arm: mvebu: Implement secure boot

The patch implements secure booting for the mvebu architecture. This includes: - The addition of secure headers and all needed signatures and keys in mkimage - Commands capable of writing the board's efuses to both write the needed cryptographic data and enable the secure booting mechanism - The creation of convenience text files containing the necessary commands to write the efuses The KAK and CSK keys are expected to reside in the files kwb_kak.key and kwb_csk.key (OpenSSL 2048 bit private keys) in the top-level directory. Signed-off-by: Reinhard Pfau <[email protected]> Signed-off-by: Mario Six <[email protected]> Reviewed-by: Stefan Roese <[email protected]> Reviewed-by: Simon Glass <[email protected]> Signed-off-by: Stefan Roese <[email protected]>
t-akashi · Feb 1, 2017 · a1b6b0a · a1b6b0a
1 parent 4991b4f
commit a1b6b0a
Show file tree

Hide file tree

Showing 10 changed files with 1,526 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -957,7 +957,8 @@ MKIMAGEFLAGS_u-boot.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
 	-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
 
 MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
-	-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
+	-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE) \
+	$(if $(KEYDIR),-k $(KEYDIR))
 
 MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \
 		-R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage

diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig
@@ -1,5 +1,9 @@
 if ARCH_MVEBU
 
+config HAVE_MVEBU_EFUSE
+	bool
+	default n
+
 config ARMADA_32BIT
 	bool
 	select CPU_V7
@@ -23,6 +27,7 @@ config ARMADA_375
 config ARMADA_38X
 	bool
 	select ARMADA_32BIT
+	select HAVE_MVEBU_EFUSE
 
 config ARMADA_XP
 	bool
@@ -146,4 +151,34 @@ config SYS_VENDOR
 config SYS_SOC
 	default "mvebu"
 
+config MVEBU_EFUSE
+	bool "Enable eFuse support"
+	default n
+	depends on HAVE_MVEBU_EFUSE
+	help
+	  Enable support for reading and writing eFuses on mvebu SoCs.
+
+config MVEBU_EFUSE_FAKE
+	bool "Fake eFuse access (dry run)"
+	default n
+	depends on MVEBU_EFUSE
+	help
+	  This enables a "dry run" mode where eFuses are not really programmed.
+	  Instead the eFuse accesses are emulated by writing to and reading
+	  from a memory block.
+	  This is can be used for testing prog scripts.
+
+config SECURED_MODE_IMAGE
+	bool "Build image for trusted boot"
+	default false
+	depends on 88F6820
+	help
+	  Build an image that employs the ARMADA SoC's trusted boot framework
+	  for securely booting images.
+
+config SECURED_MODE_CSK_INDEX
+	int "Index of active CSK"
+	default 0
+	depends on SECURED_MODE_IMAGE
+
 endif
diff --git a/arch/arm/mach-mvebu/Makefile b/arch/arm/mach-mvebu/Makefile
@@ -27,6 +27,7 @@ ifndef CONFIG_SPL_BUILD
 obj-$(CONFIG_ARMADA_375) += ../../../drivers/ddr/marvell/axp/xor.o
 obj-$(CONFIG_ARMADA_38X) += ../../../drivers/ddr/marvell/a38x/xor.o
 obj-$(CONFIG_ARMADA_XP) += ../../../drivers/ddr/marvell/axp/xor.o
+obj-$(CONFIG_MVEBU_EFUSE) += efuse.o
 endif # CONFIG_SPL_BUILD
 obj-y	+= gpio.o
 obj-y	+= mbus.o

