From: Saksham Jain <saksham.jain@nxp.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v4 03/14] SECURE BOOT: Add new ESBC header for ls-ch3 Secure Boot
Date: Tue, 9 Feb 2016 10:53:31 +0530 [thread overview]
Message-ID: <1454995422-31731-4-git-send-email-saksham.jain@nxp.com> (raw)
In-Reply-To: <1454995422-31731-1-git-send-email-saksham.jain@nxp.com>
For Secure Boot, a header is used to identify key table, signature
and image address. For LS-CH3, there is a new header structure being used.
The following changes are there in the new header:
1) Currently IE Table (Key extension) feature is not supported
2) Single Key feature is not supported. Keys must be in table format.
3) Hence, SRK (Key table) is by default currently always present.
4) Max Key number has increase from 4 to 8. 8th Key is unrevockable.
5) New Barker Code is being used.
Signed-off-by: Aneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: Saksham Jain <saksham.jain@nxp.com>
---
Changes for v2:
- No changes
Changes for v3:
- No changes
Changes for v4:
- Cleaned up commit message
arch/arm/include/asm/arch-fsl-layerscape/config.h | 3 +-
arch/arm/include/asm/fsl_secure_boot.h | 4 ++
board/freescale/common/fsl_validate.c | 35 +++++++++++--
include/fsl_secboot_err.h | 3 ++
include/fsl_validate.h | 60 ++++++++++++++++++++---
5 files changed, 91 insertions(+), 14 deletions(-)
diff --git a/arch/arm/include/asm/arch-fsl-layerscape/config.h b/arch/arm/include/asm/arch-fsl-layerscape/config.h
index d2d54b7..e975e25 100644
--- a/arch/arm/include/asm/arch-fsl-layerscape/config.h
+++ b/arch/arm/include/asm/arch-fsl-layerscape/config.h
@@ -79,7 +79,8 @@
/* Security Monitor */
#define CONFIG_SYS_FSL_SEC_MON_LE
-
+/* Secure Boot */
+#define CONFIG_ESBC_HDR_LS
/* Cache Coherent Interconnect */
#define CCI_MN_BASE 0x04000000
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index 0da0599..3e46c63 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -40,9 +40,13 @@
* The feature is only applicable in case of NOR boot and is
* not applicable in case of RAMBOOT (NAND, SD, SPI).
*/
+#ifndef CONFIG_ESBC_HDR_LS
+/* Current Key EXT feature not available in LS ESBC Header */
#define CONFIG_FSL_ISBC_KEY_EXT
#endif
+#endif
+
#ifdef CONFIG_LS1043A
/* For LS1043 (ARMv8), ESBC image Address in Header is 64 bit */
#define CONFIG_ESBC_ADDR_64BIT
diff --git a/board/freescale/common/fsl_validate.c b/board/freescale/common/fsl_validate.c
index 8fd6dd6..c12b9c9 100644
--- a/board/freescale/common/fsl_validate.c
+++ b/board/freescale/common/fsl_validate.c
@@ -35,7 +35,13 @@ static const u8 hash_identifier[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
};
static u8 hash_val[SHA256_BYTES];
+
+#ifdef CONFIG_ESBC_HDR_LS
+/* New Barker Code for LS ESBC Header */
+static const u8 barker_code[ESBC_BARKER_LEN] = { 0x12, 0x19, 0x20, 0x01 };
+#else
static const u8 barker_code[ESBC_BARKER_LEN] = { 0x68, 0x39, 0x27, 0x81 };
+#endif
void branch_to_self(void) __attribute__ ((noreturn));
@@ -157,10 +163,15 @@ static int get_ie_info_addr(u32 *ie_addr)
/* This function checks srk_table_flag in header and set/reset srk_flag.*/
static u32 check_srk(struct fsl_secboot_img_priv *img)
{
+#ifdef CONFIG_ESBC_HDR_LS
+ /* In LS, No SRK Flag as SRK is always present*/
+ return 1;
+#else
if (img->hdr.len_kr.srk_table_flag & SRK_FLAG)
return 1;
return 0;
+#endif
}
/* This function returns ospr's key_revoc values.*/
@@ -223,6 +234,7 @@ static u32 read_validate_srk_tbl(struct fsl_secboot_img_priv *img)
}
#endif
+#ifndef CONFIG_ESBC_HDR_LS
static u32 read_validate_single_key(struct fsl_secboot_img_priv *img)
{
struct fsl_secboot_img_hdr *hdr = &img->hdr;
@@ -238,6 +250,7 @@ static u32 read_validate_single_key(struct fsl_secboot_img_priv *img)
return 0;
}
+#endif /* CONFIG_ESBC_HDR_LS */
#if defined(CONFIG_FSL_ISBC_KEY_EXT)
static u32 read_validate_ie_tbl(struct fsl_secboot_img_priv *img)
@@ -388,6 +401,7 @@ void fsl_secboot_handle_error(int error)
case ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD:
case ERROR_ESBC_CLIENT_HEADER_SG_ESBC_EP:
