[PATCH v2 00/14] aspeed: Support secure boot chain with FIT image verification

[PATCH v2 00/14] aspeed: Support secure boot chain with FIT image verification

[Chia-Wei Wang]

This patch series intends to provide a secure boot chain from SPL to Linux kernel
based on the hash and signature verification of FIT image paradigm.

To improve the performance and save code size (SPL is limited to 64KB due to HW-RoT),
the drviers of two HW crypto engine HACE and ARCY are also added for AST26xx SoCs.

As HACE and ARCY can only access to DRAM space, additional configuration and
boot command are also updated according to move each FIT image before its booting.

In addition, the common code of FIT image hash algorithm lookup is also revised
to leverage the HW accelerated calculation.

v2:
 - update commit authors

Chia-Wei Wang (9):
  aspeed: ast2600: Enlarge SRAM size
  clk: ast2600: Add RSACLK control for ARCY
  crypto: aspeed: Add AST2600 ARCY support
  ast2600: spl: Add ARCY probing
  ARM: dts: ast2600: Add ARCY to device tree
  ast2600: spl: Locate load buffer in DRAM space
  configs: ast2600-evb: Enable SPL FIT support
  configs: aspeed: Make EXTRA_ENV_SETTINGS board specific
  configs: ast2600: Boot kernel FIT in DRAM

Joel Stanley (5):
  clk: ast2600: Add YCLK control for HACE
  crypto: aspeed: Add AST2600 HACE support
  ast2600: spl: Add HACE probing
  ARM: dts: ast2600: Add HACE to device tree
  common: fit: Use hash.c to call CRC/SHA function

 arch/arm/dts/ast2600-evb.dts                  |  10 +
 arch/arm/dts/ast2600.dtsi                     |  17 ++
 arch/arm/include/asm/arch-aspeed/platform.h   |   2 +-
 .../arm/include/asm/arch-aspeed/scu_ast2600.h |   6 +-
 arch/arm/mach-aspeed/ast2600/spl.c            |  29 +-
 common/image-fit.c                            |  35 +--
 configs/evb-ast2600_defconfig                 |  26 +-
 drivers/clk/aspeed/clk_ast2600.c              |  35 +++
 drivers/crypto/Kconfig                        |   2 +
 drivers/crypto/Makefile                       |   1 +
 drivers/crypto/aspeed/Kconfig                 |  22 ++
 drivers/crypto/aspeed/Makefile                |   2 +
 drivers/crypto/aspeed/aspeed_arcy.c           | 182 +++++++++++
 drivers/crypto/aspeed/aspeed_hace.c           | 288 ++++++++++++++++++
 include/configs/aspeed-common.h               |   9 -
 include/configs/evb_ast2500.h                 |   6 +
 include/configs/evb_ast2600.h                 |  13 +
 lib/rsa/Kconfig                               |  10 +-
 18 files changed, 645 insertions(+), 50 deletions(-)
 create mode 100644 drivers/crypto/aspeed/Kconfig
 create mode 100644 drivers/crypto/aspeed/Makefile
 create mode 100644 drivers/crypto/aspeed/aspeed_arcy.c
 create mode 100644 drivers/crypto/aspeed/aspeed_hace.c

-- 
2.17.1

[PATCH v2 01/14] aspeed: ast2600: Enlarge SRAM size

[Chia-Wei Wang]

The AST2600 SRAM has been extended to 88KB since A1
chip revision. This patch updates the SRAM size to
offer more space for early stack/heap use.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/include/asm/arch-aspeed/platform.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/include/asm/arch-aspeed/platform.h b/arch/arm/include/asm/arch-aspeed/platform.h
index d50ec5f8a9..589abd4a3f 100644
--- a/arch/arm/include/asm/arch-aspeed/platform.h
+++ b/arch/arm/include/asm/arch-aspeed/platform.h
@@ -17,7 +17,7 @@
 #define ASPEED_MAC_COUNT	4
 #define ASPEED_DRAM_BASE	0x80000000
 #define ASPEED_SRAM_BASE	0x10000000
-#define ASPEED_SRAM_SIZE	0x10000
+#define ASPEED_SRAM_SIZE	0x16000
 #else
 #err "Unrecognized Aspeed platform."
 #endif
-- 
2.17.1

[PATCH v2 02/14] clk: ast2600: Add YCLK control for HACE

[Chia-Wei Wang]

From: Joel Stanley <joel@jms.id.au>

Add YCLK enable for HACE, the HW hash engine of
ASPEED AST2600 SoCs.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 .../arm/include/asm/arch-aspeed/scu_ast2600.h |  5 +++--
 drivers/clk/aspeed/clk_ast2600.c              | 20 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2600.h b/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
index a205fb1f76..d7b500f656 100644
--- a/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
+++ b/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
@@ -10,8 +10,9 @@
 #define SCU_CLKGATE1_EMMC			BIT(27)
 #define SCU_CLKGATE1_MAC2			BIT(21)
 #define SCU_CLKGATE1_MAC1			BIT(20)
-#define SCU_CLKGATE1_USB_HUB		BIT(14)
-#define SCU_CLKGATE1_USB_HOST2		BIT(7)
+#define SCU_CLKGATE1_USB_HUB			BIT(14)
+#define SCU_CLKGATE1_HACE			BIT(13)
+#define SCU_CLKGATE1_USB_HOST2			BIT(7)
 
 #define SCU_CLKGATE2_FSI			BIT(30)
 #define SCU_CLKGATE2_MAC4			BIT(21)
diff --git a/drivers/clk/aspeed/clk_ast2600.c b/drivers/clk/aspeed/clk_ast2600.c
index 3a92739f5c..69128fd3c4 100644
--- a/drivers/clk/aspeed/clk_ast2600.c
+++ b/drivers/clk/aspeed/clk_ast2600.c
@@ -1013,6 +1013,23 @@ static ulong ast2600_enable_usbbhclk(struct ast2600_scu *scu)
 	return 0;
 }
 
+static ulong ast2600_enable_haceclk(struct ast2600_scu *scu)
+{
+	uint32_t reset_bit;
+	uint32_t clkgate_bit;
+
+	reset_bit = BIT(ASPEED_RESET_HACE);
+	clkgate_bit = SCU_CLKGATE1_HACE;
+
+	writel(reset_bit, &scu->modrst_ctrl1);
+	udelay(100);
+	writel(clkgate_bit, &scu->clkgate_clr1);
+	mdelay(20);
+	writel(reset_bit, &scu->modrst_clr1);
+
+	return 0;
+}
+
 static int ast2600_clk_enable(struct clk *clk)
 {
 	struct ast2600_clk_priv *priv = dev_get_priv(clk->dev);
@@ -1051,6 +1068,9 @@ static int ast2600_clk_enable(struct clk *clk)
 	case ASPEED_CLK_GATE_USBPORT2CLK:
 		ast2600_enable_usbbhclk(priv->scu);
 		break;
+	case ASPEED_CLK_GATE_YCLK:
+		ast2600_enable_haceclk(priv->scu);
+		break;
 	default:
 		pr_err("can't enable clk\n");
 		return -ENOENT;
-- 
2.17.1

