[U-Boot] [PATCH v6 00/10] Add new OPTEE bootm support to u-boot

[U-Boot] [PATCH v6 00/10] Add new OPTEE bootm support to u-boot

[Bryan O'Donoghue]

v6:
- Fix CONFIG_BOOTM_TEE
  Manually editing .config file meant this disparity was missed.
  "Those whom the gods wish to destroy they first make mad"

v5:

This patchset now works by making a bootable OPTEE image

mkimage -A arm -T kernel -O tee -C none -d tee.bin uTee.optee

The concept is the same as the earlier version of this patchset except
instead of "mkimage -T tee" we do "mkimage -T kernel -O tee". Andrew
suggested this and it is technically feasible.

So here is the revised patchset.

- Converted IH_TYPE_OPTEE to IH_OS_TEE - Andrew

- Removed Tested-by: for Peng Fan on patches with churn as a result

- Added patch for CONFIG_OPTEE_ADDR
  This CONFIG entry will be used in an upcoming set of patch for the
  board I'm working with.

v4:
- New type "optee" renamed to "tee-bootable". We discussed making the
  namespace here more logical and obvious in another thread.

  Kever may or may not end up adding "tee-combo".

  This patchset will result in
  "tee" and "tee-bootable" being valid names. Since "tee" is an existing
  image type the name will be maintained. - Tom

- Added doc/README.trusted-execution-environment
  This gives a brief introduction on TEE plus some links to the spec and
  the op-tee website.

  In then lays out the difference between these two types
  "tee" (tee-standalone)
  "tee-bootable"

  - Bryan, Philipp

- Small change made to comment on existing TEE - Bryan

- Reworded the Kconfig option "OPTEE"
  Makes a little bit more sense to me re-reading now - Bryan

- Add patch to define CONFIG_OPTEE_LOAD_ADDR
  An upcoming set of patches for a board will make use of this define in an
  OPTEE context.

v3:

- Rework printout to be added at the end as opposed to churn over three
  separate patches - Andrew

- Reword patch 006 to better explain the thinking behind new image type
  - Andrew

v2:
- Added CONFIG_OPTEE_TZDRAM_BASE instead of #ifndef OPTEE_TZDRAM_BASE
  as an error. - Tom Rini

- Added Tested-by: Peng Fan <peng.fan@nxp.com> - as indicated

- Added better explanation text to patch 6/9
  "tools: mkimage: add optee image type"

- Fixed some checkpatch warnings in optee.c

v1:
This series adds a new OPTEE bootable image type to u-boot, which is
directly bootable with the bootm command.

There is already a TEE image type but, in this case the TEE firmware is
loaded into RAM, jumped into and then back out of. This image type is a
directly bootable image as described here :
http://mrvan.github.io/optee-imx6ul

Instead of reusing the Linux bootable image type instead a new image type
is defined, which allows us to perform additional image verification, prior
to handing off control via bootm.

OPTEE images get linked to a specific address at compile time and must be
loaded to this address too. This series extends out mkimage with a new
image type that allows the OPTEE binary link location to be validated
against CONFIG_OPTEE_TZDRAM_BASE and CONFIG_OPTEE_TZDRAM_SIZE respectively
prior to proceeding through the bootm phase.

Once applied you can generate a bootable OPTEE image like this

mkimage -A arm -T optee -C none -d ./out/arm-plat-imx/core/tee.bin uTee.optee

That image can then be booted directly by bootm. bootm will verify the
header contents of the OPTEE binary against the DRAM area carved out in
u-boot. If the defined DRAM area does not match the link address specified
we refuse to boot.

Kever - I'd like to suggest that your OPTEE SPL image takes a different
image type IH_TYPE_OPTEE_SPL ? to indicate the different behavior your
image type has versus a directly bootable bootm image.


