diff options
author | Ye Li <ye.li@nxp.com> | 2018-04-25 02:45:32 -0700 |
---|---|---|
committer | Ye Li <ye.li@nxp.com> | 2018-04-27 06:15:01 -0700 |
commit | cba5acebbe6be0736f229ef719b1a1e5835e1a5f (patch) | |
tree | ed5469711e69fcc4ae95209f91c1114f495c3a15 /include | |
parent | 1c83e14fb8e8ceec99f2c42ee1442596d8ffe517 (diff) |
MLK-18129-2 imx8qxp: Add secure boot environment
Add the secure boot relevant environment variables to ARM2 and MEK.
When CONFIG_AHAB_BOOT is enabled, we will switch to boot in this
new way:
1. Load the OS container to address 0x88000000
2. Using auth_cntr to authenticate the OS container. It will load the
kernel and FDT to destination address.
3. Using booti to boot kernel.
Signed-off-by: Ye Li <ye.li@nxp.com>
Acked-by: Peng Fan <peng.fan@nxp.com>
(cherry picked from commit 545c8fe112244f20377e97921389c86eacc8551f)
Diffstat (limited to 'include')
-rw-r--r-- | include/configs/imx8qxp_arm2.h | 54 | ||||
-rw-r--r-- | include/configs/imx8qxp_mek.h | 54 |
2 files changed, 82 insertions, 26 deletions
diff --git a/include/configs/imx8qxp_arm2.h b/include/configs/imx8qxp_arm2.h index 24d670419b1..98673039072 100644 --- a/include/configs/imx8qxp_arm2.h +++ b/include/configs/imx8qxp_arm2.h @@ -133,6 +133,8 @@ "console=ttyLP0,${baudrate} earlycon=lpuart32,0x5a060000,${baudrate}\0" \ "fdt_addr=0x83000000\0" \ "fdt_high=0xffffffffffffffff\0" \ + "cntr_addr=0x88000000\0" \ + "cntr_file=os_cntr_signed.bin\0" \ "boot_fdt=try\0" \ "fdt_file=fsl-imx8qxp-lpddr4-arm2.dtb\0" \ "initrd_addr=0x83800000\0" \ @@ -147,16 +149,26 @@ "source\0" \ "loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \ "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \ + "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \ + "auth_os=auth_cntr ${cntr_addr}\0" \ "mmcboot=echo Booting from mmc ...; " \ "run mmcargs; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if run loadfdt; then " \ + "if test ${sec_boot} = yes; then " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "echo wait for boot; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if run loadfdt; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "echo wait for boot; " \ + "fi;" \ "fi;\0" \ "netargs=setenv bootargs console=${console} " \ "root=/dev/nfs " \ @@ -168,15 +180,24 @@ "else " \ "setenv get_cmd tftp; " \ "fi; " \ - "${get_cmd} ${loadaddr} ${image}; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "if test ${sec_boot} = yes; then " \ + "${get_cmd} ${cntr_addr} ${cntr_file}; " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "booti; " \ + "${get_cmd} ${loadaddr} ${image}; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "booti; " \ + "fi;" \ "fi;\0" #endif @@ -191,10 +212,17 @@ "if run loadbootscript; then " \ "run bootscript; " \ "else " \ - "if run loadimage; then " \ - "run mmcboot; " \ - "else run netboot; " \ - "fi; " \ + "if test ${sec_boot} = yes; then " \ + "if run loadcntr; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "else " \ + "if run loadimage; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "fi; " \ "fi; " \ "else booti ${loadaddr} - ${fdt_addr}; fi" #endif diff --git a/include/configs/imx8qxp_mek.h b/include/configs/imx8qxp_mek.h index 1e2fcb18243..966ff674ab7 100644 --- a/include/configs/imx8qxp_mek.h +++ b/include/configs/imx8qxp_mek.h @@ -146,6 +146,8 @@ "console=ttyLP0,${baudrate} earlycon=lpuart32,0x5a060000,${baudrate}\0" \ "fdt_addr=0x83000000\0" \ "fdt_high=0xffffffffffffffff\0" \ + "cntr_addr=0x88000000\0" \ + "cntr_file=os_cntr_signed.bin\0" \ "boot_fdt=try\0" \ "fdt_file=fsl-imx8qxp-mek.dtb\0" \ "initrd_addr=0x83800000\0" \ @@ -160,16 +162,26 @@ "source\0" \ "loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \ "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \ + "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \ + "auth_os=auth_cntr ${cntr_addr}\0" \ "mmcboot=echo Booting from mmc ...; " \ "run mmcargs; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if run loadfdt; then " \ + "if test ${sec_boot} = yes; then " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "echo wait for boot; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if run loadfdt; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "echo wait for boot; " \ + "fi;" \ "fi;\0" \ "netargs=setenv bootargs console=${console} " \ "root=/dev/nfs " \ @@ -181,15 +193,24 @@ "else " \ "setenv get_cmd tftp; " \ "fi; " \ - "${get_cmd} ${loadaddr} ${image}; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "if test ${sec_boot} = yes; then " \ + "${get_cmd} ${cntr_addr} ${cntr_file}; " \ + "if run auth_os; then " \ "booti ${loadaddr} - ${fdt_addr}; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "booti; " \ + "${get_cmd} ${loadaddr} ${image}; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "booti; " \ + "fi;" \ "fi;\0" #define CONFIG_BOOTCOMMAND \ @@ -197,10 +218,17 @@ "if run loadbootscript; then " \ "run bootscript; " \ "else " \ - "if run loadimage; then " \ - "run mmcboot; " \ - "else run netboot; " \ - "fi; " \ + "if test ${sec_boot} = yes; then " \ + "if run loadcntr; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "else " \ + "if run loadimage; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "fi; " \ "fi; " \ "else booti ${loadaddr} - ${fdt_addr}; fi" |