1 /*
2  * Copyright (c) 2015-2020, Renesas Electronics Corporation. All rights
3  * reserved.
4  *
5  * SPDX-License-Identifier: BSD-3-Clause
6  */
7 
8 #include <stddef.h>
9 
10 #include <arch_helpers.h>
11 #include <common/debug.h>
12 #include <lib/mmio.h>
13 #include <plat/common/platform.h>
14 
15 #include <platform_def.h>
16 #include "rom_api.h"
17 
18 typedef int32_t(*secure_boot_api_f) (uint32_t a, uint32_t b, void *c);
19 extern int32_t rcar_get_certificate(const int32_t name, uint32_t *cert_addr);
20 
21 #define RCAR_IMAGE_ID_MAX	(10)
22 #define RCAR_CERT_MAGIC_NUM	(0xE291F358U)
23 #define RCAR_BOOT_KEY_CERT	(0xE6300C00U)
24 #define RCAR_BOOT_KEY_CERT_NEW	(0xE6300F00U)
25 #define RST_BASE		(0xE6160000U)
26 #define RST_MODEMR		(RST_BASE + 0x0060U)
27 #define MFISOFTMDR		(0xE6260600U)
28 #define MODEMR_MD5_MASK		(0x00000020U)
29 #define MODEMR_MD5_SHIFT	(5U)
30 #define SOFTMD_BOOTMODE_MASK	(0x00000001U)
31 #define SOFTMD_NORMALBOOT	(0x1U)
32 
33 static secure_boot_api_f secure_boot_api;
34 
auth_mod_get_parent_id(unsigned int img_id,unsigned int * parent_id)35 int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id)
36 {
37 	return 1;
38 }
39 
auth_mod_verify_img(unsigned int img_id,void * ptr,unsigned int len)40 int auth_mod_verify_img(unsigned int img_id, void *ptr, unsigned int len)
41 {
42 	int32_t ret = 0, index = 0;
43 	uint32_t cert_addr = 0U;
44 	static const struct img_to_cert_t {
45 		uint32_t id;
46 		int32_t cert;
47 		const char *name;
48 	} image[RCAR_IMAGE_ID_MAX] = {
49 		{ BL31_IMAGE_ID, SOC_FW_CONTENT_CERT_ID, "BL31" },
50 		{ BL32_IMAGE_ID, TRUSTED_OS_FW_CONTENT_CERT_ID, "BL32" },
51 		{ BL33_IMAGE_ID, NON_TRUSTED_FW_CONTENT_CERT_ID, "BL33" },
52 		{ BL332_IMAGE_ID, BL332_CERT_ID, "BL332" },
53 		{ BL333_IMAGE_ID, BL333_CERT_ID, "BL333" },
54 		{ BL334_IMAGE_ID, BL334_CERT_ID, "BL334" },
55 		{ BL335_IMAGE_ID, BL335_CERT_ID, "BL335" },
56 		{ BL336_IMAGE_ID, BL336_CERT_ID, "BL336" },
57 		{ BL337_IMAGE_ID, BL337_CERT_ID, "BL337" },
58 		{ BL338_IMAGE_ID, BL338_CERT_ID, "BL338" },
59 	};
60 
61 #if IMAGE_BL2
62 	switch (img_id) {
63 	case TRUSTED_KEY_CERT_ID:
64 	case SOC_FW_KEY_CERT_ID:
65 	case TRUSTED_OS_FW_KEY_CERT_ID:
66 	case NON_TRUSTED_FW_KEY_CERT_ID:
67 	case BL332_KEY_CERT_ID:
68 	case BL333_KEY_CERT_ID:
69 	case BL334_KEY_CERT_ID:
70 	case BL335_KEY_CERT_ID:
71 	case BL336_KEY_CERT_ID:
72 	case BL337_KEY_CERT_ID:
73 	case BL338_KEY_CERT_ID:
74 	case SOC_FW_CONTENT_CERT_ID:
75 	case TRUSTED_OS_FW_CONTENT_CERT_ID:
76 	case NON_TRUSTED_FW_CONTENT_CERT_ID:
77 	case BL332_CERT_ID:
78 	case BL333_CERT_ID:
