diff options
author | Ye Li <ye.li@nxp.com> | 2018-07-26 07:54:34 -0700 |
---|---|---|
committer | Ye Li <ye.li@nxp.com> | 2018-08-05 19:29:05 -0700 |
commit | e469bf980df3fa5c7d4e059aaaed4db296a0b002 (patch) | |
tree | d15b61a88abdb702ae4c594d0de4c90f65b17de6 /include/configs | |
parent | 776cd6799e7bb97967a5ee480dbf199bc6ec2586 (diff) |
MLK-19064 imx8qm: Add secure boot environment
Add the secure boot relevant environment variables to ARM2 and MEK.
When CONFIG_AHAB_BOOT is enabled, we will switch to boot flow:
1. Load the signed OS container to address 0x88000000
2. Using auth_cntr to authenticate the OS container. It will load the
kernel and FDT to destination addresses.
3. Using booti to boot kernel.
Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit eb47b72c1c89deddeaa3b3618d8c28aca05cd4ad)
Diffstat (limited to 'include/configs')
-rw-r--r-- | include/configs/imx8qm_arm2.h | 61 | ||||
-rw-r--r-- | include/configs/imx8qm_mek.h | 60 |
2 files changed, 95 insertions, 26 deletions
diff --git a/include/configs/imx8qm_arm2.h b/include/configs/imx8qm_arm2.h index 495d8669a31..18e73cbeaef 100644 --- a/include/configs/imx8qm_arm2.h +++ b/include/configs/imx8qm_arm2.h @@ -100,6 +100,12 @@ #define CONFIG_MAX7322_I2C_BUS 2 /* I2C2 */ #endif +#ifdef CONFIG_AHAB_BOOT +#define AHAB_ENV "sec_boot=yes\0" +#else +#define AHAB_ENV "sec_boot=no\0" +#endif + /* Boot M4 */ #define M4_BOOT_ENV \ "m4_0_image=m4_0.bin\0" \ @@ -162,6 +168,7 @@ CONFIG_MFG_ENV_SETTINGS \ XEN_BOOT_ENV \ M4_BOOT_ENV \ + AHAB_ENV \ "script=boot.scr\0" \ "image=Image\0" \ "panel=NULL\0" \ @@ -169,6 +176,8 @@ "earlycon=lpuart32,0x5a060000\0" \ "fdt_addr=0x83000000\0" \ "fdt_high=0xffffffffffffffff\0" \ + "cntr_addr=0x88000000\0" \ + "cntr_file=os_cntr_signed.bin\0" \ "boot_fdt=try\0" \ "fdt_file="__stringify(CONFIG_DEFAULT_DEVICE_TREE)".dtb\0" \ "initrd_addr=0x83800000\0" \ @@ -186,17 +195,27 @@ "hdp_addr=0x84000000\0" \ "hdp_file=dpfw.bin\0" \ "loadhdp=fatload mmc ${mmcdev}:${mmcpart} ${hdp_addr} ${hdp_file}\0" \ + "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \ + "auth_os=auth_cntr ${cntr_addr}\0" \ "mmcboot=echo Booting from mmc ...; " \ "if run loadhdp; then; hdp load ${hdp_addr}; fi;" \ "run mmcargs; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if run loadfdt; then " \ + "if test ${sec_boot} = yes; then " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "echo wait for boot; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if run loadfdt; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "echo wait for boot; " \ + "fi;" \ "fi;\0" \ "netargs=setenv bootargs console=${console},${baudrate} earlycon=${earlycon},${baudrate} " \ "root=/dev/nfs " \ @@ -209,15 +228,24 @@ "setenv get_cmd tftp; " \ "fi; " \ "if ${get_cmd} ${hdp_addr} ${hdp_file}; then; hdp load ${hdp_addr}; fi;" \ - "${get_cmd} ${loadaddr} ${image}; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "if test ${sec_boot} = yes; then " \ + "${get_cmd} ${cntr_addr} ${cntr_file}; " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "booti; " \ + "${get_cmd} ${loadaddr} ${image}; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "booti; " \ + "fi;" \ "fi;\0" #define CONFIG_BOOTCOMMAND \ @@ -225,10 +253,17 @@ "if run loadbootscript; then " \ "run bootscript; " \ "else " \ - "if run loadimage; then " \ - "run mmcboot; " \ - "else run netboot; " \ - "fi; " \ + "if test ${sec_boot} = yes; then " \ + "if run loadcntr; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "else " \ + "if run loadimage; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "fi; " \ "fi; " \ "else booti ${loadaddr} - ${fdt_addr}; fi" diff --git a/include/configs/imx8qm_mek.h b/include/configs/imx8qm_mek.h index 9dab0f3e7ce..48fab1c6db2 100644 --- a/include/configs/imx8qm_mek.h +++ b/include/configs/imx8qm_mek.h @@ -90,6 +90,11 @@ #define CONFIG_LIB_RAND #define CONFIG_NET_RANDOM_ETHADDR +#ifdef CONFIG_AHAB_BOOT +#define AHAB_ENV "sec_boot=yes\0" +#else +#define AHAB_ENV "sec_boot=no\0" +#endif #define JAILHOUSE_ENV \ "jh_mmcboot=" \ @@ -166,6 +171,7 @@ M4_BOOT_ENV \ XEN_BOOT_ENV \ JAILHOUSE_ENV\ + AHAB_ENV \ "script=boot.scr\0" \ "image=Image\0" \ "panel=NULL\0" \ @@ -173,6 +179,8 @@ "earlycon=lpuart32,0x5a060000\0" \ "fdt_addr=0x83000000\0" \ "fdt_high=0xffffffffffffffff\0" \ + "cntr_addr=0x88000000\0" \ + "cntr_file=os_cntr_signed.bin\0" \ "boot_fdt=try\0" \ "fdt_file=fsl-imx8qm-mek.dtb\0" \ "initrd_addr=0x83800000\0" \ @@ -194,18 +202,28 @@ "loadhdp=fatload mmc ${mmcdev}:${mmcpart} ${hdp_addr} ${hdp_file}\0" \ "loadhdprx=fatload mmc ${mmcdev}:${mmcpart} ${hdprx_addr} ${hdprx_file}\0" \ "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \ + "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \ + "auth_os=auth_cntr ${cntr_addr}\0" \ "mmcboot=echo Booting from mmc ...; " \ "if run loadhdp; then; hdp load ${hdp_addr}; fi;" \ "if run loadhdprx; then; hdprx load ${hdprx_addr}; fi;" \ "run mmcargs; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if run loadfdt; then " \ + "if test ${sec_boot} = yes; then " \ + "if run auth_os; then " \ "run boot_os; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "echo wait for boot; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if run loadfdt; then " \ + "run boot_os; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "echo wait for boot; " \ + "fi;" \ "fi;\0" \ "netargs=setenv bootargs console=${console},${baudrate} earlycon=${earlycon},${baudrate} " \ "root=/dev/nfs " \ @@ -219,15 +237,24 @@ "fi; " \ "if ${get_cmd} ${hdp_addr} ${hdp_file}; then; hdp load ${hdp_addr}; fi;" \ "if ${get_cmd} ${hdprx_addr} ${hdprx_file}; then; hdprx load ${hdprx_addr}; fi;" \ - "${get_cmd} ${loadaddr} ${image}; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "if test ${sec_boot} = yes; then " \ + "${get_cmd} ${cntr_addr} ${cntr_file}; " \ + "if run auth_os; then " \ "run boot_os; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "booti; " \ + "${get_cmd} ${loadaddr} ${image}; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "run boot_os; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "booti; " \ + "fi;" \ "fi;\0" #define CONFIG_BOOTCOMMAND \ @@ -235,10 +262,17 @@ "if run loadbootscript; then " \ "run bootscript; " \ "else " \ - "if run loadimage; then " \ - "run mmcboot; " \ - "else run netboot; " \ - "fi; " \ + "if test ${sec_boot} = yes; then " \ + "if run loadcntr; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "else " \ + "if run loadimage; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "fi; " \ "fi; " \ "else booti ${loadaddr} - ${fdt_addr}; fi" |