blob: 092588f4b5e64db205781946490863de9efc4e04 [file] [log] [blame]
Andrew F. Davis2ed41072019-04-12 12:54:45 -04001// SPDX-License-Identifier: GPL-2.0
2/*
3 * K3: Security functions
4 *
Andrew Davise74e3bb2022-07-15 11:34:33 -05005 * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/
Andrew F. Davis2ed41072019-04-12 12:54:45 -04006 * Andrew F. Davis <afd@ti.com>
7 */
8
Andrew Davise74e3bb2022-07-15 11:34:33 -05009#include <asm/io.h>
Andrew F. Davis2ed41072019-04-12 12:54:45 -040010#include <common.h>
Andrew F. Davis2dc1e6e2020-01-07 18:22:29 -050011#include <cpu_func.h>
Andrew F. Davis2ed41072019-04-12 12:54:45 -040012#include <dm.h>
Simon Glassf11478f2019-12-28 10:45:07 -070013#include <hang.h>
Simon Glass2dc9c342020-05-10 11:40:01 -060014#include <image.h>
Simon Glass0f2af882020-05-10 11:40:05 -060015#include <log.h>
Simon Glass274e0b02020-05-10 11:39:56 -060016#include <asm/cache.h>
Andrew F. Davis2ed41072019-04-12 12:54:45 -040017#include <linux/soc/ti/ti_sci_protocol.h>
18#include <mach/spl.h>
19#include <spl.h>
Lokesh Vutlaac9ca952019-09-09 12:47:38 +053020#include <asm/arch/sys_proto.h>
Andrew Davisd95fcd82022-10-07 12:12:29 -050021#include <linux/dma-mapping.h>
Andrew F. Davis2ed41072019-04-12 12:54:45 -040022
Andrew Davise74e3bb2022-07-15 11:34:33 -050023#include "common.h"
24
25static bool ti_secure_cert_detected(void *p_image)
26{
27 /* Primitive certificate detection, check for DER starting with
28 * two 4-Octet SEQUENCE tags
29 */
30 return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 &&
31 ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
32}
33
Andrew Davis0ce85432022-07-15 11:34:35 -050034/* Primitive certificate length, assumes one 2-Octet sized SEQUENCE */
35static size_t ti_secure_cert_length(void *p_image)
36{
37 size_t seq_length = be16_to_cpu(readw_relaxed(p_image + 2));
38 /* Add 4 for the SEQUENCE tag length */
39 return seq_length + 4;
40}
41
Tero Kristo738c5902021-06-11 11:45:19 +030042void ti_secure_image_post_process(void **p_image, size_t *p_size)
Andrew F. Davis2ed41072019-04-12 12:54:45 -040043{
Lokesh Vutlaac9ca952019-09-09 12:47:38 +053044 struct ti_sci_handle *ti_sci = get_ti_sci_handle();
45 struct ti_sci_proc_ops *proc_ops = &ti_sci->ops.proc_ops;
Andrew Davis0ce85432022-07-15 11:34:35 -050046 size_t cert_length;
Andrew F. Davis2ed41072019-04-12 12:54:45 -040047 u64 image_addr;
48 u32 image_size;
49 int ret;
50
Andrew F. Davis2dc1e6e2020-01-07 18:22:29 -050051 image_size = *p_size;
Andrew F. Davis2ed41072019-04-12 12:54:45 -040052
Andrew Davis0ce85432022-07-15 11:34:35 -050053 if (!image_size)
54 return;
55
56 if (get_device_type() == K3_DEVICE_TYPE_GP) {
57 if (ti_secure_cert_detected(*p_image)) {
58 printf("Warning: Detected image signing certificate on GP device. "
59 "Skipping certificate to prevent boot failure. "
60 "This will fail if the image was also encrypted\n");
61
62 cert_length = ti_secure_cert_length(*p_image);
63 if (cert_length > *p_size) {
64 printf("Invalid signing certificate size\n");
65 return;
66 }
67
68 *p_image += cert_length;
69 *p_size -= cert_length;
70 }
71
Andrew Davis2045cf12022-07-15 11:34:34 -050072 return;
Andrew Davis0ce85432022-07-15 11:34:35 -050073 }
Andrew Davis2045cf12022-07-15 11:34:34 -050074
Andrew Davise74e3bb2022-07-15 11:34:33 -050075 if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
76 !ti_secure_cert_detected(*p_image)) {
77 printf("Warning: Did not detect image signing certificate. "
78 "Skipping authentication to prevent boot failure. "
79 "This will fail on Security Enforcing(HS-SE) devices\n");
80 return;
81 }
82
Andrew Davisd95fcd82022-10-07 12:12:29 -050083 /* Clean out image so it can be seen by system firmware */
84 image_addr = dma_map_single(*p_image, *p_size, DMA_BIDIRECTIONAL);
85
Andrew F. Davis2ed41072019-04-12 12:54:45 -040086 debug("Authenticating image at address 0x%016llx\n", image_addr);
Andrew F. Davis2dc1e6e2020-01-07 18:22:29 -050087 debug("Authenticating image of size %d bytes\n", image_size);
88
Andrew F. Davis2ed41072019-04-12 12:54:45 -040089 /* Authenticate image */
90 ret = proc_ops->proc_auth_boot_image(ti_sci, &image_addr, &image_size);
91 if (ret) {
92 printf("Authentication failed!\n");
93 hang();
94 }
95
Andrew Davisd95fcd82022-10-07 12:12:29 -050096 /* Invalidate any stale lines over data written by system firmware */
Andrew F. Davis2dc1e6e2020-01-07 18:22:29 -050097 if (image_size)
Andrew Davisd95fcd82022-10-07 12:12:29 -050098 dma_unmap_single(image_addr, image_size, DMA_BIDIRECTIONAL);
Andrew F. Davis2dc1e6e2020-01-07 18:22:29 -050099
Andrew F. Davis2ed41072019-04-12 12:54:45 -0400100 /*
101 * The image_size returned may be 0 when the authentication process has
102 * moved the image. When this happens no further processing on the
103 * image is needed or often even possible as it may have also been
104 * placed behind a firewall when moved.
105 */
106 *p_size = image_size;
107
108 /*
109 * Output notification of successful authentication to re-assure the
110 * user that the secure code is being processed as expected. However
111 * suppress any such log output in case of building for SPL and booting
112 * via YMODEM. This is done to avoid disturbing the YMODEM serial
113 * protocol transactions.
114 */
115 if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
116 IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
117 spl_boot_device() == BOOT_DEVICE_UART))
118 printf("Authentication passed\n");
119}