TBB: abort boot if BL3-2 cannot be authenticated

The BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded, a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
diff --git a/common/bl_common.c b/common/bl_common.c
index b8558a6..3088cb0 100644
--- a/common/bl_common.c
+++ b/common/bl_common.c
@@ -37,6 +37,7 @@
 #include <errno.h>
 #include <io_storage.h>
 #include <platform.h>
+#include <string.h>
 
 unsigned long page_align(unsigned long value, unsigned dir)
 {
@@ -331,7 +332,7 @@
 	if (rc == 0) {
 		rc = load_auth_image(mem_layout, parent_id, image_base,
 				     image_data, NULL);
-		if (rc != IO_SUCCESS) {
+		if (rc != LOAD_SUCCESS) {
 			return rc;
 		}
 	}
@@ -341,7 +342,7 @@
 	rc = load_image(mem_layout, image_id, image_base, image_data,
 			entry_point_info);
 	if (rc != IO_SUCCESS) {
-		return rc;
+		return LOAD_ERR;
 	}
 
 #if TRUSTED_BOARD_BOOT
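Review bot: `return LOAD_ERR;` discards the I/O error code that load_image() returned, so neither the caller nor a log reader can tell why the load failed. If that matters for diagnosis, report rc before collapsing it. The new return contract should also be documented in the function header, e.g. `Returns LOAD_SUCCESS, LOAD_ERR if the image could not be loaded, or LOAD_AUTH_ERR if it failed authentication.` The previous hunk tests `rc == 0` next to `rc != LOAD_SUCCESS`, which reads consistently only if LOAD_SUCCESS is 0; its definition is not visible in this diff. The function starts outside the hunk.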
@@ -350,7 +351,11 @@
 				 (void *)image_data->image_base,
 				 image_data->image_size);
 	if (rc != 0) {
-		return IO_FAIL;
+		memset((void *)image_data->image_base, 0x00,
+		       image_data->image_size);
+		flush_dcache_range(image_data->image_base,
+				   image_data->image_size);
+		return LOAD_AUTH_ERR;
 	}
 
 	/* After working with data, invalidate the data cache */
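Review bot: After the wipe on the authentication-failure path, `image_data` still describes the rejected image, and so may `entry_point_info`, which was handed to load_image() above. A caller that mishandles LOAD_AUTH_ERR would therefore hold a base, a size and possibly an entry point for content that failed verification. The commit message says the caller aborts on this code, so this is a hardening and documentation point: the function header should state that the out-parameters must not be used when LOAD_AUTH_ERR is returned. The scrub also deserves a why-comment, for example `/* Authentication failed: zero the image and flush so no unauthenticated content remains in memory */`. The function begins and ends outside this hunk.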
@@ -358,5 +363,5 @@
 			(size_t)image_data->image_size);
 #endif /* TRUSTED_BOARD_BOOT */
 
-	return IO_SUCCESS;
+	return LOAD_SUCCESS;
 }