case ERROR_ESBC_CLIENT_HEADER_SG_ENTIRES_BAD:
+ case ERROR_KEY_TABLE_NOT_FOUND:
#ifdef CONFIG_KEY_REVOCATION
case ERROR_ESBC_CLIENT_HEADER_KEY_REVOKED:
case ERROR_ESBC_CLIENT_HEADER_INVALID_SRK_NUM_ENTRY:
@@ -536,11 +550,18 @@ static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
if (!key_hash && check_ie(img))
key_hash = 1;
#endif
- if (!key_hash)
+#ifndef CONFIG_ESBC_HDR_LS
+/* No single key support in LS ESBC header */
+ if (!key_hash) {
ret = algo->hash_update(algo, ctx,
img->img_key, img->hdr.key_len, 0);
+ key_hash = 1;
+ }
+#endif
if (ret)
return ret;
+ if (!key_hash)
+ return ERROR_KEY_TABLE_NOT_FOUND;
/* Update hash for actual Image */
ret = algo->hash_update(algo, ctx,
@@ -626,8 +647,6 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
u8 *k, *s;
u32 ret = 0;
-#ifdef CONFIG_KEY_REVOCATION
-#endif
int key_found = 0;
/* check barker code */
@@ -671,13 +690,17 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
key_found = 1;
}
#endif
-
+#ifndef CONFIG_ESBC_HDR_LS
+/* Single Key Feature not available in LS ESBC Header */
if (key_found == 0) {
ret = read_validate_single_key(img);
if (ret != 0)
return ret;
key_found = 1;
}
+#endif
+ if (!key_found)
+ return ERROR_KEY_TABLE_NOT_FOUND;
/* check signaure */
if (get_key_len(img) == 2 * hdr->sign_len) {
@@ -691,10 +714,12 @@ static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
}
memcpy(&img->img_sign, esbc + hdr->psign, hdr->sign_len);
-
+/* No SG support in LS-CH3 */
+#ifndef CONFIG_ESBC_HDR_LS
/* No SG support */
if (hdr->sg_flag)
return ERROR_ESBC_CLIENT_HEADER_SG;
+#endif
/* modulus most significant bit should be set */
k = (u8 *)&img->img_key;
diff --git a/include/fsl_secboot_err.h b/include/fsl_secboot_err.h
index afc50a8..95d890b 100644
--- a/include/fsl_secboot_err.h
+++ b/include/fsl_secboot_err.h
@@ -29,6 +29,7 @@
#define ERROR_ESBC_CLIENT_HEADER_INV_IE_ENTRY_KEYLEN 0x18
#define ERROR_IE_TABLE_NOT_FOUND 0x19
#define ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN 0x20
+#define ERROR_KEY_TABLE_NOT_FOUND 0x21
#define ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1 0x40
#define ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2 0x80
#define ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD 0x100
@@ -121,6 +122,8 @@ static const struct fsl_secboot_errcode fsl_secboot_errcodes[] = {
"Wrong IE public key len in header" },
{ ERROR_IE_TABLE_NOT_FOUND,
"Information about IE Table missing" },
+ { ERROR_KEY_TABLE_NOT_FOUND,
+ "No Key/ Key Table Found in header"},
{ ERROR_ESBC_CLIENT_MAX, "NULL" }
};
diff --git a/include/fsl_validate.h b/include/fsl_validate.h
index 83efcf4..f812c1a 100644
--- a/include/fsl_validate.h
+++ b/include/fsl_validate.h
@@ -21,14 +21,6 @@
extern struct jobring jr;
-#ifdef CONFIG_KEY_REVOCATION
-/* Srk table and key revocation check */
-#define SRK_FLAG 0x01
-#define UNREVOCABLE_KEY 4
-#define ALIGN_REVOC_KEY 3
-#define MAX_KEY_ENTRIES 4
-#endif
-
/* Barker code size in bytes */
#define ESBC_BARKER_LEN 4 /* barker code length in ESBC uboot client */
/* header */
@@ -39,6 +31,47 @@ extern struct jobring jr;
/* Maximum number of SG entries allowed */
#define MAX_SG_ENTRIES 8
+/* Different Header Struct for LS-CH3 */
+#ifdef CONFIG_ESBC_HDR_LS
+struct fsl_secboot_img_hdr {
+ u8 barker[ESBC_BARKER_LEN]; /* barker code */
+ u32 srk_tbl_off;
+ struct {
+ u8 num_srk;
+ u8 srk_sel;
+ u8 reserve;
+ u8 ie_flag;
+ } len_kr;
+
+ u32 uid_flag;
+
+ u32 psign; /* signature offset */
+ u32 sign_len; /* length of the signature in bytes */
+
+ u64 pimg64; /* 64 bit pointer to ESBC Image */
+ u32 img_size; /* ESBC client image size in bytes */
+ u32 ie_key_sel;
+
+ u32 fsl_uid_0;
+ u32 fsl_uid_1;
+ u32 oem_uid_0;
+ u32 oem_uid_1;
+ u32 oem_uid_2;
+ u32 oem_uid_3;
+ u32 oem_uid_4;
+ u32 reserved1[3];
+};
+
+#ifdef CONFIG_KEY_REVOCATION
+/* Srk table and key revocation check */
+#define UNREVOCABLE_KEY 8
+#define ALIGN_REVOC_KEY 7
+#define MAX_KEY_ENTRIES 8
+#endif
+
+
+#else /* CONFIG_ESBC_HDR_LS */
+
/*
* ESBC uboot client header structure.
