[U-Boot] [PATCH v2 00/10] Add support for secure boot on Keystone2 SoCs

[U-Boot] [PATCH v2 00/10] Add support for secure boot on Keystone2 SoCs

[Andrew F. Davis]

Hello all,

This series adds support for secure Keystone2 K2E, K2G, and K2HK devices,
much of the work is borrowed from the OMAP style devices as the secure
workings are very similar, allowing minimal changes for this support.

Thanks,
Andrew

Changes from v1:
 - Add Reviewed-bys
 - Add k2g_hs_evm_defconfig
 - Rebase on upstream/master

Andrew F. Davis (2):
  defconfig: k2hk_hs_evm: Add k2hk_hs_evm_defconfig
  defconfig: k2g_hs_evm: Add k2g_hs_evm_defconfig

Madan Srinivas (5):
  image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS
  arm: mach-omap2: Add secure image name common to OMAP and keystone
  ARM: Keystone2: Build secure images for K2
  doc: Updates info on using Keystone2 secure devices
  Kconfig: Adds SYS_TEXT_BASE config option for Keystone2

Vitaly Andrianov (3):
  arm: mach-keystone: Implements FIT post-processing call for keystone
    SoCs
  arm: mach-omap2: Enable Kconfig support for K2 HS devices
  defconfig: k2e_hs_evm: Add k2e_hs_evm_defconfig

 Kconfig                                            |  2 +-
 arch/arm/mach-keystone/config.mk                   |  6 ++
 arch/arm/mach-keystone/mon.c                       | 73 ++++++++++++++++++++++
 arch/arm/mach-omap2/Kconfig                        |  2 +-
 arch/arm/mach-omap2/config_secure.mk               |  6 ++
 configs/k2e_evm_defconfig                          |  1 +
 .../{k2e_evm_defconfig => k2e_hs_evm_defconfig}    | 15 ++---
 configs/k2g_evm_defconfig                          |  1 +
 .../{k2g_evm_defconfig => k2g_hs_evm_defconfig}    | 13 ++--
 configs/k2hk_evm_defconfig                         |  1 +
 .../{k2hk_evm_defconfig => k2hk_hs_evm_defconfig}  | 13 ++--
 configs/k2l_evm_defconfig                          |  1 +
 doc/README.ti-secure                               | 20 ++++++
 include/image.h                                    |  3 +-
 14 files changed, 126 insertions(+), 31 deletions(-)
 copy configs/{k2e_evm_defconfig => k2e_hs_evm_defconfig} (78%)
 copy configs/{k2g_evm_defconfig => k2g_hs_evm_defconfig} (82%)
 copy configs/{k2hk_evm_defconfig => k2hk_hs_evm_defconfig} (80%)

-- 
2.11.0

[U-Boot] [PATCH v2 01/10] image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

[Andrew F. Davis]

From: Madan Srinivas <madans@ti.com>

The function 'board_fit_image_post_process' is defined only when the
config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
systems that do not use SPL but do use FIT kernel images, only
CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
implicit declaration of function 'board_fit_image_post_process' warning
while building u-boot. Fix this warning.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 include/image.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/image.h b/include/image.h
index 2372518960..3f26f9bd1f 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1256,7 +1256,8 @@ void android_print_contents(const struct andr_img_hdr *hdr);
  */
 int board_fit_config_name_match(const char *name);
 
-#ifdef CONFIG_SPL_FIT_IMAGE_POST_PROCESS
+#if defined(CONFIG_SPL_FIT_IMAGE_POST_PROCESS) || \
+	defined(CONFIG_FIT_IMAGE_POST_PROCESS)
 /**
  * board_fit_image_post_process() - Do any post-process on FIT binary data
  *
-- 
2.11.0

[U-Boot] [PATCH v2 02/10] arm: mach-keystone: Implements FIT post-processing call for keystone SoCs

[Andrew F. Davis]

From: Vitaly Andrianov <vitalya@ti.com>

This commit implements the board_fit_image_post_process() function for
the keystone architecture. This function calls into the secure boot
monitor for secure authentication/decryption of the image. All needed
work is handled by the boot monitor and, depending on the keystone
platform, the security functions may be offloaded to other secure
processing elements in the SoC.

