GitHub-Mirror/u-boot
2
0
Fork 0
mirror of https://github.com/Fishwaldo/u-boot.git synced 2025-03-21 06:31:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge git://www.denx.de/git/u-boot-marvell

Browse source
This commit is contained in:
Tom Rini 2017-02-01 06:57:35 -05:00
commit f77309d343
22 changed files with 1973 additions and 192 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Makefile
View file

@ -957,7 +957,8 @@ MKIMAGEFLAGS_u-boot.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE) \
$(if $(KEYDIR),-k $(KEYDIR))
MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \
-R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage

35
arch/arm/mach-mvebu/Kconfig
View file

@ -1,5 +1,9 @@
if ARCH_MVEBU
config HAVE_MVEBU_EFUSE
bool
default n
config ARMADA_32BIT
bool
select CPU_V7
@ -23,6 +27,7 @@ config ARMADA_375
config ARMADA_38X
bool
select ARMADA_32BIT
select HAVE_MVEBU_EFUSE
config ARMADA_XP
bool
@ -146,4 +151,34 @@ config SYS_VENDOR
config SYS_SOC
default "mvebu"
config MVEBU_EFUSE
bool "Enable eFuse support"
default n
depends on HAVE_MVEBU_EFUSE
help
Enable support for reading and writing eFuses on mvebu SoCs.
config MVEBU_EFUSE_FAKE
bool "Fake eFuse access (dry run)"
default n
depends on MVEBU_EFUSE
help
This enables a "dry run" mode where eFuses are not really programmed.
Instead the eFuse accesses are emulated by writing to and reading
from a memory block.
This is can be used for testing prog scripts.
config SECURED_MODE_IMAGE
bool "Build image for trusted boot"
default false
depends on 88F6820
help
Build an image that employs the ARMADA SoC's trusted boot framework
for securely booting images.
config SECURED_MODE_CSK_INDEX
int "Index of active CSK"
default 0
depends on SECURED_MODE_IMAGE
endif

1
arch/arm/mach-mvebu/Makefile
View file

@ -27,6 +27,7 @@ ifndef CONFIG_SPL_BUILD
obj-$(CONFIG_ARMADA_375) += ../../../drivers/ddr/marvell/axp/xor.o
obj-$(CONFIG_ARMADA_38X) += ../../../drivers/ddr/marvell/a38x/xor.o
obj-$(CONFIG_ARMADA_XP) += ../../../drivers/ddr/marvell/axp/xor.o
obj-$(CONFIG_MVEBU_EFUSE) += efuse.o
endif # CONFIG_SPL_BUILD
obj-y += gpio.o
obj-y += mbus.o