[PATCH v2 03/14] crypto: aspeed: Add AST2600 HACE support

[Chia-Wei Wang]

From: Joel Stanley <joel@jms.id.au>

Hash and Crypto Engine (HACE) is designed to accelerate the
throughput of hash data digest, and symmetric-key encryption.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 drivers/crypto/Kconfig              |   2 +
 drivers/crypto/Makefile             |   1 +
 drivers/crypto/aspeed/Kconfig       |  12 ++
 drivers/crypto/aspeed/Makefile      |   1 +
 drivers/crypto/aspeed/aspeed_hace.c | 288 ++++++++++++++++++++++++++++
 5 files changed, 304 insertions(+)
 create mode 100644 drivers/crypto/aspeed/Kconfig
 create mode 100644 drivers/crypto/aspeed/Makefile
 create mode 100644 drivers/crypto/aspeed/aspeed_hace.c

diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 1ea116be75..422d01403e 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -2,4 +2,6 @@ menu "Hardware crypto devices"
 
 source drivers/crypto/fsl/Kconfig
 
+source drivers/crypto/aspeed/Kconfig
+
 endmenu
diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile
index efbd1d3fca..0442067e5e 100644
--- a/drivers/crypto/Makefile
+++ b/drivers/crypto/Makefile
@@ -6,3 +6,4 @@
 obj-$(CONFIG_EXYNOS_ACE_SHA)	+= ace_sha.o
 obj-y += rsa_mod_exp/
 obj-y += fsl/
+obj-y += aspeed/
diff --git a/drivers/crypto/aspeed/Kconfig b/drivers/crypto/aspeed/Kconfig
new file mode 100644
index 0000000000..299efc223f
--- /dev/null
+++ b/drivers/crypto/aspeed/Kconfig
@@ -0,0 +1,12 @@
+config ASPEED_HACE
+	bool "ASPEED Hash and Crypto Engine"
+	depends on ASPEED_AST2600
+	imply SHA_HW_ACCEL
+	imply SHA_PROG_HW_ACCEL
+	imply CMD_HASH
+	help
+	 Select this option to enable a driver for using the SHA engine in
+	 the ASPEED BMC SoCs.
+
+	 Enabling this allows the use of SHA operations in hardware without requiring the
+	 SHA software implementations. It also improves performance and saves code size.
diff --git a/drivers/crypto/aspeed/Makefile b/drivers/crypto/aspeed/Makefile
new file mode 100644
index 0000000000..84e6bfe82a
--- /dev/null
+++ b/drivers/crypto/aspeed/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_ASPEED_HACE) += aspeed_hace.o
diff --git a/drivers/crypto/aspeed/aspeed_hace.c b/drivers/crypto/aspeed/aspeed_hace.c
new file mode 100644
index 0000000000..34e68c07f4
--- /dev/null
+++ b/drivers/crypto/aspeed/aspeed_hace.c
@@ -0,0 +1,288 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2021 IBM Corp.
+ * Copyright 2021 ASPEED Technology Inc.
+ */
+#include <common.h>
+#include <clk.h>
+#include <log.h>
+#include <asm/io.h>
+#include <malloc.h>
+#include <hash.h>
+#include <dm/uclass.h>
+#include <dm/device.h>
+#include <dm/fdtaddr.h>
+#include <linux/bitops.h>
+#include <linux/delay.h>
+#include <linux/kernel.h>
+#include <linux/iopoll.h>
+
+/* register offsets*/
+#define HACE_STS		0x1C
+#define   HACE_HASH_INT		BIT(9)
+#define   HACE_HASH_BUSY	BIT(0)
+#define HACE_HASH_DATA		0x20
+#define HACE_HASH_DIGEST	0x24
+#define HACE_HASH_HMAC_KEY	0x28
+#define HACE_HASH_DATA_LEN	0x2C
+#define   HACE_SG_LAST		BIT(31)
+#define HACE_HASH_CMD		0x30
+#define   HACE_SG_EN		BIT(18)
+#define   HACE_ALGO_SHA384	(BIT(10) | BIT(6) | BIT(5))
+#define   HACE_ALGO_SHA512	(BIT(6) | BIT(5))
+#define   HACE_ALGO_SHA256	(BIT(6) | BIT(4))
+#define   HACE_ALGO_SHA224	BIT(6)
+#define   HACE_ALGO_SHA1	BIT(5)
+#define   HACE_SHA_BE_EN	BIT(3)
+#define   HACE_MD5_LE_EN	BIT(2)
+
+#define HACE_MAX_SG	32
+
+struct aspeed_sg {
+	u32 len;
+	u32 addr;
+};
+
+struct aspeed_hash_ctx {
+	u32 method;
+	u32 digest_size;
+	u32 len;
+	u32 count;
+	struct aspeed_sg list[HACE_MAX_SG]; /* Must be 8 byte aligned */
+};
+
+struct aspeed_hace {
+	phys_addr_t base;
+	struct clk clk;
+};
+
+static phys_addr_t aspeed_hace_get_base(void)
+{
+	int rc;
+	struct udevice *dev;
+	struct aspeed_hace *hace;
+
+	rc = uclass_get_device_by_driver(UCLASS_MISC,
+					 DM_DRIVER_GET(aspeed_hace),
+					 &dev);
+	if (rc) {
+		printf("Cannot get HACE device, rc=%d\n", rc);
+		return 0;
+	}
+
+	hace = dev_get_priv(dev);
+
+	return hace->base;
+}
+
+static int aspeed_hace_wait_completion(u32 reg, u32 flag, int timeout_us)
+{
+	u32 val;
+
+	return readl_poll_timeout(reg, val, (val & flag) == flag, timeout_us);
+}
+
+static int digest_object(const void *data, unsigned int length, void *digest,
+			 u32 method)
+{
+	phys_addr_t base = aspeed_hace_get_base();
+
+	if (!((u32)data & BIT(31))) {
+		debug("HACE src out of bounds: can only copy from SDRAM\n");
+		return -EINVAL;
+	}
+
+	if (!((u32)digest & BIT(31))) {