The boot monitor acts as the gateway to these secure functions and the
boot monitor for secure devices is available as part of the SECDEV
package for KS2. For more details refer doc/README.ti-secure

Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 arch/arm/mach-keystone/mon.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c
index 256f6300ed..81009848d0 100644
--- a/arch/arm/mach-keystone/mon.c
+++ b/arch/arm/mach-keystone/mon.c
@@ -10,6 +10,7 @@
 #include <common.h>
 #include <command.h>
 #include <mach/mon.h>
+#include <spl.h>
 asm(".arch_extension sec\n\t");
 
 int mon_install(u32 addr, u32 dpsc, u32 freq)
@@ -61,3 +62,75 @@ int mon_power_off(int core_id)
 		: "cc", "r0", "r1", "memory");
 	return  result;
 }
+
+#ifdef CONFIG_TI_SECURE_DEVICE
+#define KS2_HS_SEC_HEADER_LEN	0x60
+#define KS2_HS_SEC_TAG_OFFSET	0x34
+#define KS2_AUTH_CMD		130
+
+/**
+ * k2_hs_bm_auth() - Invokes security functions using a
+ * proprietary TI interface. This binary and source for
+ * this is available in the secure development package or
+ * SECDEV. For details on how to access this please refer
+ * doc/README.ti-secure
+ *
+ * @cmd: Secure monitor command
+ * @arg1: Argument for command
+ *
+ * returns non-zero value on success, zero on error
+ */
+static int k2_hs_bm_auth(int cmd, void *arg1)
+{
+	int result;
+
+	asm volatile (
+		"stmfd  r13!, {r4-r12, lr}\n"
+		"mov r0, %1\n"
+		"mov r1, %2\n"
+		"smc #2\n"
+		"ldmfd r13!, {r4-r12, lr}\n"
+		: "=&r" (result)
+		: "r" (cmd), "r" (arg1)
+		: "cc", "r0", "r1", "memory");
+
+	return  result;
+}
+
+void board_fit_image_post_process(void **p_image, size_t *p_size)
+{
+	int result = 0;
+	void *image = *p_image;
+
+	if (strncmp(image + KS2_HS_SEC_TAG_OFFSET, "KEYS", 4)) {
+		printf("No signature found in image!\n");
+		hang();
+	}
+
+	result = k2_hs_bm_auth(KS2_AUTH_CMD, image);
+	if (result == 0) {
+		printf("Authentication failed!\n");
+		hang();
+	}
+
+	/*
+	* Overwrite the image headers after authentication
+	* and decryption. Update size to reflect removal
+	* of header.
+	*/
+	memcpy(image, image + KS2_HS_SEC_HEADER_LEN, *p_size);
+	*p_size -= KS2_HS_SEC_HEADER_LEN;
+
+	/*
+	 * Output notification of successful authentication to re-assure the
+	 * user that the secure code is being processed as expected. However
+	 * suppress any such log output in case of building for SPL and booting
+	 * via YMODEM. This is done to avoid disturbing the YMODEM serial
+	 * protocol transactions.
+	 */
+	if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
+	      IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
+	      spl_boot_device() == BOOT_DEVICE_UART))
+		printf("Authentication passed\n");
+}
+#endif
-- 
2.11.0

[U-Boot] [PATCH v2 03/10] arm: mach-omap2: Enable Kconfig support for K2 HS devices

[Andrew F. Davis]

From: Vitaly Andrianov <vitalya@ti.com>

Like the OMAP54xx, AM43xx, & AM33xx family SoCs, the keystone family
of SoCs also have high security enabled models. Allow K2E devices to
be built with HS Device Type Support.

Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 arch/arm/mach-omap2/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-omap2/Kconfig b/arch/arm/mach-omap2/Kconfig
index 24bc485195..d74b068abc 100644
--- a/arch/arm/mach-omap2/Kconfig
+++ b/arch/arm/mach-omap2/Kconfig
@@ -1,6 +1,6 @@
 config TI_SECURE_DEVICE
 	bool "HS Device Type Support"
-	depends on OMAP54XX || AM43XX || AM33XX
+	depends on OMAP54XX || AM43XX || AM33XX || ARCH_KEYSTONE
 	help
 	  If a high secure (HS) device type is being used, this config
 	  must be set. This option impacts various aspects of the
-- 
2.11.0