diff --git a/arch/arm/mach-mvebu/efuse.c b/arch/arm/mach-mvebu/efuse.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2015-2016 Reinhard Pfau <[email protected]>
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#include <config.h>
+#include <common.h>
+#include <errno.h>
+#include <asm/io.h>
+#include <asm/arch/cpu.h>
+#include <asm/arch/efuse.h>
+#include <asm/arch/soc.h>
+#include <linux/mbus.h>
+
+#if defined(CONFIG_MVEBU_EFUSE_FAKE)
+#define DRY_RUN
+#else
+#undef DRY_RUN
+#endif
+
+#define MBUS_EFUSE_BASE 0xF6000000
+#define MBUS_EFUSE_SIZE BIT(20)
+
+#define MVEBU_EFUSE_CONTROL (MVEBU_REGISTER(0xE4008))
+
+enum {
+	MVEBU_EFUSE_CTRL_PROGRAM_ENABLE = (1 << 31),
+};
+
+struct mvebu_hd_efuse {
+	u32 bits_31_0;
+	u32 bits_63_32;
+	u32 bit64;
+	u32 reserved0;
+};
+
+#ifndef DRY_RUN
+static struct mvebu_hd_efuse *efuses =
+	(struct mvebu_hd_efuse *)(MBUS_EFUSE_BASE + 0xF9000);
+#else
+static struct mvebu_hd_efuse efuses[EFUSE_LINE_MAX + 1];
+#endif
+
+static int efuse_initialised;
+
+static struct mvebu_hd_efuse *get_efuse_line(int nr)
+{
+	if (nr < 0 || nr > 63 || !efuse_initialised)
+		return NULL;
+
+	return efuses + nr;
+}
+
+static void enable_efuse_program(void)
+{
+#ifndef DRY_RUN
+	setbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
+#endif
+}
+
+static void disable_efuse_program(void)
+{
+#ifndef DRY_RUN
+	clrbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
+#endif
+}
+
+static int do_prog_efuse(struct mvebu_hd_efuse *efuse,
+			 struct efuse_val *new_val, u32 mask0, u32 mask1)
+{
+	struct efuse_val val;
+
+	val.dwords.d[0] = readl(&efuse->bits_31_0);
+	val.dwords.d[1] = readl(&efuse->bits_63_32);
+	val.lock = readl(&efuse->bit64);
+
+	if (val.lock & 1)
+		return -EPERM;
+
+	val.dwords.d[0] |= (new_val->dwords.d[0] & mask0);
+	val.dwords.d[1] |= (new_val->dwords.d[1] & mask1);
+	val.lock |= new_val->lock;
+
+	writel(val.dwords.d[0], &efuse->bits_31_0);
+	mdelay(1);
+	writel(val.dwords.d[1], &efuse->bits_63_32);
+	mdelay(1);
+	writel(val.lock, &efuse->bit64);
+	mdelay(5);
+
+	return 0;
+}
+
+static int prog_efuse(int nr, struct efuse_val *new_val, u32 mask0, u32 mask1)
+{
+	struct mvebu_hd_efuse *efuse;
+	int res = 0;
+
+	res = mvebu_efuse_init_hw();
+	if (res)
+		return res;
+
+	efuse = get_efuse_line(nr);
+	if (!efuse)
+		return -ENODEV;
+
+	if (!new_val)
+		return -EINVAL;
+
+	/* only write a fuse line with lock bit */
+	if (!new_val->lock)
+		return -EINVAL;
+
+	/* according to specs ECC protection bits must be 0 on write */
+	if (new_val->bytes.d[7] & 0xFE)
+		return -EINVAL;
+
+	if (!new_val->dwords.d[0] && !new_val->dwords.d[1] && (mask0 | mask1))
+		return 0;
+
+	enable_efuse_program();
+
+	res = do_prog_efuse(efuse, new_val, mask0, mask1);
+
+	disable_efuse_program();
+
+	return res;
+}
+
+int mvebu_efuse_init_hw(void)
+{
+	int ret;
+
+	if (efuse_initialised)
+		return 0;
+
+	ret = mvebu_mbus_add_window_by_id(