Bryan O'Donoghue (10):
  optee: Add lib entries for sharing OPTEE code across ports
  optee: Add CONFIG_OPTEE_TZDRAM_SIZE
  optee: Add CONFIG_OPTEE_TZDRAM_BASE
  optee: Add CONFIG_OPTEE_LOAD_ADDR
  optee: Add optee_image_get_entry_point()
  optee: Add optee_image_get_load_addr()
  optee: Add optee_verify_bootm_image()
  optee: Add error printout
  image: Add IH_OS_TEE for TEE chain-load boot
  bootm: optee: Add a bootm command for type IH_OS_TEE

 common/bootm_os.c     | 32 +++++++++++++++++++++++++
 common/image.c        |  1 +
 include/image.h       |  1 +
 include/tee/optee.h   | 41 ++++++++++++++++++++++++++++++++
 lib/Kconfig           |  1 +
 lib/Makefile          |  1 +
 lib/optee/Kconfig     | 39 ++++++++++++++++++++++++++++++
 lib/optee/Makefile    |  7 ++++++
 lib/optee/optee.c     | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tools/default_image.c | 15 ++++++++++--
 10 files changed, 202 insertions(+), 2 deletions(-)
 create mode 100644 lib/optee/Kconfig
 create mode 100644 lib/optee/Makefile
 create mode 100644 lib/optee/optee.c

-- 
2.7.4

[U-Boot] [PATCH v6 01/10] optee: Add lib entries for sharing OPTEE code across ports

[Bryan O'Donoghue]

This patch adds code to lib to enable sharing of useful OPTEE code between
board-ports and architectures. The code on lib/optee/optee.c comes from the
TI omap2 port. Eventually the OMAP2 code will be patched to include the
shared code. The intention here is to add more useful OPTEE specific code
as more functionality gets added.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 include/tee/optee.h | 16 ++++++++++++++++
 lib/Kconfig         |  1 +
 lib/Makefile        |  1 +
 lib/optee/Kconfig   |  8 ++++++++
 lib/optee/Makefile  |  7 +++++++
 lib/optee/optee.c   | 31 +++++++++++++++++++++++++++++++
 6 files changed, 64 insertions(+)
 create mode 100644 lib/optee/Kconfig
 create mode 100644 lib/optee/Makefile
 create mode 100644 lib/optee/optee.c

diff --git a/include/tee/optee.h b/include/tee/optee.h
index 9ab0d08..8943afb 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -10,6 +10,8 @@
 #ifndef	_OPTEE_H
 #define _OPTEE_H
 
+#include <linux/errno.h>
+
 #define OPTEE_MAGIC             0x4554504f
 #define OPTEE_VERSION           1
 #define OPTEE_ARCH_ARM32        0
@@ -27,4 +29,18 @@ struct optee_header {
 	uint32_t paged_size;
 };
 
+#if defined(CONFIG_OPTEE)
+int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
+		       unsigned long tzdram_len, unsigned long image_len);
+#else
+static inline int optee_verify_image(struct optee_header *hdr,
+				     unsigned long tzdram_start,
+				     unsigned long tzdram_len,
+				     unsigned long image_len)
+{
+	return -EPERM;
+}
+
+#endif
+
 #endif /* _OPTEE_H */
diff --git a/lib/Kconfig b/lib/Kconfig
index 4fd41c4..a4029a6 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -310,5 +310,6 @@ endmenu
 
 source lib/efi/Kconfig
 source lib/efi_loader/Kconfig
+source lib/optee/Kconfig
 
 endmenu
diff --git a/lib/Makefile b/lib/Makefile
index 0db41c1..35da570 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -18,6 +18,7 @@ obj-$(CONFIG_FIT) += libfdt/
 obj-$(CONFIG_OF_LIVE) += of_live.o
 obj-$(CONFIG_CMD_DHRYSTONE) += dhry/
 obj-$(CONFIG_ARCH_AT91) += at91/
+obj-$(CONFIG_OPTEE) += optee/
 
