Add a hab_rvt_check_target() step to authenticate_image() as a sanity
check for the target memory region authenticate_image() will run over,
prior to making the BootROM authentication callback itself.
This check is recommended by the HAB documentation so it makes sense to
adhere to the guidance and perform that check as directed.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
This patch implements the basic callback hooks for hab_rvt_check_target()
for BootROM code using the older BootROM address layout - in my test case
the i.MX7. Code based on new BootROM callbacks will just have HAB_SUCCESS
as a result code. Adding support for the new BootROM callbacks is a TODO.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The hab_rvt_check_target() callback according to the HABv4 documentation:
"This function reports whether or not a given target region is allowed for
either peripheral configuration or image loading in memory. It is intended
for use by post-ROM boot stage components, via the ROM Vector Table, in
order to avoid configuring security-sensitive peripherals, or loading
images over sensitive memory regions or outside recognized memory devices
in the address map."
It is a useful function to support as a precursor to calling into
authenticate_image() to validate the target memory region is good.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
This patch enables printout of the IVT entry, dcd and csf data fields.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The IVT gives the absolute address of the CSF. There is no requirement for
the CSF to be located adjacent to the IVT so lets use the address provided
in the IVT header instead of the hard-coded fixed CSF offset currently in
place.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Previous patches added IVT header verification steps. We shouldn't call
hab_rvt_entry() until we have done the basic header verification steps.
This patch changes the time we make the hab_rvt_entry() call so that it
only takes place if we are happy with the IVT header sanity checks.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The IVT is a self-describing structure which contains a self field. The
self field is the absolute physical base address the IVT ought to be at in
memory. Use the IVT self field to validate the calculated ivt_addr bugging
out if the two values differ.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The IVT header contains a magic number, fixed length and one of two version
identifiers. Validate these settings before doing anything with a putative
IVT binary.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The various i.MX BootROMs containing the High Assurance Boot (HAB) block
rely on a data structure called the Image Vector Table (IVT) to describe to
the BootROM where to locate various data-structures used by HAB during
authentication.
This patch adds a definition of the IVT header for use in later patches,
where we will break the current incorrect dependence on fixed offsets in
favour of an IVT described parsing of incoming binaries.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
u-boot command "hab_auth_img" tells a user that it takes
- addr - image hex address
- offset - hex offset of IVT in the image
but in fact the callback hab_auth_img makes to authenticate_image treats
the second 'offset' parameter as an image length.
Furthermore existing code requires the IVT header to be appended to the end
of the image which is not actually a requirement of HABv4.
This patch fixes this situation by
1: Adding a new parameter to hab_auth_img
- addr : image hex address
- length : total length of the image
- offset : offset of IVT from addr
2: Updates the existing call into authenticate_image() in
arch/arm/mach-imx/spl.c:jump_to_image_no_args() to pass
addr, length and IVT offset respectively.
This allows then hab_auth_img to actually operate the way it was specified
in the help text and should still allow existing code to work.
It has the added advantage that the IVT header doesn't have to be appended
to an image given to HAB - it can be prepended for example.
Note prepending the IVT is what u-boot will do when making an IVT for the
BootROM. It should be possible for u-boot properly authenticate images
made by mkimage via HAB.
This patch is the first step in making that happen subsequent patches will
focus on removing hard-coded offsets to the IVT, which again is not
mandated to live at the end of a .imx image.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
CSF_PAD_SIZE should be defined in hab.h, move it to that location now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The size of the IVT header should be defined in hab.h move it there now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The current code disjoins an entire block of code on hab_entry pass/fail
resulting in a large chunk of authenticate_image being offset to the right.
Fix this by checking hab_entry() pass/failure and exiting the function
directly if in an error state.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
There is no need to call is_enabled() twice in authenticate_image - it does
nothing but add an additional layer of indentation.