[U-Boot] [PATCH v2 04/10] arm: mach-omap2: Add secure image name common to OMAP and keystone

[Andrew F. Davis]

From: Madan Srinivas <madans@ti.com>

As K2 can directly boot U-Boot, add u-boot_HS_MLO as the secure image
name for secure K2 devices, for all boot modes other than SPI flash.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 arch/arm/mach-omap2/config_secure.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/arm/mach-omap2/config_secure.mk b/arch/arm/mach-omap2/config_secure.mk
index 0c843338d7..0346cb93ab 100644
--- a/arch/arm/mach-omap2/config_secure.mk
+++ b/arch/arm/mach-omap2/config_secure.mk
@@ -77,6 +77,12 @@ u-boot-spl_HS_ISSW: $(obj)/u-boot-spl.bin FORCE
 u-boot-spl_HS_SPI_X-LOADER: $(obj)/u-boot-spl.bin FORCE
 	$(call if_changed,mkomapsecimg)
 
+# For supporting single stage boot on keystone, the image is a full u-boot
+# file, not an SPL. This will work for all boot devices, other than SPI
+# flash
+u-boot_HS_MLO: $(obj)/u-boot.bin
+	$(call if_changed,mkomapsecimg)
+
 # For supporting single stage XiP QSPI on AM43xx, the image is a full u-boot
 # file, not an SPL. In this case the mkomapsecimg command looks for a
 # u-boot-HS_* prefix
-- 
2.11.0

[U-Boot] [PATCH v2 05/10] ARM: Keystone2: Build secure images for K2

[Andrew F. Davis]

From: Madan Srinivas <madans@ti.com>

Adds an additional image type needed for supporting secure keystone
devices. The build generates u-boot_HS_MLO which can be used to boot
from all media on secure keystone devices.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 arch/arm/mach-keystone/config.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/arm/mach-keystone/config.mk b/arch/arm/mach-keystone/config.mk
index 9ae1e9ac91..db556ea0a8 100644
--- a/arch/arm/mach-keystone/config.mk
+++ b/arch/arm/mach-keystone/config.mk
@@ -5,9 +5,15 @@
 # SPDX-License-Identifier:     GPL-2.0+
 #
 
+include  $(srctree)/arch/arm/mach-omap2/config_secure.mk
+
 ifndef CONFIG_SPL_BUILD
+ifeq ($(CONFIG_TI_SECURE_DEVICE),y)
+ALL-y += u-boot_HS_MLO
+else
 ALL-y += MLO
 endif
+endif
 
 MKIMAGEFLAGS_u-boot-spl.gph = -A $(ARCH) -T gpimage -C none \
 	-a $(CONFIG_SPL_TEXT_BASE) -e $(CONFIG_SPL_TEXT_BASE) -n SPL
-- 
2.11.0

[U-Boot] [PATCH v2 06/10] doc: Updates info on using Keystone2 secure devices

[Andrew F. Davis]

From: Madan Srinivas <madans@ti.com>

Add a section describing the secure boot image used on
Keystone2 secure devices.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 doc/README.ti-secure | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/doc/README.ti-secure b/doc/README.ti-secure
index 9b0fbf9732..4b5380c0f3 100644
--- a/doc/README.ti-secure
+++ b/doc/README.ti-secure
@@ -133,6 +133,26 @@ Booting of U-Boot SPL
 	u-boot-spl_HS_X-LOADER - boot image for all other flash memories
 		including QSPI and NOR flash
 
+	Invoking the script for Keystone2 Secure Devices
+	=============================================
+
+	create-boot-image.sh \
+		<UNUSED> <INPUT_FILE> <OUTPUT_FILE> <UNUSED>
+
+	<UNUSED> is currently ignored and reserved for future use.
+
+	<INPUT_FILE> is the full path and filename of the public world boot
+	loader binary file (only u-boot.bin is currently supported on
+	Keystone2 devices, u-boot-spl.bin is not currently supported).
+
+	<OUTPUT_FILE> is the full path and filename of the final secure image.
+	The output binary images should be used in place of the standard
+	non-secure binary images (see the platform-specific user's guides
+	and releases notes for how the non-secure images are typically used)
+	u-boot_HS_MLO - signed and encrypted boot image that can be used to
+		boot from all media. Secure boot from SPI NOR flash is not
+		currently supported.
+
 Booting of Primary U-Boot (u-boot.img)
 ======================================
 
