authorYe Li <ye.li@nxp.com>2017-11-08 21:43:56 -0600
committerYe Li <ye.li@nxp.com>2017-11-13 01:09:45 -0600
commita0cba5678b10827bc4b5e4fb2e40945a5c332baa (patch)
treea687d5f87213cadc45b637401b891c4868a98878
parent5f6ef97a9d13361895180df7014f4e4fb48a5875 (diff)
MLK-16787-2 iMX8M: Add support to enable CONFIG_SECURE_BOOT
Add some SoC-level code and build configuration to use the HAB lib for CONFIG_SECURE_BOOT, such as adding the SEC_CONFIG fuse, enabling the fuse driver, adding the CAAM clock function, and adding the CAAM secure RAM to the MMU table. FSL_CAAM is temporarily not enabled for iMX8M when CONFIG_SECURE_BOOT is set, because we don't need the CAAM driver for SPL. Signed-off-by: Ye Li <ye.li@nxp.com> Reviewed-by: Peng Fan <peng.fan@nxp.com>
-rw-r--r--arch/arm/cpu/armv8/imx8m/clock.c7
-rw-r--r--arch/arm/cpu/armv8/imx8m/soc.c15
-rw-r--r--arch/arm/imx-common/Kconfig4
-rw-r--r--arch/arm/imx-common/Makefile1
-rw-r--r--arch/arm/include/asm/arch-imx8m/clock.h2
-rw-r--r--include/configs/imx8mq_evk.h5
6 files changed, 31 insertions, 3 deletions
diff --git a/arch/arm/cpu/armv8/imx8m/clock.c b/arch/arm/cpu/armv8/imx8m/clock.c
index e7795c9d83..a445a7a75f 100644
--- a/arch/arm/cpu/armv8/imx8m/clock.c
+++ b/arch/arm/cpu/armv8/imx8m/clock.c
@@ -13,6 +13,13 @@
DECLARE_GLOBAL_DATA_PTR;
+#ifdef CONFIG_SECURE_BOOT
+void hab_caam_clock_enable(unsigned char enable)
+{
+ /* The CAAM clock is always on for iMX8M */
+}
+#endif
+
#ifdef CONFIG_MXC_OCOTP
void enable_ocotp_clk(unsigned char enable)
{
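Review bot: `hab_caam_clock_enable()` ignores its `enable` argument, so a caller that passes 0 expecting the CAAM clock to be gated after authentication gets no effect and no indication of it. The comment should say so explicitly, for example `/* CAAM clock is always on for iMX8M; 'enable' is intentionally ignored and the clock is never gated here */`. The prototype added to clock.h is unconditional while this definition sits under `#ifdef CONFIG_SECURE_BOOT`, so a caller in a non-secure-boot build would compile and only fail at link time; guarding the prototype the same way would surface that earlier.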
diff --git a/arch/arm/cpu/armv8/imx8m/soc.c b/arch/arm/cpu/armv8/imx8m/soc.c
index c8038a7ae9..1a1e908d00 100644
--- a/arch/arm/cpu/armv8/imx8m/soc.c
+++ b/arch/arm/cpu/armv8/imx8m/soc.c
@@ -9,6 +9,7 @@
#include <asm/io.h>
#include <asm/arch/clock.h>
#include <asm/arch/sys_proto.h>
+#include <asm/imx-common/hab.h>
#include <asm/imx-common/boot_mode.h>
#include <asm/armv8/mmu.h>
#include <errno.h>
@@ -16,6 +17,13 @@
DECLARE_GLOBAL_DATA_PTR;
+#if defined(CONFIG_SECURE_BOOT)
+struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+ .bank = 1,
+ .word = 3,
+};
+#endif
+
/*
* OCOTP_TESTER3[9:8] (see Fusemap Description Table offset 0x440)
* defines a 2-bit SPEED_GRADING
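Review bot: The `.bank = 1, .word = 3` values in `imx_sec_config_fuse` are undocumented, yet this is presumably the fuse location the HAB code reads to decide whether the part is in closed (secure) configuration, so a wrong index would silently misreport the device's security state. The SPEED_GRADING comment just below cites its fuse-map offset, and the same should be done here, e.g. `/* SEC_CONFIG fuse: OCOTP bank 1, word 3 (Fusemap Description Table offset <OFFSET_FROM_REFERENCE_MANUAL>) */`. The placeholder has to be filled in from the reference manual, which is not visible in this diff.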
@@ -156,6 +164,13 @@ static struct mm_region imx8m_mem_map[] = {
.attrs = PTE_BLOCK_MEMTYPE(MT_NORMAL) |
PTE_BLOCK_OUTER_SHARE
}, {
+ .virt = 0x100000UL,
+ .phys = 0x100000UL,
+ .size = 0x8000UL,
+ .attrs = PTE_BLOCK_MEMTYPE(MT_DEVICE_NGNRNE) |
+ PTE_BLOCK_NON_SHARE |
+ PTE_BLOCK_PXN | PTE_BLOCK_UXN
+ }, {
.virt = 0x7C0000UL,
.phys = 0x7C0000UL,
.size = 0x80000UL,
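Review bot: The new `0x100000`/`0x8000` entry is added to `imx8m_mem_map` unconditionally and without a comment, while the other code additions in this commit are guarded by `CONFIG_SECURE_BOOT`. If this is the CAAM secure RAM the commit message mentions, builds that never use HAB still get the region mapped; wrapping the entry in `#if defined(CONFIG_SECURE_BOOT)`, or explaining why it must always be present, would keep the mapping to what is needed. The device-nGnRnE, PXN/UXN attributes are a sensible choice for it, and a leading `/* CAAM secure RAM, 32 KiB, never executable */` would record that intent. The array definition starts and ends outside this hunk.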
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
index 883bdbac85..be488df601 100644
--- a/arch/arm/imx-common/Kconfig
+++ b/arch/arm/imx-common/Kconfig
@@ -39,8 +39,8 @@ config USE_IMXIMG_PLUGIN
config SECURE_BOOT
bool "Support i.MX HAB features"
- depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
- select FSL_CAAM if !MX6ULL && !MX6SLL && !MX6SL
+ depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 || ARCH_IMX8M
+ select FSL_CAAM if !MX6ULL && !MX6SLL && !MX6SL && !IMX8M
help
This option enables the support for secure boot (HAB).
See doc/README.mxc_hab for more details.
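Review bot: The `depends on` line tests `ARCH_IMX8M` but the `select FSL_CAAM if ...` condition tests `IMX8M`, a different symbol. Kconfig evaluates an undefined symbol as `n`, so if `IMX8M` is not defined (or is not set for every board that sets `ARCH_IMX8M`) the `!IMX8M` term is true and `FSL_CAAM` is still selected, contrary to what the commit message intends for SPL. Whether `IMX8M` exists is not visible in this hunk; if it does not, the line should read `select FSL_CAAM if !MX6ULL && !MX6SLL && !MX6SL && !ARCH_IMX8M`. Since the exclusion is described as temporary, a short `# TODO` comment next to it would help it get revisited.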
diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile
index 30d18a3c69..8972ec934d 100644
--- a/arch/arm/imx-common/Makefile
+++ b/arch/arm/imx-common/Makefile
@@ -13,6 +13,7 @@ endif
ifeq ($(SOC),$(filter $(SOC),imx8m))
obj-$(CONFIG_IMX_BOOTAUX) += imx_bootaux.o
obj-$(CONFIG_SYS_I2C_MXC) += i2c-mxv7.o
+obj-$(CONFIG_SECURE_BOOT) += hab.o
obj-y += cpu.o
endif
diff --git a/arch/arm/include/asm/arch-imx8m/clock.h b/arch/arm/include/asm/arch-imx8m/clock.h
index dd3599bdd8..c6e9a66cb3 100644
--- a/arch/arm/include/asm/arch-imx8m/clock.h
+++ b/arch/arm/include/asm/arch-imx8m/clock.h
@@ -859,5 +859,5 @@ int enable_i2c_clk(unsigned char enable, unsigned i2c_num);
#ifdef CONFIG_FEC_MXC
int set_clk_enet(enum enet_freq type);
#endif
-
+void hab_caam_clock_enable(unsigned char enable);
#endif
diff --git a/include/configs/imx8mq_evk.h b/include/configs/imx8mq_evk.h
index baaf77ed33..ded5b1a34f 100644
--- a/include/configs/imx8mq_evk.h
+++ b/include/configs/imx8mq_evk.h
@@ -10,6 +10,10 @@
#include <linux/sizes.h>
#include <asm/arch/imx-regs.h>
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE 0x2000 /* 8K region */
+#endif
+
#define CONFIG_SPL_FRAMEWORK
#define CONFIG_SPL_TEXT_BASE 0x7E1000
#define CONFIG_SPL_MAX_SIZE (124 * 1024)
@@ -21,6 +25,7 @@
#ifdef CONFIG_SPL_BUILD
/*#define CONFIG_ENABLE_DDR_TRAINING_DEBUG*/
#define CONFIG_SPL_WATCHDOG_SUPPORT
+#define CONFIG_SPL_DRIVERS_MISC_SUPPORT
#define CONFIG_SPL_POWER_SUPPORT
#define CONFIG_SPL_I2C_SUPPORT
#define CONFIG_SPL_BOARD_INIT