We can check for is_enabled() at the start of the function and return the
result code directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
authenticate_image returns 1 for success and 0 for failure. That result
code is mapped directly to the result code for the command line function
hab_auth_img - which means when hab_auth_img succeeds it is returning
CMD_RET_FAILURE (1) instead of CMD_RET_SUCCESS (0).
This patch fixes this behaviour by making authenticate_image() return 0 for
success and 1 for failure. Both users of authenticate_image() as a result
have some minimal churn. The upshot is once done when hab_auth_img is
called from the command line we set $? in the standard way for scripting
functions to act on.
Fixes: 36c1ca4d46 ("imx: Support i.MX6 High Assurance Boot
authentication")
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Both usages of authenticate_image treat the result code as a simple binary.
The command line usage of authenticate_image directly returns the result
code of authenticate_image as a success/failure code.
Right now when calling hab_auth_img and test the result code in a shell a
passing hab_auth_img will appear to the shell as a fail.
The first step in fixing this behaviour is to fix-up the result code return
by authenticate_image() itself, subsequent patches fix the interpretation
of authenticate_image so that zero will return CMD_RET_SUCCESS and non-zero
will return CMD_RET_FAILURE.
The first step is fixing the return type in authenticate_image() so do that
now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Like many other i.MX6 based boards, there are multiple variants of
the cm-fx6 module featuring different SoC variants. Furthermore, the
module can be paired with multiple baseboards.
At the same time modern distribution like Fedora require U-Boot to
select a proper devicetree which depends on the SoC variant and the
baseboard.
Thus, export the SoC variant and the actual board to the environment
following the conventions of other i.MX6 devices (e.g. the NXP boards)
such that the environment can select a devicetree file to load.
For now, we only know for sure that the cm-fx6 module and the SB-fx6m
baseboard amount to a Utilite Computer variant (depending on the SoC).
Further combinations may be added in the future; e.g. CompuLab's
evaluation board once someone can verify the identification string
stored in its eeprom.
Signed-off-by: Christopher Spinrath <christopher.spinrath@rwth-aachen.de>
Reviewed-by: Stefano Babic <sbabic@denx.de>
The "clocks" and "bootaux" commands are only usable in full U-Boot, not
SPL, so do not link them inside of SPL. Rework a little of the bootaux
related code to make use of __weak and declare parts of it static as
it's local to the file.
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
To support QSPI DM driver
- Add spi0 alias for qspi node. Which is used for bus number 0.
- Modify the n25q256a@0 compatible property to "spi-flash".
- Modify spi4 (gpio_spi) node to spi5
- Define DM SPI/QSPI related config to enable QSPI
Signed-off-by: Peng Fan <peng.fan@nxp.com>
i.MX6ULL also does not have a MMDC_P1_BASE_ADDR, so do not try to
access it.
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Stefano Babic <ssbabic@denx.de>
Compile-off mp.c and libfdt.c in case of SPL build. SPL size reduces
by approx 2k.
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
855873: An eviction might overtake a cache clean operation
Workaround: The erratum can be avoided by upgrading cache clean by
address operations to cache clean and invalidate operations. For
Cortex-A53 r0p3 and later release, this can be achieved by setting
CPUACTLR.ENDCCASCI to 1.
This patch is to implement the workaround for this erratum.
Signed-off-by: Alison Wang <alison.wang@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
This patch adds changes necessary to move functionality present in
PowerPC folders with ARM architectures that have DPAA1 QBMan hardware
- Create new board/freescale/common/fsl_portals.c to house shared
device tree fixups for DPAA1 devices with ARM and PowerPC cores
- Add new header file to top includes directory to allow files in
both architectures to grab the function prototypes
- Port inhibit_portals() from PowerPC to ARM. This function is used in
setup to disable interrupts on all QMan and BMan portals. It is
needed because the interrupts are enabled by default for all portals
including unused/uninitialised portals. When the kernel attempts to
go to deep sleep the unused portals prevent it from doing so
Signed-off-by: Ahmed Mansour <ahmed.mansour@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Sata registers PP2C and PP3C are used to control the configuration
of the PHY control OOB timing for the COMINIT/COMWAKE parameters
respectively. Calculate those parameters from port clock frequency.