 obj-$(CONFIG_AES) += aes.o
 obj-y += charset.o
diff --git a/lib/optee/Kconfig b/lib/optee/Kconfig
new file mode 100644
index 0000000..2e406fe
--- /dev/null
+++ b/lib/optee/Kconfig
@@ -0,0 +1,8 @@
+config OPTEE
+	bool "Support OPTEE images"
+	help
+	  U-Boot can be configured to boot OPTEE images.
+	  Selecting this option will enable shared OPTEE library code and
+          enable an OPTEE specific bootm command that will perform additional
+          OPTEE specific checks before booting an OPTEE image created with
+          mkimage.
diff --git a/lib/optee/Makefile b/lib/optee/Makefile
new file mode 100644
index 0000000..03e832f
--- /dev/null
+++ b/lib/optee/Makefile
@@ -0,0 +1,7 @@
+#
+# (C) Copyright 2017 Linaro
+#
+# SPDX-License-Identifier:	GPL-2.0+
+#
+
+obj-$(CONFIG_OPTEE) += optee.o
diff --git a/lib/optee/optee.c b/lib/optee/optee.c
new file mode 100644
index 0000000..2cc16d7
--- /dev/null
+++ b/lib/optee/optee.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2017 Linaro
+ * Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#include <common.h>
+#include <tee/optee.h>
+
+int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
+		       unsigned long tzdram_len, unsigned long image_len)
+{
+	unsigned long tzdram_end = tzdram_start + tzdram_len;
+	uint32_t tee_file_size;
+
+	tee_file_size = hdr->init_size + hdr->paged_size +
+			sizeof(struct optee_header);
+
+	if (hdr->magic != OPTEE_MAGIC ||
+	    hdr->version != OPTEE_VERSION ||
+	    hdr->init_load_addr_hi > tzdram_end ||
+	    hdr->init_load_addr_lo < tzdram_start ||
+	    tee_file_size > tzdram_len ||
+	    tee_file_size != image_len ||
+	    (hdr->init_load_addr_lo + tee_file_size) > tzdram_end) {
+		return -EINVAL;
+	}
+
+	return 0;
+}
-- 
2.7.4

[U-Boot] [PATCH v6 02/10] optee: Add CONFIG_OPTEE_TZDRAM_SIZE

[Bryan O'Donoghue]

OPTEE is currently linked to a specific area of memory called the TrustZone
DRAM. This patch adds a CONFIG entry for the default size of TrustZone DRAM
that a board-port can over-ride. The region that U-Boot sets aside for the
OPTEE run-time should be verified before attempting to hand off to the
OPTEE run-time. Each board-port should carefully ensure that the TZDRAM
size specified in the OPTEE build and the TZDRAM size specified in U-Boot
match-up.

Further patches will use TZDRAM size with other defines and variables to
carry out a degree of automated verification in U-Boot prior to trying to
boot an OPTEE image.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 lib/optee/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/optee/Kconfig b/lib/optee/Kconfig
index 2e406fe..41c0ab7 100644
--- a/lib/optee/Kconfig
+++ b/lib/optee/Kconfig
@@ -6,3 +6,11 @@ config OPTEE
           enable an OPTEE specific bootm command that will perform additional
           OPTEE specific checks before booting an OPTEE image created with
           mkimage.
+
+config OPTEE_TZDRAM_SIZE
+	hex "Amount of Trust-Zone RAM for the OPTEE image"
+	depends on OPTEE
+	default 0x3000000
+	help
+	  The size of pre-allocated Trust Zone DRAM to allocate for the OPTEE
+	  runtime.
-- 
2.7.4

[U-Boot] [PATCH v6 03/10] optee: Add CONFIG_OPTEE_TZDRAM_BASE

[Bryan O'Donoghue]

OPTEE is currently linked to a specific area of memory called the TrustZone
DRAM. This patch adds a CONFIG entry for the default address of TrustZone
DRAM that a board-port can over-ride. The region that U-Boot sets aside for
the OPTEE run-time should be verified before attempting to hand off to the
OPTEE run-time. Each board-port should carefully ensure that the TZDRAM
address specified in the OPTEE build and the TZDRAM address specified in
U-Boot match-up.

Further patches will use TZDRAM address with other defines and variables to
carry out a degree of automated verification in U-Boot prior to trying to
boot an OPTEE image.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
---
 lib/optee/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/optee/Kconfig b/lib/optee/Kconfig
index 41c0ab7..a3b7332 100644
--- a/lib/optee/Kconfig
+++ b/lib/optee/Kconfig
@@ -14,3 +14,11 @@ config OPTEE_TZDRAM_SIZE
 	help
 	  The size of pre-allocated Trust Zone DRAM to allocate for the OPTEE
 	  runtime.
+
+config OPTEE_TZDRAM_BASE
+	hex "Base address of Trust-Zone RAM for the OPTEE image"
+	depends on OPTEE
+	default 0x9d000000
+	help
+	  The base address of pre-allocated Trust Zone DRAM for
+	  the OPTEE runtime.
-- 
2.7.4

[U-Boot] [PATCH v6 04/10] optee: Add CONFIG_OPTEE_LOAD_ADDR

[Bryan O'Donoghue]

CONFIG_OPTEE_LOAD_ADDR is used to tell u-boot where to load the OPTEE
binary into memory prior to handing off control to OPTEE.