79 	case BL334_CERT_ID:
80 	case BL335_CERT_ID:
81 	case BL336_CERT_ID:
82 	case BL337_CERT_ID:
83 	case BL338_CERT_ID:
84 		return ret;
85 	case BL31_IMAGE_ID:
86 	case BL32_IMAGE_ID:
87 	case BL33_IMAGE_ID:
88 	case BL332_IMAGE_ID:
89 	case BL333_IMAGE_ID:
90 	case BL334_IMAGE_ID:
91 	case BL335_IMAGE_ID:
92 	case BL336_IMAGE_ID:
93 	case BL337_IMAGE_ID:
94 	case BL338_IMAGE_ID:
95 		goto verify_image;
96 	default:
97 		return -1;
98 	}
99 
100 verify_image:
101 	for (index = 0; index < RCAR_IMAGE_ID_MAX; index++) {
102 		if (img_id != image[index].id)
103 			continue;
104 
105 		ret = rcar_get_certificate(image[index].cert, &cert_addr);
106 		break;
107 	}
108 
109 	if (ret || (index == RCAR_IMAGE_ID_MAX)) {
110 		ERROR("Verification Failed for image id = %d\n", img_id);
111 		return ret;
112 	}
113 #if RCAR_BL2_DCACHE == 1
114 	/* clean and disable */
115 	write_sctlr_el3(read_sctlr_el3() & ~SCTLR_C_BIT);
116 	dcsw_op_all(DCCISW);
117 #endif
118 	ret = (mmio_read_32(RCAR_BOOT_KEY_CERT_NEW) == RCAR_CERT_MAGIC_NUM) ?
119 	    secure_boot_api(RCAR_BOOT_KEY_CERT_NEW, cert_addr, NULL) :
120 	    secure_boot_api(RCAR_BOOT_KEY_CERT, cert_addr, NULL);
121 	if (ret)
122 		ERROR("Verification Failed 0x%x, %s\n", ret, image[index].name);
123 
124 #if RCAR_BL2_DCACHE == 1
125 	/* enable */
126 	write_sctlr_el3(read_sctlr_el3() | SCTLR_C_BIT);
127 #endif /* RCAR_BL2_DCACHE */
128 
129 #endif /* IMAGE_BL2 */
130 	return ret;
131 }
132 
normal_boot_verify(uint32_t a,uint32_t b,void * c)133 static int32_t normal_boot_verify(uint32_t a, uint32_t b, void *c)
134 {
135 	return 0;
136 }
137 
auth_mod_init(void)138 void auth_mod_init(void)
139 {
140 #if RCAR_SECURE_BOOT
141 	uint32_t soft_md = mmio_read_32(MFISOFTMDR) & SOFTMD_BOOTMODE_MASK;
142 	uint32_t md = mmio_read_32(RST_MODEMR) & MODEMR_MD5_MASK;
143 	uint32_t lcs, ret;
144 
145 	secure_boot_api = (secure_boot_api_f) &rcar_rom_secure_boot_api;
146 
147 	ret = rcar_rom_get_lcs(&lcs);
148 	if (ret) {
149 		ERROR("BL2: Failed to get the LCS. (%d)\n", ret);
150 		panic();
151 	}
152 
153 	switch (lcs) {
154 	case LCS_SE:
155 		if (soft_md == SOFTMD_NORMALBOOT)
156 			secure_boot_api = &normal_boot_verify;
157 		break;
158 	case LCS_SD:
159 		secure_boot_api = &normal_boot_verify;
160 		break;
161 	default:
162 		if (md >> MODEMR_MD5_SHIFT)
163 			secure_boot_api = &normal_boot_verify;
164 	}
165 
166 	NOTICE("BL2: %s boot\n",
167 	       secure_boot_api == &normal_boot_verify ? "Normal" : "Secure");
168 #else
169 	NOTICE("BL2: Normal boot\n");
170 	secure_boot_api = &normal_boot_verify;
171 #endif
172 }
173