+		debug("HACE dst out of bounds: can only copy to SDRAM\n");
+		return -EINVAL;
+	}
+
+	if ((u32)digest & 0x7) {
+		debug("HACE dst alignment incorrect: %p\n", digest);
+		return -EINVAL;
+	}
+
+	if (readl(base + HACE_STS) & HACE_HASH_BUSY) {
+		debug("HACE error: engine busy\n");
+		return -EBUSY;
+	}
+
+	/* Clear pending completion status */
+	writel(HACE_HASH_INT, base + HACE_STS);
+	writel((u32)data, base + HACE_HASH_DATA);
+	writel((u32)digest, base + HACE_HASH_DIGEST);
+	writel(length, base + HACE_HASH_DATA_LEN);
+	writel(HACE_SHA_BE_EN | method, base + HACE_HASH_CMD);
+
+	/* SHA512 hashing appears to have a througput of about 12MB/s */
+	return aspeed_hace_wait_completion(base + HACE_STS,
+					   HACE_HASH_INT,
+					   1000 + (length >> 3));
+}
+
+void hw_sha1(const unsigned char *pbuf, unsigned int buf_len,
+	     unsigned char *pout, unsigned int chunk_size)
+{
+	int rc;
+
+	rc = digest_object(pbuf, buf_len, pout, HACE_ALGO_SHA1);
+	if (rc)
+		debug("HACE failure: %d\n", rc);
+}
+
+void hw_sha256(const unsigned char *pbuf, unsigned int buf_len,
+	       unsigned char *pout, unsigned int chunk_size)
+{
+	int rc;
+
+	rc = digest_object(pbuf, buf_len, pout, HACE_ALGO_SHA256);
+	if (rc)
+		debug("HACE failure: %d\n", rc);
+}
+
+void hw_sha384(const unsigned char *pbuf, unsigned int buf_len,
+	       unsigned char *pout, unsigned int chunk_size)
+{
+	int rc;
+
+	rc = digest_object(pbuf, buf_len, pout, HACE_ALGO_SHA384);
+	if (rc)
+		debug("HACE failure: %d\n", rc);
+}
+
+void hw_sha512(const unsigned char *pbuf, unsigned int buf_len,
+	       unsigned char *pout, unsigned int chunk_size)
+{
+	int rc;
+
+	rc = digest_object(pbuf, buf_len, pout, HACE_ALGO_SHA512);
+	if (rc)
+		debug("HACE failure: %d\n", rc);
+}
+
+int hw_sha_init(struct hash_algo *algo, void **ctxp)
+{
+	struct aspeed_hash_ctx *ctx;
+	u32 method;
+
+	if (!strcmp(algo->name, "sha1"))
+		method = HACE_ALGO_SHA1;
+	else if (!strcmp(algo->name, "sha256"))
+		method = HACE_ALGO_SHA256;
+	else if (!strcmp(algo->name, "sha384"))
+		method = HACE_ALGO_SHA384;
+	else if (!strcmp(algo->name, "sha512"))
+		method = HACE_ALGO_SHA512;
+	else
+		return -ENOTSUPP;
+
+	ctx = memalign(8, sizeof(*ctx));
+	if (!ctx) {
+		debug("HACE error: Cannot allocate memory for context\n");
+		return -ENOMEM;
+	}
+
+	memset(ctx, '\0', sizeof(*ctx));
+
+	if (((uintptr_t)ctx->list & 0x3) != 0) {
+		printf("HACE error: Invalid alignment for input data\n");
+		return -EINVAL;
+	}
+
+	ctx->method = method | HACE_SG_EN;
+	ctx->digest_size = algo->digest_size;
+
+	*ctxp = ctx;
+
+	return 0;
+}
+
+int hw_sha_update(struct hash_algo *algo, void *hash_ctx, const void *buf,
+		  unsigned int size, int is_last)
+{
+	struct aspeed_hash_ctx *ctx = hash_ctx;
+	struct aspeed_sg *sg = &ctx->list[ctx->count];
+
+	if (ctx->count >= ARRAY_SIZE(ctx->list)) {
+		debug("HACE error: Reached maximum number of hash segments\n");
+		free(ctx);
+		return -EINVAL;
+	}
+
+	sg->addr = (u32)buf;
+	sg->len = size;
+
+	if (is_last)
+		sg->len |= HACE_SG_LAST;
+
+	ctx->count++;
+	ctx->len += size;
+
+	return 0;
+}
+
+int hw_sha_finish(struct hash_algo *algo, void *hash_ctx, void *dest_buf, int size)
+{
+	struct aspeed_hash_ctx *ctx = hash_ctx;
+	int rc;
+
+	if (size < ctx->digest_size) {
+		debug("HACE error: insufficient size on destination buffer\n");
+		free(ctx);
+		return -EINVAL;
+	}
+
+	rc = digest_object(ctx->list, ctx->len, dest_buf, ctx->method);
+	if (rc)
+		debug("HACE Scatter-Gather failure\n");
+
+	free(ctx);
+
+	return rc;
+}
+
+static int aspeed_hace_probe(struct udevice *dev)
+{
+	struct aspeed_hace *hace = dev_get_priv(dev);
+	int ret;
+
+	ret = clk_get_by_index(dev, 0, &hace->clk);
+	if (ret < 0) {
+		debug("Can't get clock for %s: %d\n", dev->name, ret);
+		return ret;
+	}
+
+	ret = clk_enable(&hace->clk);
+	if (ret) {
+		debug("Failed to enable fsi clock (%d)\n", ret);
+		return ret;
+	}
+
+	hace->base = devfdt_get_addr(dev);
+
+	return ret;
+}
+
+static int aspeed_hace_remove(struct udevice *dev)
+{
+	struct aspeed_hace *hace = dev_get_priv(dev);
+
+	clk_disable(&hace->clk);
+
+	return 0;
+}
+
+static const struct udevice_id aspeed_hace_ids[] = {
+	{ .compatible = "aspeed,ast2600-hace" },
+	{ }
+};
+
+U_BOOT_DRIVER(aspeed_hace) = {
+	.name = "aspeed_hace",
+	.id = UCLASS_MISC,
+	.of_match = aspeed_hace_ids,
+	.probe = aspeed_hace_probe,
+	.remove	= aspeed_hace_remove,
+	.priv_auto = sizeof(struct aspeed_hace),
+	.flags = DM_FLAG_PRE_RELOC,
+};
-- 
2.17.1

[PATCH v2 04/14] ast2600: spl: Add HACE probing

[Chia-Wei Wang]

From: Joel Stanley <joel@jms.id.au>

Probe HACE driver in SPL board init if enabled.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/mach-aspeed/ast2600/spl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/arch/arm/mach-aspeed/ast2600/spl.c b/arch/arm/mach-aspeed/ast2600/spl.c
index 0d8cb29678..a0fc420ff1 100644
--- a/arch/arm/mach-aspeed/ast2600/spl.c
+++ b/arch/arm/mach-aspeed/ast2600/spl.c
@@ -38,6 +38,20 @@ struct image_header *spl_get_load_buffer(ssize_t offset, size_t size)
 	return (struct image_header *)(CONFIG_SYS_TEXT_BASE);
 }
 
+#ifdef CONFIG_SPL_BOARD_INIT
+void spl_board_init(void)
+{
+	int rc;
+	struct udevice *dev;
+
+	rc = uclass_get_device_by_driver(UCLASS_MISC,
+					 DM_DRIVER_GET(aspeed_hace),
+					 &dev);
+	if (rc)
+		debug("HACE initialization failure, rc=%d\n", rc);
+}
+#endif
+
 #ifdef CONFIG_SPL_OS_BOOT
 int spl_start_uboot(void)
 {
-- 
2.17.1

[PATCH v2 05/14] ARM: dts: ast2600: Add HACE to device tree

[Chia-Wei Wang]

From: Joel Stanley <joel@jms.id.au>

Add HACE DTS node and enable it for AST2600 EVB.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/dts/ast2600-evb.dts | 5 +++++
 arch/arm/dts/ast2600.dtsi    | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/arch/arm/dts/ast2600-evb.dts b/arch/arm/dts/ast2600-evb.dts
index 2abd31341c..adb80a30ef 100644
--- a/arch/arm/dts/ast2600-evb.dts
+++ b/arch/arm/dts/ast2600-evb.dts
@@ -177,3 +177,8 @@
 			  0x08 0x04
 			  0x08 0x04>;
 };
+
+&hace {
+	u-boot,dm-pre-reloc;
+	status = "okay";
+};
diff --git a/arch/arm/dts/ast2600.dtsi b/arch/arm/dts/ast2600.dtsi
index ac0f08b7ea..642206fb77 100644
--- a/arch/arm/dts/ast2600.dtsi
+++ b/arch/arm/dts/ast2600.dtsi
@@ -187,6 +187,14 @@
 			};
 		};
 
+		hace: hace@1e6d0000 {
+			compatible = "aspeed,ast2600-hace";
+			reg = <0x1e6d0000 0x200>;
+			interrupts = <GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>;
+			clocks = <&scu ASPEED_CLK_GATE_YCLK>;
+			status = "disabled";
+		};
+
 		edac: sdram@1e6e0000 {
 			compatible = "aspeed,ast2600-sdram-edac";
 			reg = <0x1e6e0000 0x174>;
-- 
2.17.1

[PATCH v2 06/14] common: fit: Use hash.c to call CRC/SHA function

[Chia-Wei Wang]

From: Joel Stanley <joel@jms.id.au>

Currently the FIT verification calls directly into
SW implemented functions to get a CRC/SHA/MD5 hash.

This patch removes duplcated algorithm lookup and use
hash_lookup_algo to get the hashing function with HW
accelearation supported if configured.

The MD5 direct call remains as it is not included in
the hash lookup table of hash.c.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 common/image-fit.c | 35 ++++++++++-------------------------
 1 file changed, 10 insertions(+), 25 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 0c5a05948d..e52ff47bc3 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1196,7 +1196,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp)
  * calculate_hash - calculate and return hash for provided input data
  * @data: pointer to the input data
  * @data_len: data length
- * @algo: requested hash algorithm
+ * @algo_name: requested hash algorithm
  * @value: pointer to the char, will hold hash value data (caller must
  * allocate enough free space)
  * value_len: length of the calculated hash
@@ -1210,37 +1210,22 @@ int fit_set_timestamp(void *fit, int noffset, time_t timestamp)
  *     0, on success
  *    -1, when algo is unsupported
  */
-int calculate_hash(const void *data, int data_len, const char *algo,
-			uint8_t *value, int *value_len)
+int calculate_hash(const void *data, int data_len, const char *algo_name,
+		   uint8_t *value, int *value_len)
 {
-	if (IMAGE_ENABLE_CRC32 && strcmp(algo, "crc32") == 0) {
-		*((uint32_t *)value) = crc32_wd(0, data, data_len,
-							CHUNKSZ_CRC32);
-		*((uint32_t *)value) = cpu_to_uimage(*((uint32_t *)value));
-		*value_len = 4;
-	} else if (IMAGE_ENABLE_SHA1 && strcmp(algo, "sha1") == 0) {
-		sha1_csum_wd((unsigned char *)data, data_len,
-			     (unsigned char *)value, CHUNKSZ_SHA1);
-		*value_len = 20;
-	} else if (IMAGE_ENABLE_SHA256 && strcmp(algo, "sha256") == 0) {
-		sha256_csum_wd((unsigned char *)data, data_len,
-			       (unsigned char *)value, CHUNKSZ_SHA256);
-		*value_len = SHA256_SUM_LEN;
-	} else if (IMAGE_ENABLE_SHA384 && strcmp(algo, "sha384") == 0) {
-		sha384_csum_wd((unsigned char *)data, data_len,
-			       (unsigned char *)value, CHUNKSZ_SHA384);
-		*value_len = SHA384_SUM_LEN;
-	} else if (IMAGE_ENABLE_SHA512 && strcmp(algo, "sha512") == 0) {
-		sha512_csum_wd((unsigned char *)data, data_len,
-			       (unsigned char *)value, CHUNKSZ_SHA512);
-		*value_len = SHA512_SUM_LEN;
-	} else if (IMAGE_ENABLE_MD5 && strcmp(algo, "md5") == 0) {
+	struct hash_algo *algo;
+
+	if (IMAGE_ENABLE_MD5 && strcmp(algo_name, "md5") == 0) {
 		md5_wd((unsigned char *)data, data_len, value, CHUNKSZ_MD5);
 		*value_len = 16;
+	} else if (hash_lookup_algo(algo_name, &algo) == 0) {
+		algo->hash_func_ws(data, data_len, value, algo->chunk_size);
+		*value_len = algo->digest_size;
 	} else {
 		debug("Unsupported hash alogrithm\n");
 		return -1;
 	}
+
 	return 0;
 }
 
-- 
2.17.1

[PATCH v2 07/14] clk: ast2600: Add RSACLK control for ARCY

[Chia-Wei Wang]

Add RSACLK enable for ARCY, the HW RSA/ECC crypto engine
of ASPEED AST26xx SoCs.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/include/asm/arch-aspeed/scu_ast2600.h |  1 +
 drivers/clk/aspeed/clk_ast2600.c               | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2600.h b/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
index d7b500f656..27f4e9f994 100644
--- a/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
+++ b/arch/arm/include/asm/arch-aspeed/scu_ast2600.h
@@ -8,6 +8,7 @@
 #define SCU_UNLOCK_KEY			0x1688a8a8
 