We need to pull this value out of u-boot in order to produce an IMX IVT/CSF
signed pair for the purposes of secure boot. The best way to do that is to
have CONFIG_OPTEE_LOAD_ADDR appear in u-boot.cfg.

Adding new CONFIG entires to u-boot should be kconfig driven so this patch
does just that.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
---
 lib/optee/Kconfig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/optee/Kconfig b/lib/optee/Kconfig
index a3b7332..cc73ec3 100644
--- a/lib/optee/Kconfig
+++ b/lib/optee/Kconfig
@@ -7,6 +7,12 @@ config OPTEE
           OPTEE specific checks before booting an OPTEE image created with
           mkimage.
 
+config OPTEE_LOAD_ADDR
+	hex "OPTEE load address"
+	default 0x00000000
+	help
+	  The load address of the bootable OPTEE binary.
+
 config OPTEE_TZDRAM_SIZE
 	hex "Amount of Trust-Zone RAM for the OPTEE image"
 	depends on OPTEE
-- 
2.7.4

[U-Boot] [PATCH v6 05/10] optee: Add optee_image_get_entry_point()

[Bryan O'Donoghue]

Add a helper function for extracting the least significant 32 bits from the
OPTEE entry point address, which will be good enough to load OPTEE binaries
up to (2^32)-1 bytes.

We may need to extend this out later on but for now (2^32)-1 should be
fine.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 include/tee/optee.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/tee/optee.h b/include/tee/optee.h
index 8943afb..eb328d3 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -29,6 +29,13 @@ struct optee_header {
 	uint32_t paged_size;
 };
 
+static inline uint32_t optee_image_get_entry_point(const image_header_t *hdr)
+{
+	struct optee_header *optee_hdr = (struct optee_header *)(hdr + 1);
+
+	return optee_hdr->init_load_addr_lo;
+}
+
 #if defined(CONFIG_OPTEE)
 int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
 		       unsigned long tzdram_len, unsigned long image_len);
-- 
2.7.4

[U-Boot] [PATCH v6 06/10] optee: Add optee_image_get_load_addr()

[Bryan O'Donoghue]

This patch adds optee_image_get_load_addr() a helper function used to
calculate the load-address of an OPTEE image based on the lower
entry-point address given in the OPTEE header.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 include/tee/optee.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/tee/optee.h b/include/tee/optee.h
index eb328d3..e782cb0 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -36,6 +36,11 @@ static inline uint32_t optee_image_get_entry_point(const image_header_t *hdr)
 	return optee_hdr->init_load_addr_lo;
 }
 
+static inline uint32_t optee_image_get_load_addr(const image_header_t *hdr)
+{
+	return optee_image_get_entry_point(hdr) - sizeof(struct optee_header);
+}
+
 #if defined(CONFIG_OPTEE)
 int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
 		       unsigned long tzdram_len, unsigned long image_len);
-- 
2.7.4

[U-Boot] [PATCH v6 07/10] optee: Add optee_verify_bootm_image()

[Bryan O'Donoghue]

This patch adds optee_verify_bootm_image() which will be subsequently used
to verify the parameters encoded in the OPTEE header match the memory
allocated to the OPTEE region, OPTEE header magic and version prior to
handing off control to the OPTEE image.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
---
 include/tee/optee.h | 13 +++++++++++++
 lib/optee/optee.c   | 20 ++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/include/tee/optee.h b/include/tee/optee.h
index e782cb0..4b9e94c 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -55,4 +55,17 @@ static inline int optee_verify_image(struct optee_header *hdr,
 
 #endif
 
+#if defined(CONFIG_OPTEE)
+int optee_verify_bootm_image(unsigned long image_addr,
+			     unsigned long image_load_addr,
+			     unsigned long image_len);
+#else
+static inline int optee_verify_bootm_image(unsigned long image_addr,
+					   unsigned long image_load_addr,
+					   unsigned long image_len)
+{
+	return -EPERM;
+}
+#endif
+
 #endif /* _OPTEE_H */
diff --git a/lib/optee/optee.c b/lib/optee/optee.c
index 2cc16d7..365c078 100644
--- a/lib/optee/optee.c
+++ b/lib/optee/optee.c
@@ -29,3 +29,23 @@ int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
 
 	return 0;
 }
+
+int optee_verify_bootm_image(unsigned long image_addr,
+			     unsigned long image_load_addr,
+			     unsigned long image_len)
+{
+	struct optee_header *hdr = (struct optee_header *)image_addr;
+	unsigned long tzdram_start = CONFIG_OPTEE_TZDRAM_BASE;
+	unsigned long tzdram_len = CONFIG_OPTEE_TZDRAM_SIZE;
+
+	int ret;
+
+	ret = optee_verify_image(hdr, tzdram_start, tzdram_len, image_len);
+	if (ret)
+		return ret;
+
+	if (image_load_addr + sizeof(*hdr) != hdr->init_load_addr_lo)
+		ret = -EINVAL;
+
+	return ret;
+}
-- 
2.7.4

