[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[Aneesh Bansal]

T4/B4 SoC's have a different version of ISBC. The secure boot
functionality is different with the new version of ISBC
compared to the earlier SoC's. So the version information is added
in file config_mpc85xx.h

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
---
 README                                    | 3 +++
 arch/powerpc/include/asm/config_mpc85xx.h | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/README b/README
index aea82be..6c3a8d1 100644
--- a/README
+++ b/README
@@ -423,6 +423,9 @@ The following options need to be configured:
 		CONFIG_SYS_FSL_DSP_CCSRBAR_DEFAULT
 		This value denotes start offset of DSP CCSR space.
 
+		CONFIG_SYS_FSL_ISBC_VER
+		This value indicates the major ISBC version on the platform.
+
 		CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
 		Single Source Clock is clocking mode present in some of FSL SoC's.
 		In this mode, a single differential clock is used to supply
diff --git a/arch/powerpc/include/asm/config_mpc85xx.h b/arch/powerpc/include/asm/config_mpc85xx.h
index 54ce2f0..ba5b6fe 100644
--- a/arch/powerpc/include/asm/config_mpc85xx.h
+++ b/arch/powerpc/include/asm/config_mpc85xx.h
@@ -151,6 +151,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_IFC_A003399
 #define CONFIG_SYS_FSL_ERRATUM_A005125
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
+#define CONFIG_SYS_FSL_ISBC_VER		1
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x10
 
 /* P1011 is single core version of P1020 */
@@ -383,6 +384,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A004849
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x11
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_PPC_P3041)
 #define CONFIG_SYS_FSL_QORIQ_CHASSIS1
@@ -421,6 +423,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A005812
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x20
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_PPC_P4080) /* also supports P4040 */
 #define CONFIG_SYS_FSL_QORIQ_CHASSIS1
@@ -470,6 +473,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A005812
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x20
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_PPC_P5020) /* also supports P5010 */
 #define CONFIG_SYS_PPC64		/* 64-bit core */
@@ -504,6 +508,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_SRIO_A004034
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x20
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_PPC_P5040)
 #define CONFIG_SYS_PPC64
@@ -536,6 +541,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A004510_SVR_REV	0x10
 #define CONFIG_SYS_FSL_CORENET_SNOOPVEC_COREONLY 0xf0000000
 #define CONFIG_SYS_FSL_ERRATUM_A005812
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_BSC9131)
 #define CONFIG_MAX_CPUS			1
@@ -575,6 +581,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A005125
 #define CONFIG_SYS_FSL_ERRATUM_I2C_A004447
 #define CONFIG_SYS_FSL_A004447_SVR_REV	0x11
+#define CONFIG_SYS_FSL_ISBC_VER		1
 
 #elif defined(CONFIG_PPC_T4240) || defined(CONFIG_PPC_T4160)
 #define CONFIG_E6500
@@ -631,6 +638,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A006593
 #define CONFIG_SYS_CCSRBAR_DEFAULT	0xfe000000
 #define CONFIG_SYS_FSL_PCI_VER_3_X
+#define CONFIG_SYS_FSL_ISBC_VER		2
 
 #elif defined(CONFIG_PPC_B4860) || defined(CONFIG_PPC_B4420)
 #define CONFIG_E6500
@@ -657,6 +665,7 @@
 #define CONFIG_SYS_FSL_ERRATUM_A006379
 #define CONFIG_SYS_FSL_ERRATUM_A006593
 #define CONFIG_SYS_CCSRBAR_DEFAULT	0xfe000000
+#define CONFIG_SYS_FSL_ISBC_VER		2
 
 #ifdef CONFIG_PPC_B4860
 #define CONFIG_SYS_FSL_CORES_PER_CLUSTER 4
-- 
1.8.1.4

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[Wolfgang Denk]

