From: Vinitha Pillai-B57223 Date: Wed, 22 Nov 2017 05:08:35 +0000 (+0530) Subject: SECURE BOOT: Add fall back option X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=9b457cc6d16dadc29f3e7ed560171a9a20b9c5d7;p=u-boot.git SECURE BOOT: Add fall back option Add fall back option, to boot from NOR/QSPI/SD for LS1043, LS1046, LS1021 in case of distro boot failure. For LS1046, add kernel validation in case of secure boot in sd_bootcmd and qspi_bootcmd. For LS1043 and LS1021, add kernel validation in case of secure boot in sd_bootcmd, qspi_bootcmdand nor_bootcmd. Signed-off-by: Vinitha Pillai Reviewed-by: York Sun --- diff --git a/include/configs/ls1021atwr.h b/include/configs/ls1021atwr.h index 5be61ad7b6..3db7ef12b0 100644 --- a/include/configs/ls1021atwr.h +++ b/include/configs/ls1021atwr.h @@ -420,16 +420,22 @@ "initrd_high=0xffffffff\0" \ "fdt_high=0xffffffff\0" \ "fdt_addr=0x64f00000\0" \ - "kernel_addr=0x65000000\0" \ + "kernel_addr=0x61000000\0" \ + "kernelheader_addr=0x60800000\0" \ "scriptaddr=0x80000000\0" \ "scripthdraddr=0x80080000\0" \ "fdtheader_addr_r=0x80100000\0" \ "kernelheader_addr_r=0x80200000\0" \ "kernel_addr_r=0x81000000\0" \ + "kernelheader_size=0x40000\0" \ "fdt_addr_r=0x90000000\0" \ "ramdisk_addr_r=0xa0000000\0" \ "load_addr=0xa0000000\0" \ "kernel_size=0x2800000\0" \ + "kernel_addr_sd=0x8000\0" \ + "kernel_size_sd=0x14000\0" \ + "kernelhdr_addr_sd=0x4000\0" \ + "kernelhdr_size_sd=0x10\0" \ BOOTENV \ "boot_scripts=ls1021atwr_boot.scr\0" \ "boot_script_hdr=hdr_ls1021atwr_bs.out\0" \ @@ -460,26 +466,35 @@ "source ${scriptaddr}\0" \ "qspi_bootcmd=echo Trying load from qspi..;" \ "sf probe && sf read $load_addr " \ - "$kernel_addr $kernel_size && bootm $load_addr#$board\0" \ + "$kernel_addr $kernel_size; env exists secureboot " \ + "&& sf read $kernelheader_addr_r $kernelheader_addr " \ + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \ + "bootm $load_addr#$board\0" \ "nor_bootcmd=echo Trying load from nor..;" \ "cp.b $kernel_addr $load_addr " \ - "$kernel_size && bootm $load_addr#$board\0" \ + "$kernel_size; env exists secureboot " \ + "&& cp.b $kernelheader_addr $kernelheader_addr_r " \ + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \ + "bootm $load_addr#$board\0" \ "sd_bootcmd=echo Trying load from SD ..;" \ "mmcinfo && mmc read $load_addr " \ "$kernel_addr_sd $kernel_size_sd && " \ + "env exists secureboot && mmc read $kernelheader_addr_r " \ + "$kernelhdr_addr_sd $kernelhdr_size_sd " \ + " && esbc_validate ${kernelheader_addr_r};" \ "bootm $load_addr#$board\0" #endif #undef CONFIG_BOOTCOMMAND #if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run qspi_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run qspi_bootcmd" \ + "env exists secureboot && esbc_halt" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run sd_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run sd_bootcmd; " \ + "env exists secureboot && esbc_halt;" #else -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run nor_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run nor_bootcmd;" \ + "env exists secureboot && esbc_halt;" #endif /* diff --git a/include/configs/ls1043a_common.h b/include/configs/ls1043a_common.h index a4cd09aa90..67b5ea715e 100644 --- a/include/configs/ls1043a_common.h +++ b/include/configs/ls1043a_common.h @@ -252,7 +252,7 @@ "fdt_high=0xffffffffffffffff\0" \ "initrd_high=0xffffffffffffffff\0" \ "fdt_addr=0x64f00000\0" \ - "kernel_addr=0x65000000\0" \ + "kernel_addr=0x61000000\0" \ "scriptaddr=0x80000000\0" \ "scripthdraddr=0x80080000\0" \ "fdtheader_addr_r=0x80100000\0" \ @@ -260,9 +260,13 @@ "kernel_addr_r=0x81000000\0" \ "fdt_addr_r=0x90000000\0" \ "load_addr=0xa0000000\0" \ + "kernelheader_addr=0x60800000\0" \ "kernel_size=0x2800000\0" \ + "kernelheader_size=0x40000\0" \ "kernel_addr_sd=0x8000\0" \ "kernel_size_sd=0x14000\0" \ + "kernelhdr_addr_sd=0x4000\0" \ + "kernelhdr_size_sd=0x10\0" \ "console=ttyS0,115200\0" \ "boot_os=y\0" \ "mtdparts=" CONFIG_MTDPARTS_DEFAULT "\0" \ @@ -295,26 +299,35 @@ "source ${scriptaddr}\0" \ "qspi_bootcmd=echo Trying load from qspi..;" \ "sf probe && sf read $load_addr " \ - "$kernel_addr $kernel_size && bootm $load_addr#$board\0" \ + "$kernel_addr $kernel_size; env exists secureboot " \ + "&& sf read $kernelheader_addr_r $kernelheader_addr " \ + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \ + "bootm $load_addr#$board\0" \ "nor_bootcmd=echo Trying load from nor..;" \ "cp.b $kernel_addr $load_addr " \ - "$kernel_size && bootm $load_addr#$board\0" \ + "$kernel_size; env exists secureboot " \ + "&& cp.b $kernelheader_addr $kernelheader_addr_r " \ + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \ + "bootm $load_addr#$board\0" \ "sd_bootcmd=echo Trying load from SD ..;" \ "mmcinfo; mmc read $load_addr " \ "$kernel_addr_sd $kernel_size_sd && " \ + "env exists secureboot && mmc read $kernelheader_addr_r " \ + "$kernelhdr_addr_sd $kernelhdr_size_sd " \ + " && esbc_validate ${kernelheader_addr_r};" \ "bootm $load_addr#$board\0" #undef CONFIG_BOOTCOMMAND #if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run qspi_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run qspi_bootcmd; " \ + "env exists secureboot && esbc_halt;" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run sd_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run sd_bootcmd; " \ + "env exists secureboot && esbc_halt;" #else -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run nor_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run nor_bootcmd; " \ + "env exists secureboot && esbc_halt;" #endif #endif diff --git a/include/configs/ls1046a_common.h b/include/configs/ls1046a_common.h index 11f2a28743..e208f7d2de 100644 --- a/include/configs/ls1046a_common.h +++ b/include/configs/ls1046a_common.h @@ -225,10 +225,14 @@ "fdt_addr_r=0x90000000\0" \ "ramdisk_addr_r=0xa0000000\0" \ "kernel_start=0x1000000\0" \ + "kernelheader_start=0x800000\0" \ "kernel_load=0xa0000000\0" \ "kernel_size=0x2800000\0" \ + "kernelheader_size=0x40000\0" \ "kernel_addr_sd=0x8000\0" \ "kernel_size_sd=0x14000\0" \ + "kernelhdr_addr_sd=0x4000\0" \ + "kernelhdr_size_sd=0x10\0" \ "console=ttyS0,115200\0" \ CONFIG_MTDPARTS_DEFAULT "\0" \ BOOTENV \ @@ -261,10 +265,16 @@ "source ${scriptaddr}\0" \ "qspi_bootcmd=echo Trying load from qspi..;" \ "sf probe && sf read $load_addr " \ - "$kernel_start $kernel_size && bootm $load_addr#$board\0" \ + "$kernel_start $kernel_size; env exists secureboot " \ + "&& sf read $kernelheader_addr_r $kernelheader_start " \ + "$kernelheader_size && esbc_validate ${kernelheader_addr_r}; " \ + "bootm $load_addr#$board\0" \ "sd_bootcmd=echo Trying load from SD ..;" \ "mmcinfo; mmc read $load_addr " \ "$kernel_addr_sd $kernel_size_sd && " \ + "env exists secureboot && mmc read $kernelheader_addr_r " \ + "$kernelhdr_addr_sd $kernelhdr_size_sd " \ + " && esbc_validate ${kernelheader_addr_r};" \ "bootm $load_addr#$board\0" #endif diff --git a/include/configs/ls1046ardb.h b/include/configs/ls1046ardb.h index d001b80270..5afd5c64bb 100644 --- a/include/configs/ls1046ardb.h +++ b/include/configs/ls1046ardb.h @@ -226,11 +226,11 @@ #ifndef SPL_NO_MISC #undef CONFIG_BOOTCOMMAND #if defined(CONFIG_QSPI_BOOT) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run qspi_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; run qspi_bootcmd; " \ + "env exists secureboot && esbc_halt;;" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \ - "&& esbc_halt; run sd_bootcmd;" +#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run sd_bootcmd; " \ + "env exists secureboot && esbc_halt;" #endif #endif