[U-Boot] [PATCH v6 08/10] optee: Add error printout

[Bryan O'Donoghue]

When encountering an error in OPTEE verification print out various details
of the OPTEE header to aid in further debugging of encountered errors.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 lib/optee/optee.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/optee/optee.c b/lib/optee/optee.c
index 365c078..78a15e8 100644
--- a/lib/optee/optee.c
+++ b/lib/optee/optee.c
@@ -8,6 +8,12 @@
 #include <common.h>
 #include <tee/optee.h>
 
+#define optee_hdr_err_msg \
+	"OPTEE verification error:" \
+	"\n\thdr=%p image=0x%08lx magic=0x%08x tzdram 0x%08lx-0x%08lx " \
+	"\n\theader lo=0x%08x hi=0x%08x size=0x%08lx arch=0x%08x" \
+	"\n\tuimage params 0x%08lx-0x%08lx\n"
+
 int optee_verify_image(struct optee_header *hdr, unsigned long tzdram_start,
 		       unsigned long tzdram_len, unsigned long image_len)
 {
@@ -42,10 +48,19 @@ int optee_verify_bootm_image(unsigned long image_addr,
 
 	ret = optee_verify_image(hdr, tzdram_start, tzdram_len, image_len);
 	if (ret)
-		return ret;
+		goto error;
 
-	if (image_load_addr + sizeof(*hdr) != hdr->init_load_addr_lo)
+	if (image_load_addr + sizeof(*hdr) != hdr->init_load_addr_lo) {
 		ret = -EINVAL;
+		goto error;
+	}
+
+	return ret;
+error:
+	printf(optee_hdr_err_msg, hdr, image_addr, hdr->magic, tzdram_start,
+	       tzdram_start + tzdram_len, hdr->init_load_addr_lo,
+	       hdr->init_load_addr_hi, image_len, hdr->arch, image_load_addr,
+	       image_load_addr + image_len);
 
 	return ret;
 }
-- 
2.7.4

[U-Boot] [PATCH v6 09/10] image: Add IH_OS_TEE for TEE chain-load boot

[Bryan O'Donoghue]

This patch adds a new type IH_OS_TEE. This new OS type will be used for
chain-loading to Linux via a TEE.

With this patch in-place you can generate a bootable OPTEE image like this:

mkimage -A arm -T kernel -O tee -C none -d tee.bin uTee.optee

where "tee.bin" is the input binary prefixed with an OPTEE header and
uTee.optee is the output prefixed with a u-boot wrapper header.

This image type "-T kernel -O tee" is differentiated from the existing
IH_TYPE_TEE "-T tee" in that the IH_TYPE is installed by u-boot (flow
control returns to u-boot) whereas for the new IH_OS_TEE control passes to
the OPTEE firmware and the firmware chainloads onto Linux.

Andrew Davis gave the following ASCII diagram:

IH_OS_TEE: (mkimage -T kernel -O tee)
Non-Secure       Secure

                 BootROM
                   |
      -------------
     |
     v
    SPL
     |
     v
   U-Boot ------>
          <-----  OP-TEE
      |
      V
    Linux

IH_TYPE_TEE: (mkimage -T tee)
Non-Secure       Secure

                 BootROM
                   |
      -------------
     |
     v
    SPL ------->
         <-----  OP-TEE
     |
     v
   U-Boot
      |
      V
    Linux

