The patch implements secure booting for the mvebu architecture.
This includes:
- The addition of secure headers and all needed signatures and keys in
mkimage
- Commands capable of writing the board's efuses to both write the
needed cryptographic data and enable the secure booting mechanism
- The creation of convenience text files containing the necessary
commands to write the efuses
The KAK and CSK keys are expected to reside in the files kwb_kak.key and
kwb_csk.key (OpenSSL 2048 bit private keys) in the top-level directory.
Signed-off-by: Reinhard Pfau <reinhard.pfau@gdsys.cc>
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Stefan Roese <sr@denx.de>
To being able to sign created binaries, we need to know the HAB Blocks
for that image. Especially for the imximage type the HAB Blocks are
only available during creation of the image. We want to preserve the
information until we get to sign the files.
In the verbose case we still get them printed out instead of writing
to log files.
Cc: sbabic@denx.de
v2-Changes:
- No usage of MKIMAGEOUTPUT_$(@F) macro.
- Predefine default value /dev/null in every involved Makefile.
Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>
When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF.
Images generated as firmware_ivt can directly be signed using the
Freescale code signing tool. For creation of a CSF, mkimage outputs
the correct HAB Blocks for the image.
The changes to the usual firmware image class are quite small,
that is why I implemented that directly into the default_image.
Cc: sbabic@denx.de
v2-Changes: None
Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>
Change x86 boards to use binman to produce the ROM. This involves adding the
image definition to the device tree and using it in the Makefile. The
existing ifdtool features are no-longer needed.
Note that the u-boot.dtsi file is common and is used for all x86 boards which
use microcode. A separate emulation-u-boot-dtsi is used for the others.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Move sunxi boards to use binman. This involves adding the image definition
to the device tree and using it in the Makefile.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Add a standard command definition for binman so that it can be used in
makefiles.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
A common requirement when converting CONFIG options to Kconfig is to check
that the effective configuration has not changed due to the conversion. Add
a target which creates this configuration (in the form of u-boot.cfg) but
does not build U-Boot. This speeds up the checking.
Signed-off-by: Simon Glass <sjg@chromium.org>
These files now need to be in a standard place so that they can be located
by generic Makefile rules. Move them to the 'lib' directory.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
When building an EFI app we need three things:
- start-up code
- relocation code
- link script
These are all different for each architecture. We also need special
compiler flags in some cases.
Add top-level Makefile variables for these along with documentation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
CONFIG_SUNXI -> CONFIG_ARCH_SUNXI
and removed CONFIG_SUNIX from config_whitelist.txt
Cc: Simon Glass <sjg@chromium.org>
Cc: Ian Campbell <ijc@hellion.org.uk>
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jagan Teki <jteki@openedev.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Our build system still parses ad-hoc CONFIG options in header files
and generates include/autoconf.mk so that Makefiles can reference
them. This gimmick was introduced in the pre-Kconfig days and will
be kept until Kconfig migration is completed.
The include/autoconf.mk is generated like follows:
[1] Preprocess include/common.h with -DDO_DEPS_ONLY and
retrieve macros into include/autoconf.mk.tmp
[2] Reformat include/autoconf.mk.dep into include/autoconf.mk
with tools/scripts/define2mk.sed script
[3] Remove include/autoconf.mk.tmp
Here, include/autoconf.mk.tmp is similar to u-boot.cfg, which is
also generated by preprocessing include/config.h with -DDO_DEPS_ONLY.
In other words, there is much overlap among include/autoconf.mk and
u-boot.cfg build rules.
So, the idea is to split the build rule of include/autoconf.mk
into two stages. The first preprocesses headers into u-boot.cfg.
The second parses the u-boot.cfg into include/autoconf.mk. The
build rules of u-boot.cfg in Makefile and spl/Makefile will be gone.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
I am going to move the build rule of u-boot.cfg. Before that,
no_new_adhoc_configs_check must be tweaked to not depend on it.
The ad-hoc option check can be done at the end of build, along
with other checks.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This format can be flashed directly at address 0 of
the NAND FLASH, as it contains all necessary headers.
Signed-off-by: Albert ARIBAUD (3ADEV) <albert.aribaud@3adev.fr>
Prior to the previous patch, a freshly created .u-boot.cfg.cmd may not
correctly represent all dependencies for u-boot.cfg. The previous change
only solved this issue for fresh builds; when performing an incremental
build, the deficient .u-boot.cfg.cmd is already present, so u-boot.cfg
is not rebuilt, and hence .u-boot.cfg.cmd is not rebuilt with the correct
content.
