MLK-16787-2 iMX8M: Add support to enable CONFIG_SECURE_BOOT

Add some SOC level codes and build configurations to use HAB lib for
CONFIG_SECURE_BOOT, like adding the SEC_CONFIG fuse, enable fuse driver,
CAAM clock function, and add CAAM secure RAM to MMU table.

The FSL_CAAM is temporally not enabled for iMX8M when CONFIG_SECURE_BOOT is set,
because we don't need the CAAM driver for SPL.

Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

diff --git a/arch/arm/cpu/armv8/imx8m/clock.c b/arch/arm/cpu/armv8/imx8m/clock.c
index e7795c9..a445a7a 100644 (file)
--- a/arch/arm/cpu/armv8/imx8m/clock.c
+++ b/arch/arm/cpu/armv8/imx8m/clock.c
@@ -13,6 +13,13 @@
 
 DECLARE_GLOBAL_DATA_PTR;
 
+#ifdef CONFIG_SECURE_BOOT
+void hab_caam_clock_enable(unsigned char enable)
+{
+       /* The CAAM clock is always on for iMX8M */
+}
+#endif
+
 #ifdef CONFIG_MXC_OCOTP
 void enable_ocotp_clk(unsigned char enable)
 {

diff --git a/arch/arm/cpu/armv8/imx8m/soc.c b/arch/arm/cpu/armv8/imx8m/soc.c
index c8038a7..1a1e908 100644 (file)
--- a/arch/arm/cpu/armv8/imx8m/soc.c
+++ b/arch/arm/cpu/armv8/imx8m/soc.c
@@ -9,6 +9,7 @@
 #include <asm/io.h>
 #include <asm/arch/clock.h>
 #include <asm/arch/sys_proto.h>
+#include <asm/imx-common/hab.h>
 #include <asm/imx-common/boot_mode.h>
 #include <asm/armv8/mmu.h>
 #include <errno.h>
@@ -16,6 +17,13 @@
 
 DECLARE_GLOBAL_DATA_PTR;
 
+#if defined(CONFIG_SECURE_BOOT)
+struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+       .bank = 1,
+       .word = 3,
+};
+#endif
+
 /*
  * OCOTP_TESTER3[9:8] (see Fusemap Description Table offset 0x440)
  * defines a 2-bit SPEED_GRADING
@@ -155,6 +163,13 @@ static struct mm_region imx8m_mem_map[] = {
                .size = 0x100000UL,
                .attrs = PTE_BLOCK_MEMTYPE(MT_NORMAL) |
                         PTE_BLOCK_OUTER_SHARE
+       }, {
+               .virt = 0x100000UL,
+               .phys = 0x100000UL,
+               .size = 0x8000UL,
+               .attrs = PTE_BLOCK_MEMTYPE(MT_DEVICE_NGNRNE) |
+                        PTE_BLOCK_NON_SHARE |
+                        PTE_BLOCK_PXN | PTE_BLOCK_UXN
        }, {
                .virt = 0x7C0000UL,
                .phys = 0x7C0000UL,

diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
index 883bdba..be488df 100644 (file)
--- a/arch/arm/imx-common/Kconfig
+++ b/arch/arm/imx-common/Kconfig
@@ -39,8 +39,8 @@ config USE_IMXIMG_PLUGIN
 
 config SECURE_BOOT
        bool "Support i.MX HAB features"
-       depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
-       select FSL_CAAM if !MX6ULL && !MX6SLL && !MX6SL
+       depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 || ARCH_IMX8M
+       select FSL_CAAM if !MX6ULL && !MX6SLL && !MX6SL && !IMX8M
        help
          This option enables the support for secure boot (HAB).
          See doc/README.mxc_hab for more details.

diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile
index 30d18a3..8972ec9 100644 (file)
--- a/arch/arm/imx-common/Makefile
+++ b/arch/arm/imx-common/Makefile
@@ -13,6 +13,7 @@ endif
 ifeq ($(SOC),$(filter $(SOC),imx8m))
 obj-$(CONFIG_IMX_BOOTAUX) += imx_bootaux.o
 obj-$(CONFIG_SYS_I2C_MXC) += i2c-mxv7.o
+obj-$(CONFIG_SECURE_BOOT) += hab.o
 obj-y += cpu.o
 endif
 

diff --git a/arch/arm/include/asm/arch-imx8m/clock.h b/arch/arm/include/asm/arch-imx8m/clock.h
index dd3599b..c6e9a66 100644 (file)
--- a/arch/arm/include/asm/arch-imx8m/clock.h
+++ b/arch/arm/include/asm/arch-imx8m/clock.h
@@ -859,5 +859,5 @@ int enable_i2c_clk(unsigned char enable, unsigned i2c_num);
 #ifdef CONFIG_FEC_MXC
 int set_clk_enet(enum enet_freq type);
 #endif
-
+void hab_caam_clock_enable(unsigned char enable);
 #endif

diff --git a/include/configs/imx8mq_evk.h b/include/configs/imx8mq_evk.h
index baaf77e..ded5b1a 100644 (file)
--- a/include/configs/imx8mq_evk.h
+++ b/include/configs/imx8mq_evk.h
@@ -10,6 +10,10 @@
 #include <linux/sizes.h>
 #include <asm/arch/imx-regs.h>
 
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE                        0x2000 /* 8K region */
+#endif
+
 #define CONFIG_SPL_FRAMEWORK
 #define CONFIG_SPL_TEXT_BASE           0x7E1000
 #define CONFIG_SPL_MAX_SIZE            (124 * 1024)
@@ -21,6 +25,7 @@
 #ifdef CONFIG_SPL_BUILD
 /*#define CONFIG_ENABLE_DDR_TRAINING_DEBUG*/
 #define CONFIG_SPL_WATCHDOG_SUPPORT
+#define CONFIG_SPL_DRIVERS_MISC_SUPPORT
 #define CONFIG_SPL_POWER_SUPPORT
 #define CONFIG_SPL_I2C_SUPPORT
 #define CONFIG_SPL_BOARD_INIT