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Suggested-by: Andrew F. Davis <afd@ti.com>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Link: http://mrvan.github.io/optee-imx6ul
---
 common/image.c        |  1 +
 include/image.h       |  1 +
 tools/default_image.c | 15 +++++++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/common/image.c b/common/image.c
index 14be3ca..61e3d25 100644
--- a/common/image.c
+++ b/common/image.c
@@ -100,6 +100,7 @@ static const table_entry_t uimage_os[] = {
 	{	IH_OS_OSE,	"ose",		"Enea OSE",		},
 	{	IH_OS_PLAN9,	"plan9",	"Plan 9",		},
 	{	IH_OS_RTEMS,	"rtems",	"RTEMS",		},
+	{	IH_OS_TEE,	"tee",		"Trusted Execution Environment" },
 	{	IH_OS_U_BOOT,	"u-boot",	"U-Boot",		},
 	{	IH_OS_VXWORKS,	"vxworks",	"VxWorks",		},
 #if defined(CONFIG_CMD_ELF) || defined(USE_HOSTCC)
diff --git a/include/image.h b/include/image.h
index dbdaecb..a0a530d 100644
--- a/include/image.h
+++ b/include/image.h
@@ -153,6 +153,7 @@ enum {
 	IH_OS_PLAN9,			/* Plan 9	*/
 	IH_OS_OPENRTOS,		/* OpenRTOS	*/
 	IH_OS_ARM_TRUSTED_FIRMWARE,     /* ARM Trusted Firmware */
+	IH_OS_TEE,			/* Trusted Execution Environment */
 
 	IH_OS_COUNT,
 };
diff --git a/tools/default_image.c b/tools/default_image.c
index 4e5568e..c67f66b 100644
--- a/tools/default_image.c
+++ b/tools/default_image.c
@@ -18,6 +18,7 @@
 #include "mkimage.h"
 
 #include <image.h>
+#include <tee/optee.h>
 #include <u-boot/crc.h>
 
 static image_header_t header;
@@ -90,6 +91,8 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 	uint32_t checksum;
 	time_t time;
 	uint32_t imagesize;
+	uint32_t ep;
+	uint32_t addr;
 
 	image_header_t * hdr = (image_header_t *)ptr;
 
@@ -99,18 +102,26 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 			sbuf->st_size - sizeof(image_header_t));
 
 	time = imagetool_get_source_date(params, sbuf->st_mtime);
+	ep = params->ep;
+	addr = params->addr;
+
 	if (params->type == IH_TYPE_FIRMWARE_IVT)
 		/* Add size of CSF minus IVT */
 		imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0;
 	else
 		imagesize = sbuf->st_size - sizeof(image_header_t);
 
+	if (params->os == IH_OS_TEE) {
+		addr = optee_image_get_load_addr(hdr);
+		ep = optee_image_get_entry_point(hdr);
+	}
+
 	/* Build new header */
 	image_set_magic(hdr, IH_MAGIC);
 	image_set_time(hdr, time);
 	image_set_size(hdr, imagesize);
-	image_set_load(hdr, params->addr);
-	image_set_ep(hdr, params->ep);
+	image_set_load(hdr, addr);
+	image_set_ep(hdr, ep);
 	image_set_dcrc(hdr, checksum);
 	image_set_os(hdr, params->os);
 	image_set_arch(hdr, params->arch);
-- 
2.7.4

[U-Boot] [PATCH v6 10/10] bootm: optee: Add a bootm command for type IH_OS_TEE

[Bryan O'Donoghue]

This patch makes it possible to verify the contents and location of an
OPTEE image in DRAM prior to handing off control to that image. If image
verification fails we won't try to boot any further.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Suggested-by: Andrew F. Davis <afd@ti.com>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
---
 common/bootm_os.c | 32 ++++++++++++++++++++++++++++++++
 lib/optee/Kconfig |  9 +++++++++
 2 files changed, 41 insertions(+)

diff --git a/common/bootm_os.c b/common/bootm_os.c
index 5e6b177..b84a8e2 100644
--- a/common/bootm_os.c
+++ b/common/bootm_os.c
@@ -11,6 +11,7 @@
 #include <linux/libfdt.h>
 #include <malloc.h>
 #include <vxworks.h>
+#include <tee/optee.h>
 
 DECLARE_GLOBAL_DATA_PTR;
 
@@ -433,6 +434,34 @@ static int do_bootm_openrtos(int flag, int argc, char * const argv[],
 }
 #endif
 