-- 
2.11.0

[U-Boot] [PATCH v2 07/10] Kconfig: Adds SYS_TEXT_BASE config option for Keystone2

[Andrew F. Davis]

From: Madan Srinivas <madans@ti.com>

This patch makes SYS_TEXT_BASE a config option for Keystone2
so that it can be used to load u-boot at different addresses
on secure and non-secure Keystone2 devices.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
---
 Kconfig                    | 2 +-
 configs/k2e_evm_defconfig  | 1 +
 configs/k2g_evm_defconfig  | 1 +
 configs/k2hk_evm_defconfig | 1 +
 configs/k2l_evm_defconfig  | 1 +
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index bbf4784119..1cf990dfce 100644
--- a/Kconfig
+++ b/Kconfig
@@ -286,7 +286,7 @@ config SYS_EXTRA_OPTIONS
 config SYS_TEXT_BASE
 	depends on ARC || X86 || ARCH_UNIPHIER || ARCH_ZYNQMP || \
 		(M68K && !TARGET_ASTRO_MCF5373L) || MICROBLAZE || MIPS || \
-		ARCH_ZYNQ
+		ARCH_ZYNQ || ARCH_KEYSTONE
 	depends on !EFI_APP
 	hex "Text Base"
 	help
diff --git a/configs/k2e_evm_defconfig b/configs/k2e_evm_defconfig
index d319705b67..63db1aef7c 100644
--- a/configs/k2e_evm_defconfig
+++ b/configs/k2e_evm_defconfig
@@ -7,6 +7,7 @@ CONFIG_SPL_SERIAL_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
 CONFIG_SPL_SPI_SUPPORT=y
 CONFIG_SPL_POWER_SUPPORT=y
+CONFIG_SYS_TEXT_BASE=0x0c000000
 CONFIG_DEFAULT_DEVICE_TREE="keystone-k2e-evm"
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_SYS_CONSOLE_INFO_QUIET=y
diff --git a/configs/k2g_evm_defconfig b/configs/k2g_evm_defconfig
index bbdcc2f136..44c9dff747 100644
--- a/configs/k2g_evm_defconfig
+++ b/configs/k2g_evm_defconfig
@@ -7,6 +7,7 @@ CONFIG_SPL_SERIAL_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
 CONFIG_SPL_SPI_SUPPORT=y
 CONFIG_SPL_POWER_SUPPORT=y
+CONFIG_SYS_TEXT_BASE=0x0c000000
 CONFIG_DEFAULT_DEVICE_TREE="keystone-k2g-evm"
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_SYS_CONSOLE_INFO_QUIET=y
diff --git a/configs/k2hk_evm_defconfig b/configs/k2hk_evm_defconfig
index b22086d477..12b80472d9 100644
--- a/configs/k2hk_evm_defconfig
+++ b/configs/k2hk_evm_defconfig
@@ -7,6 +7,7 @@ CONFIG_SPL_SERIAL_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
 CONFIG_SPL_SPI_SUPPORT=y
 CONFIG_SPL_POWER_SUPPORT=y
+CONFIG_SYS_TEXT_BASE=0x0c000000
 CONFIG_DEFAULT_DEVICE_TREE="keystone-k2hk-evm"
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_SYS_CONSOLE_INFO_QUIET=y
diff --git a/configs/k2l_evm_defconfig b/configs/k2l_evm_defconfig
index 5a28112857..39a992d797 100644
--- a/configs/k2l_evm_defconfig
+++ b/configs/k2l_evm_defconfig
@@ -7,6 +7,7 @@ CONFIG_SPL_SERIAL_SUPPORT=y
 CONFIG_SPL_SPI_FLASH_SUPPORT=y
 CONFIG_SPL_SPI_SUPPORT=y
 CONFIG_SPL_POWER_SUPPORT=y
+CONFIG_SYS_TEXT_BASE=0x0c000000
 CONFIG_DEFAULT_DEVICE_TREE="keystone-k2l-evm"
 CONFIG_OF_BOARD_SETUP=y
 CONFIG_SYS_CONSOLE_INFO_QUIET=y
-- 
2.11.0

[U-Boot] [PATCH v2 08/10] defconfig: k2e_hs_evm: Add k2e_hs_evm_defconfig

[Andrew F. Davis]

From: Vitaly Andrianov <vitalya@ti.com>

TI K2E secure devices have to be built with TI_SECURE_DEVICE, FIT, and
FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.

Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 configs/k2e_hs_evm_defconfig | 51 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 configs/k2e_hs_evm_defconfig

diff --git a/configs/k2e_hs_evm_defconfig b/configs/k2e_hs_evm_defconfig
new file mode 100644
index 0000000000..d515cedaca
--- /dev/null
+++ b/configs/k2e_hs_evm_defconfig
@@ -0,0 +1,51 @@
+CONFIG_ARM=y
+CONFIG_ARCH_KEYSTONE=y
+CONFIG_SYS_TEXT_BASE=0x0c000060
+CONFIG_TARGET_K2E_EVM=y
+CONFIG_TI_SECURE_DEVICE=y
+CONFIG_DEFAULT_DEVICE_TREE="keystone-k2e-evm"
+CONFIG_FIT=y
+CONFIG_FIT_IMAGE_POST_PROCESS=y
+CONFIG_OF_BOARD_SETUP=y
+CONFIG_SYS_CONSOLE_INFO_QUIET=y
+CONFIG_VERSION_VARIABLE=y
+CONFIG_HUSH_PARSER=y
+CONFIG_SYS_PROMPT="K2E HS EVM # "
+CONFIG_CMD_BOOTZ=y
+# CONFIG_CMD_IMLS is not set
+CONFIG_CMD_ASKENV=y
+# CONFIG_CMD_FLASH is not set
+CONFIG_CMD_NAND=y
+CONFIG_CMD_PART=y
+CONFIG_CMD_SF=y
+CONFIG_CMD_SPI=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_USB=y
+# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_DHCP=y
+CONFIG_CMD_MII=y
+CONFIG_CMD_PING=y
+CONFIG_CMD_EXT2=y
+CONFIG_CMD_EXT4=y
+CONFIG_CMD_EXT4_WRITE=y
+CONFIG_CMD_FAT=y
+CONFIG_CMD_FS_GENERIC=y
+CONFIG_CMD_UBI=y
+CONFIG_ISO_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_OF_CONTROL=y
+CONFIG_NET_RANDOM_ETHADDR=y
+CONFIG_DM=y
+CONFIG_TI_AEMIF=y
+# CONFIG_MMC is not set
+CONFIG_DM_SPI_FLASH=y
+CONFIG_SPI_FLASH=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_DM_ETH=y
+CONFIG_DM_SERIAL=y
+CONFIG_SYS_NS16550=y
+CONFIG_DM_SPI=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_DWC3=y
+CONFIG_USB_STORAGE=y
-- 
2.11.0

[U-Boot] [PATCH v2 09/10] defconfig: k2hk_hs_evm: Add k2hk_hs_evm_defconfig

[Andrew F. Davis]

TI K2HK secure devices have to be built with TI_SECURE_DEVICE, FIT, and
FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.

Signed-off-by: Andrew F. Davis <afd@ti.com>
---
 configs/k2hk_hs_evm_defconfig | 51 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 configs/k2hk_hs_evm_defconfig