264
arch/arm/mach-mvebu/efuse.c Normal file
View file

@ -0,0 +1,264 @@
/*
* Copyright (C) 2015-2016 Reinhard Pfau <reinhard.pfau@gdsys.cc>
*
* SPDX-License-Identifier: GPL-2.0+
*/
#include <config.h>
#include <common.h>
#include <errno.h>
#include <asm/io.h>
#include <asm/arch/cpu.h>
#include <asm/arch/efuse.h>
#include <asm/arch/soc.h>
#include <linux/mbus.h>
#if defined(CONFIG_MVEBU_EFUSE_FAKE)
#define DRY_RUN
#else
#undef DRY_RUN
#endif
#define MBUS_EFUSE_BASE 0xF6000000
#define MBUS_EFUSE_SIZE BIT(20)
#define MVEBU_EFUSE_CONTROL (MVEBU_REGISTER(0xE4008))
enum {
MVEBU_EFUSE_CTRL_PROGRAM_ENABLE = (1 << 31),
};
struct mvebu_hd_efuse {
u32 bits_31_0;
u32 bits_63_32;
u32 bit64;
u32 reserved0;
};
#ifndef DRY_RUN
static struct mvebu_hd_efuse *efuses =
(struct mvebu_hd_efuse *)(MBUS_EFUSE_BASE + 0xF9000);
#else
static struct mvebu_hd_efuse efuses[EFUSE_LINE_MAX + 1];
#endif
static int efuse_initialised;
static struct mvebu_hd_efuse *get_efuse_line(int nr)
{
if (nr < 0 || nr > 63 || !efuse_initialised)
return NULL;
return efuses + nr;
}
static void enable_efuse_program(void)
{
#ifndef DRY_RUN
setbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
#endif
}
static void disable_efuse_program(void)
{
#ifndef DRY_RUN
clrbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
#endif
}
static int do_prog_efuse(struct mvebu_hd_efuse *efuse,
struct efuse_val *new_val, u32 mask0, u32 mask1)
{
struct efuse_val val;
val.dwords.d[0] = readl(&efuse->bits_31_0);
val.dwords.d[1] = readl(&efuse->bits_63_32);
val.lock = readl(&efuse->bit64);
if (val.lock & 1)
return -EPERM;
val.dwords.d[0] |= (new_val->dwords.d[0] & mask0);
val.dwords.d[1] |= (new_val->dwords.d[1] & mask1);
val.lock |= new_val->lock;
writel(val.dwords.d[0], &efuse->bits_31_0);
mdelay(1);
writel(val.dwords.d[1], &efuse->bits_63_32);
mdelay(1);
writel(val.lock, &efuse->bit64);
mdelay(5);
return 0;
}
static int prog_efuse(int nr, struct efuse_val *new_val, u32 mask0, u32 mask1)
{
struct mvebu_hd_efuse *efuse;
int res = 0;
res = mvebu_efuse_init_hw();
if (res)
return res;
efuse = get_efuse_line(nr);
if (!efuse)
return -ENODEV;
if (!new_val)
return -EINVAL;
/* only write a fuse line with lock bit */
if (!new_val->lock)
return -EINVAL;
/* according to specs ECC protection bits must be 0 on write */
if (new_val->bytes.d[7] & 0xFE)
return -EINVAL;
if (!new_val->dwords.d[0] && !new_val->dwords.d[1] && (mask0 | mask1))
return 0;
enable_efuse_program();
res = do_prog_efuse(efuse, new_val, mask0, mask1);
disable_efuse_program();
return res;
}
int mvebu_efuse_init_hw(void)
{
int ret;
if (efuse_initialised)
return 0;
ret = mvebu_mbus_add_window_by_id(
CPU_TARGET_SATA23_DFX, 0xA, MBUS_EFUSE_BASE, MBUS_EFUSE_SIZE);
if (ret)
return ret;
efuse_initialised = 1;
return 0;
}
int mvebu_read_efuse(int nr, struct efuse_val *val)
{
struct mvebu_hd_efuse *efuse;
int res;
res = mvebu_efuse_init_hw();
if (res)
return res;
efuse = get_efuse_line(nr);
if (!efuse)
return -ENODEV;
if (!val)
return -EINVAL;
val->dwords.d[0] = readl(&efuse->bits_31_0);
val->dwords.d[1] = readl(&efuse->bits_63_32);
val->lock = readl(&efuse->bit64);
return 0;
}
int mvebu_write_efuse(int nr, struct efuse_val *val)
{
return prog_efuse(nr, val, ~0, ~0);
}
int mvebu_lock_efuse(int nr)
{
struct efuse_val val = {
.lock = 1,
};
return prog_efuse(nr, &val, 0, 0);
}
/*
* wrapper funcs providing the fuse API
*
* we use the following mapping:
* "bank" -> eFuse line
* "word" -> 0: bits 0-31
* 1: bits 32-63
* 2: bit 64 (lock)
*/
static struct efuse_val prog_val;
static int valid_prog_words;
int fuse_read(u32 bank, u32 word, u32 *val)
{
struct efuse_val fuse_line;
int res;
if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
return -EINVAL;
res = mvebu_read_efuse(bank, &fuse_line);
if (res)
return res;
if (word < 2)
*val = fuse_line.dwords.d[word];
else
*val = fuse_line.lock;
return res;
}
int fuse_sense(u32 bank, u32 word, u32 *val)
{
/* not supported */
return -ENOSYS;
}
int fuse_prog(u32 bank, u32 word, u32 val)
{
int res = 0;
/*
* NOTE: Fuse line should be written as whole.
* So how can we do that with this API?
* For now: remember values for word == 0 and word == 1 and write the
* whole line when word == 2.
* This implies that we always require all 3 fuse prog cmds (one for
* for each word) to write a single fuse line.
* Exception is a single write to word 2 which will lock the fuse line.
*
* Hope that will be OK.
*/
if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
return -EINVAL;
if (word < 2) {
prog_val.dwords.d[word] = val;
valid_prog_words |= (1 << word);
} else if ((valid_prog_words & 3) == 0 && val) {
res = mvebu_lock_efuse(bank);
valid_prog_words = 0;
} else if ((valid_prog_words & 3) != 3 || !val) {
res = -EINVAL;
} else {
prog_val.lock = val != 0;
res = mvebu_write_efuse(bank, &prog_val);
valid_prog_words = 0;
}
return res;
}
int fuse_override(u32 bank, u32 word, u32 val)
{
/* not supported */
return -ENOSYS;
}

2
arch/arm/mach-mvebu/include/mach/cpu.h
View file

@ -36,7 +36,9 @@ enum cpu_target {
CPU_TARGET_ETH01 = 0x7,
CPU_TARGET_PCIE13 = 0x8,
CPU_TARGET_SASRAM = 0x9,
CPU_TARGET_SATA01 = 0xa, /* A38X */
CPU_TARGET_NAND = 0xd,
CPU_TARGET_SATA23_DFX = 0xe, /* A38X */
};
enum cpu_attrib {

69
arch/arm/mach-mvebu/include/mach/efuse.h Normal file
View file

@ -0,0 +1,69 @@
/*
* Copyright (C) 2015 Reinhard Pfau <reinhard.pfau@gdsys.cc>
*
* SPDX-License-Identifier: GPL-2.0+
*/
#ifndef _MVEBU_EFUSE_H
#define _MVEBU_EFUSE_H
#include <common.h>
struct efuse_val {
union {
struct {
u8 d[8];
} bytes;
struct {
u16 d[4];
} words;
struct {
u32 d[2];
} dwords;
};
u32 lock;
};
#if defined(CONFIG_ARMADA_38X)
enum efuse_line {
EFUSE_LINE_SECURE_BOOT = 24,
EFUSE_LINE_PUBKEY_DIGEST_0 = 26,
EFUSE_LINE_PUBKEY_DIGEST_1 = 27,
EFUSE_LINE_PUBKEY_DIGEST_2 = 28,
EFUSE_LINE_PUBKEY_DIGEST_3 = 29,
EFUSE_LINE_PUBKEY_DIGEST_4 = 30,
EFUSE_LINE_CSK_0_VALID = 31,
EFUSE_LINE_CSK_1_VALID = 32,
EFUSE_LINE_CSK_2_VALID = 33,
EFUSE_LINE_CSK_3_VALID = 34,
EFUSE_LINE_CSK_4_VALID = 35,
EFUSE_LINE_CSK_5_VALID = 36,
EFUSE_LINE_CSK_6_VALID = 37,
EFUSE_LINE_CSK_7_VALID = 38,
EFUSE_LINE_CSK_8_VALID = 39,
EFUSE_LINE_CSK_9_VALID = 40,
EFUSE_LINE_CSK_10_VALID = 41,
EFUSE_LINE_CSK_11_VALID = 42,
EFUSE_LINE_CSK_12_VALID = 43,
EFUSE_LINE_CSK_13_VALID = 44,
EFUSE_LINE_CSK_14_VALID = 45,
EFUSE_LINE_CSK_15_VALID = 46,
EFUSE_LINE_FLASH_ID = 47,
EFUSE_LINE_BOX_ID = 48,
EFUSE_LINE_MIN = 0,
EFUSE_LINE_MAX = 63,
};
#endif
int mvebu_efuse_init_hw(void);
int mvebu_read_efuse(int nr, struct efuse_val *val);
int mvebu_write_efuse(int nr, struct efuse_val *val);
int mvebu_lock_efuse(int nr);
#endif