Overwrite those registers with calculated values to get better OOB
timing.
Signed-off-by: Tang Yuantian <andy.tang@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Given gcc-6.1 and later we can now safely have strings discarded when
the functions are unused. This lets us drop certain cases of not
building something so that we don't have the strings brought in when the
code was discarded. Simplify the code now by dropping guards we don't
need now.
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Chander Kashyap <k.chander@samsung.com>
Cc: Thomas Abraham <thomas.ab@samsung.com>
Cc: Vipin Kumar <vipin.kumar@st.com>
Cc: Wenyou Yang <wenyou.yang@microchip.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13 carry altenate
function, ALT5 for ARM JTAG
Signed-off-by: Henry Zhang <henryzhang62@yahoo.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add DT nodes to enable ARM_PL180_MMCI IP support for STM32F746
and STM32F769 discovery boards
There is a hardware issue on these boards, it misses a pullup on the GPIO line
used as card detect to allow correct SD card detection.
As workaround, cd-gpios property is not present in DT.
So SD card is always considered present in the slot.
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This board offers :
_ STM32F469NIH6 microcontroller featuring 2 Mbytes of Flash memory
and 324 Kbytes of RAM in BGA216 package
_ On-board ST-LINK/V2-1 SWD debugger, supporting USB reenumeration capability:
_ Mbed-enabled (mbed.org)
_ USB functions: USB virtual COM port, mass storage, debug port
_ 4 inches 800x480 pixel TFT color LCD with MIPI DSI interface and capacitive
touch screen
_ SAI Audio DAC, with a stereo headphone output jack
_ 3 MEMS microphones
_ MicroSD card connector
_ I2C extension connector
_ 4Mx32bit SDRAM
_ 128-Mbit Quad-SPI NOR Flash
_ Reset and wake-up buttons
_ 4 color user LEDs
_ USB OTG FS with Micro-AB connector
_ Three power supply options:
_ Expansion connectors and Arduino™ UNO V3 connectors
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
This DT file comes from kernel v4.15-rc1
stm32f469-pinctrl.dtsi header has been updated with correct
STMicroelectronics Copyright.
Remove the paragraph about writing to the Free Software
Foundation's mailing address as requested by checkpatch.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Use available DM stm32f7_gpio.c and pinctrl_stm32.c drivers
instead of board GPIO initialization.
Remove stm32_gpio.c which is no more used and migrate
structs stm32_gpio_regs and stm32_gpio_priv into
arch-stm32f4/gpio.h to not break compilation.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Use available DM clk_stm32f.c driver instead of dedicated
mach-stm32/stm32f4/clock.c.
Migrate periph_clock defines from stm32_periph.h directly in
CLK driver. These periph_clock defines will be removed when STMMAC,
TIMER2 and SYSCFG drivers will support DM CLK.
Enable also CLK flag.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
In order to use common clock driver between STM32F4 and
STM32F7, remove clock_get() call
As APB_PSC is always set to 2, only case when
clock_get(CLOCK_AHB) != clock_get(CLOCK_APB1) is kept
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Remove serial_stm32.c driver and uart init from board file,
use available DM serial_stm32x7.c driver compatible for
STM32F4/F7 and H7 SoCs.
The serial_stm32x7.c driver will be renamed later with a more
generic name as it's shared with all STM32 Socs.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
_ Add gpio compatible and aliases for stm32f429
_ Add FMC sdram node with associated new bindings value to
manage second bank (ie bank 1).
_ Add "u-boot,dm-pre-reloc" for rcc, fmc, fixed-clock, pinctrl,
pwrcfg and gpio nodes.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
All these files comes from kernel v4.15-rc1.
Update some header with correct STMicroelectronics Copyright.
Remove the paragraph about writing to the Free Software
Foundation's mailing address as requested by checkpatch.
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>