diff --git a/configs/k2hk_hs_evm_defconfig b/configs/k2hk_hs_evm_defconfig
new file mode 100644
index 0000000000..9fe91ea19c
--- /dev/null
+++ b/configs/k2hk_hs_evm_defconfig
@@ -0,0 +1,51 @@
+CONFIG_ARM=y
+CONFIG_ARCH_KEYSTONE=y
+CONFIG_SYS_TEXT_BASE=0x0c000060
+CONFIG_TARGET_K2HK_EVM=y
+CONFIG_TI_SECURE_DEVICE=y
+CONFIG_DEFAULT_DEVICE_TREE="keystone-k2hk-evm"
+CONFIG_FIT=y
+CONFIG_FIT_IMAGE_POST_PROCESS=y
+CONFIG_OF_BOARD_SETUP=y
+CONFIG_SYS_CONSOLE_INFO_QUIET=y
+CONFIG_VERSION_VARIABLE=y
+CONFIG_HUSH_PARSER=y
+CONFIG_SYS_PROMPT="K2HK EVM # "
+CONFIG_CMD_BOOTZ=y
+# CONFIG_CMD_IMLS is not set
+CONFIG_CMD_ASKENV=y
+# CONFIG_CMD_FLASH is not set
+CONFIG_CMD_NAND=y
+CONFIG_CMD_PART=y
+CONFIG_CMD_SF=y
+CONFIG_CMD_SPI=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_USB=y
+# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_DHCP=y
+CONFIG_CMD_MII=y
+CONFIG_CMD_PING=y
+CONFIG_CMD_EXT2=y
+CONFIG_CMD_EXT4=y
+CONFIG_CMD_EXT4_WRITE=y
+CONFIG_CMD_FAT=y
+CONFIG_CMD_FS_GENERIC=y
+CONFIG_CMD_UBI=y
+CONFIG_ISO_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_OF_CONTROL=y
+CONFIG_NET_RANDOM_ETHADDR=y
+CONFIG_DM=y
+CONFIG_TI_AEMIF=y
+# CONFIG_MMC is not set
+CONFIG_DM_SPI_FLASH=y
+CONFIG_SPI_FLASH=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_DM_ETH=y
+CONFIG_DM_SERIAL=y
+CONFIG_SYS_NS16550=y
+CONFIG_DM_SPI=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_DWC3=y
+CONFIG_USB_STORAGE=y
-- 
2.11.0

[U-Boot] [PATCH v2 10/10] defconfig: k2g_hs_evm: Add k2g_hs_evm_defconfig

[Andrew F. Davis]

TI K2G secure devices have to be built with TI_SECURE_DEVICE, FIT, and
FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.

Signed-off-by: Andrew F. Davis <afd@ti.com>
---
 configs/k2g_hs_evm_defconfig | 55 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 configs/k2g_hs_evm_defconfig

diff --git a/configs/k2g_hs_evm_defconfig b/configs/k2g_hs_evm_defconfig
new file mode 100644
index 0000000000..9c21867408
--- /dev/null
+++ b/configs/k2g_hs_evm_defconfig
@@ -0,0 +1,55 @@
+CONFIG_ARM=y
+CONFIG_ARCH_KEYSTONE=y
+CONFIG_TARGET_K2G_EVM=y
+CONFIG_TI_SECURE_DEVICE=y
+CONFIG_SYS_TEXT_BASE=0x0c000060
+CONFIG_DEFAULT_DEVICE_TREE="keystone-k2g-evm"
+CONFIG_FIT=y
+CONFIG_OF_BOARD_SETUP=y
+CONFIG_FIT_IMAGE_POST_PROCESS=y
+CONFIG_SYS_CONSOLE_INFO_QUIET=y
+CONFIG_VERSION_VARIABLE=y
+CONFIG_HUSH_PARSER=y
+CONFIG_CMD_BOOTZ=y
+# CONFIG_CMD_IMLS is not set
+CONFIG_CMD_ASKENV=y
+# CONFIG_CMD_FLASH is not set
+CONFIG_CMD_MMC=y
+CONFIG_CMD_PART=y
+CONFIG_CMD_SF=y
+CONFIG_CMD_SPI=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_REMOTEPROC=y
+# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_DHCP=y
+CONFIG_CMD_MII=y
+CONFIG_CMD_PING=y
+CONFIG_CMD_EXT2=y
+CONFIG_CMD_EXT4=y
+CONFIG_CMD_EXT4_WRITE=y
+CONFIG_CMD_FAT=y
+CONFIG_CMD_FS_GENERIC=y
+CONFIG_CMD_UBI=y
+CONFIG_ISO_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_OF_CONTROL=y
+CONFIG_DM=y
+# CONFIG_BLK is not set
+CONFIG_DM_MMC=y
+# CONFIG_DM_MMC_OPS is not set
+CONFIG_MMC_OMAP_HS=y
+CONFIG_DM_SPI_FLASH=y
+CONFIG_SPI_FLASH=y
+CONFIG_SPI_FLASH_BAR=y
+CONFIG_SPI_FLASH_SPANSION=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_DM_ETH=y
+CONFIG_REMOTEPROC_TI_POWER=y
+CONFIG_DM_SERIAL=y
+CONFIG_SYS_NS16550=y
+CONFIG_DM_SPI=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_DWC3=y
+CONFIG_USB_STORAGE=y
-- 
2.11.0