1
arch/arm/mach-mvebu/include/mach/soc.h
View file

@ -67,6 +67,7 @@
#define MVEBU_REG_PCIE_BASE (MVEBU_REGISTER(0x40000))
#define MVEBU_AXP_USB_BASE (MVEBU_REGISTER(0x50000))
#define MVEBU_USB20_BASE (MVEBU_REGISTER(0x58000))
#define MVEBU_REG_PCIE0_BASE (MVEBU_REGISTER(0x80000))
#define MVEBU_AXP_SATA_BASE (MVEBU_REGISTER(0xa0000))
#define MVEBU_SATA0_BASE (MVEBU_REGISTER(0xa8000))
#define MVEBU_NAND_BASE (MVEBU_REGISTER(0xd0000))

8
arch/arm/mach-mvebu/serdes/a38x/ctrl_pex.c
View file

@ -13,6 +13,11 @@
#include "ctrl_pex.h"
#include "sys_env_lib.h"
__weak void board_pex_config(void)
{
/* nothing in this weak default implementation */
}
int hws_pex_config(const struct serdes_map *serdes_map, u8 count)
{
u32 pex_idx, tmp, next_busno, first_busno, temp_pex_reg,
@ -77,6 +82,9 @@ int hws_pex_config(const struct serdes_map *serdes_map, u8 count)
/* Support gen1/gen2 */
DEBUG_INIT_FULL_S("Support gen1/gen2\n");
board_pex_config();
next_busno = 0;
mdelay(150);

2
arch/arm/mach-mvebu/serdes/a38x/ctrl_pex.h
View file

@ -83,4 +83,6 @@ int pex_local_bus_num_set(u32 pex_if, u32 bus_num);
int pex_local_dev_num_set(u32 pex_if, u32 dev_num);
u32 pex_config_read(u32 pex_if, u32 bus, u32 dev, u32 func, u32 reg_off);
void board_pex_config(void);
#endif

2
arch/arm/mach-mvebu/spl.c
View file

@ -13,8 +13,6 @@
#include <asm/arch/cpu.h>
#include <asm/arch/soc.h>
DECLARE_GLOBAL_DATA_PTR;
static u32 get_boot_device(void)
{
u32 val;

9
board/gdsys/p1022/controlcenterd-id.c
View file

@ -43,15 +43,6 @@
#define CCDM_AUTO_FIRST_STAGE
#endif
/* enums from TCG specs */
enum {
/* capability areas */
TPM_CAP_NV_INDEX = 0x00000011,
TPM_CAP_HANDLE = 0x00000014,
/* resource types */
TPM_RT_KEY = 0x00000001,
};
/* CCDM specific contants */
enum {
/* NV indices */

