From: Tom Rini Date: Fri, 17 Jun 2022 20:24:34 +0000 (-0400) Subject: powerpc: Clean up CHAIN_OF_TRUST related options X-Git-Url: http://git.dujemihanovic.xyz/posts?a=commitdiff_plain;h=f4cd75e96a461e1b138c3af85a4085e2772e4f7c;p=u-boot.git powerpc: Clean up CHAIN_OF_TRUST related options As things stand currently, there is only one PowerPC platform that enables the options for CHAIN_OF_TRUST. From the board header files, remove a number of never-set options. Remove board specific values from arch/powerpc/include/asm/fsl_secure_boot.h as well. Rework include/config_fsl_chain_trust.h to not abuse the CONFIG namespace for constructing CHAIN_BOOT_CMD. Migrate all of the configurable addresses to Kconfig. If any platforms are re-introduced with secure boot support, everything required should still be here, but now in Kconfig, or requires migration of an option to Kconfig. Cc: Peng Fan Signed-off-by: Tom Rini --- diff --git a/arch/Kconfig.nxp b/arch/Kconfig.nxp index ccbf684bdb..03b73d4cc3 100644 --- a/arch/Kconfig.nxp +++ b/arch/Kconfig.nxp @@ -75,6 +75,46 @@ config SPL_UBOOT_KEY_HASH 41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b. Otherwise leave this empty. +if PPC + +config BOOTSCRIPT_COPY_RAM + bool "Secure boot copies boot script to RAM" + help + On systems that support chain of trust booting, a number of addresses + are required to set variables that are used in the copying and then + verification of different parts of the system. If enabled, the subsequent + options are for what location to use in each step. + +config BS_ADDR_DEVICE + hex "Address in RAM for bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_SIZE + hex "The size of bs_size which is the amount read from bs_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_ADDR_RAM + hex "Address in RAM for bs_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_DEVICE + hex "Address in RAM for bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_SIZE + hex "The size of bs_hdr_size which is the amount read from bs_hdr_device" + depends on BOOTSCRIPT_COPY_RAM + +config BS_HDR_ADDR_RAM + hex "Address in RAM for bs_hdr_ram" + depends on BOOTSCRIPT_COPY_RAM + +config BOOTSCRIPT_HDR_ADDR + hex "CONFIG_BOOTSCRIPT_HDR_ADDR" + default BS_ADDR_RAM if BOOTSCRIPT_COPY_RAM + +endif + config SYS_FSL_SRK_LE def_bool y depends on ARM diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index c062fa5c19..a96a1ac5d7 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -10,19 +10,12 @@ #ifdef CONFIG_NXP_ESBC #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_SYS_PBI_FLASH_BASE 0xc8000000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_SYS_PBI_FLASH_BASE 0xcc000000 #else #define CONFIG_SYS_PBI_FLASH_BASE 0xce000000 #endif #define CONFIG_SYS_PBI_FLASH_WINDOW 0xcff80000 -#if defined(CONFIG_TARGET_B4860QDS) || \ - defined(CONFIG_TARGET_B4420QDS) || \ - defined(CONFIG_TARGET_T4240QDS) || \ - defined(CONFIG_TARGET_T2080QDS) || \ +#if defined(CONFIG_TARGET_T2080QDS) || \ defined(CONFIG_TARGET_T2080RDB) || \ defined(CONFIG_TARGET_T1042RDB) || \ defined(CONFIG_TARGET_T1042D4RDB) || \ @@ -78,40 +71,6 @@ #endif /* ifdef CONFIG_SPL_BUILD */ #ifndef CONFIG_SPL_BUILD -/* - * fsl_setenv_chain_of_trust() must be called from - * board_late_init() - */ - -/* If Boot Script is not on NOR and is required to be copied on RAM */ -#ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_HDR_ADDR_RAM 0x00010000 -#define CONFIG_BS_HDR_ADDR_DEVICE 