 #define SCU_CLKGATE1_EMMC			BIT(27)
+#define SCU_CLKGATE1_ARCY			BIT(24)
 #define SCU_CLKGATE1_MAC2			BIT(21)
 #define SCU_CLKGATE1_MAC1			BIT(20)
 #define SCU_CLKGATE1_USB_HUB			BIT(14)
diff --git a/drivers/clk/aspeed/clk_ast2600.c b/drivers/clk/aspeed/clk_ast2600.c
index 69128fd3c4..bf3379fce2 100644
--- a/drivers/clk/aspeed/clk_ast2600.c
+++ b/drivers/clk/aspeed/clk_ast2600.c
@@ -1030,6 +1030,18 @@ static ulong ast2600_enable_haceclk(struct ast2600_scu *scu)
 	return 0;
 }
 
+static ulong ast2600_enable_rsaclk(struct ast2600_scu *scu)
+{
+	uint32_t clkgate_bit;
+
+	clkgate_bit = SCU_CLKGATE1_ARCY;
+
+	writel(clkgate_bit, &scu->clkgate_clr1);
+	mdelay(20);
+
+	return 0;
+}
+
 static int ast2600_clk_enable(struct clk *clk)
 {
 	struct ast2600_clk_priv *priv = dev_get_priv(clk->dev);
@@ -1071,6 +1083,9 @@ static int ast2600_clk_enable(struct clk *clk)
 	case ASPEED_CLK_GATE_YCLK:
 		ast2600_enable_haceclk(priv->scu);
 		break;
+	case ASPEED_CLK_GATE_RSACLK:
+		ast2600_enable_rsaclk(priv->scu);
+		break;
 	default:
 		pr_err("can't enable clk\n");
 		return -ENOENT;
-- 
2.17.1

[PATCH v2 08/14] crypto: aspeed: Add AST2600 ARCY support

[Chia-Wei Wang]

ARCY is deisnged to accerlerate ECC/RSA digital signature
generation and verification.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 drivers/crypto/aspeed/Kconfig       |  10 ++
 drivers/crypto/aspeed/Makefile      |   1 +
 drivers/crypto/aspeed/aspeed_arcy.c | 182 ++++++++++++++++++++++++++++
 lib/rsa/Kconfig                     |  10 +-
 4 files changed, 202 insertions(+), 1 deletion(-)
 create mode 100644 drivers/crypto/aspeed/aspeed_arcy.c

diff --git a/drivers/crypto/aspeed/Kconfig b/drivers/crypto/aspeed/Kconfig
index 299efc223f..9d896afa8a 100644
--- a/drivers/crypto/aspeed/Kconfig
+++ b/drivers/crypto/aspeed/Kconfig
@@ -10,3 +10,13 @@ config ASPEED_HACE
 