70
cmd/tpm.c
View file

@ -646,6 +646,64 @@ TPM_COMMAND_NO_ARG(tpm_end_oiap)
#endif /* CONFIG_TPM_AUTH_SESSIONS */
#ifdef CONFIG_TPM_FLUSH_RESOURCES
static int do_tpm_flush(cmd_tbl_t *cmdtp, int flag, int argc,
char * const argv[])
{
int type = 0;
if (argc != 2)
return CMD_RET_USAGE;
if (strcasecmp(argv[1], "key"))
type = TPM_RT_KEY;
else if (strcasecmp(argv[1], "auth"))
type = TPM_RT_AUTH;
else if (strcasecmp(argv[1], "hash"))
type = TPM_RT_HASH;
else if (strcasecmp(argv[1], "trans"))
type = TPM_RT_TRANS;
else if (strcasecmp(argv[1], "context"))
type = TPM_RT_CONTEXT;
else if (strcasecmp(argv[1], "counter"))
type = TPM_RT_COUNTER;
else if (strcasecmp(argv[1], "delegate"))
type = TPM_RT_DELEGATE;
else if (strcasecmp(argv[1], "daa_tpm"))
type = TPM_RT_DAA_TPM;
else if (strcasecmp(argv[1], "daa_v0"))
type = TPM_RT_DAA_V0;
else if (strcasecmp(argv[1], "daa_v1"))
type = TPM_RT_DAA_V1;
if (strcasecmp(argv[2], "all")) {
uint16_t res_count;
uint8_t buf[288];
uint8_t *ptr;
int err;
uint i;
/* fetch list of already loaded resources in the TPM */
err = tpm_get_capability(TPM_CAP_HANDLE, type, buf,
sizeof(buf));
if (err)
return -1;
res_count = get_unaligned_be16(buf);
ptr = buf + 2;
for (i = 0; i < res_count; ++i, ptr += 4)
tpm_flush_specific(get_unaligned_be32(ptr), type);
} else {
uint32_t handle = simple_strtoul(argv[2], NULL, 0);
if (!handle)
return -1;
tpm_flush_specific(cpu_to_be32(handle), type);
}
return 0;
}
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
#define MAKE_TPM_CMD_ENTRY(cmd) \
U_BOOT_CMD_MKENT(cmd, 0, 1, do_tpm_ ## cmd, "", "")
@ -701,6 +759,10 @@ static cmd_tbl_t tpm_commands[] = {
U_BOOT_CMD_MKENT(get_pub_key_oiap, 0, 1,
do_tpm_get_pub_key_oiap, "", ""),
#endif /* CONFIG_TPM_AUTH_SESSIONS */
#ifdef CONFIG_TPM_FLUSH_RESOURCES
U_BOOT_CMD_MKENT(flush, 0, 1,
do_tpm_flush, "", ""),
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
};
static int do_tpm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
@ -750,6 +812,14 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm,
" get_capability cap_area sub_cap addr count\n"
" - Read <count> bytes of TPM capability indexed by <cap_area> and\n"
" <sub_cap> to memory address <addr>.\n"
#ifdef CONFIG_TPM_FLUSH_RESOURCES
"Resource management functions\n"
" flush resource_type id\n"
" - flushes a resource of type <resource_type> (may be one of key, auth,\n"
" hash, trans, context, counter, delegate, daa_tpm, daa_v0, daa_v1),\n"
" and id <id> from the TPM. Use an <id> of \"all\" to flush all\n"
" resources of that type.\n"
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
#ifdef CONFIG_TPM_AUTH_SESSIONS
"Storage functions\n"
" loadkey2_oiap parent_handle key_addr key_len usage_auth\n"