0x00800000 -#define CONFIG_BS_HDR_SIZE 0x00002000 -#define CONFIG_BS_ADDR_RAM 0x00012000 -#define CONFIG_BS_ADDR_DEVICE 0x00802000 -#define CONFIG_BS_SIZE 0x00001000 - -#define CONFIG_BOOTSCRIPT_HDR_ADDR CONFIG_BS_HDR_ADDR_RAM -#else - -/* The bootscript header address is different for B4860 because the NOR - * mapping is different on B4 due to reduced NOR size. - */ -#if defined(CONFIG_TARGET_B4860QDS) || defined(CONFIG_TARGET_B4420QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xecc00000 -#elif defined(CONFIG_FSL_CORENET) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xe8e00000 -#elif defined(CONFIG_TARGET_BSC9132QDS) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x88020000 -#elif defined(CONFIG_TARGET_C29XPCIE) -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xec020000 -#else -#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 -#endif - -#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ - #include #endif /* #ifndef CONFIG_SPL_BUILD */ #endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ diff --git a/board/freescale/common/fsl_chain_of_trust.c b/board/freescale/common/fsl_chain_of_trust.c index 7ffb315bc9..d31fb82181 100644 --- a/board/freescale/common/fsl_chain_of_trust.c +++ b/board/freescale/common/fsl_chain_of_trust.c @@ -12,6 +12,7 @@ #include #include #include +#include #if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK) #include @@ -76,14 +77,14 @@ int fsl_setenv_chain_of_trust(void) /* If Boot mode is Secure, set the environment variables * bootdelay = 0 (To disable Boot Prompt) - * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) + * bootcmd = CHAIN_BOOT_CMD (Validate and execute Boot script) */ env_set("bootdelay", "-2"); #ifdef CONFIG_ARM env_set("secureboot", "y"); #else - env_set("bootcmd", CONFIG_CHAIN_BOOT_CMD); + env_set("bootcmd", CHAIN_BOOT_CMD); #endif return 0; diff --git a/configs/T2080QDS_SECURE_BOOT_defconfig b/configs/T2080QDS_SECURE_BOOT_defconfig index 0a3e55b0f3..00d36ff759 100644 --- a/configs/T2080QDS_SECURE_BOOT_defconfig +++ b/configs/T2080QDS_SECURE_BOOT_defconfig @@ -1,8 +1,13 @@ CONFIG_PPC=y CONFIG_SYS_TEXT_BASE=0xEFF40000 CONFIG_ENV_SIZE=0x2000 -CONFIG_NXP_ESBC=y CONFIG_DEFAULT_DEVICE_TREE="t2080qds" +CONFIG_MPC85xx=y +CONFIG_TARGET_T2080QDS=y +CONFIG_MPC85XX_HAVE_RESET_VECTOR=y +CONFIG_ENABLE_36BIT_PHYS=y +CONFIG_NXP_ESBC=y +CONFIG_BOOTSCRIPT_HDR_ADDR=0xee020000 CONFIG_FSL_USE_PCA9547_MUX=y CONFIG_VID=y CONFIG_VID_FLS_ENV="t208xqds_vdd_mv" @@ -10,10 +15,6 @@ CONFIG_VOL_MONITOR_IR36021_READ=y CONFIG_VOL_MONITOR_IR36021_SET=y CONFIG_FSL_QIXIS=y # CONFIG_QIXIS_I2C_ACCESS is not set -CONFIG_MPC85xx=y -CONFIG_TARGET_T2080QDS=y -CONFIG_MPC85XX_HAVE_RESET_VECTOR=y -CONFIG_ENABLE_36BIT_PHYS=y # CONFIG_SYS_MALLOC_F is not set CONFIG_MP=y CONFIG_FIT=y diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h index dd01e96689..380c906ba8 100644 --- a/include/config_fsl_chain_trust.h +++ b/include/config_fsl_chain_trust.h @@ -18,21 +18,21 @@ */ #ifdef CONFIG_USE_BOOTARGS -#define CONFIG_SET_BOOTARGS "setenv bootargs \'" CONFIG_BOOTARGS" \';" +#define SET_BOOTARGS "setenv bootargs \'" CONFIG_BOOTARGS" \';" #else -#define CONFIG_SET_BOOTARGS "setenv bootargs \'root=/dev/ram " \ +#define SET_BOOTARGS "setenv bootargs \'root=/dev/ram " \ "rw console=ttyS0,115200 ramdisk_size=600000\';" #endif -#define CONFIG_SECBOOT \ +#define SECBOOT \ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \ - CONFIG_SET_BOOTARGS \ + SET_BOOTARGS \ "esbc_validate $bs_hdraddr;" \ "source $img_addr;" \ "esbc_halt\0" #ifdef CONFIG_BOOTSCRIPT_COPY_RAM -#define CONFIG_BS_COPY_ENV \ +#define BS_COPY_ENV \ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \ "setenv bs_hdr_device " __stringify(CONFIG_BS_HDR_ADDR_DEVICE)";" \ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \ @@ -43,33 +43,28 @@ /* For secure boot flow, default environment used will be used */ #if defined(CONFIG_SYS_RAMBOOT) || defined(CONFIG_NAND_BOOT) || \ defined(CONFIG_SD_BOOT) -#if defined(CONFIG_RAMBOOT_NAND) || defined(CONFIG_NAND_BOOT) -#define CONFIG_BS_COPY_CMD \ +#if defined(CONFIG_NAND_BOOT) +#define BS_COPY_CMD \ "nand read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "nand read $bs_ram $bs_device $bs_size ;" #elif defined(CONFIG_SD_BOOT) -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "mmc read $bs_hdr_ram $bs_hdr_device $bs_hdr_size ;" \ "mmc read $bs_ram $bs_device $bs_size ;" #endif #else -#define CONFIG_BS_COPY_CMD \ +#define BS_COPY_CMD \ "cp.b $bs_hdr_device $bs_hdr_ram $bs_hdr_size ;" \ "cp.b $bs_device $bs_ram $bs_size ;" #endif +#else /* !CONFIG_BOOTSCRIPT_COPY_RAM */ +#define BS_COPY_ENV +#define BS_COPY_CMD #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */ -#ifndef CONFIG_BS_COPY_ENV -#define CONFIG_BS_COPY_ENV -#endif - -#ifndef CONFIG_BS_COPY_CMD -#define CONFIG_BS_COPY_CMD -#endif - -#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \ - CONFIG_BS_COPY_CMD \ - CONFIG_SECBOOT +#define CHAIN_BOOT_CMD BS_COPY_ENV \ + BS_COPY_CMD \ + SECBOOT #endif #endif diff --git a/include/configs/P1010RDB.h b/include/configs/P1010RDB.h index 200b88050c..19aebb810c 100644 --- a/include/configs/P1010RDB.h +++ b/include/configs/P1010RDB.h @@ -53,7 +53,6 @@ #endif #ifdef CONFIG_NAND_SECBOOT /* NAND Boot */ -#define CONFIG_RAMBOOT_NAND #define CONFIG_RESET_VECTOR_ADDRESS 0x110bfffc #endif @@ -348,8 +347,7 @@ extern unsigned long get_sdram_size(void); FTIM2_GPCM_TWP(0x1f)) #define CONFIG_SYS_CS3_FTIM3 0x0 -#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) || \ - defined(CONFIG_RAMBOOT_NAND) +#if defined(CONFIG_RAMBOOT_SDCARD) || defined(CONFIG_RAMBOOT_SPIFLASH) #define CONFIG_SYS_RAMBOOT #else #undef CONFIG_SYS_RAMBOOT diff --git a/include/configs/T104xRDB.h b/include/configs/T104xRDB.h index f1738b32c5..1c2052608e 100644 --- a/include/configs/T104xRDB.h +++ b/include/configs/T104xRDB.h @@ -66,14 +66,6 @@ #define CONFIG_PCIE3 /* PCIE controller 3 */ #define CONFIG_PCIE4 /* PCIE controller 4 */ -#if defined(CONFIG_SPIFLASH) -#elif defined(CONFIG_MTD_RAW_NAND) -#ifdef CONFIG_NXP_ESBC -#define CONFIG_RAMBOOT_NAND -#define CONFIG_BOOTSCRIPT_COPY_RAM -#endif -#endif - /* * These can be toggled for performance analysis, otherwise use default. */ diff --git a/include/configs/corenet_ds.h b/include/configs/corenet_ds.h index 51bc772e23..6a4fd90ded 100644 --- a/include/configs/corenet_ds.h +++ b/include/configs/corenet_ds.h @@ -15,17 +15,8 @@ #include "../board/freescale/common/ics307_clk.h" #ifdef CONFIG_RAMBOOT_PBL -#ifdef CONFIG_NXP_ESBC #define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE #define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#ifdef CONFIG_MTD_RAW_NAND -#define CONFIG_RAMBOOT_NAND -#endif -#define CONFIG_BOOTSCRIPT_COPY_RAM -#else -#define CONFIG_RAMBOOT_TEXT_BASE CONFIG_SYS_TEXT_BASE -#define CONFIG_RESET_VECTOR_ADDRESS 0xfffffffc -#endif #endif #ifdef CONFIG_SRIO_PCIE_BOOT_SLAVE