[U-Boot] [PATCH v2 01/10] image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
> 
> The function 'board_fit_image_post_process' is defined only when the
> config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
> systems that do not use SPL but do use FIT kernel images, only
> CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
> implicit declaration of function 'board_fit_image_post_process' warning
> while building u-boot. Fix this warning.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 02/10] arm: mach-keystone: Implements FIT post-processing call for keystone SoCs

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Vitaly Andrianov <vitalya@ti.com>
> 
> This commit implements the board_fit_image_post_process() function for
> the keystone architecture. This function calls into the secure boot
> monitor for secure authentication/decryption of the image. All needed
> work is handled by the boot monitor and, depending on the keystone
> platform, the security functions may be offloaded to other secure
> processing elements in the SoC.
> 
> The boot monitor acts as the gateway to these secure functions and the
> boot monitor for secure devices is available as part of the SECDEV
> package for KS2. For more details refer doc/README.ti-secure
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 03/10] arm: mach-omap2: Enable Kconfig support for K2 HS devices

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Vitaly Andrianov <vitalya@ti.com>
> 
> Like the OMAP54xx, AM43xx, & AM33xx family SoCs, the keystone family
> of SoCs also have high security enabled models. Allow K2E devices to
> be built with HS Device Type Support.
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 04/10] arm: mach-omap2: Add secure image name common to OMAP and keystone

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
> 
> As K2 can directly boot U-Boot, add u-boot_HS_MLO as the secure image
> name for secure K2 devices, for all boot modes other than SPI flash.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 05/10] ARM: Keystone2: Build secure images for K2

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
> 
> Adds an additional image type needed for supporting secure keystone
> devices. The build generates u-boot_HS_MLO which can be used to boot
> from all media on secure keystone devices.

SPI boot has a different image on non-HS devices. Does this cover here?

> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 06/10] doc: Updates info on using Keystone2 secure devices

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
> 
> Add a section describing the secure boot image used on
> Keystone2 secure devices.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 07/10] Kconfig: Adds SYS_TEXT_BASE config option for Keystone2

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
> 
> This patch makes SYS_TEXT_BASE a config option for Keystone2
> so that it can be used to load u-boot at different addresses
> on secure and non-secure Keystone2 devices.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 08/10] defconfig: k2e_hs_evm: Add k2e_hs_evm_defconfig

[Lokesh Vutla]

On 4/7/2017 8:30 PM, Andrew F. Davis wrote:
> From: Vitaly Andrianov <vitalya@ti.com>
> 
> TI K2E secure devices have to be built with TI_SECURE_DEVICE, FIT, and
> FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Can you update Maintainers file or else buildman will complain.

Thanks and regards,
Lokesh

[U-Boot] [PATCH v2 01/10] image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

[Simon Glass]

On 7 April 2017 at 09:00, Andrew F. Davis <afd@ti.com> wrote:
> From: Madan Srinivas <madans@ti.com>
>
> The function 'board_fit_image_post_process' is defined only when the
> config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
> systems that do not use SPL but do use FIT kernel images, only
> CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
> implicit declaration of function 'board_fit_image_post_process' warning
> while building u-boot. Fix this warning.
>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> ---
>  include/image.h | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Simon Glass <sjg@chromium.org>

[U-Boot] [U-Boot, v2, 01/10] image: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:02AM -0500, Andrew F. Davis wrote:

> From: Madan Srinivas <madans@ti.com>
> 
> The function 'board_fit_image_post_process' is defined only when the
> config option CONFIG_FIT_IMAGE_POST_PROCESS is enabled. For secure
> systems that do not use SPL but do use FIT kernel images, only
> CONFIG_FIT_IMAGE_POST_PROCESS will be defined, which will result in an
> implicit declaration of function 'board_fit_image_post_process' warning
> while building u-boot. Fix this warning.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/f6d0a36b/attachment.sig>

[U-Boot] [U-Boot, v2, 02/10] arm: mach-keystone: Implements FIT post-processing call for keystone SoCs