373
doc/README.armada-secureboot Normal file
View file

@ -0,0 +1,373 @@
The trusted boot framework on Marvell Armada 38x
================================================
Contents:
1. Overview of the trusted boot
2. Terminology
3. Boot image layout
4. The secured header
5. The secured boot flow
6. Usage example
7. Work to be done
8. Bibliography
1. Overview of the trusted boot
-------------------------------
The Armada's trusted boot framework enables the SoC to cryptographically verify
a specially prepared boot image. This can be used to establish a chain of trust
from the boot firmware all the way to the OS.
To achieve this, the Armada SoC requires a specially prepared boot image, which
contains the relevant cryptographic data, as well as other information
pertaining to the boot process. Furthermore, a eFuse structure (a
one-time-writeable memory) need to be configured in the correct way.
Roughly, the secure boot process works as follows:
* Load the header block of the boot image, extract a special "root" public RSA
key from it, and verify its SHA-256 hash against a SHA-256 stored in a eFuse
field.
* Load an array of code signing public RSA keys from the header block, and
verify its RSA signature (contained in the header block as well) using the
"root" RSA key.
* Choose a code signing key, and use it to verify the header block (excluding
the key array).
* Verify the binary image's signature (contained in the header block) using the
code signing key.
* If all checks pass successfully, boot the image.
The chain of trust is thus as follows:
* The SHA-256 value in the eFuse field verifies the "root" public key.
* The "root" public key verifies the code signing key array.
* The selected code signing key verifies the header block and the binary image.
In the special case of building a boot image containing U-Boot as the binary
image, which employs this trusted boot framework, the following tasks need to
be addressed:
1. Creation of the needed cryptographic key material.
2. Creation of a conforming boot image containing the U-Boot image as binary
image.
3. Burning the necessary eFuse values.
(1) will be addressed later, (2) will be taken care of by U-Boot's build
system (some user configuration is required, though), and for (3) the necessary
data (essentially a series of U-Boot commands to be entered at the U-Boot
command prompt) will be created by the build system as well.
The documentation of the trusted boot mode is contained in part 1, chapter
7.2.5 in the functional specification [1], and in application note [2].
2. Terminology
--------------
CSK - Code Signing Key(s): An array of RSA key pairs, which
are used to sign and verify the secured header and the
boot loader image.
KAK - Key Authentication Key: A RSA key pair, which is used
to sign and verify the array of CSKs.
Header block - The first part of the boot image, which contains the
image's headers (also known as "headers block", "boot
header", and "image header")
eFuse - A one-time-writeable memory.
BootROM - The Armada's built-in boot firmware, which is
responsible for verifying and starting secure images.
Boot image - The complete image the SoC's boot firmware loads
(contains the header block and the binary image)
Main header - The header in the header block containing information
and data pertaining to the boot process (used for both
the regular and secured boot processes)
Binary image - The binary code payload of the boot image; in this
case the U-Boot's code (also known as "source image",
or just "image")
Secured header - The specialized header in the header block that
contains information and data pertaining to the
trusted boot (also known as "security header")
Secured boot mode - A special boot mode of the Armada SoC in which secured
images are verified (non-secure images won't boot);
the mode is activated by setting a eFuse field.
Trusted debug mode - A special mode for the trusted boot that allows
debugging of devices employing the trusted boot
framework in a secure manner (untested in the current
implementation).
Trusted boot framework - The ARMADA SoC's implementation of a secure verified
boot process.
3. Boot image layout
--------------------
+-- Boot image --------------------------------------------+
| |
| +-- Header block --------------------------------------+ |
| | Main header | |
| +------------------------------------------------------+ |
| | Secured header | |
| +------------------------------------------------------+ |
| | BIN header(s) | |
| +------------------------------------------------------+ |
| | REG header(s) | |
| +------------------------------------------------------+ |
| | Padding | |
| +------------------------------------------------------+ |
| |
| +------------------------------------------------------+ |
| | Binary image + checksum | |
| +------------------------------------------------------+ |
+----------------------------------------------------------+
4. The secured header
---------------------
For the trusted boot framework, a additional header is added to the boot image.
The following data are relevant for the secure boot:
KAK: The KAK is contained in the secured header in the form
of a RSA-2048 public key in DER format with a length of
524 bytes.
Header block signature: The RSA signature of the header block (excluding the
CSK array), created using the selected CSK.
Binary image signature: The RSA signature of the binary image, created using
the selected CSK.
CSK array: The array of the 16 CSKs as RSA-2048 public keys in DER
format with a length of 8384 = 16 * 524 bytes.
CSK block signature: The RSA signature of the CSK array, created using the
KAK.
NOTE: The JTAG delay, Box ID, and Flash ID header fields do play a role in the
trusted boot process to enable and configure secure debugging, but they were
not tested in the current implementation of the trusted boot in U-Boot.
5. The secured boot flow
------------------------
The steps in the boot flow that are relevant for the trusted boot framework
proceed as follows:
1) Check if trusted boot is enabled, and perform regular boot if it is not.
2) Load the secured header, and verify its checksum.
3) Select the lowest valid CSK from CSK0 to CSK15.
4) Verify the SHA-256 hash of the KAK embedded in the secured header.
5) Verify the RSA signature of the CSK block from the secured header with the
KAK.
6) Verify the header block signature (which excludes the CSK block) from the
secured header with the selected CSK.
7) Load the binary image to the main memory and verify its checksum.
8) Verify the binary image's RSA signature from the secured header with the
selected CSK.
9) Continue the boot process as in the case of the regular boot.
NOTE: All RSA signatures are verified according to the PKCS #1 v2.1 standard
described in [3].
NOTE: The Box ID and Flash ID are checked after step 6, and the trusted debug
mode may be entered there, but since this mode is untested in the current
implementation, it is not described further.
6. Usage example
----------------
### Create key material
To employ the trusted boot framework, cryptographic key material needs to be
created. In the current implementation, two keys are needed to build a valid
secured boot image: The KAK private key and a CSK private key (both have to be
2048 bit RSA keys in PEM format). Note that the usage of more than one CSK is
currently not supported.
NOTE: Since the public key can be generated from the private key, it is
sufficient to store the private key for each key pair.
OpenSSL can be used to generate the needed files kwb_kak.key and kwb_csk.key
(the names of these files have to be configured, see the next section on
kwbimage.cfg settings):
openssl genrsa -out kwb_kak.key 2048
openssl genrsa -out kwb_csk.key 2048
The generated files have to be placed in the U-Boot root directory.
Alternatively, instead of copying the files, symlinks to the private keys can
be placed in the U-Boot root directory.
WARNING: Knowledge of the KAK or CSK private key would enable an attacker to
generate secured boot images containing arbitrary code. Hence, the private keys