 	 Enabling this allows the use of SHA operations in hardware without requiring the
 	 SHA software implementations. It also improves performance and saves code size.
+
+config ASPEED_ARCY
+	bool "ASPEED RSA and ECC Engine"
+	depends on ASPEED_AST2600
+	help
+	 Select this option to enable a driver for using the RSA/ECC engine in
+	 the ASPEED BMC SoCs.
+
+	 Enabling this allows the use of RSA/ECC operations in hardware without requiring the
+	 software implementations. It also improves performance and saves code size.
diff --git a/drivers/crypto/aspeed/Makefile b/drivers/crypto/aspeed/Makefile
index 84e6bfe82a..8de95eef7e 100644
--- a/drivers/crypto/aspeed/Makefile
+++ b/drivers/crypto/aspeed/Makefile
@@ -1 +1,2 @@
 obj-$(CONFIG_ASPEED_HACE) += aspeed_hace.o
+obj-$(CONFIG_ASPEED_ARCY) += aspeed_arcy.o
diff --git a/drivers/crypto/aspeed/aspeed_arcy.c b/drivers/crypto/aspeed/aspeed_arcy.c
new file mode 100644
index 0000000000..d3da869f83
--- /dev/null
+++ b/drivers/crypto/aspeed/aspeed_arcy.c
@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2021 ASPEED Technology Inc.
+ */
+#include <config.h>
+#include <common.h>
+#include <clk.h>
+#include <dm.h>
+#include <asm/types.h>
+#include <asm/io.h>
+#include <dm/device.h>
+#include <dm/fdtaddr.h>
+#include <linux/delay.h>
+#include <u-boot/rsa-mod-exp.h>
+
+/* ARCY register offsets */
+#define ARCY_CTRL1		0x00
+#define   ARCY_CTRL1_RSA_DMA		BIT(1)
+#define   ARCY_CTRL1_RSA_START		BIT(0)
+#define ARCY_CTRL2		0x44
+#define ARCY_CTRL3		0x48
+#define   ARCY_CTRL3_SRAM_AHB_ACCESS	BIT(8)
+#define   ARCY_CTRL3_ECC_RSA_MODE_MASK	GENMASK(5, 4)
+#define   ARCY_CTRL3_ECC_RSA_MODE_SHIFT	4
+#define ARCY_DMA_DRAM_SADDR	0x4c
+#define ARCY_DMA_DMEM_TADDR	0x50
+#define   ARCY_DMA_DMEM_TADDR_LEN_MASK	GENMASK(15, 0)
+#define   ARCY_DMA_DMEM_TADDR_LEN_SHIFT	0
+#define ARCY_RSA_PARAM		0x58
+#define   ARCY_RSA_PARAM_EXP_MASK	GENMASK(31, 16)
+#define   ARCY_RSA_PARAM_EXP_SHIFT	16
+#define   ARCY_RSA_PARAM_MOD_MASK	GENMASK(15, 0)
+#define   ARCY_RSA_PARAM_MOD_SHIFT	0
+#define ARCY_RSA_INT_EN		0x3f8
+#define   ARCY_RSA_INT_EN_RSA_READY	BIT(2)
+#define   ARCY_RSA_INT_EN_RSA_CMPLT	BIT(1)
+#define ARCY_RSA_INT_STS	0x3fc
+#define   ARCY_RSA_INT_STS_RSA_READY	BIT(2)
+#define   ARCY_RSA_INT_STS_RSA_CMPLT	BIT(1)
+
+/* misc. constant */
+#define ARCY_ECC_MODE	2
+#define ARCY_RSA_MODE	3
+#define ARCY_CTX_BUFSZ	0x600
+
+struct aspeed_arcy {
+	phys_addr_t base;
+	phys_addr_t sram_base; /* internal sram */
+	struct clk clk;
+};
+
+static int aspeed_arcy_mod_exp(struct udevice *dev, const uint8_t *sig, uint32_t sig_len,
+			       struct key_prop *prop, uint8_t *out)
+{
+	int i, j;
+	u8 *ctx;
+	u8 *ptr;
+	u32 reg;
+	struct aspeed_arcy *arcy = dev_get_priv(dev);
+
+	ctx = memalign(16, ARCY_CTX_BUFSZ);
+	if (!ctx)
+		return -ENOMEM;
+
+	memset(ctx, 0, ARCY_CTX_BUFSZ);
+
+	ptr = (u8 *)prop->public_exponent;
+	for (i = prop->exp_len - 1, j = 0; i >= 0; --i) {
+		ctx[j] = ptr[i];
+		j++;
+		j = (j % 16) ? j : j + 32;
+	}
+
+	ptr = (u8 *)prop->modulus;
+	for (i = (prop->num_bits >> 3) - 1, j = 0; i >= 0; --i) {
+		ctx[j + 16] = ptr[i];
+		j++;
+		j = (j % 16) ? j : j + 32;
+	}
+
+	ptr = (u8 *)sig;
+	for (i = sig_len - 1, j = 0; i >= 0; --i) {
+		ctx[j + 32] = ptr[i];
+		j++;
+		j = (j % 16) ? j : j + 32;
+	}
+
+	writel((u32)ctx, arcy->base + ARCY_DMA_DRAM_SADDR);
+
+	reg = (((prop->exp_len << 3) << ARCY_RSA_PARAM_EXP_SHIFT) & ARCY_RSA_PARAM_EXP_MASK) |
+		  ((prop->num_bits << ARCY_RSA_PARAM_MOD_SHIFT) & ARCY_RSA_PARAM_MOD_MASK);
+	writel(reg, arcy->base + ARCY_RSA_PARAM);
+
+	reg = (ARCY_CTX_BUFSZ << ARCY_DMA_DMEM_TADDR_LEN_SHIFT) & ARCY_DMA_DMEM_TADDR_LEN_MASK;
+	writel(reg, arcy->base + ARCY_DMA_DMEM_TADDR);
+
+	reg = (ARCY_RSA_MODE << ARCY_CTRL3_ECC_RSA_MODE_SHIFT) & ARCY_CTRL3_ECC_RSA_MODE_MASK;
+	writel(reg, arcy->base + ARCY_CTRL3);
+
+	writel(ARCY_CTRL1_RSA_DMA | ARCY_CTRL1_RSA_START, arcy->base + ARCY_CTRL1);
+
+	/* polling RSA status */
+	while (1) {
+		reg = readl(arcy->base + ARCY_RSA_INT_STS);
+		if ((reg & ARCY_RSA_INT_STS_RSA_READY) && (reg & ARCY_RSA_INT_STS_RSA_CMPLT))
+			break;
+		udelay(20);
+	}
+
+	writel(0x0, arcy->base + ARCY_CTRL1);
+	writel(ARCY_CTRL3_SRAM_AHB_ACCESS, arcy->base + ARCY_CTRL3);
+	udelay(20);
+
+	for (i = (prop->num_bits / 8) - 1, j = 0; i >= 0; --i) {
+		out[i] = readb(arcy->sram_base + (j + 32));
+		j++;
+		j = (j % 16) ? j : j + 32;
+	}
+
+	return 0;
+}
+
+static int aspeed_arcy_probe(struct udevice *dev)
+{
+	struct aspeed_arcy *arcy = dev_get_priv(dev);
+	int ret;
+
+	ret = clk_get_by_index(dev, 0, &arcy->clk);
+	if (ret < 0) {
+		debug("Can't get clock for %s: %d\n", dev->name, ret);
+		return ret;
+	}
+
+	ret = clk_enable(&arcy->clk);
+	if (ret) {
+		debug("Failed to enable arcy clock (%d)\n", ret);
+		return ret;
+	}
+
+	arcy->base = devfdt_get_addr_index(dev, 0);
+	if (arcy->base == FDT_ADDR_T_NONE) {
+		debug("Failed to get arcy base\n");
+		return arcy->base;
+	}
+
+	arcy->sram_base = devfdt_get_addr_index(dev, 1);
+	if (arcy->sram_base == FDT_ADDR_T_NONE) {
+		debug("Failed to get arcy SRAM base\n");
+		return arcy->sram_base;
+	}
+
+	return ret;
+}
+
+static int aspeed_arcy_remove(struct udevice *dev)
+{
+	struct aspeed_arcy *arcy = dev_get_priv(dev);
+
+	clk_disable(&arcy->clk);
+
+	return 0;
+}
+
+static const struct mod_exp_ops aspeed_arcy_ops = {
+	.mod_exp = aspeed_arcy_mod_exp,
+};
+
+static const struct udevice_id aspeed_arcy_ids[] = {
+	{ .compatible = "aspeed,ast2600-arcy" },
+	{ }
+};
+
+U_BOOT_DRIVER(aspeed_arcy) = {
+	.name = "aspeed_arcy",
+	.id = UCLASS_MOD_EXP,
+	.of_match = aspeed_arcy_ids,
+	.probe = aspeed_arcy_probe,
+	.remove = aspeed_arcy_remove,
+	.priv_auto = sizeof(struct aspeed_arcy),
+	.ops = &aspeed_arcy_ops,
+	.flags = DM_FLAG_PRE_RELOC,
+};
diff --git a/lib/rsa/Kconfig b/lib/rsa/Kconfig
index a90d67e5a8..81c0936e58 100644
--- a/lib/rsa/Kconfig
+++ b/lib/rsa/Kconfig
@@ -1,7 +1,8 @@
 config RSA
 	bool "Use RSA Library"
 	select RSA_FREESCALE_EXP if FSL_CAAM && !ARCH_MX7 && !ARCH_MX6 && !ARCH_MX5
-	select RSA_SOFTWARE_EXP if !RSA_FREESCALE_EXP
+	select RSA_ASPEED_EXP if ASPEED_ARCY
+	select RSA_SOFTWARE_EXP if !RSA_FREESCALE_EXP && !RSA_ASPEED_EXP
 	help
 	  RSA support. This enables the RSA algorithm used for FIT image
 	  verification in U-Boot.
@@ -61,4 +62,11 @@ config RSA_FREESCALE_EXP
 	Enables driver for RSA modular exponentiation using Freescale cryptographic
 	accelerator - CAAM.
 