Solve this by explicitly detecting when the dependency file .u-boot.cfg.d
has not been integrated into .u-boot.cfg.cmd, and force u-boot.cfg to be
rebuilt in this case by deleting it first. This is possible since
if_changed_dep will always delete .u-boot.cfg.d when it executes
successfully, so its presence means either that the previous build was
made by a source tree that contained a Makefile that didn't include the
previous patch, or that the build failed part way through executing
if_changed_dep for u-boot.cfg. Forcing a rebuild of u-boot.cfg is required
in the former case, and will cause no additional work in the latter case,
since the file would be rebuilt anyway for the same reason it was being
rebuilt by the previous build.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
cmd_cpp_cfg generates a dependency output, but because it's invoked using
if_changed rather than if_changed_dep, that dependency file is ignored.
This results in Kbuild not knowing about which files u-boot.cfg depends
on, so it may not be rebuilt when required.
A practical result of this is that u-boot.cfg may continue to reference
CONFIG_ options that no longer exist in the source tree, and this can
cause the adhoc config options check to fail.
This change modifies Makefile to use if_changed_dep, which in turn causes
all dependencies to be known to the next make invocation.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
New CONFIG options should be added via Kconfig. To help prevent new ad-hoc
CONFIGs from being added, give a build error when these are detected.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
This general MMDC driver adds basic support for Freescale MMDC
(Multi Mode DDR Controller). Currently MMDC is integrated on ARMv8
LS1012A SoC for DDR3L, there will be a update to this driver to
support more flexible configuration if new features (DDR4, multiple
controllers/chip selections, etc) are implimented in future.
Meantime, reuse common MMDC driver for LS1012ARDB/LS1012AQDS/
LS1012AFRDM.
Signed-off-by: Shengzhou Liu <Shengzhou.Liu@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
make tags creates a symbolic link called tags to ctags. Remove this file
on make mrproper or make distclean.
Signed-off-by: Vignesh R <vigneshr@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
This adds a bunch of unit tests for the "fdt apply" command.
They've all been run successfully in the sandbox. However, as you still
require an out-of-tree dtc with overlay support, this is disabled by
default.
Acked-by: Simon Glass <sjg@chromium.org>
Acked-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
The Xtensa processor architecture is a configurable, extensible,
and synthesizable 32-bit RISC processor core provided by Cadence.
This is the first part of the basic architecture port with changes to
common files. The 'arch/xtensa' directory, and boards and additional
drivers will be in separate commits.
Signed-off-by: Chris Zankel <chris@zankel.net>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Add this shortcut for running tests. Unfortunately 'make test' cannot be
used as it is an existing directory.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Teddy Reed <teddy.reed@gmail.com>
Many SoCs allow power to be applied to or removed from portions of the SoC
(power domains). This may be used to save power. This API provides the
means to control such power management hardware.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Acked-by: Simon Glass <sjg@chromium.org>
Sandbox includes this code to provide build coverage. While we retain this
feature we should have sandbox build it. Sandbox does not in fact use the
I2C compatibility mode. Showing a warning for sandbox is just confusing,
since no conversion is expected.
Drop the warning for sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>
Sometimes it is useful to build tools with debugging information included so
that line-number information is available when run under gdb. Add a Kconfig
option to support this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
If the final targets depend on both "dtbs" and "dts/dt.dtb",
and -j option is given to the command line, multiple threads
descend into the dts/ directory, which causes build error.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Tested-by: Andreas Dannenberg <dannenberg@ti.com>
The output reported may be locale-dependent, which results in
unreproducible builds.
$ LANG=C ld --version | head -n 1
GNU ld (GNU Binutils for Debian) 2.26
$ LANG=it_CH.UTF-8 ld --version | head -n 1
ld di GNU (GNU Binutils for Debian) 2.26
Forcing LC_ALL=C ensures the output is consistant regardless of the
build environment.
Thanks to HW42 for debugging the issue:
https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html
For more information about reproducible builds:
https://reproducible-builds.org/
Signed-off-by: Vagrant Cascadian <vagrant@debian.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Remove the warning from the Makefile, since boards that do not use generic
board will no longer build. Also update documentation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Andreas Bießmann <andreas@biessmann.org>
For boards that support ACPI, there are dsdt.aml, dsdt.asl.tmp and
dsdt.c in the board directory after a successful build. These are
intermediate files generated by IASL, and should be removed during
a 'make clean'.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>