should be carefully guarded.
### Create/Modifiy kwbimage.cfg
The Kirkwook architecture in U-Boot employs a special board-specific
configuration file (kwbimage.cfg), which controls various boot image settings
that are interpreted by the BootROM, such as the boot medium. The support the
trusted boot framework, several new options were added to faciliate
configuration of the secured boot.
The configuration file's layout has been retained, only the following new
options were added:
KAK - The name of the KAK RSA private key file in the U-Boot
root directory, without the trailing extension of ".key".
CSK - The name of the (active) CSK RSA private key file in the
U-Boot root directory, without the trailing extension of
".key".
BOX_ID - The BoxID to be used for trusted debugging (a integer
value).
FLASH_ID - The FlashID to be used for trusted debugging (a integer
value).
JTAG_DELAY - The JTAG delay to be used for trusted debugging (a
integer value).
CSK_INDEX - The index of the active CSK (a integer value).
SEC_SPECIALIZED_IMG - Flag to indicate whether to include the BoxID and FlashID
in the image (that is, whether to use the trusted debug
mode or not); no parameters.
SEC_BOOT_DEV - The boot device from which the trusted boot is allowed to
proceed, identified via a numeric ID. The tested values
are 0x34 = NOR flash, 0x31 = SDIO/MMC card; for
additional ID values, consult the documentation in [1].
SEC_FUSE_DUMP - Dump the "fuse prog" commands necessary for writing the
correct eFuse values to a text file in the U-Boot root
directory. The parameter is the architecture for which to
dump the commands (currently only "a38x" is supported).
The parameter values may be hardcoded into the file, but it is also possible to
employ a dynamic approach of creating a Autoconf-like kwbimage.cfg.in, then
reading configuration values from Kconfig options or from the board config
file, and generating the actual kwbimage.cfg from this template using Makefile
mechanisms (see board/gdsys/a38x/Makefile as an example for this approach).
### Set config options
To enable the generation of trusted boot images, the corresponding support
needs to be activated, and a index for the active CSK needs to be selected as
well.
Furthermore, eFuse writing support has to be activated in order to burn the
eFuse structure's values (this option is just needed for programming the eFuse
structure; production boot images may disable it).
ARM architecture
-> [*] Build image for trusted boot
(0) Index of active CSK
-> [*] Enable eFuse support
[ ] Fake eFuse access (dry run)
### Build and test boot image
The creation of the boot image is done via the usual invocation of make (with a
suitably set CROSS_COMPILE environment variable, of course). The resulting boot
image u-boot-spl.kwb can then be tested, if so desired. The hdrparser from [5]
can be used for this purpose. To build the tool, invoke make in the
'tools/marvell/doimage_mv' directory of [5], which builds a stand-alone
hdrparser executable. A test can be conducted by calling hdrparser with the
produced boot image and the following (mandatory) parameters:
./hdrparser -k 0 -t u-boot-spl.kwb
Here we assume that the CSK index is 0 and the boot image file resides in the
same directory (adapt accordingly if needed). The tool should report that all
checksums are valid ("GOOD"), that all signature verifications succeed
("PASSED"), and, finally, that the overall test was successful
("T E S T S U C C E E D E D" in the last line of output).
### Burn eFuse structure
+----------------------------------------------------------+
| WARNING: Burning the eFuse structure is a irreversible |
| operation! Should wrong or corrupted values be used, the |
| board won't boot anymore, and recovery is likely |
| impossible! |
+----------------------------------------------------------+
After the build process has finished, and the SEC_FUSE_DUMP option was set in
the kwbimage.cfg was set, a text file kwb_fuses_a38x.txt should be present in
the U-Boot top-level directory. It contains all the necessary commands to set
the eFuse structure to the values needed for the used KAK digest, as well as
the CSK index, Flash ID and Box ID that were selected in kwbimage.cfg.
Sequentially executing the commands in this file at the U-Boot command prompt
will write these values to the eFuse structure.
If the SEC_FUSE_DUMP option was not set, the commands needed to burn the fuses
have to be crafted by hand. The needed fuse lines can be looked up in [1]; a
rough overview of the process is:
* Burn the KAK public key hash. The hash itself can be found in the file
pub_kak_hash.txt in the U-Boot top-level directory; be careful to account for
the endianness!
* Burn the CSK selection, BoxID, and FlashID
* Enable trusted boot by burning the corresponding fuse (WARNING: this must be
the last fuse line written!)
* Lock the unused fuse lines
The command to employ is the "fuse prog" command previously enabled by setting
the corresponding configuration option.
For the trusted boot, the fuse prog command has a special syntax, since the
ARMADA SoC demands that whole fuse lines (64 bit values) have to be written as
a whole. The fuse prog command itself allows lists of 32 bit words to be
written at a time, but this is translated to a series of single 32 bit write
operations to the fuse line, where the individual 32 bit words are identified
by a "word" counter that is increased for each write.
To work around this restriction, we interpret each line to have three "words"
(0-2): The first and second words are the values to be written to the fuse
line, and the third is a lock flag, which is supposed to lock the fuse line
when set to 1. Writes to the first and second words are memoized between
function calls, and the fuse line is only really written and locked (on writing
the third word) if both words were previously set, so that "incomplete" writes
are prevented. An exception to this is a single write to the third word (index
2) without previously writing neither the first nor the second word, which
locks the fuse line without setting any value; this is needed to lock the
unused fuse lines.
As an example, to write the value 0011223344556677 to fuse line 10, we would
use the following command:
fuse prog -y 10 0 00112233 44556677 1
Here 10 is the fuse line number, 0 is the index of the first word to be
written, 00112233 and 44556677 are the values to be written to the fuse line
(first and second word) and the trailing 1 is the value for the third word
responsible for locking the line.
A "lock-only" command would look like this:
fuse prog -y 11 2 1
Here 11 is the fuse number, 2 is the index of the first word to be written
(notice that we only write to word 2 here; the third word for fuse line
locking), and the 1 is the value for the word we are writing to.
WARNING: According to application note [4], the VHV pin of the SoC must be
connected to a 1.8V source during eFuse programming, but *must* be disconnected
for normal operation. The AN [4] describes a software-controlled circuit (based
on a N-channel or P-channel FET and a free GPIO pin of the SoC) to achieve
this, but a jumper-based circuit should suffice as well. Regardless of the
chosen circuit, the issue needs to be addressed accordingly!
7. Work to be done
------------------
* Add the ability to populate more than one CSK
* Test secure debug
* Test on Armada XP
8. Bibliography
---------------
[1] ARMADA(R) 38x Family High-Performance Single/Dual CPU System on Chip
Functional Specification; MV-S109094-00, Rev. C; August 2, 2015,
Preliminary
[2] AN-383: ARMADA(R) 38x Families Secure Boot Mode Support; MV-S302501-00
Rev. A; March 11, 2015, Preliminary
[3] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifications Version 2.1; February 2003;
https://www.ietf.org/rfc/rfc3447.txt
[4] AN-389: ARMADA(R) VHV Power; MV-S302545-00 Rev. B; January 28, 2016,
Released
[5] Marvell Armada 38x U-Boot support; November 25, 2015;
https://github.com/MarvellEmbeddedProcessors/u-boot-marvell
2017-01-05, Mario Six <mario.six@gdsys.cc>