+config RSA_ASPEED_EXP
+	bool "Enable RSA Modular Exponentiation with ASPEED crypto accelerator"
+	depends on DM && ASPEED_ARCY
+	help
+	Enables driver for RSA modular exponentiation using ASPEED cryptographic
+	accelerator - ARCY
+
 endif
-- 
2.17.1

[PATCH v2 09/14] ast2600: spl: Add ARCY probing

[Chia-Wei Wang]

Probe ARCY driver in SPL board init if enabled.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/mach-aspeed/ast2600/spl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/arm/mach-aspeed/ast2600/spl.c b/arch/arm/mach-aspeed/ast2600/spl.c
index a0fc420ff1..2172bb4ae7 100644
--- a/arch/arm/mach-aspeed/ast2600/spl.c
+++ b/arch/arm/mach-aspeed/ast2600/spl.c
@@ -49,6 +49,12 @@ void spl_board_init(void)
 					 &dev);
 	if (rc)
 		debug("HACE initialization failure, rc=%d\n", rc);
+
+	rc = uclass_get_device_by_driver(UCLASS_MOD_EXP,
+					 DM_DRIVER_GET(aspeed_arcy),
+					 &dev);
+	if (rc)
+		debug("ARCY initialization failure, rc=%d\n", rc);
 }
 #endif
 
-- 
2.17.1

[PATCH v2 10/14] ARM: dts: ast2600: Add ARCY to device tree

[Chia-Wei Wang]

Add ARCY DTS node and enable it for AST2600 EVB.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/dts/ast2600-evb.dts | 5 +++++
 arch/arm/dts/ast2600.dtsi    | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/arch/arm/dts/ast2600-evb.dts b/arch/arm/dts/ast2600-evb.dts
index adb80a30ef..fd4e35e954 100644
--- a/arch/arm/dts/ast2600-evb.dts
+++ b/arch/arm/dts/ast2600-evb.dts
@@ -182,3 +182,8 @@
 	u-boot,dm-pre-reloc;
 	status = "okay";
 };
+
+&arcy {
+	u-boot,dm-pre-reloc;
+	status = "okay";
+};
diff --git a/arch/arm/dts/ast2600.dtsi b/arch/arm/dts/ast2600.dtsi
index 642206fb77..216156bfbb 100644
--- a/arch/arm/dts/ast2600.dtsi
+++ b/arch/arm/dts/ast2600.dtsi
@@ -195,6 +195,15 @@
 			status = "disabled";
 		};
 
+		arcy: arcy@1e6fa000 {
+			compatible = "aspeed,ast2600-arcy";
+			reg = <0x1e6fa000 0x1000>,
+			      <0x1e710000 0x10000>;
+			interrupts = <GIC_SPI 160 IRQ_TYPE_LEVEL_HIGH>;
+			clocks = <&scu ASPEED_CLK_GATE_RSACLK>;
+			status = "disabled";
+		};
+
 		edac: sdram@1e6e0000 {
 			compatible = "aspeed,ast2600-sdram-edac";
 			reg = <0x1e6e0000 0x174>;
-- 
2.17.1

[PATCH v2 11/14] ast2600: spl: Locate load buffer in DRAM space

[Chia-Wei Wang]

Return CONFIG_SYS_LOAD_ADDR pointing to DRAM space for
spl_get_load_buffer() to allow generic SPL image loading
code (e.g. FIT and Ymodem) to store data in DRAM.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 arch/arm/mach-aspeed/ast2600/spl.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/arch/arm/mach-aspeed/ast2600/spl.c b/arch/arm/mach-aspeed/ast2600/spl.c
index 2172bb4ae7..42ef24316e 100644
--- a/arch/arm/mach-aspeed/ast2600/spl.c
+++ b/arch/arm/mach-aspeed/ast2600/spl.c
@@ -28,14 +28,7 @@ u32 spl_boot_device(void)
 
 struct image_header *spl_get_load_buffer(ssize_t offset, size_t size)
 {
-	/*
-	 * When boot from SPI, AST2600 already remap 0x00000000 ~ 0x0fffffff
-	 * to BMC SPI memory space 0x20000000 ~ 0x2fffffff. The next stage BL
-	 * has been located in SPI for XIP. In this case, the load buffer for
-	 * SPL image loading will be set to the remapped address of the next
-	 * BL instead of the DRAM space CONFIG_SYS_LOAD_ADDR
-	 */
-	return (struct image_header *)(CONFIG_SYS_TEXT_BASE);
+	return (struct image_header *)(CONFIG_SYS_LOAD_ADDR);
 }
 
 #ifdef CONFIG_SPL_BOARD_INIT
-- 
2.17.1

[PATCH v2 12/14] configs: ast2600-evb: Enable SPL FIT support

[Chia-Wei Wang]

Enable SPL FIT image load and verification support.
The HW accelerated SHA is also available with the
newly added support of the HACE HW hash engine.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 configs/evb-ast2600_defconfig | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/configs/evb-ast2600_defconfig b/configs/evb-ast2600_defconfig
index f24425997d..5049217b55 100644
--- a/configs/evb-ast2600_defconfig
+++ b/configs/evb-ast2600_defconfig
@@ -1,7 +1,7 @@
 CONFIG_ARM=y
 CONFIG_SYS_DCACHE_OFF=y
 CONFIG_ARCH_ASPEED=y
-CONFIG_SYS_TEXT_BASE=0x10000
+CONFIG_SYS_TEXT_BASE=0x80000000
 CONFIG_ASPEED_AST2600=y
 CONFIG_TARGET_EVB_AST2600=y
 CONFIG_SPL_LIBCOMMON_SUPPORT=y
@@ -11,12 +11,19 @@ CONFIG_NR_DRAM_BANKS=1
 CONFIG_ENV_SIZE=0x10000
 CONFIG_DEFAULT_DEVICE_TREE="ast2600-evb"
 CONFIG_SPL_SERIAL_SUPPORT=y
+CONFIG_SPL_DRIVERS_MISC_SUPPORT=y
+CONFIG_SPL_STACK_R_ADDR=0x83000000
 CONFIG_SPL_SIZE_LIMIT=0x10000
 CONFIG_SPL=y
 # CONFIG_ARMV7_NONSEC is not set
 # CONFIG_SYS_MALLOC_CLEAR_ON_INIT is not set
 CONFIG_FIT=y
-# CONFIG_LEGACY_IMAGE_FORMAT is not set
+CONFIG_FIT_ENABLE_SHA384_SUPPORT=y
+CONFIG_FIT_ENABLE_SHA512_SUPPORT=y
+CONFIG_SPL_FIT_SIGNATURE=y
+CONFIG_SPL_LOAD_FIT=y
+CONFIG_SPL_LOAD_FIT_ADDRESS=0x10000
+# CONFIG_USE_SPL_FIT_GENERATOR is not set
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="console=ttyS4,115200n8 root=/dev/ram rw"
 CONFIG_USE_BOOTCOMMAND=y
@@ -24,8 +31,15 @@ CONFIG_BOOTCOMMAND="bootm 20100000"
 # CONFIG_DISPLAY_CPUINFO is not set
 CONFIG_SPL_SIZE_LIMIT_SUBTRACT_GD=y
 CONFIG_SPL_SIZE_LIMIT_SUBTRACT_MALLOC=y
-# CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set
+CONFIG_SPL_BOARD_INIT=y
 CONFIG_SPL_SYS_MALLOC_SIMPLE=y
+CONFIG_SPL_STACK_R=y
+CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x2000000
+CONFIG_SPL_SHA1_SUPPORT=y
+CONFIG_SPL_SHA256_SUPPORT=y
+CONFIG_SPL_SHA384_SUPPORT=y
+CONFIG_SPL_SHA512_SUPPORT=y
+CONFIG_SPL_FIT_IMAGE_TINY=y
 CONFIG_SPL_DM_RESET=y
 CONFIG_SPL_RAM_SUPPORT=y
 CONFIG_SPL_RAM_DEVICE=y
@@ -45,6 +59,8 @@ CONFIG_REGMAP=y
 CONFIG_SPL_OF_TRANSLATE=y
 CONFIG_CLK=y
 CONFIG_SPL_CLK=y
+CONFIG_ASPEED_HACE=y
+CONFIG_ASPEED_ARCY=y
 CONFIG_DM_I2C=y
 CONFIG_MISC=y
 CONFIG_SPL_MISC=y
@@ -63,6 +79,8 @@ CONFIG_SYS_NS16550=y
 CONFIG_SYSRESET=y
 CONFIG_SPL_SYSRESET=y
 CONFIG_WDT=y
+CONFIG_SHA512_HW_ACCEL=y
 CONFIG_HEXDUMP=y
 # CONFIG_SPL_HEXDUMP is not set
 # CONFIG_EFI_LOADER is not set
+CONFIG_PHANDLE_CHECK_SEQ=y
-- 
2.17.1

