MLK-19064 imx8qm: Add secure boot environment
authorYe Li <ye.li@nxp.com>
Thu, 26 Jul 2018 14:54:34 +0000 (07:54 -0700)
committerYe Li <ye.li@nxp.com>
Fri, 24 May 2019 09:36:38 +0000 (02:36 -0700)
Add the secure boot relevant environment variables to ARM2 and MEK.
When CONFIG_AHAB_BOOT is enabled, the boot flow switches to:
1. Load the signed OS container to address 0x88000000.
2. Use auth_cntr to authenticate the OS container; it also loads the
   kernel and FDT to their destination addresses.
3. Use booti to boot the kernel.

Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit eb47b72c1c89deddeaa3b3618d8c28aca05cd4ad)
(cherry picked from commit e469bf980df3fa5c7d4e059aaaed4db296a0b002)

board/freescale/imx8qm_arm2/imx8qm_arm2.c
board/freescale/imx8qm_mek/imx8qm_mek.c
include/configs/imx8qm_arm2.h
include/configs/imx8qm_mek.h

index d3a188f..88564dc 100644 (file)
@@ -601,6 +601,11 @@ int board_late_init(void)
        env_set("board_rev", "iMX8QM");
 #endif
 
+       env_set("sec_boot", "no");
+#ifdef CONFIG_AHAB_BOOT
+       env_set("sec_boot", "yes");
+#endif
+
        return 0;
 }
 
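Review bot: `sec_boot` is first written as "no" and then overwritten under `#ifdef CONFIG_AHAB_BOOT`; an `#ifdef`/`#else`/`#endif` pair with one `env_set` per branch, as `AHAB_ENV` does in the config headers, would write the value once and read more directly. The variable only records the build option and remains an ordinary writable environment variable, so a comment such as `/* Mirrors CONFIG_AHAB_BOOT only; the boot scripts branch on it, but it is not the enforcement point */` would stop readers treating it as the security boundary. Setting it here presumably overrides a value restored from a saved environment, which is worth stating in that comment if it is the intent. The return value of `env_set` is ignored, as it is for the `board_rev` call above. board_late_init begins outside the hunk, and the hunk for the second board file is identical.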
index 91107c6..a388a2e 100644 (file)
@@ -476,6 +476,11 @@ int board_late_init(void)
        env_set("board_rev", "iMX8QM");
 #endif
 
+       env_set("sec_boot", "no");
+#ifdef CONFIG_AHAB_BOOT
+       env_set("sec_boot", "yes");
+#endif
+
        return 0;
 }
 
index e062567..9609e59 100644 (file)
 #define CONFIG_MAX7322_I2C_BUS         2 /* I2C2 */
 #endif
 
+#ifdef CONFIG_AHAB_BOOT
+#define AHAB_ENV "sec_boot=yes\0"
+#else
+#define AHAB_ENV "sec_boot=no\0"
+#endif
+
 /* Boot M4 */
 #define M4_BOOT_ENV \
        "m4_0_image=m4_0.bin\0" \
 #define CONFIG_EXTRA_ENV_SETTINGS              \
        XEN_BOOT_ENV \
        M4_BOOT_ENV \
+       AHAB_ENV \
        "script=boot.scr\0" \
        "image=Image\0" \
        "panel=NULL\0" \
        "earlycon=lpuart32,0x5a060000\0" \
        "fdt_addr=0x83000000\0"                 \
        "fdt_high=0xffffffffffffffff\0"         \
+       "cntr_addr=0x98000000\0"                        \
+       "cntr_file=os_cntr_signed.bin\0" \
        "boot_fdt=try\0" \
        "fdt_file=" CONFIG_DEFAULT_FDT_FILE "\0" \
        "initrd_addr=0x83100000\0" \
        "hdp_addr=0x84000000\0" \
        "hdp_file=dpfw.bin\0" \
        "loadhdp=fatload mmc ${mmcdev}:${mmcpart} ${hdp_addr} ${hdp_file}\0" \
+       "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
+       "auth_os=auth_cntr ${cntr_addr}\0" \
        "mmcboot=echo Booting from mmc ...; " \
                "if run loadhdp; then; hdp load ${hdp_addr}; fi;" \
                "run mmcargs; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if run loadfdt; then " \
+               "if test ${sec_boot} = yes; then " \
+                       "if run auth_os; then " \
                                "booti ${loadaddr} - ${fdt_addr}; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "echo wait for boot; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
+                               "if run loadfdt; then " \
+                                       "booti ${loadaddr} - ${fdt_addr}; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "echo wait for boot; " \
+                       "fi;" \
                "fi;\0" \
        "netargs=setenv bootargs console=${console},${baudrate} earlycon=${earlycon},${baudrate} " \
                "root=/dev/nfs " \
                        "setenv get_cmd tftp; " \
                "fi; " \
                "if ${get_cmd} ${hdp_addr} ${hdp_file}; then; hdp load ${hdp_addr}; fi;" \
-               "${get_cmd} ${loadaddr} ${image}; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
+               "if test ${sec_boot} = yes; then " \
+                       "${get_cmd} ${cntr_addr} ${cntr_file}; " \
+                       "if run auth_os; then " \
                                "booti ${loadaddr} - ${fdt_addr}; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "booti; " \
+                       "${get_cmd} ${loadaddr} ${image}; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
+                               "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
+                                       "booti ${loadaddr} - ${fdt_addr}; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "booti; " \
+                       "fi;" \
                "fi;\0"
 
 #define CONFIG_BOOTCOMMAND \
                   "if run loadbootscript; then " \
                           "run bootscript; " \
                   "else " \
-                          "if run loadimage; then " \
-                                  "run mmcboot; " \
-                          "else run netboot; " \
-                          "fi; " \
+                          "if test ${sec_boot} = yes; then " \
+                                  "if run loadcntr; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                           "else " \
+                                  "if run loadimage; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                        "fi; " \
                   "fi; " \
           "else booti ${loadaddr} - ${fdt_addr}; fi"
 
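Review bot: With `sec_boot=yes`, CONFIG_BOOTCOMMAND still tries `run loadbootscript` / `run bootscript` before the `sec_boot` test, and the closing context line `else booti ${loadaddr} - ${fdt_addr}; fi` boots without `auth_os`, so neither path shows any container authentication in this section. Putting the `sec_boot` test outside the script branch and gating the final `booti` keeps every path behind `auth_cntr` when AHAB is enabled; the opening of the outer `if` is outside the visible lines, so the nesting needs confirming against the full macro. In `netboot` the result of `${get_cmd} ${cntr_addr} ${cntr_file}` is not checked before `run auth_os`, and `if ${get_cmd} ${cntr_addr} ${cntr_file}; then` would avoid authenticating whatever was left at `cntr_addr`. The commit message gives the container load address as 0x88000000 while `cntr_addr` is 0x98000000, so one of the two should be corrected. The same points apply to the matching section for the MEK config header.

```c
/* … unchanged: start of CONFIG_BOOTCOMMAND, outside the visible lines … */
		   "if test ${sec_boot} = yes; then " \
			   "if run loadcntr; then " \
				   "run mmcboot; " \
			   "else run netboot; " \
			   "fi; " \
		   "else " \
			   "if run loadbootscript; then " \
				   "run bootscript; " \
			   "else " \
				   "if run loadimage; then " \
					   "run mmcboot; " \
				   "else run netboot; " \
				   "fi; " \
			   "fi; " \
		   "fi; " \
	   "else " \
		   "if test ${sec_boot} = yes; then " \
			   "echo ERR: no authenticated image; " \
		   "else booti ${loadaddr} - ${fdt_addr}; " \
		   "fi; " \
	   "fi"
```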
index 33bfde0..2cc9427 100644 (file)
 #define CONFIG_LIB_RAND
 #define CONFIG_NET_RANDOM_ETHADDR
 
+#ifdef CONFIG_AHAB_BOOT
+#define AHAB_ENV "sec_boot=yes\0"
+#else
+#define AHAB_ENV "sec_boot=no\0"
+#endif
 
 #define JAILHOUSE_ENV \
        "jh_mmcboot=" \
        M4_BOOT_ENV \
        XEN_BOOT_ENV \
        JAILHOUSE_ENV\
+       AHAB_ENV \
        "script=boot.scr\0" \
        "image=Image\0" \
        "panel=NULL\0" \
        "earlycon=lpuart32,0x5a060000\0" \
        "fdt_addr=0x83000000\0"                 \
        "fdt_high=0xffffffffffffffff\0"         \
+       "cntr_addr=0x98000000\0"                        \
+       "cntr_file=os_cntr_signed.bin\0" \
        "boot_fdt=try\0" \
        "fdt_file=fsl-imx8qm-mek.dtb\0" \
        "initrd_addr=0x83100000\0" \
        "loadhdp=fatload mmc ${mmcdev}:${mmcpart} ${hdp_addr} ${hdp_file}\0" \
        "loadhdprx=fatload mmc ${mmcdev}:${mmcpart} ${hdprx_addr} ${hdprx_file}\0" \
        "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \
+       "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
+       "auth_os=auth_cntr ${cntr_addr}\0" \
        "mmcboot=echo Booting from mmc ...; " \
                "if run loadhdp; then; hdp load ${hdp_addr}; fi;" \
                "if run loadhdprx; then; hdprx load ${hdprx_addr}; fi;" \
                "run mmcargs; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if run loadfdt; then " \
+               "if test ${sec_boot} = yes; then " \
+                       "if run auth_os; then " \
                                "run boot_os; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "echo wait for boot; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
+                               "if run loadfdt; then " \
+                                       "run boot_os; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "echo wait for boot; " \
+                       "fi;" \
                "fi;\0" \
        "netargs=setenv bootargs console=${console},${baudrate} earlycon=${earlycon},${baudrate} " \
                "root=/dev/nfs " \
                "fi; " \
                "if ${get_cmd} ${hdp_addr} ${hdp_file}; then; hdp load ${hdp_addr}; fi;" \
                "if ${get_cmd} ${hdprx_addr} ${hdprx_file}; then; hdprx load ${hdprx_addr}; fi;" \
-               "${get_cmd} ${loadaddr} ${image}; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
+               "if test ${sec_boot} = yes; then " \
+                       "${get_cmd} ${cntr_addr} ${cntr_file}; " \
+                       "if run auth_os; then " \
                                "run boot_os; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "booti; " \
+                       "${get_cmd} ${loadaddr} ${image}; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
+                               "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
+                                       "run boot_os; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "booti; " \
+                       "fi;" \
                "fi;\0"
 
 #define CONFIG_BOOTCOMMAND \
                   "if run loadbootscript; then " \
                           "run bootscript; " \
                   "else " \
-                          "if run loadimage; then " \
-                                  "run mmcboot; " \
-                          "else run netboot; " \
-                          "fi; " \
+                          "if test ${sec_boot} = yes; then " \
+                                  "if run loadcntr; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                           "else " \
+                                  "if run loadimage; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                        "fi; " \
                   "fi; " \
           "else booti ${loadaddr} - ${fdt_addr}; fi"