Dear Aneesh Bansal,

In message <1390202676-8167-1-git-send-email-aneesh.bansal@freescale.com> you wrote:
> T4/B4 SoC's have a different version of ISBC. The secure boot
> functionality is different with the new version of ISBC
> compared to the earlier SoC's. So the version information is added
> in file config_mpc85xx.h
> 
> Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
> Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
> ---
>  README                                    | 3 +++
>  arch/powerpc/include/asm/config_mpc85xx.h | 9 +++++++++
>  2 files changed, 12 insertions(+)
> 
> diff --git a/README b/README
> index aea82be..6c3a8d1 100644
> --- a/README
> +++ b/README
> @@ -423,6 +423,9 @@ The following options need to be configured:
>  		CONFIG_SYS_FSL_DSP_CCSRBAR_DEFAULT
>  		This value denotes start offset of DSP CCSR space.
>  
> +		CONFIG_SYS_FSL_ISBC_VER
> +		This value indicates the major ISBC version on the platform.
> +
>  		CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
>  		Single Source Clock is clocking mode present in some of FSL SoC's.
>  		In this mode, a single differential clock is used to supply

You already have all relevant information present in the current
configuration.  There is no need to add yet another CONFIG_SYS_
option; the information can easily be derived from the existing data.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Ernest asks Frank how long he has been working for the company.
        "Ever since they threatened to fire me."

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[aneesh.bansal at freescale.com]

> T4/B4 SoC's have a different version of ISBC. The secure boot
> functionality is different with the new version of ISBC
> compared to the earlier SoC's. So the version information is added
> in file config_mpc85xx.h
>
> Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
> Signed-off-by: Aneesh Bansal <aneesh.bansal@freescale.com>
> ---
>  README                                    | 3 +++
>  arch/powerpc/include/asm/config_mpc85xx.h | 9 +++++++++
>  2 files changed, 12 insertions(+)
>
> diff --git a/README b/README
> index aea82be..6c3a8d1 100644
> --- a/README
> +++ b/README
> @@ -423,6 +423,9 @@ The following options need to be configured:
>               CONFIG_SYS_FSL_DSP_CCSRBAR_DEFAULT
>               This value denotes start offset of DSP CCSR space.
>
> +             CONFIG_SYS_FSL_ISBC_VER
> +             This value indicates the major ISBC version on the platform.
> +
>               CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
>               Single Source Clock is clocking mode present in some of FSL SoC's.
>               In this mode, a single differential clock is used to supply

You already have all relevant information present in the current
configuration.  There is no need to add yet another CONFIG_SYS_
option; the information can easily be derived from the existing data.

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Ernest asks Frank how long he has been working for the company.
        "Ever since they threatened to fire me."

ISBC (Internal Secure Boot Code) is an IP which has different versions on different SOC's. The major difference which this CONFIG represents is whether CAAM block is being used for cryptographic operations or not. I will be adding more details in the description IN README and resend the patch.
 
The only other way that this can be derived is by doing SoC specific checking which would become a little messy.

Regards,
Aneesh Bansal

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[Wolfgang Denk]

Dear "aneesh.bansal at freescale.com",

In message <aba33ec5436c40939359f93b6d243b08@DM2PR03MB415.namprd03.prod.outlook.com> you wrote:
>
> >               CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
> >               Single Source Clock is clocking mode present in some of FSL SoC's.
> >               In this mode, a single differential clock is used to supply
> 
> You already have all relevant information present in the current
> configuration.  There is no need to add yet another CONFIG_SYS_
> option; the information can easily be derived from the existing data.
...

> ISBC (Internal Secure Boot Code) is an IP which has different versions on different SOC's. The major difference which this CONFIG represents is whether CAAM block is being used for cryptographic operations or not. I will be adding more details in the de
> scription IN README and resend the patch.
>  
> The only other way that this can be derived is by doing SoC specific checking which would become a little messy.

But this is what I had in mind.  It appears to be a simple 1:1 mapping
from SoC to ISBC version to me, or am I wrong here?

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
When the ax entered the forest, the trees said, "The handle is one of
us!"                                               -- Turkish proverb

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[aneesh.bansal at freescale.com]

>>
>> >               CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
>> >               Single Source Clock is clocking mode present in some of FSL SoC's.
>> >               In this mode, a single differential clock is used to supply
>>
>> You already have all relevant information present in the current
>> configuration.  There is no need to add yet another CONFIG_SYS_
>> option; the information can easily be derived from the existing data.
>...
>
>> ISBC (Internal Secure Boot Code) is an IP which has different versions on different SOC's. >The major difference which this CONFIG represents is whether CAAM block is being used >for cryptographic operations or not. I will be adding more details in the de
>> scription IN README and resend the patch.
>>
>> The only other way that this can be derived is by doing SoC specific checking which >would become a little messy.
>
>But this is what I had in mind.  It appears to be a simple 1:1 mapping
>from SoC to ISBC version to me, or am I wrong here?
>
>Best regards,
>
>Wolfgang Denk
>
>--
>DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
>When the ax entered the forest, the trees said, "The handle is one of
>us!"                                               -- Turkish proverb