54
drivers/net/phy/marvell.c
View file

@ -480,6 +480,49 @@ static int m88e1310_config(struct phy_device *phydev)
return genphy_config_aneg(phydev);
}
static int m88e1680_config(struct phy_device *phydev)
{
/*
* As per Marvell Release Notes - Alaska V 88E1680 Rev A2
* Errata Section 4.1
*/
u16 reg;
int res;
/* Matrix LED mode (not neede if single LED mode is used */
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0004);
reg = phy_read(phydev, MDIO_DEVAD_NONE, 27);
reg |= (1 << 5);
phy_write(phydev, MDIO_DEVAD_NONE, 27, reg);
/* QSGMII TX amplitude change */
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x00fd);
phy_write(phydev, MDIO_DEVAD_NONE, 8, 0x0b53);
phy_write(phydev, MDIO_DEVAD_NONE, 7, 0x200d);
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0000);
/* EEE initialization */
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x00ff);
phy_write(phydev, MDIO_DEVAD_NONE, 17, 0xb030);
phy_write(phydev, MDIO_DEVAD_NONE, 16, 0x215c);
phy_write(phydev, MDIO_DEVAD_NONE, 22, 0x00fc);
phy_write(phydev, MDIO_DEVAD_NONE, 24, 0x888c);
phy_write(phydev, MDIO_DEVAD_NONE, 25, 0x888c);
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0000);
phy_write(phydev, MDIO_DEVAD_NONE, 0, 0x9140);
res = genphy_config_aneg(phydev);
if (res < 0)
return res;
/* soft reset */
reg = phy_read(phydev, MDIO_DEVAD_NONE, MII_BMCR);
reg |= BMCR_RESET;
phy_write(phydev, MDIO_DEVAD_NONE, MII_BMCR, reg);
return 0;
}
static struct phy_driver M88E1011S_driver = {
.name = "Marvell 88E1011S",
.uid = 0x1410c60,
@ -580,6 +623,16 @@ static struct phy_driver M88E1310_driver = {
.shutdown = &genphy_shutdown,
};
static struct phy_driver M88E1680_driver = {
.name = "Marvell 88E1680",
.uid = 0x1410ed0,
.mask = 0xffffff0,
.features = PHY_GBIT_FEATURES,
.config = &m88e1680_config,
.startup = &genphy_startup,
.shutdown = &genphy_shutdown,
};
int phy_marvell_init(void)
{
phy_register(&M88E1310_driver);
@ -592,6 +645,7 @@ int phy_marvell_init(void)
phy_register(&M88E1011S_driver);
phy_register(&M88E1510_driver);
phy_register(&M88E1518_driver);
phy_register(&M88E1680_driver);
return 0;
}

25
drivers/pci/pci_mvebu.c
View file

@ -91,25 +91,26 @@ static void __iomem *mvebu_pcie_membase = (void __iomem *)MBUS_PCI_MEM_BASE;
#if defined(CONFIG_ARMADA_38X)
#define PCIE_BASE(if) \
((if) == 0 ? \
MVEBU_REG_PCIE_BASE + 0x40000 : \
MVEBU_REG_PCIE_BASE + 0x4000 * (if))
MVEBU_REG_PCIE0_BASE : \
(MVEBU_REG_PCIE_BASE + 0x4000 * (if - 1)))
/*
* On A38x MV6820 these PEX ports are supported:
* 0 - Port 0.0
* 1 - Port 0.1
* 2 - Port 0.2
* 1 - Port 1.0
* 2 - Port 2.0
* 3 - Port 3.0
*/
#define MAX_PEX 3
#define MAX_PEX 4
static struct mvebu_pcie pcie_bus[MAX_PEX];
static void mvebu_get_port_lane(struct mvebu_pcie *pcie, int pex_idx,
int *mem_target, int *mem_attr)
{
u8 port[] = { 0, 1, 2 };
u8 lane[] = { 0, 0, 0 };
u8 target[] = { 8, 4, 4 };
u8 attr[] = { 0xe8, 0xe8, 0xd8 };
u8 port[] = { 0, 1, 2, 3 };
u8 lane[] = { 0, 0, 0, 0 };
u8 target[] = { 8, 4, 4, 4 };
u8 attr[] = { 0xe8, 0xe8, 0xd8, 0xb8 };
pcie->port = port[pex_idx];
pcie->lane = lane[pex_idx];
@ -351,9 +352,9 @@ void pci_init_board(void)
mvebu_get_port_lane(pcie, i, &mem_target, &mem_attr);
/* Don't read at all from pci registers if port power is down */
if (pcie->lane == 0 && SELECT(soc_ctrl, pcie->port) == 0) {
i += 3;
debug("%s: skipping port %d\n", __func__, pcie->port);
if (SELECT(soc_ctrl, pcie->port) == 0) {
if (pcie->lane == 0)
debug("%s: skipping port %d\n", __func__, pcie->port);
continue;
}

7
drivers/phy/marvell/comphy_a3700.c
View file

@ -884,11 +884,10 @@ void comphy_dedicated_phys_init(void)
}
node = fdt_node_offset_by_compatible(blob, -1,
"marvell,armada-3700-sdio");
"marvell,armada-8k-sdhci");
if (node <= 0) {
debug("No SDIO node in DT, looking for MMC one\n");
node = fdt_node_offset_by_compatible(blob, -1,
"marvell,xenon-sdhci");
node = fdt_node_offset_by_compatible(
blob, -1, "marvell,armada-3700-sdhci");
}
if (node > 0) {

6
drivers/tpm/Kconfig
View file

@ -82,4 +82,10 @@ config TPM_ST33ZP24_SPI
to the device using the standard TPM Interface Specification (TIS)
protocol
config TPM_FLUSH_RESOURCES
bool "Enable TPM resource flushing support"
depends on TPM
help
Enable support to flush specific resources (e.g. keys) from the TPM.
The functionality is available via the 'tpm' command as well.
endmenu

