authorSiew Chin Lim <elly.siew.chin.lim@intel.com>2021-03-01 20:04:11 +0800
committerLey Foon Tan <ley.foon.tan@intel.com>2021-03-08 10:59:10 +0800
commit1bc20897c1263f038f5b27f7b3ed67aa15e97a5c (patch)
tree2c422be99e5e4ebd40d2b8b9df36a39a22a8aa06 /arch/arm/mach-socfpga/board.c
parent9a5bbdfd1a952901bda567d7d56225374ef883bc (diff)
arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Vendor Authorized Boot is a security feature for authenticating images such as U-Boot, ARM Trusted Firmware, the Linux kernel, the device tree blob, etc. that are loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to the Secure Device Manager (SDM) for authentication. U-Boot validates the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to the SDM for authentication. Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
Diffstat (limited to 'arch/arm/mach-socfpga/board.c')
-rw-r--r--arch/arm/mach-socfpga/board.c45
1 files changed, 41 insertions, 4 deletions
diff --git a/arch/arm/mach-socfpga/board.c b/arch/arm/mach-socfpga/board.c
index 2a6af9d1f8a..81aa07c9025 100644
--- a/arch/arm/mach-socfpga/board.c
+++ b/arch/arm/mach-socfpga/board.c
@@ -6,14 +6,17 @@
*/
#include <common.h>
-#include <errno.h>
-#include <fdtdec.h>
-#include <init.h>
-#include <asm/arch/reset_manager.h>
#include <asm/arch/clock_manager.h>
#include <asm/arch/misc.h>
+#include <asm/arch/reset_manager.h>
+#include <asm/arch/secure_vab.h>
#include <asm/global_data.h>
#include <asm/io.h>
+#include <errno.h>
+#include <fdtdec.h>
+#include <hang.h>
+#include <image.h>
+#include <init.h>
#include <log.h>
#include <usb.h>
#include <usb/dwc2_udc.h>
@@ -98,3 +101,37 @@ __weak int board_fit_config_name_match(const char *name)
return 0;
}
#endif
+
+#if IS_ENABLED(CONFIG_FIT_IMAGE_POST_PROCESS)
+void board_fit_image_post_process(void **p_image, size_t *p_size)
+{
+ if (IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)) {
+ if (socfpga_vendor_authentication(p_image, p_size))
+ hang();
+ }
+}
+#endif
+
+#if !IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_FIT)
+void board_prep_linux(bootm_headers_t *images)
+{
+ if (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) {
+ /*
+ * Ensure the OS is always booted from FIT and with
+ * VAB signed certificate
+ */
+ if (!images->fit_uname_cfg) {
+ printf("Please use FIT with VAB signed images!\n");
+ hang();
+ }
+
+ env_set_hex("fdt_addr", (ulong)images->ft_addr);
+ debug("images->ft_addr = 0x%08lx\n", (ulong)images->ft_addr);
+ }
+
+ if (IS_ENABLED(CONFIG_CADENCE_QSPI)) {
+ if (env_get("linux_qspi_enable"))
+ run_command(env_get("linux_qspi_enable"), 0);
+ }
+}
+#endif
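Review bot: The FIT-only check in board_prep_linux() is gated solely on `!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)` and never tests CONFIG_SOCFPGA_SECURE_VAB_AUTH. As written, any non-SPL build with CONFIG_FIT would hang on a non-FIT boot even when VAB is off, unless that option is set. The symbol also lacks the SOCFPGA_ prefix used by the other VAB option in this hunk; its Kconfig entry is not visible here, so confirm the spelling, because IS_ENABLED() on an undefined symbol is silently false. I would tie the policy to the feature explicitly, `if (IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH) && !IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) {`, and add a comment that a non-NULL `images->fit_uname_cfg` only shows a FIT configuration was selected, not that authentication ran. Authentication itself lives in board_fit_image_post_process(), which is compiled only under CONFIG_FIT_IMAGE_POST_PROCESS, so unless Kconfig selects that option whenever VAB is enabled (not visible here), a build could enforce FIT yet authenticate nothing.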