+#ifdef CONFIG_BOOTM_OPTEE
+static int do_bootm_tee(int flag, int argc, char * const argv[],
+			bootm_headers_t *images)
+{
+	int ret;
+
+	/* Verify OS type */
+	if (images->os.os != IH_OS_TEE) {
+		return 1;
+	};
+
+	/* Validate OPTEE header */
+	ret = optee_verify_bootm_image(images->os.image_start,
+				       images->os.load,
+				       images->os.image_len);
+	if (ret)
+		return ret;
+
+	/* Locate FDT etc */
+	ret = bootm_find_images(flag, argc, argv);
+	if (ret)
+		return ret;
+
+	/* From here we can run the regular linux boot path */
+	return do_bootm_linux(flag, argc, argv, images);
+}
+#endif
+
 static boot_os_fn *boot_os[] = {
 	[IH_OS_U_BOOT] = do_bootm_standalone,
 #ifdef CONFIG_BOOTM_LINUX
@@ -466,6 +495,9 @@ static boot_os_fn *boot_os[] = {
 #ifdef CONFIG_BOOTM_OPENRTOS
 	[IH_OS_OPENRTOS] = do_bootm_openrtos,
 #endif
+#ifdef CONFIG_BOOTM_OPTEE
+	[IH_OS_TEE] = do_bootm_tee,
+#endif
 };
 
 /* Allow for arch specific config before we boot */
diff --git a/lib/optee/Kconfig b/lib/optee/Kconfig
index cc73ec3..1e5ab45 100644
--- a/lib/optee/Kconfig
+++ b/lib/optee/Kconfig
@@ -28,3 +28,12 @@ config OPTEE_TZDRAM_BASE
 	help
 	  The base address of pre-allocated Trust Zone DRAM for
 	  the OPTEE runtime.
+
+config BOOTM_OPTEE
+	bool "Support OPTEE bootm command"
+	select BOOTM_LINUX
+	default n
+	help
+	  Select this command to enable chain-loading of a Linux kernel
+	  via an OPTEE firmware.
+	  The bootflow is BootROM -> u-boot -> OPTEE -> Linux in this case.
-- 
2.7.4

[U-Boot] [U-Boot, v6, 01/10] optee: Add lib entries for sharing OPTEE code across ports

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:27PM +0000, Bryan O'Donoghue wrote:

> This patch adds code to lib to enable sharing of useful OPTEE code between
> board-ports and architectures. The code on lib/optee/optee.c comes from the
> TI omap2 port. Eventually the OMAP2 code will be patched to include the
> shared code. The intention here is to add more useful OPTEE specific code
> as more functionality gets added.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Tested-by: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/e97ecbd5/attachment.sig>

[U-Boot] [U-Boot,v6,02/10] optee: Add CONFIG_OPTEE_TZDRAM_SIZE

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:28PM +0000, Bryan O'Donoghue wrote:

> OPTEE is currently linked to a specific area of memory called the TrustZone
> DRAM. This patch adds a CONFIG entry for the default size of TrustZone DRAM
> that a board-port can over-ride. The region that U-Boot sets aside for the
> OPTEE run-time should be verified before attempting to hand off to the
> OPTEE run-time. Each board-port should carefully ensure that the TZDRAM
> size specified in the OPTEE build and the TZDRAM size specified in U-Boot
> match-up.
> 
> Further patches will use TZDRAM size with other defines and variables to
> carry out a degree of automated verification in U-Boot prior to trying to
> boot an OPTEE image.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Tested-by: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/fa28c5c3/attachment.sig>

[U-Boot] [U-Boot,v6,03/10] optee: Add CONFIG_OPTEE_TZDRAM_BASE

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:29PM +0000, Bryan O'Donoghue wrote:

> OPTEE is currently linked to a specific area of memory called the TrustZone
> DRAM. This patch adds a CONFIG entry for the default address of TrustZone
> DRAM that a board-port can over-ride. The region that U-Boot sets aside for
> the OPTEE run-time should be verified before attempting to hand off to the
> OPTEE run-time. Each board-port should carefully ensure that the TZDRAM
> address specified in the OPTEE build and the TZDRAM address specified in
> U-Boot match-up.
> 
> Further patches will use TZDRAM address with other defines and variables to
> carry out a degree of automated verification in U-Boot prior to trying to
> boot an OPTEE image.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/90fa7f58/attachment-0001.sig>

[U-Boot] [U-Boot,v6,04/10] optee: Add CONFIG_OPTEE_LOAD_ADDR

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:30PM +0000, Bryan O'Donoghue wrote:

> CONFIG_OPTEE_LOAD_ADDR is used to tell u-boot where to load the OPTEE
> binary into memory prior to handing off control to OPTEE.
> 
> We need to pull this value out of u-boot in order to produce an IMX IVT/CSF
> signed pair for the purposes of secure boot. The best way to do that is to
> have CONFIG_OPTEE_LOAD_ADDR appear in u-boot.cfg.
> 
> Adding new CONFIG entires to u-boot should be kconfig driven so this patch
> does just that.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/37c8428a/attachment.sig>