45
include/tpm.h
View file

@ -47,6 +47,42 @@ enum tpm_nv_index {
TPM_NV_INDEX_DIR = 0x10000001,
};
enum tpm_resource_type {
TPM_RT_KEY = 0x00000001,
TPM_RT_AUTH = 0x00000002,
TPM_RT_HASH = 0x00000003,
TPM_RT_TRANS = 0x00000004,
TPM_RT_CONTEXT = 0x00000005,
TPM_RT_COUNTER = 0x00000006,
TPM_RT_DELEGATE = 0x00000007,
TPM_RT_DAA_TPM = 0x00000008,
TPM_RT_DAA_V0 = 0x00000009,
TPM_RT_DAA_V1 = 0x0000000A,
};
enum tpm_capability_areas {
TPM_CAP_ORD = 0x00000001,
TPM_CAP_ALG = 0x00000002,
TPM_CAP_PID = 0x00000003,
TPM_CAP_FLAG = 0x00000004,
TPM_CAP_PROPERTY = 0x00000005,
TPM_CAP_VERSION = 0x00000006,
TPM_CAP_KEY_HANDLE = 0x00000007,
TPM_CAP_CHECK_LOADED = 0x00000008,
TPM_CAP_SYM_MODE = 0x00000009,
TPM_CAP_KEY_STATUS = 0x0000000C,
TPM_CAP_NV_LIST = 0x0000000D,
TPM_CAP_MFR = 0x00000010,
TPM_CAP_NV_INDEX = 0x00000011,
TPM_CAP_TRANS_ALG = 0x00000012,
TPM_CAP_HANDLE = 0x00000014,
TPM_CAP_TRANS_ES = 0x00000015,
TPM_CAP_AUTH_ENCRYPT = 0x00000017,
TPM_CAP_SELECT_SIZE = 0x00000018,
TPM_CAP_DA_LOGIC = 0x00000019,
TPM_CAP_VERSION_VAL = 0x0000001A,
};
#define TPM_NV_PER_GLOBALLOCK (1U << 15)
#define TPM_NV_PER_PPWRITE (1U << 0)
#define TPM_NV_PER_READ_STCLEAR (1U << 31)
@ -594,4 +630,13 @@ uint32_t tpm_get_permanent_flags(struct tpm_permanent_flags *pflags);
*/
uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm);
/**
* Flush a resource with a given handle and type from the TPM
*
* @param key_handle handle of the resource
* @param resource_type type of the resource
* @return return code of the operation
*/
uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type);
#endif /* __TPM_H */

29
lib/tpm.c
View file

@ -645,6 +645,35 @@ uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm)
return 0;
}
#ifdef CONFIG_TPM_FLUSH_RESOURCES
uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type)
{
const uint8_t command[18] = {
0x00, 0xc1, /* TPM_TAG */
0x00, 0x00, 0x00, 0x12, /* parameter size */
0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
0x00, 0x00, 0x00, 0x00, /* key handle */
0x00, 0x00, 0x00, 0x00, /* resource type */
};
const size_t key_handle_offset = 10;
const size_t resource_type_offset = 14;
uint8_t buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
size_t response_length = sizeof(response);
uint32_t err;
if (pack_byte_string(buf, sizeof(buf), "sdd",
0, command, sizeof(command),
key_handle_offset, key_handle,
resource_type_offset, resource_type))
return TPM_LIB_ERROR;
err = tpm_sendrecv_command(buf, response, &response_length);
if (err)
return err;
return 0;
}
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
#ifdef CONFIG_TPM_AUTH_SESSIONS
/**

6
tools/Makefile
View file

@ -142,8 +142,12 @@ ifdef CONFIG_SYS_U_BOOT_OFFS
HOSTCFLAGS_kwbimage.o += -DCONFIG_SYS_U_BOOT_OFFS=$(CONFIG_SYS_U_BOOT_OFFS)
endif
ifneq ($(CONFIG_ARMADA_38X)$(CONFIG_ARMADA_39X),)
HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE
endif
# MXSImage needs LibSSL
ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_ARMADA_39X)$(CONFIG_FIT_SIGNATURE),)
HOSTLOADLIBES_mkimage += \
$(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto")

1117
tools/kwbimage.c
View file

File diff suppressed because it is too large Load diff

37
tools/kwbimage.h
View file

@ -113,6 +113,43 @@ struct opt_hdr_v1 {
char data[0];
};
/*
* Public Key data in DER format
*/
struct pubkey_der_v1 {
uint8_t key[524];
};
/*
* Signature (RSA 2048)
*/
struct sig_v1 {
uint8_t sig[256];
};
/*
* Structure of secure header (Armada 38x)
*/
struct secure_hdr_v1 {
uint8_t headertype; /* 0x0 */
uint8_t headersz_msb; /* 0x1 */
uint16_t headersz_lsb; /* 0x2 - 0x3 */
uint32_t reserved1; /* 0x4 - 0x7 */
struct pubkey_der_v1 kak; /* 0x8 - 0x213 */
uint8_t jtag_delay; /* 0x214 */
uint8_t reserved2; /* 0x215 */
uint16_t reserved3; /* 0x216 - 0x217 */
uint32_t boxid; /* 0x218 - 0x21B */
uint32_t flashid; /* 0x21C - 0x21F */
struct sig_v1 hdrsig; /* 0x220 - 0x31F */
struct sig_v1 imgsig; /* 0x320 - 0x41F */
struct pubkey_der_v1 csk[16]; /* 0x420 - 0x24DF */
struct sig_v1 csksig; /* 0x24E0 - 0x25DF */
uint8_t next; /* 0x25E0 */
uint8_t reserved4; /* 0x25E1 */
uint16_t reserved5; /* 0x25E2 - 0x25E3 */
};
/*
* Various values for the opt_hdr_v1->headertype field, describing the
* different types of optional headers. The "secure" header contains