Yes, it is a 1:1 mapping from SoC to ISBC version but we have multiple SoC's having the same ISBC version. So using the SoC names would result in having a long list of SoC's wherever we are doing some stuff specific to the ISBC version.
Also in future, we might have new versions of ISBC with more features.
SO having multiple SoC specific checks inside the code would lead to confusion.

Regards,
Aneesh Bansal

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[Wolfgang Denk]

Dear Aneesh,

In message <caf0224e47434bdba2623faeea12bd9a@DM2PR03MB415.namprd03.prod.outlook.com> you wrote:
>
> > But this is what I had in mind.  It appears to be a simple 1:1 mapping
> > from SoC to ISBC version to me, or am I wrong here?
...
> Yes, it is a 1:1 mapping from SoC to ISBC version but we have multiple SoC's
> having the same ISBC version. So using the SoC names would result in having 
> a long list of SoC's wherever we are doing some stuff specific to the ISBC 
> version.
> Also in future, we might have new versions of ISBC with more features.
> SO having multiple SoC specific checks inside the code would lead to confusion.

So don't use code, and instead make this data-driven.  Use a
lookup-table.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
"The algorithm to do that is extremely nasty. You might want  to  mug
someone with it."                   - M. Devine, Computer Science 340

[U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC

[aneesh.bansal at freescale.com]

> -----Original Message-----
> From: Wolfgang Denk [mailto:wd at denx.de]
> Sent: Monday, January 27, 2014 7:42 PM
> To: Bansal Aneesh-B39320
> Cc: u-boot at lists.denx.de; Gupta Ruchika-R66431
> Subject: Re: [U-Boot] [PATCH 1/2] SECURE BOOT: add version info for ISBC
> 
> Dear Aneesh,
> 
> In message
> <caf0224e47434bdba2623faeea12bd9a@DM2PR03MB415.namprd03.prod.outlook.com>
> you wrote:
> >
> > > But this is what I had in mind.  It appears to be a simple 1:1
> > > mapping from SoC to ISBC version to me, or am I wrong here?
> ...
> > Yes, it is a 1:1 mapping from SoC to ISBC version but we have multiple
> > SoC's having the same ISBC version. So using the SoC names would
> > result in having a long list of SoC's wherever we are doing some stuff
> > specific to the ISBC version.
> > Also in future, we might have new versions of ISBC with more features.
> > SO having multiple SoC specific checks inside the code would lead to
> confusion.
> 
> So don't use code, and instead make this data-driven.  Use a lookup-
> table.
> 
> Best regards,
> 
> Wolfgang Denk
> 
> --
> DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
> "The algorithm to do that is extremely nasty. You might want  to  mug
> someone with it."                   - M. Devine, Computer Science 340
> 
ISBC is a platform IP and as usually I see that platform specific information like IP versions are maintained in the file arch/powerpc/include/asm/config_mpc85xx.h. Also based on this IP, we need some compile time information as stated below. 

CONFIG_SYS_ISBC_VERSION is further used to define a macro CONFIG_SECURE_HKAREA_CPC in a follow-on patch.

The ISBC code on some SoC's with a specific ISBC VERSION configures the platform cache as SRAM to be used as house keeping area for the SEC Block.
In U-boot in normal sequence of code platform cache is enabled. Before enabling the platform cache, we need to disable this setting of cache as SRAM and invalidate it.
For this purpose we need to define the macro CONFIG_SECURE_HKAREA_CPC only for platforms where this cache is being used as SRAM. WE identify these platforms based on the ISBC Version.

So currently we have this piece of code:


#if CONFIG_SYS_FSL_ISBC_VER > 1
#define CONFIG_SECURE_HKAREA_CPC
#undef CONFIG_SYS_INIT_L3_ADDR
#define CONFIG_SYS_INIT_L3_ADDR                        0xbff00000
#endif
.
.
.
.
#if defined(CONFIG_SECURE_HKAREA_CPC)
       disable_cpc_sram();

Regards,
Aneesh Bansal