authorPaer-Olof Haakansson <par-olof.hakansson@stericsson.com>2011-11-03 11:16:27 +0100
committerPar-Olof HAKANSSON <par-olof.hakansson@stericsson.com>2011-11-03 16:09:37 +0100
commitfc3399fcbf0b4a8f87fb25ab7095239c9b3d1ca7 (patch)
treeed32f9949645f2ba94f1fd8bfea122a9f1648cc2
parent72332e9c1c0780dd93bb4583526da27e248f50b0 (diff)
U8500: Decide secure boot in runtime
Previously the compile-time switch CONFIG_SECURE_KERNEL_BOOT decided if the Linux kernel and the modem images should be verified. Now this is handled at runtime by checking BOOT_AREA_SECURE_BOOT_BIT_INDEX in secprofile. ST-Ericsson ID: 340102 ST-Ericsson FOSS-OUT ID: NA Change-Id: I65a611a45c2e9eaeb01f2f7aa9054b246d488603 Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/36186 Reviewed-by: Johan YDSTROM <johan.xj.ydstrom@stericsson.com> Reviewed-by: Par-Olof HAKANSSON <par-olof.hakansson@stericsson.com> Tested-by: Par-Olof HAKANSSON <par-olof.hakansson@stericsson.com>
-rw-r--r--Makefile5
-rw-r--r--common/cmd_bootm.c17
-rw-r--r--cpu/arm_cortexa9/db8500/itp.c17
-rw-r--r--cpu/arm_cortexa9/db8500/sec_bridge.c53
-rw-r--r--include/asm-arm/arch-db8500/sec_bridge.h1
5 files changed, 59 insertions, 34 deletions
diff --git a/Makefile b/Makefile
index 80abcfa2b..588ff766d 100644
--- a/Makefile
+++ b/Makefile
@@ -3170,7 +3170,6 @@ u8500_def_config \
u8500_SRAM_config \
u8500_noconsole_config \
u8500_udc_config \
-u8500_secboot_config \
u8500_auto_config:
@if [ -z "$(shell grep "steconfig:$@" $(obj)include/config.h 2>/dev/null)" ]; then \
$(MAKE) unconfig ; \
@@ -3194,10 +3193,6 @@ u8500_auto_config:
echo "#define CONFIG_BOOT_SRAM" >> $(obj)include/config.h ; \
echo "TEXT_BASE = 0x40030000" >$(obj)board/st/u8500/config.tmp ; \
fi ; \
- if [ "$(findstring _secboot, $@)" ] ; then \
- echo "Configuring for secure boot ..." ; \
- echo "#define CONFIG_SECURE_KERNEL_BOOT" >> $(obj)include/config.h ; \
- fi ; \
$(MKCONFIG) -a u8500 arm arm_cortexa9 u8500 st-ericsson db8500 ; \
fi
diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index 0cac9cf1b..238bf2e1e 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -154,6 +154,10 @@ static boot_os_fn *boot_os[] = {
#endif
};
+#ifdef CONFIG_U8500
+extern int sec_bridge_verify_kernel_image(u32 *img_addr);
+#endif
+
ulong load_addr = CONFIG_SYS_LOAD_ADDR; /* Default Load Address */
static bootm_headers_t images; /* pointers to os/initrd/fdt images */
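Review bot: The extern prototype for sec_bridge_verify_kernel_image() is placed at file scope in generic code, while this same commit edits include/asm-arm/arch-db8500/sec_bridge.h, which is where the other sec_bridge_* prototypes live; the declaration belongs there and the `#ifdef CONFIG_U8500` block here should become an include of that header. Keeping a second copy of the signature in cmd_bootm.c lets the two drift apart with no compiler diagnostic, because this file never sees the real declaration. The removed in-function extern described itself as a low-impact shortcut; this change is the natural point to retire it rather than hoist it.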
@@ -867,16 +871,9 @@ static void *boot_get_kernel (cmd_tbl_t *cmdtp, int flag, int argc, char *argv[]
/* copy from dataflash if needed */
img_addr = genimg_get_image (img_addr);
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
- {
- /*
- * Extern declaration could more nicely done, but keeping
- * it here to have as low impact as possible...
- */
- extern int sec_bridge_verify_kernel_image(u32 *img_addr);
- if (sec_bridge_verify_kernel_image ((u32*)&img_addr))
- img_addr = 0;
- }
+#if defined(CONFIG_U8500)
+ if (sec_bridge_verify_kernel_image ((u32*)&img_addr))
+ img_addr = 0;
#endif
/* check image type, for FIT images get FIT kernel node */
diff --git a/cpu/arm_cortexa9/db8500/itp.c b/cpu/arm_cortexa9/db8500/itp.c
index d2e75745e..7b61124d1 100644
--- a/cpu/arm_cortexa9/db8500/itp.c
+++ b/cpu/arm_cortexa9/db8500/itp.c
@@ -61,10 +61,8 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
u32 n;
u32 offset;
u32 size;
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
u32 real_loadaddr = 0;
u32 size_in_bytes = 0;
-#endif
debug("itp_load_toc_entry: Loading %s\n", partname);
@@ -74,7 +72,6 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
return 1;
}
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
if (verify_signature) {
size_in_bytes = size;
real_loadaddr = *loadaddress;
@@ -85,11 +82,6 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
if (*loadaddress == 0)
*loadaddress = *loadaddress + block_dev->blksz;
}
-#else
- if (verify_signature) {
- debug("itp_load_toc_entry: secure boot disabled so verify signature has no effect\n");
- }
-#endif
size = (size / block_dev->blksz) +
((size % block_dev->blksz) ? 1 : 0);
@@ -104,12 +96,12 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
return 1;
}
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
if (verify_signature) {
debug("itp_load_toc_entry: Verifying image...\n");
if (sec_bridge_verify_itp_image(loadaddress)) {
- printf("itp_load_toc_entry: Failed to verify image %s!\n", partname);
+ printf("itp_load_toc_entry: Failed to verify image %s!\n",
+ partname);
return 1;
}
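Review bot: The `Verifying image...` debug message in this hunk is now printed even when secure boot is disabled in the runtime flags, since sec_bridge_verify_itp_image() then returns 0 without inspecting the image, and the load-address shift and memmove-back in the earlier hunks of this function still run in that case. The removed `#else` branch used to report the disabled state; nothing visible in these hunks does now. Suggest a comment above the call, `/* returns 0 without checking when secure boot is off in the runtime flags; see is_secboot_enabled() */`, so a 0 here is not read as proof the signature was checked. itp_load_toc_entry() begins before and ends after this hunk.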
@@ -118,13 +110,12 @@ static int itp_load_toc_entry(block_dev_desc_t *block_dev,
* Loadaddr is moved, need to move it back to ensure
* binary is not put out of order...
*/
- memmove((void *)(real_loadaddr), (void*)*loadaddress, size_in_bytes);
+ memmove((void *)(real_loadaddr), (void*)*loadaddress,
+ size_in_bytes);
*loadaddress = real_loadaddr;
}
}
-#endif
-
return 0;
}
diff --git a/cpu/arm_cortexa9/db8500/sec_bridge.c b/cpu/arm_cortexa9/db8500/sec_bridge.c
index 390350177..56919f9b4 100644
--- a/cpu/arm_cortexa9/db8500/sec_bridge.c
+++ b/cpu/arm_cortexa9/db8500/sec_bridge.c
@@ -8,6 +8,9 @@
#include <common.h>
#include <asm/arch/sec_bridge.h>
+#define TEE_RT_FLAGS_SECURE_BOOT 0x00000080
+
+
typedef u32 (*boot_rom_bridge_func_t)(const u32 , const u32, const va_list);
static boot_rom_bridge_func_t hw_sec_rom_pub_bridge;
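Review bot: TEE_RT_FLAGS_SECURE_BOOT is a bare magic value with no comment tying it to the secprofile bit the commit message names (BOOT_AREA_SECURE_BOOT_BIT_INDEX), and it is kept in the .c file while the matching service id ISSWAPI_GET_RT_FLAGS goes into sec_bridge.h. A one-line comment, `/* bit in the ISSWAPI_GET_RT_FLAGS word that is set when secure boot is enabled in secprofile */`, would record the relationship; placing the define next to ISSWAPI_GET_RT_FLAGS in the header would let other callers of the new sec_bridge_get_rt_flags() interpret the word. The doubled blank line after the define looks unintended.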
@@ -85,6 +88,37 @@ int sec_bridge_flush_issw(void)
return 0;
}
+int sec_bridge_get_rt_flags(u32* rt_flags)
+{
+ u32 ret;
+ int ret_val = 1;
+
+ if ((hw_sec_rom_pub_bridge != NULL) && (rt_flags != NULL)) {
+
+ ret = sec_bridge_call_secure_service(ISSWAPI_GET_RT_FLAGS,
+ SEC_ROM_FORCE_CLEAN_MASK,
+ rt_flags,
+ 0);
+
+ if (ret == SEC_ROM_RET_OK) {
+ ret_val = 0;
+ } else
+ printf("sec_bridge: ISSWAPI_GET_RT_FLAGS: %d\n", ret);
+
+ }
+
+ return ret_val;
+}
+
+int is_secboot_enabled(void)
+{
+ u32 rt_flags;
+ if (sec_bridge_get_rt_flags(&rt_flags) == 0)
+ return (rt_flags & TEE_RT_FLAGS_SECURE_BOOT);
+ else
+ return 0;
+}
+
/*
* All this signed header verification code is put here to reuse the static
* functions defined in this file to call secure world.
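Review bot: is_secboot_enabled() reports secure boot as disabled whenever sec_bridge_get_rt_flags() fails — hw_sec_rom_pub_bridge NULL, or the ISSWAPI_GET_RT_FLAGS call not returning SEC_ROM_RET_OK — and every verify function in the later hunks then returns 0, so a failure to read the flags silently turns image verification off. Failing closed is the safer default: `if (sec_bridge_get_rt_flags(&rt_flags) != 0) return 1; /* cannot read secprofile: keep verifying */`, unless boards without secure boot are known to fail this service, in which case "query failed" and "bit clear" should at least be logged separately rather than both folded into 0. In sec_bridge_get_rt_flags(), `ret` is a u32 printed with `%d`; use `%u`. The braced `if` paired with an unbraced `else` is also inconsistent with the rest of the file; brace both arms.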
@@ -93,8 +127,6 @@ int sec_bridge_flush_issw(void)
* module so the generic code below can be removed at that stage.
*/
-#if defined(CONFIG_SECURE_KERNEL_BOOT)
-
/* Stuff copied from isswapi_types.h */
enum issw_payload_type {
ISSW_PL_TYPE_TAPP = 0,
@@ -158,8 +190,12 @@ static int sec_bridge_verify_signed_header(issw_signed_header_t *hdr,
{
u32 ret;
+ if (!is_secboot_enabled())
+ return 0;
+
ret = sec_bridge_call_secure_service(ISSWAPI_VERIFY_SIGNED_HEADER,
- SEC_ROM_FORCE_CLEAN_MASK, hdr, (u32)pt);
+ SEC_ROM_FORCE_CLEAN_MASK,
+ hdr, (u32)pt);
if (ret != SEC_ROM_RET_OK) {
printf("sec_bridge: "
"ISSWAPI_VERIFY_SIGNED_HEADER: %d\n", ret);
@@ -173,6 +209,9 @@ static int sec_bridge_verify_hash(u8 *hash, u32 hash_size, u8 *payload,
{
u32 ret;
+ if (!is_secboot_enabled())
+ return 0;
+
ret = sec_bridge_call_secure_service(ISSWAPI_VERIFY_HASH,
SEC_ROM_FORCE_CLEAN_MASK,
hash, hash_size, payload, payload_size,
@@ -190,7 +229,11 @@ static int sec_bridge_verify_image(u32 *img_addr,
{
issw_signed_header_t *hdr = (issw_signed_header_t *) *img_addr;
- debug("sec_bridge_verify_image(img_addr->0x%08x, payload_type:%d)\n", *img_addr, payload_type);
+ if (!is_secboot_enabled())
+ return 0;
+
+ debug("sec_bridge_verify_image(img_addr->0x%08x, payload_type:%d)\n",
+ *img_addr, payload_type);
if (*img_addr == 0)
return 1;
@@ -222,5 +265,3 @@ int sec_bridge_verify_itp_image(u32 *img_addr)
{
return sec_bridge_verify_image(img_addr, ISSW_PL_TYPE_ITP);
}
-
-#endif /* CONFIG_SECURE_KERNEL_BOOT */
diff --git a/include/asm-arm/arch-db8500/sec_bridge.h b/include/asm-arm/arch-db8500/sec_bridge.h
index 447911c72..7f5d3f074 100644
--- a/include/asm-arm/arch-db8500/sec_bridge.h
+++ b/include/asm-arm/arch-db8500/sec_bridge.h
@@ -17,6 +17,7 @@
#define ISSWAPI_FLUSH_BOOT_CODE 0x11000003
#define ISSWAPI_VERIFY_SIGNED_HEADER 0x11000005
#define ISSWAPI_VERIFY_HASH 0x11000006
+#define ISSWAPI_GET_RT_FLAGS 0x11000007
int sec_bridge_init_bridge(void);
u32 sec_bridge_call_secure_service(const u32 serviceid,
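Review bot: The two new non-static functions in sec_bridge.c, sec_bridge_get_rt_flags() and is_secboot_enabled(), get no prototype in this header although it is the declaration point for the other sec_bridge_* entry points, so any other file wanting the runtime decision (itp.c, for instance) would have to redeclare them. Add `int sec_bridge_get_rt_flags(u32 *rt_flags);` and `int is_secboot_enabled(void);` here, or make them static if they are meant to stay internal to sec_bridge.c. is_secboot_enabled also lacks the sec_bridge_ prefix the rest of this API uses.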