imx: imx8: ahab: sha256: enable image verification using ARMv8 crypto extension

add support for SHA-256 secure hash algorithm using the ARM v8
SHA-256 instructions for verifying image hash.

Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>

diff --git a/arch/arm/mach-imx/imx8/ahab.c b/arch/arm/mach-imx/imx8/ahab.c
index c878743feeb0dba3536d1aefdea60078ed579ed6..b58b14ca9b4d5488984b736edced3c211ef1ac70 100644 (file)
--- a/arch/arm/mach-imx/imx8/ahab.c
+++ b/arch/arm/mach-imx/imx8/ahab.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
- * Copyright 2018-2019 NXP
+ * Copyright 2018-2019, 2022 NXP
  */
 
 #include <common.h>
@@ -16,6 +16,7 @@
 #include <asm/mach-imx/image.h>
 #include <console.h>
 #include <cpu_func.h>
+#include "u-boot/sha256.h"
 #include <asm/mach-imx/ahab.h>
 
 DECLARE_GLOBAL_DATA_PTR;
@@ -25,6 +26,8 @@ DECLARE_GLOBAL_DATA_PTR;
 #define SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE  (0x60000000UL)
 
 #define SECO_PT                 2U
+#define AHAB_HASH_TYPE_MASK    0x00000700
+#define AHAB_HASH_TYPE_SHA256  0
 
 int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
 {
@@ -128,6 +131,9 @@ int authenticate_os_container(ulong addr)
        u16 length;
        struct boot_img_t *img;
        unsigned long s, e;
+#ifdef CONFIG_ARMV8_CE_SHA256
+       u8 hash_value[SHA256_SUM_LEN];
+#endif
 
        if (addr % 4) {
                puts("Error: Image's address is not 4 byte aligned\n");
@@ -177,9 +183,23 @@ int authenticate_os_container(ulong addr)
 
                flush_dcache_range(s, e);
 
-               ret = ahab_verify_cntr_image(img, i);
-               if (ret)
-                       goto exit;
+#ifdef CONFIG_ARMV8_CE_SHA256
+               if (((img->hab_flags & AHAB_HASH_TYPE_MASK) >> 8) == AHAB_HASH_TYPE_SHA256) {
+                       sha256_csum_wd((void *)img->dst, img->size, hash_value, CHUNKSZ_SHA256);
+                       err = memcmp(&img->hash, &hash_value, SHA256_SUM_LEN);
+                       if (err) {
+                               printf("img %d hash comparison failed, error %d\n", i, err);
+                               ret = -EIO;
+                               goto exit;
+                       }
+               } else {
+#endif
+                       ret = ahab_verify_cntr_image(img, i);
+                       if (ret)
+                               goto exit;
+#ifdef CONFIG_ARMV8_CE_SHA256
+               }
+#endif
        }
 
 exit: