arm: mvebu: Implement secure boot
The patch implements secure booting for the mvebu architecture.
This includes:
- The addition of secure headers and all needed signatures and keys in
mkimage
- Commands capable of writing the board's efuses to both write the
needed cryptographic data and enable the secure booting mechanism
- The creation of convenience text files containing the necessary
commands to write the efuses
The KAK and CSK keys are expected to reside in the files kwb_kak.key and
kwb_csk.key (OpenSSL 2048 bit private keys) in the top-level directory.
Signed-off-by: Reinhard Pfau <reinhard.pfau@gdsys.cc>
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Stefan Roese <sr@denx.de>
diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig
index 53117c4..412bda4 100644
--- a/arch/arm/mach-mvebu/Kconfig
+++ b/arch/arm/mach-mvebu/Kconfig
@@ -1,5 +1,9 @@
if ARCH_MVEBU
+config HAVE_MVEBU_EFUSE
+ bool
+ default n
+
config ARMADA_32BIT
bool
select CPU_V7
@@ -23,6 +27,7 @@
config ARMADA_38X
bool
select ARMADA_32BIT
+ select HAVE_MVEBU_EFUSE
config ARMADA_XP
bool
@@ -146,4 +151,34 @@
config SYS_SOC
default "mvebu"
+config MVEBU_EFUSE
+ bool "Enable eFuse support"
+ default n
+ depends on HAVE_MVEBU_EFUSE
+ help
+ Enable support for reading and writing eFuses on mvebu SoCs.
+
+config MVEBU_EFUSE_FAKE
+ bool "Fake eFuse access (dry run)"
+ default n
+ depends on MVEBU_EFUSE
+ help
+ This enables a "dry run" mode where eFuses are not really programmed.
+ Instead the eFuse accesses are emulated by writing to and reading
+ from a memory block.
+ This is can be used for testing prog scripts.
+
+config SECURED_MODE_IMAGE
+ bool "Build image for trusted boot"
+ default false
+ depends on 88F6820
+ help
+ Build an image that employs the ARMADA SoC's trusted boot framework
+ for securely booting images.
+
+config SECURED_MODE_CSK_INDEX
+ int "Index of active CSK"
+ default 0
+ depends on SECURED_MODE_IMAGE
+
endif
diff --git a/arch/arm/mach-mvebu/Makefile b/arch/arm/mach-mvebu/Makefile
index 65e90c4..d4210af 100644
--- a/arch/arm/mach-mvebu/Makefile
+++ b/arch/arm/mach-mvebu/Makefile
@@ -27,6 +27,7 @@
obj-$(CONFIG_ARMADA_375) += ../../../drivers/ddr/marvell/axp/xor.o
obj-$(CONFIG_ARMADA_38X) += ../../../drivers/ddr/marvell/a38x/xor.o
obj-$(CONFIG_ARMADA_XP) += ../../../drivers/ddr/marvell/axp/xor.o
+obj-$(CONFIG_MVEBU_EFUSE) += efuse.o
endif # CONFIG_SPL_BUILD
obj-y += gpio.o
obj-y += mbus.o
diff --git a/arch/arm/mach-mvebu/efuse.c b/arch/arm/mach-mvebu/efuse.c
new file mode 100644
index 0000000..67fcadc
--- /dev/null
+++ b/arch/arm/mach-mvebu/efuse.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2015-2016 Reinhard Pfau <reinhard.pfau@gdsys.cc>
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ */
+
+#include <config.h>
+#include <common.h>
+#include <errno.h>
+#include <asm/io.h>
+#include <asm/arch/cpu.h>
+#include <asm/arch/efuse.h>
+#include <asm/arch/soc.h>
+#include <linux/mbus.h>
+
+#if defined(CONFIG_MVEBU_EFUSE_FAKE)
+#define DRY_RUN
+#else
+#undef DRY_RUN
+#endif
+
+#define MBUS_EFUSE_BASE 0xF6000000
+#define MBUS_EFUSE_SIZE BIT(20)
+
+#define MVEBU_EFUSE_CONTROL (MVEBU_REGISTER(0xE4008))
+
+enum {
+ MVEBU_EFUSE_CTRL_PROGRAM_ENABLE = (1 << 31),
+};
+
+struct mvebu_hd_efuse {
+ u32 bits_31_0;
+ u32 bits_63_32;
+ u32 bit64;
+ u32 reserved0;
+};
+
+#ifndef DRY_RUN
+static struct mvebu_hd_efuse *efuses =
+ (struct mvebu_hd_efuse *)(MBUS_EFUSE_BASE + 0xF9000);
+#else
+static struct mvebu_hd_efuse efuses[EFUSE_LINE_MAX + 1];
+#endif
+
+static int efuse_initialised;
+
+static struct mvebu_hd_efuse *get_efuse_line(int nr)
+{
+ if (nr < 0 || nr > 63 || !efuse_initialised)
+ return NULL;
+
+ return efuses + nr;
+}
+
+static void enable_efuse_program(void)
+{
+#ifndef DRY_RUN
+ setbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
+#endif
+}
+
+static void disable_efuse_program(void)
+{
+#ifndef DRY_RUN
+ clrbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
+#endif
+}
+
+static int do_prog_efuse(struct mvebu_hd_efuse *efuse,
+ struct efuse_val *new_val, u32 mask0, u32 mask1)
+{
+ struct efuse_val val;
+
+ val.dwords.d[0] = readl(&efuse->bits_31_0);
+ val.dwords.d[1] = readl(&efuse->bits_63_32);
+ val.lock = readl(&efuse->bit64);
+
+ if (val.lock & 1)
+ return -EPERM;
+
+ val.dwords.d[0] |= (new_val->dwords.d[0] & mask0);
+ val.dwords.d[1] |= (new_val->dwords.d[1] & mask1);
+ val.lock |= new_val->lock;
+
+ writel(val.dwords.d[0], &efuse->bits_31_0);
+ mdelay(1);
+ writel(val.dwords.d[1], &efuse->bits_63_32);
+ mdelay(1);
+ writel(val.lock, &efuse->bit64);
+ mdelay(5);
+
+ return 0;
+}
+
+static int prog_efuse(int nr, struct efuse_val *new_val, u32 mask0, u32 mask1)
+{
+ struct mvebu_hd_efuse *efuse;
+ int res = 0;
+
+ res = mvebu_efuse_init_hw();
+ if (res)
+ return res;
+
+ efuse = get_efuse_line(nr);
+ if (!efuse)
+ return -ENODEV;
+
+ if (!new_val)
+ return -EINVAL;
+
+ /* only write a fuse line with lock bit */
+ if (!new_val->lock)
+ return -EINVAL;
+
+ /* according to specs ECC protection bits must be 0 on write */
+ if (new_val->bytes.d[7] & 0xFE)
+ return -EINVAL;
+
+ if (!new_val->dwords.d[0] && !new_val->dwords.d[1] && (mask0 | mask1))
+ return 0;
+
+ enable_efuse_program();
+
+ res = do_prog_efuse(efuse, new_val, mask0, mask1);
+
+ disable_efuse_program();
+
+ return res;
+}
+
+int mvebu_efuse_init_hw(void)
+{
+ int ret;
+
+ if (efuse_initialised)
+ return 0;
+
+ ret = mvebu_mbus_add_window_by_id(
+ CPU_TARGET_SATA23_DFX, 0xA, MBUS_EFUSE_BASE, MBUS_EFUSE_SIZE);
+
+ if (ret)
+ return ret;
+
+ efuse_initialised = 1;
+
+ return 0;
+}
+
+int mvebu_read_efuse(int nr, struct efuse_val *val)
+{
+ struct mvebu_hd_efuse *efuse;
+ int res;
+
+ res = mvebu_efuse_init_hw();
+ if (res)
+ return res;
+
+ efuse = get_efuse_line(nr);
+ if (!efuse)
+ return -ENODEV;
+
+ if (!val)
+ return -EINVAL;
+
+ val->dwords.d[0] = readl(&efuse->bits_31_0);
+ val->dwords.d[1] = readl(&efuse->bits_63_32);
+ val->lock = readl(&efuse->bit64);
+ return 0;
+}
+
+int mvebu_write_efuse(int nr, struct efuse_val *val)
+{
+ return prog_efuse(nr, val, ~0, ~0);
+}
+
+int mvebu_lock_efuse(int nr)
+{
+ struct efuse_val val = {
+ .lock = 1,
+ };
+
+ return prog_efuse(nr, &val, 0, 0);
+}
+
+/*
+ * wrapper funcs providing the fuse API
+ *
+ * we use the following mapping:
+ * "bank" -> eFuse line
+ * "word" -> 0: bits 0-31
+ * 1: bits 32-63
+ * 2: bit 64 (lock)
+ */
+
+static struct efuse_val prog_val;
+static int valid_prog_words;
+
+int fuse_read(u32 bank, u32 word, u32 *val)
+{
+ struct efuse_val fuse_line;
+ int res;
+
+ if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
+ return -EINVAL;
+
+ res = mvebu_read_efuse(bank, &fuse_line);
+ if (res)
+ return res;
+
+ if (word < 2)
+ *val = fuse_line.dwords.d[word];
+ else
+ *val = fuse_line.lock;
+
+ return res;
+}
+
+int fuse_sense(u32 bank, u32 word, u32 *val)
+{
+ /* not supported */
+ return -ENOSYS;
+}
+
+int fuse_prog(u32 bank, u32 word, u32 val)
+{
+ int res = 0;
+
+ /*
+ * NOTE: Fuse line should be written as whole.
+ * So how can we do that with this API?
+ * For now: remember values for word == 0 and word == 1 and write the
+ * whole line when word == 2.
+ * This implies that we always require all 3 fuse prog cmds (one for
+ * for each word) to write a single fuse line.
+ * Exception is a single write to word 2 which will lock the fuse line.
+ *
+ * Hope that will be OK.
+ */
+
+ if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
+ return -EINVAL;
+
+ if (word < 2) {
+ prog_val.dwords.d[word] = val;
+ valid_prog_words |= (1 << word);
+ } else if ((valid_prog_words & 3) == 0 && val) {
+ res = mvebu_lock_efuse(bank);
+ valid_prog_words = 0;
+ } else if ((valid_prog_words & 3) != 3 || !val) {
+ res = -EINVAL;
+ } else {
+ prog_val.lock = val != 0;
+ res = mvebu_write_efuse(bank, &prog_val);
+ valid_prog_words = 0;
+ }
+
+ return res;
+}
+
+int fuse_override(u32 bank, u32 word, u32 val)
+{
+ /* not supported */
+ return -ENOSYS;
+}
diff --git a/arch/arm/mach-mvebu/include/mach/cpu.h b/arch/arm/mach-mvebu/include/mach/cpu.h
index 66f7680..d241eea 100644
--- a/arch/arm/mach-mvebu/include/mach/cpu.h
+++ b/arch/arm/mach-mvebu/include/mach/cpu.h
@@ -36,7 +36,9 @@
CPU_TARGET_ETH01 = 0x7,
CPU_TARGET_PCIE13 = 0x8,
CPU_TARGET_SASRAM = 0x9,
+ CPU_TARGET_SATA01 = 0xa, /* A38X */
CPU_TARGET_NAND = 0xd,
+ CPU_TARGET_SATA23_DFX = 0xe, /* A38X */
};
enum cpu_attrib {
diff --git a/arch/arm/mach-mvebu/include/mach/efuse.h b/arch/arm/mach-mvebu/include/mach/efuse.h
new file mode 100644
index 0000000..ef693e6
--- /dev/null
+++ b/arch/arm/mach-mvebu/include/mach/efuse.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015 Reinhard Pfau <reinhard.pfau@gdsys.cc>
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ */
+
+#ifndef _MVEBU_EFUSE_H
+#define _MVEBU_EFUSE_H
+
+#include <common.h>
+
+struct efuse_val {
+ union {
+ struct {
+ u8 d[8];
+ } bytes;
+ struct {
+ u16 d[4];
+ } words;
+ struct {
+ u32 d[2];
+ } dwords;
+ };
+ u32 lock;
+};
+
+#if defined(CONFIG_ARMADA_38X)
+
+enum efuse_line {
+ EFUSE_LINE_SECURE_BOOT = 24,
+ EFUSE_LINE_PUBKEY_DIGEST_0 = 26,
+ EFUSE_LINE_PUBKEY_DIGEST_1 = 27,
+ EFUSE_LINE_PUBKEY_DIGEST_2 = 28,
+ EFUSE_LINE_PUBKEY_DIGEST_3 = 29,
+ EFUSE_LINE_PUBKEY_DIGEST_4 = 30,
+ EFUSE_LINE_CSK_0_VALID = 31,
+ EFUSE_LINE_CSK_1_VALID = 32,
+ EFUSE_LINE_CSK_2_VALID = 33,
+ EFUSE_LINE_CSK_3_VALID = 34,
+ EFUSE_LINE_CSK_4_VALID = 35,
+ EFUSE_LINE_CSK_5_VALID = 36,
+ EFUSE_LINE_CSK_6_VALID = 37,
+ EFUSE_LINE_CSK_7_VALID = 38,
+ EFUSE_LINE_CSK_8_VALID = 39,
+ EFUSE_LINE_CSK_9_VALID = 40,
+ EFUSE_LINE_CSK_10_VALID = 41,
+ EFUSE_LINE_CSK_11_VALID = 42,
+ EFUSE_LINE_CSK_12_VALID = 43,
+ EFUSE_LINE_CSK_13_VALID = 44,
+ EFUSE_LINE_CSK_14_VALID = 45,
+ EFUSE_LINE_CSK_15_VALID = 46,
+ EFUSE_LINE_FLASH_ID = 47,
+ EFUSE_LINE_BOX_ID = 48,
+
+ EFUSE_LINE_MIN = 0,
+ EFUSE_LINE_MAX = 63,
+};
+
+#endif
+
+int mvebu_efuse_init_hw(void);
+
+int mvebu_read_efuse(int nr, struct efuse_val *val);
+
+int mvebu_write_efuse(int nr, struct efuse_val *val);
+
+int mvebu_lock_efuse(int nr);
+
+#endif