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:03AM -0500, Andrew F. Davis wrote:

> From: Vitaly Andrianov <vitalya@ti.com>
> 
> This commit implements the board_fit_image_post_process() function for
> the keystone architecture. This function calls into the secure boot
> monitor for secure authentication/decryption of the image. All needed
> work is handled by the boot monitor and, depending on the keystone
> platform, the security functions may be offloaded to other secure
> processing elements in the SoC.
> 
> The boot monitor acts as the gateway to these secure functions and the
> boot monitor for secure devices is available as part of the SECDEV
> package for KS2. For more details refer doc/README.ti-secure
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/19b69e33/attachment.sig>

[U-Boot] [U-Boot, v2, 03/10] arm: mach-omap2: Enable Kconfig support for K2 HS devices

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:04AM -0500, Andrew F. Davis wrote:

> From: Vitaly Andrianov <vitalya@ti.com>
> 
> Like the OMAP54xx, AM43xx, & AM33xx family SoCs, the keystone family
> of SoCs also have high security enabled models. Allow K2E devices to
> be built with HS Device Type Support.
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/140aa939/attachment.sig>

[U-Boot] [U-Boot, v2, 04/10] arm: mach-omap2: Add secure image name common to OMAP and keystone

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:05AM -0500, Andrew F. Davis wrote:

> From: Madan Srinivas <madans@ti.com>
> 
> As K2 can directly boot U-Boot, add u-boot_HS_MLO as the secure image
> name for secure K2 devices, for all boot modes other than SPI flash.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/87a33d55/attachment.sig>

[U-Boot] [U-Boot, v2, 05/10] ARM: Keystone2: Build secure images for K2

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:06AM -0500, Andrew F. Davis wrote:

> From: Madan Srinivas <madans@ti.com>
> 
> Adds an additional image type needed for supporting secure keystone
> devices. The build generates u-boot_HS_MLO which can be used to boot
> from all media on secure keystone devices.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/ad07806e/attachment.sig>

[U-Boot] [U-Boot, v2, 06/10] doc: Updates info on using Keystone2 secure devices

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:07AM -0500, Andrew F. Davis wrote:

> From: Madan Srinivas <madans@ti.com>
> 
> Add a section describing the secure boot image used on
> Keystone2 secure devices.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/14fd9160/attachment.sig>

[U-Boot] [U-Boot, v2, 07/10] Kconfig: Adds SYS_TEXT_BASE config option for Keystone2

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:08AM -0500, Andrew F. Davis wrote:

> From: Madan Srinivas <madans@ti.com>
> 
> This patch makes SYS_TEXT_BASE a config option for Keystone2
> so that it can be used to load u-boot at different addresses
> on secure and non-secure Keystone2 devices.
> 
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/a12dea70/attachment.sig>

[U-Boot] [U-Boot, v2, 08/10] defconfig: k2e_hs_evm: Add k2e_hs_evm_defconfig

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:09AM -0500, Andrew F. Davis wrote:

> From: Vitaly Andrianov <vitalya@ti.com>
> 
> TI K2E secure devices have to be built with TI_SECURE_DEVICE, FIT, and
> FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.
> 
> Signed-off-by: Vitaly Andrianov <vitalya@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/b74ab416/attachment.sig>

[U-Boot] [U-Boot, v2, 09/10] defconfig: k2hk_hs_evm: Add k2hk_hs_evm_defconfig

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:10AM -0500, Andrew F. Davis wrote:

> TI K2HK secure devices have to be built with TI_SECURE_DEVICE, FIT, and
> FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.
> 
> Signed-off-by: Andrew F. Davis <afd@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/c11794ea/attachment.sig>

[U-Boot] [U-Boot, v2, 10/10] defconfig: k2g_hs_evm: Add k2g_hs_evm_defconfig

[Tom Rini]

On Fri, Apr 07, 2017 at 10:00:11AM -0500, Andrew F. Davis wrote:

> TI K2G secure devices have to be built with TI_SECURE_DEVICE, FIT, and
> FIT_IMAGE_POST_PROCESS enabled. Add a dedicated defconfig for this.
> 
> Signed-off-by: Andrew F. Davis <afd@ti.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170410/cf6002a3/attachment.sig>