[PATCH v2 13/14] configs: aspeed: Make EXTRA_ENV_SETTINGS board specific

[Chia-Wei Wang]

Move CONFIG_EXTRA_ENV_SETTINGS to board-specific
configuration headers.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 include/configs/aspeed-common.h | 9 ---------
 include/configs/evb_ast2500.h   | 6 ++++++
 include/configs/evb_ast2600.h   | 6 ++++++
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/include/configs/aspeed-common.h b/include/configs/aspeed-common.h
index df0f5d2e76..afe690af53 100644
--- a/include/configs/aspeed-common.h
+++ b/include/configs/aspeed-common.h
@@ -43,13 +43,4 @@
  */
 #define CONFIG_BOOTP_BOOTFILESIZE
 
-/*
- * Miscellaneous configurable options
- */
-
-#define CONFIG_EXTRA_ENV_SETTINGS \
-	"verify=yes\0"	\
-	"spi_dma=yes\0" \
-	""
-
 #endif	/* __AST_COMMON_CONFIG_H */
diff --git a/include/configs/evb_ast2500.h b/include/configs/evb_ast2500.h
index 0ff01af833..a886fd941e 100644
--- a/include/configs/evb_ast2500.h
+++ b/include/configs/evb_ast2500.h
@@ -16,4 +16,10 @@
 /* Memory Info */
 #define CONFIG_SYS_LOAD_ADDR		0x83000000
 
+/* Misc */
+#define CONFIG_EXTRA_ENV_SETTINGS \
+	"verify=yes\0"	\
+	"spi_dma=yes\0" \
+	""
+
 #endif	/* __CONFIG_H */
diff --git a/include/configs/evb_ast2600.h b/include/configs/evb_ast2600.h
index e7975bf66d..d2aceb6663 100644
--- a/include/configs/evb_ast2600.h
+++ b/include/configs/evb_ast2600.h
@@ -13,4 +13,10 @@
 /* Memory Info */
 #define CONFIG_SYS_LOAD_ADDR		0x83000000
 
+/* Misc */
+#define CONFIG_EXTRA_ENV_SETTINGS \
+	"verify=yes\0"	\
+	"spi_dma=yes\0" \
+	""
+
 #endif	/* __CONFIG_H */
-- 
2.17.1

[PATCH v2 14/14] configs: ast2600: Boot kernel FIT in DRAM

[Chia-Wei Wang]

AST2600 leverages the FIT hash/signature verification to fulfill
secure boot trust chain. To improve the performance and save SW
code size for those crypto operations, the two HW crypto engine,
HACE and ARCY, are enabled.

However, both of the engines can only access to data stored in
DRAM space. Therefore, we need to move the FIT image into DRAM
before the booting.

This patch update the CONFIG_BOOTCOMMAND to execute the pre-defined
ENV variable which consists of FIT image copy to memory and booting.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
---
 configs/evb-ast2600_defconfig | 2 +-
 include/configs/evb_ast2600.h | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/configs/evb-ast2600_defconfig b/configs/evb-ast2600_defconfig
index 5049217b55..f87487b82f 100644
--- a/configs/evb-ast2600_defconfig
+++ b/configs/evb-ast2600_defconfig
@@ -27,7 +27,7 @@ CONFIG_SPL_LOAD_FIT_ADDRESS=0x10000
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="console=ttyS4,115200n8 root=/dev/ram rw"
 CONFIG_USE_BOOTCOMMAND=y
-CONFIG_BOOTCOMMAND="bootm 20100000"
+CONFIG_BOOTCOMMAND="run bootspi"
 # CONFIG_DISPLAY_CPUINFO is not set
 CONFIG_SPL_SIZE_LIMIT_SUBTRACT_GD=y
 CONFIG_SPL_SIZE_LIMIT_SUBTRACT_MALLOC=y
diff --git a/include/configs/evb_ast2600.h b/include/configs/evb_ast2600.h
index d2aceb6663..83002db317 100644
--- a/include/configs/evb_ast2600.h
+++ b/include/configs/evb_ast2600.h
@@ -14,7 +14,14 @@
 #define CONFIG_SYS_LOAD_ADDR		0x83000000
 
 /* Misc */
+#define STR_HELPER(s)	#s
+#define STR(s)		STR_HELPER(s)
+
 #define CONFIG_EXTRA_ENV_SETTINGS \
+	"loadaddr=" STR(CONFIG_SYS_LOAD_ADDR) "\0" \
+	"bootspi=fdt addr 20100000 && fdt header get fitsize totalsize && " \
+	"cp.b 20100000 ${loadaddr} ${fitsize} && bootm; " \
+	"echo Error loading kernel FIT image\0" \
 	"verify=yes\0"	\
 	"spi_dma=yes\0" \
 	""
-- 
2.17.1