[U-Boot] [U-Boot, v6, 05/10] optee: Add optee_image_get_entry_point()

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:31PM +0000, Bryan O'Donoghue wrote:

> Add a helper function for extracting the least significant 32 bits from the
> OPTEE entry point address, which will be good enough to load OPTEE binaries
> up to (2^32)-1 bytes.
> 
> We may need to extend this out later on but for now (2^32)-1 should be
> fine.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Tested-by: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/52e44eab/attachment.sig>

[U-Boot] [U-Boot, v6, 06/10] optee: Add optee_image_get_load_addr()

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:32PM +0000, Bryan O'Donoghue wrote:

> This patch adds optee_image_get_load_addr() a helper function used to
> calculate the load-address of an OPTEE image based on the lower
> entry-point address given in the OPTEE header.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Tested-by: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/071606e6/attachment.sig>

[U-Boot] [U-Boot, v6, 07/10] optee: Add optee_verify_bootm_image()

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:33PM +0000, Bryan O'Donoghue wrote:

> This patch adds optee_verify_bootm_image() which will be subsequently used
> to verify the parameters encoded in the OPTEE header match the memory
> allocated to the OPTEE region, OPTEE header magic and version prior to
> handing off control to the OPTEE image.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/51581bbd/attachment.sig>

[U-Boot] [U-Boot,v6,08/10] optee: Add error printout

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:34PM +0000, Bryan O'Donoghue wrote:

> When encountering an error in OPTEE verification print out various details
> of the OPTEE header to aid in further debugging of encountered errors.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Tested-by: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/b5fad0f9/attachment.sig>

[U-Boot] [U-Boot, v6, 09/10] image: Add IH_OS_TEE for TEE chain-load boot

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:35PM +0000, Bryan O'Donoghue wrote:

> This patch adds a new type IH_OS_TEE. This new OS type will be used for
> chain-loading to Linux via a TEE.
> 
> With this patch in-place you can generate a bootable OPTEE image like this:
> 
> mkimage -A arm -T kernel -O tee -C none -d tee.bin uTee.optee
> 
> where "tee.bin" is the input binary prefixed with an OPTEE header and
> uTee.optee is the output prefixed with a u-boot wrapper header.
> 
> This image type "-T kernel -O tee" is differentiated from the existing
> IH_TYPE_TEE "-T tee" in that the IH_TYPE is installed by u-boot (flow
> control returns to u-boot) whereas for the new IH_OS_TEE control passes to
> the OPTEE firmware and the firmware chainloads onto Linux.
> 
> Andrew Davis gave the following ASCII diagram:
> 
> IH_OS_TEE: (mkimage -T kernel -O tee)
> Non-Secure       Secure
> 
>                  BootROM
>                    |
>       -------------
>      |
>      v
>     SPL
>      |
>      v
>    U-Boot ------>
>           <-----  OP-TEE
>       |
>       V
>     Linux
> 
> IH_TYPE_TEE: (mkimage -T tee)
> Non-Secure       Secure
> 
>                  BootROM
>                    |
>       -------------
>      |
>      v
>     SPL ------->
>          <-----  OP-TEE
>      |
>      v
>    U-Boot
>       |
>       V
>     Linux
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Suggested-by: Andrew F. Davis <afd@ti.com>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>
> Link: http://mrvan.github.io/optee-imx6ul

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/0cbe730c/attachment.sig>

[U-Boot] [U-Boot, v6, 10/10] bootm: optee: Add a bootm command for type IH_OS_TEE

[Tom Rini]

On Tue, Mar 13, 2018 at 04:50:36PM +0000, Bryan O'Donoghue wrote:

> This patch makes it possible to verify the contents and location of an
> OPTEE image in DRAM prior to handing off control to that image. If image
> verification fails we won't try to boot any further.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Suggested-by: Andrew F. Davis <afd@ti.com>
> Cc: Harinarayan Bhatta <harinarayan@ti.com>
> Cc: Andrew F. Davis <afd@ti.com>
> Cc: Tom Rini <trini@konsulko.com>
> Cc: Kever Yang <kever.yang@rock-chips.com>
> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
> Cc: Peng Fan <peng.fan@nxp.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180319/eb7afa76/attachment.sig>