bcm63xx/u-boot/include/fsl_validate.h, branch master

SPDX: Convert all of our single license tags to Linux Kernel style

2018-05-07T13:34:12Z

When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini

fsl: Secure Boot: Enable IE (Key extention) Feature

2017-03-28T16:03:04Z

For validating images from uboot (Such as Kernel Image), either keys from SoC fuses can be used or keys from a verified table of public keys can be used. The latter feature is called IE Key Extension Feature. For Layerscape Chasis 3 based platforms, IE table is validated by Bootrom and address of this table is written in scratch registers 13 and 14 via PBI commands. Following are the steps describing usage of this feature: 1) Verify IE Table in ISBC phase using keys stored in fuses. 2) Install IE table. (To be used across verification of multiple images stored in a static global structure.) 3) Use keys from IE table, to verify further images. Signed-off-by: Aneesh Bansal Signed-off-by: Saksham Jain Signed-off-by: Udit Agarwal Reviewed-by: York Sun

powerpc/mpc85xx: SECURE BOOT- Enable chain of trust in SPL

2016-07-21T18:09:23Z

As part of Chain of Trust for Secure boot, the SPL U-Boot will validate the next level U-boot image. Add a new function spl_validate_uboot to perform the validation. Enable hardware crypto operations in SPL using SEC block. In case of Secure Boot, PAMU is not bypassed. For allowing SEC block access to CPC configured as SRAM, configure PAMU. Reviewed-by: Ruchika Gupta Signed-off-by: Aneesh Bansal Signed-off-by: Sumit Garg Reviewed-by: Simon Glass Reviewed-by: York Sun

SECURE BOOT: Change fsl_secboot_validate func to pass image addr

2016-03-29T15:46:23Z

Use a pointer to pass image address to fsl_secboot_validate(), instead of using environmental variable "img_addr". Signed-off-by: Aneesh Bansal Signed-off-by: Saksham Jain Reviewed-by: York Sun

SECURE BOOT: Halt execution when secure boot fail

2016-03-29T15:46:23Z

In case of fatal failure during secure boot execution (e.g. header not found), reset is asserted to stop execution. If the RESET_REQ is not tied to HRESET, this allows the execution to continue. Add esbh_halt() after the reset to make sure execution stops. Signed-off-by: Aneesh Bansal Signed-off-by: Saksham Jain Reviewed-by: York Sun

armv8: fsl-lsch3: Add new header for secure boot

2016-03-29T15:46:20Z

For secure boot, a header is used to identify key table, signature and image address. A new header structure is added for lsch3. Currently key extension (IE) feature is not supported. Single key feature is not supported. Keys must be in table format. Hence, SRK (key table) must be present. Max key number has increase from 4 to 8. The 8th key is irrevocable. A new barker Code is used. Signed-off-by: Aneesh Bansal Signed-off-by: Saksham Jain Reviewed-by: York Sun

secure_boot: enable chain of trust for ARM platforms

2016-01-27T16:12:49Z

Chain of Trust is enabled for ARM platforms (LS1021 and LS1043). In board_late_init(), fsl_setenv_chain_of_trust() is called which will perform the following: - If boot mode is non-secure, return (No Change) - If boot mode is secure, set the following environmet variables: bootdelay = 0 (To disable Boot Prompt) bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script) Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun

SECURE BOOT: support for validation of dynamic image

2016-01-25T16:24:16Z

Some images to be validated are relocated to a dynamic address at run time. So, these addresses cannot be known befor hand while signing the images and creating the header offline. So, support is required to pass the image address to the validate function as an argument. If an address is provided to the function, the address field in Header is not read and is treated as a reserved field. Signed-off-by: Saksham Jain Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun

SECURE BOOT: change prototype of fsl_secboot_validate function

2016-01-25T16:24:16Z

The prototype and defination of function fsl_secboot_validate has been changed to support calling this function from another function within u-boot. Only two aruments needed: 1) header address - Mandatory 2) SHA256 string - optional Signed-off-by: Saksham Jain Signed-off-by: Aneesh Bansal Acked-by: Ruchika Gupta Reviewed-by: York Sun

armv8/ls1043ardb: add SECURE BOOT target for NOR

2015-12-15T00:57:35Z

LS1043ARDB Secure Boot Target from NOR has been added. - Configs defined to enable esbc_validate. - ESBC Address in header is made 64 bit. - SMMU is re-configured in Bypass mode. Signed-off-by: Aneesh Bansal Reviewed-by: York Sun