img_addr);
+#endif
+
 ulong load_addr = CONFIG_SYS_LOAD_ADDR; /* Default Load Address */
 static bootm_headers_t images; /* pointers to os/initrd/fdt images */
@@ -867,16 +871,9 @@ static void *boot_get_kernel (cmd_tbl_t *cmdtp, int flag, int argc, char *argv[]
 /* copy from dataflash if needed */
 img_addr = genimg_get_image (img_addr);
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
- {
- /*
- * Extern declaration could more nicely done, but keeping
- * it here to have as low impact as possible...
- */
- extern int sec_bridge_verify_kernel_image(u32 *img_addr);
- if (sec_bridge_verify_kernel_image ((u32*)&img_addr))
- img_addr = 0;
- }
+#if defined(CONFIG_U8500)
+ if (sec_bridge_verify_kernel_image ((u32*)&img_addr))
+ img_addr = 0;
 #endif
 /* check image type, for FIT images get FIT kernel node */
diff --git a/cpu/arm_cortexa9/db8500/itp.c b/cpu/arm_cortexa9/db8500/itp.c
index d2e75745e..7b61124d1 100644
--- a/cpu/arm_cortexa9/db8500/itp.c
+++ b/cpu/arm_cortexa9/db8500/itp.c
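Review bot: The file-scope `extern int sec_bridge_verify_kernel_image(u32 *img_addr);` added under `#ifdef CONFIG_U8500` in common/cmd_bootm.c is a hand-written prototype for a function defined in cpu/arm_cortexa9/db8500/sec_bridge.c, so the compiler cannot check it against the real definition. Since include/asm-arm/arch-db8500/sec_bridge.h is already touched by this commit, declaring the function there and replacing the extern with `#include <asm/arch/sec_bridge.h>` under the same guard keeps the generic code free of board-specific prototypes. The call in boot_get_kernel (second hunk) now runs on every U8500 build, and a return of 0 presumably also covers the secure-boot-off case that sec_bridge.c now decides at runtime; that contract belongs in a comment on the prototype so a reader of boot_get_kernel does not mistake the call for an unconditional verification.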
@@ -61,10 +61,8 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
 u32 n;
 u32 offset;
 u32 size;
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
 u32 real_loadaddr = 0;
 u32 size_in_bytes = 0;
-#endif
 debug("itp_load_toc_entry: Loading %s\n", partname);
@@ -74,7 +72,6 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
 return 1;
 }
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
 if (verify_signature) {
 size_in_bytes = size;
 real_loadaddr = *loadaddress;
@@ -85,11 +82,6 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
 if (*loadaddress == 0)
 *loadaddress = *loadaddress + block_dev->blksz;
 }
-#else
- if (verify_signature) {
- debug("itp_load_toc_entry: secure boot disabled so verify signature has no effect\n");
- }
-#endif
 size = (size / block_dev->blksz) + ((size % block_dev->blksz) ? 1 : 0);
@@ -104,12 +96,12 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
 return 1;
 }
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
 if (verify_signature) {
 debug("itp_load_toc_entry: Verifying image...\n");
 if (sec_bridge_verify_itp_image(loadaddress)) {
- printf("itp_load_toc_entry: Failed to verify image %s!\n", partname);
+ printf("itp_load_toc_entry: Failed to verify image %s!\n",
+ partname);
 return 1;
 }
@@ -118,13 +110,12 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
 * Loadaddr is moved, need to move it back to ensure
 * binary is not put out of order...
 */
- memmove((void *)(real_loadaddr), (void*)*loadaddress, size_in_bytes);
+ memmove((void *)(real_loadaddr), (void*)*loadaddress,
+ size_in_bytes);
 *loadaddress = real_loadaddr;
 }
 }
-#endif
-
 return 0;
 }
diff --git a/cpu/arm_cortexa9/db8500/sec_bridge.c b/cpu/arm_cortexa9/db8500/sec_bridge.c
index 390350177..56919f9b4 100644
--- a/cpu/arm_cortexa9/db8500/sec_bridge.c
+++ b/cpu/arm_cortexa9/db8500/sec_bridge.c
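Review bot: With the #if removed, the verify_signature path in itp_load_toc_entry still records real_loadaddr and size_in_bytes, loads the entry at a shifted address and memmoves it back (last hunk) on every board, even though sec_bridge_verify_itp_image now returns 0 without touching the image when is_secboot_enabled() is false. On a board with secure boot off that is one extra copy of size_in_bytes per TOC entry for no benefit; the shift logic between the second and third hunks is not visible here, so this is inferred from the real_loadaddr handling that is. If verify_signature is a plain int parameter, deciding once near the top, e.g. `verify_signature = verify_signature && is_secboot_enabled();`, would restore the old non-secure behaviour, though is_secboot_enabled() has no prototype in this commit's header hunk and would need one. itp_load_toc_entry starts before the first hunk.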
@@ -8,6 +8,9 @@
 #include <common.h>
 #include <asm/arch/sec_bridge.h>
+#define TEE_RT_FLAGS_SECURE_BOOT 0x00000080
+
+
 typedef u32 (*boot_rom_bridge_func_t)(const u32 , const u32, const va_list);
 static boot_rom_bridge_func_t hw_sec_rom_pub_bridge;
@@ -85,6 +88,37 @@ int sec_bridge_flush_issw(void)
 return 0;
 }
+int sec_bridge_get_rt_flags(u32* rt_flags)
+{
+ u32 ret;
+ int ret_val = 1;
+
+ if ((hw_sec_rom_pub_bridge != NULL) && (rt_flags != NULL)) {
+
+ ret = sec_bridge_call_secure_service(ISSWAPI_GET_RT_FLAGS,
+ SEC_ROM_FORCE_CLEAN_MASK,
+ rt_flags,
+ 0);
+
+ if (ret == SEC_ROM_RET_OK) {
+ ret_val = 0;
+ } else
+ printf("sec_bridge: ISSWAPI_GET_RT_FLAGS: %d\n", ret);
+
+ }
+
+ return ret_val;
+}
+
+int is_secboot_enabled(void)
+{
+ u32 rt_flags;
+ if (sec_bridge_get_rt_flags(&rt_flags) == 0)
+ return (rt_flags & TEE_RT_FLAGS_SECURE_BOOT);
+ else
+ return 0;
+}
+
 /*
 * All this signed header verification code is put here to reuse the static
 * functions defined in this file to call secure world.
@@ -93,8 +127,6 @@ int sec_bridge_flush_issw(void)
 * module so the generic code below can be removed at that stage.
 */
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
-
 /* Stuff copied from isswapi_types.h */
 enum issw_payload_type {
 ISSW_PL_TYPE_TAPP = 0,
@@ -158,8 +190,12 @@ static int sec_bridge_verify_signed_header(issw_signed_header_t *hdr,
 {
 u32 ret;
+ if (!is_secboot_enabled())
+ return 0;
+
 ret = sec_bridge_call_secure_service(ISSWAPI_VERIFY_SIGNED_HEADER,
- SEC_ROM_FORCE_CLEAN_MASK, hdr, (u32)pt);
+ SEC_ROM_FORCE_CLEAN_MASK,
+ hdr, (u32)pt);
 if (ret != SEC_ROM_RET_OK) {
 printf("sec_bridge: "
 "ISSWAPI_VERIFY_SIGNED_HEADER: %d\n", ret);
@@ -173,6 +209,9 @@ static int sec_bridge_verify_hash(u8 *hash, u32 hash_size, u8 *payload,
 {
 u32 ret;
+ if (!is_secboot_enabled())
+ return 0;
+
 ret = sec_bridge_call_secure_service(ISSWAPI_VERIFY_HASH,
 SEC_ROM_FORCE_CLEAN_MASK, hash, hash_size, payload, payload_size,
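Review bot: is_secboot_enabled() fails open: when hw_sec_rom_pub_bridge is NULL or ISSWAPI_GET_RT_FLAGS returns anything other than SEC_ROM_RET_OK, sec_bridge_get_rt_flags returns 1 and is_secboot_enabled returns 0, and the `if (!is_secboot_enabled()) return 0;` guards added to sec_bridge_verify_signed_header and sec_bridge_verify_hash in the later hunks on this line (and to sec_bridge_verify_image in the next) then report every image as verified. Any failure to read the runtime flags, whether an uninitialised bridge or a ROM that rejects the service id, therefore switches image verification off instead of refusing to boot. Unless boards exist whose ROM lacks ISSWAPI_GET_RT_FLAGS, the safer default is to treat an unreadable flag as secure boot on, i.e. the else branch becoming `return 1; /* flags unreadable: fail closed, keep verifying */`, or to return a distinct error that the verify functions map to failure. Both new functions are non-static but the header hunk adds only the service id, so `int sec_bridge_get_rt_flags(u32 *rt_flags);` and `int is_secboot_enabled(void);` should be declared in sec_bridge.h, and the result could be cached after the first successful read instead of making a secure-world call from each verify function.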
@@ -190,7 +229,11 @@ static int sec_bridge_verify_image(u32 *img_addr,
 {
 issw_signed_header_t *hdr = (issw_signed_header_t *) *img_addr;
- debug("sec_bridge_verify_image(img_addr->0x%08x, payload_type:%d)\n", *img_addr, payload_type);
+ if (!is_secboot_enabled())
+ return 0;
+
+ debug("sec_bridge_verify_image(img_addr->0x%08x, payload_type:%d)\n",
+ *img_addr, payload_type);
 if (*img_addr == 0)
 return 1;
@@ -222,5 +265,3 @@ int sec_bridge_verify_itp_image(u32 *img_addr)
 {
 return sec_bridge_verify_image(img_addr, ISSW_PL_TYPE_ITP);
 }
-
-#endif /* CONFIG_SECURE_KERNEL_BOOT */
diff --git a/include/asm-arm/arch-db8500/sec_bridge.h b/include/asm-arm/arch-db8500/sec_bridge.h
index 447911c72..7f5d3f074 100644
--- a/include/asm-arm/arch-db8500/sec_bridge.h
+++ b/include/asm-arm/arch-db8500/sec_bridge.h
@@ -17,6 +17,7 @@
 #define ISSWAPI_FLUSH_BOOT_CODE 0x11000003
 #define ISSWAPI_VERIFY_SIGNED_HEADER 0x11000005
 #define ISSWAPI_VERIFY_HASH 0x11000006
+#define ISSWAPI_GET_RT_FLAGS 0x11000007
 int sec_bridge_init_bridge(void);
 u32 sec_bridge_call_secure_service(const u32 serviceid, |
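Review bot: The guard inserted at the top of sec_bridge_verify_image returns before the debug() call, so when secure boot is off the image is passed through with nothing in the log, whereas the removed itp.c branch at least reported that signature verification had no effect. A line such as `debug("sec_bridge_verify_image: secure boot disabled, skipping verification\n");` before the `return 0;` (and likewise in the two guards of the previous hunks) keeps that visible to testers. The early return also bypasses the `if (*img_addr == 0) return 1;` check that follows, so a zero image address is now accepted in the disabled case; placing the guard after that check keeps the sanity check unconditional. sec_bridge_verify_image continues past the end of the hunk.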