+		CPU_TARGET_SATA23_DFX, 0xA, MBUS_EFUSE_BASE, MBUS_EFUSE_SIZE);
+
+	if (ret)
+		return ret;
+
+	efuse_initialised = 1;
+
+	return 0;
+}
+
+int mvebu_read_efuse(int nr, struct efuse_val *val)
+{
+	struct mvebu_hd_efuse *efuse;
+	int res;
+
+	res = mvebu_efuse_init_hw();
+	if (res)
+		return res;
+
+	efuse = get_efuse_line(nr);
+	if (!efuse)
+		return -ENODEV;
+
+	if (!val)
+		return -EINVAL;
+
+	val->dwords.d[0] = readl(&efuse->bits_31_0);
+	val->dwords.d[1] = readl(&efuse->bits_63_32);
+	val->lock = readl(&efuse->bit64);
+	return 0;
+}
+
+int mvebu_write_efuse(int nr, struct efuse_val *val)
+{
+	return prog_efuse(nr, val, ~0, ~0);
+}
+
+int mvebu_lock_efuse(int nr)
+{
+	struct efuse_val val = {
+		.lock = 1,
+	};
+
+	return prog_efuse(nr, &val, 0, 0);
+}
+
+/*
+ * wrapper funcs providing the fuse API
+ *
+ * we use the following mapping:
+ *   "bank" ->	eFuse line
+ *   "word" ->	0: bits 0-31
+ *		1: bits 32-63
+ *		2: bit 64 (lock)
+ */
+
+static struct efuse_val prog_val;
+static int valid_prog_words;
+
+int fuse_read(u32 bank, u32 word, u32 *val)
+{
+	struct efuse_val fuse_line;
+	int res;
+
+	if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
+		return -EINVAL;
+
+	res = mvebu_read_efuse(bank, &fuse_line);
+	if (res)
+		return res;
+
+	if (word < 2)
+		*val = fuse_line.dwords.d[word];
+	else
+		*val = fuse_line.lock;
+
+	return res;
+}
+
+int fuse_sense(u32 bank, u32 word, u32 *val)
+{
+	/* not supported */
+	return -ENOSYS;
+}
+
+int fuse_prog(u32 bank, u32 word, u32 val)
+{
+	int res = 0;
+
+	/*
+	 * NOTE: Fuse line should be written as whole.
+	 * So how can we do that with this API?
+	 * For now: remember values for word == 0 and word == 1 and write the
+	 * whole line when word == 2.
+	 * This implies that we always require all 3 fuse prog cmds (one for
+	 * for each word) to write a single fuse line.
+	 * Exception is a single write to word 2 which will lock the fuse line.
+	 *
+	 * Hope that will be OK.
+	 */
+
+	if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
+		return -EINVAL;
+
+	if (word < 2) {
+		prog_val.dwords.d[word] = val;
+		valid_prog_words |= (1 << word);
+	} else if ((valid_prog_words & 3) == 0 && val) {
+		res = mvebu_lock_efuse(bank);
+		valid_prog_words = 0;
+	} else if ((valid_prog_words & 3) != 3 || !val) {
+		res = -EINVAL;
+	} else {
+		prog_val.lock = val != 0;
+		res = mvebu_write_efuse(bank, &prog_val);
+		valid_prog_words = 0;
+	}
+
+	return res;
+}
+
+int fuse_override(u32 bank, u32 word, u32 val)
+{
+	/* not supported */
+	return -ENOSYS;
+}
diff --git a/arch/arm/mach-mvebu/include/mach/cpu.h b/arch/arm/mach-mvebu/include/mach/cpu.h
@@ -36,7 +36,9 @@ enum cpu_target {
 	CPU_TARGET_ETH01 = 0x7,
 	CPU_TARGET_PCIE13 = 0x8,
 	CPU_TARGET_SASRAM = 0x9,
+	CPU_TARGET_SATA01 = 0xa, /* A38X */
 	CPU_TARGET_NAND = 0xd,
+	CPU_TARGET_SATA23_DFX = 0xe, /* A38X */
 };
 
 enum cpu_attrib {