* The struct contain the following fields
@@ -109,6 +142,17 @@ struct fsl_secboot_img_hdr {
u32 ie_key_sel;
};
+#ifdef CONFIG_KEY_REVOCATION
+/* Srk table and key revocation check */
+#define SRK_FLAG 0x01
+#define UNREVOCABLE_KEY 4
+#define ALIGN_REVOC_KEY 3
+#define MAX_KEY_ENTRIES 4
+#endif
+
+#endif /* CONFIG_ESBC_HDR_LS */
+
+
#if defined(CONFIG_FSL_ISBC_KEY_EXT)
struct ie_key_table {
u32 key_len;
--
1.8.1.4
next prev parent reply other threads:[~2016-02-09 5:23 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-09 5:23 [U-Boot] [PATCH v4 00/14] Add Support for Secure Boot on LS208x Saksham Jain
2016-02-09 5:23 ` [U-Boot] [PATCH v4 01/14] armv8: ls2080: Add SFP Configs for LS2080/LS2085 Saksham Jain
2016-03-18 15:36 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 02/14] armv8: ls2080: Add Secure Boot configs: SEC, Security Monitor, SRK and RCW Saksham Jain
2016-03-18 15:38 ` york sun
2016-02-09 5:23 ` Saksham Jain [this message]
2016-03-18 15:43 ` [U-Boot] [PATCH v4 03/14] SECURE BOOT: Add new ESBC header for ls-ch3 Secure Boot york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 04/14] SECURE BOOT: Add Secure Boot support on ls2080aqds/rdb Saksham Jain
2016-03-09 17:13 ` york sun
2016-03-18 15:49 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 05/14] armv8: fsl-lsch3: Add bootscript header address for Secure Boot Saksham Jain
2016-03-18 15:52 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 06/14] SECURE BOOT: Copy Bootscript and header from NOR to DDR for LS2080/5 Saksham Jain
2016-03-18 15:54 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 07/14] SECURE BOOT: Change env variable "fdt_high" for LS2080a and LS2085a Saksham Jain
2016-02-09 5:23 ` [U-Boot] [PATCH v4 08/14] armv8 : ls2080: Add config for endianess of CCSR GUR Saksham Jain
2016-03-18 15:56 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 09/14] armv8: fsl-lsch3: Disable SMMU during Secure Boot Saksham Jain
2016-03-18 15:56 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 10/14] crypto/fsl: Correct 64bit Write when MMU disabled Saksham Jain
2016-03-18 15:58 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 11/14] crypto/fsl: Make CAAM transactions cacheable Saksham Jain
2016-03-18 15:59 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 12/14] SECURE_BOOT: Use default bootargs during Secure Boot Saksham Jain
2016-02-09 5:23 ` [U-Boot] [PATCH v4 13/14] SECURE BOOT: Halt execution when secure boot fail after reset request Saksham Jain
2016-03-18 16:00 ` york sun
2016-02-09 5:23 ` [U-Boot] [PATCH v4 14/14] SECURE BOOT: Change fsl_secboot_validate function to output image addr Saksham Jain
2016-03-18 16:01 ` york sun
2016-03-18 15:36 ` [U-Boot] [PATCH v4 00/14] Add Support for Secure Boot on LS208x york sun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454995422-31731-4-git-send-email-saksham.jain@nxp.com \
--to=saksham.jain@nxp.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.