1 /*
2 * Copyright (c) 2015-2020, Renesas Electronics Corporation. All rights
3 * reserved.
4 *
5 * SPDX-License-Identifier: BSD-3-Clause
6 */
7
8 #include <stddef.h>
9
10 #include <arch_helpers.h>
11 #include <common/debug.h>
12 #include <lib/mmio.h>
13 #include <plat/common/platform.h>
14
15 #include <platform_def.h>
16 #include "rom_api.h"
17
18 typedef int32_t(*secure_boot_api_f) (uint32_t a, uint32_t b, void *c);
19 extern int32_t rcar_get_certificate(const int32_t name, uint32_t *cert_addr);
20
21 #define RCAR_IMAGE_ID_MAX (10)
22 #define RCAR_CERT_MAGIC_NUM (0xE291F358U)
23 #define RCAR_BOOT_KEY_CERT (0xE6300C00U)
24 #define RCAR_BOOT_KEY_CERT_NEW (0xE6300F00U)
25 #define RST_BASE (0xE6160000U)
26 #define RST_MODEMR (RST_BASE + 0x0060U)
27 #define MFISOFTMDR (0xE6260600U)
28 #define MODEMR_MD5_MASK (0x00000020U)
29 #define MODEMR_MD5_SHIFT (5U)
30 #define SOFTMD_BOOTMODE_MASK (0x00000001U)
31 #define SOFTMD_NORMALBOOT (0x1U)
32
33 static secure_boot_api_f secure_boot_api;
34
auth_mod_get_parent_id(unsigned int img_id,unsigned int * parent_id)35 int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id)
36 {
37 return 1;
38 }
39
auth_mod_verify_img(unsigned int img_id,void * ptr,unsigned int len)40 int auth_mod_verify_img(unsigned int img_id, void *ptr, unsigned int len)
41 {
42 int32_t ret = 0, index = 0;
43 uint32_t cert_addr = 0U;
44 static const struct img_to_cert_t {
45 uint32_t id;
46 int32_t cert;
47 const char *name;
48 } image[RCAR_IMAGE_ID_MAX] = {
49 { BL31_IMAGE_ID, SOC_FW_CONTENT_CERT_ID, "BL31" },
50 { BL32_IMAGE_ID, TRUSTED_OS_FW_CONTENT_CERT_ID, "BL32" },
51 { BL33_IMAGE_ID, NON_TRUSTED_FW_CONTENT_CERT_ID, "BL33" },
52 { BL332_IMAGE_ID, BL332_CERT_ID, "BL332" },
53 { BL333_IMAGE_ID, BL333_CERT_ID, "BL333" },
54 { BL334_IMAGE_ID, BL334_CERT_ID, "BL334" },
55 { BL335_IMAGE_ID, BL335_CERT_ID, "BL335" },
56 { BL336_IMAGE_ID, BL336_CERT_ID, "BL336" },
57 { BL337_IMAGE_ID, BL337_CERT_ID, "BL337" },
58 { BL338_IMAGE_ID, BL338_CERT_ID, "BL338" },
59 };
60
61 #if IMAGE_BL2
62 switch (img_id) {
63 case TRUSTED_KEY_CERT_ID:
64 case SOC_FW_KEY_CERT_ID:
65 case TRUSTED_OS_FW_KEY_CERT_ID:
66 case NON_TRUSTED_FW_KEY_CERT_ID:
67 case BL332_KEY_CERT_ID:
68 case BL333_KEY_CERT_ID:
69 case BL334_KEY_CERT_ID:
70 case BL335_KEY_CERT_ID:
71 case BL336_KEY_CERT_ID:
72 case BL337_KEY_CERT_ID:
73 case BL338_KEY_CERT_ID:
74 case SOC_FW_CONTENT_CERT_ID:
75 case TRUSTED_OS_FW_CONTENT_CERT_ID:
76 case NON_TRUSTED_FW_CONTENT_CERT_ID:
77 case BL332_CERT_ID:
78 case BL333_CERT_ID:
79 case BL334_CERT_ID:
80 case BL335_CERT_ID:
81 case BL336_CERT_ID:
82 case BL337_CERT_ID:
83 case BL338_CERT_ID:
84 return ret;
85 case BL31_IMAGE_ID:
86 case BL32_IMAGE_ID:
87 case BL33_IMAGE_ID:
88 case BL332_IMAGE_ID:
89 case BL333_IMAGE_ID:
90 case BL334_IMAGE_ID:
91 case BL335_IMAGE_ID:
92 case BL336_IMAGE_ID:
93 case BL337_IMAGE_ID:
94 case BL338_IMAGE_ID:
95 goto verify_image;
96 default:
97 return -1;
98 }
99
100 verify_image:
101 for (index = 0; index < RCAR_IMAGE_ID_MAX; index++) {
102 if (img_id != image[index].id)
103 continue;
104
105 ret = rcar_get_certificate(image[index].cert, &cert_addr);
106 break;
107 }
108
109 if (ret || (index == RCAR_IMAGE_ID_MAX)) {
110 ERROR("Verification Failed for image id = %d\n", img_id);
111 return ret;
112 }
113 #if RCAR_BL2_DCACHE == 1
114 /* clean and disable */
115 write_sctlr_el3(read_sctlr_el3() & ~SCTLR_C_BIT);
116 dcsw_op_all(DCCISW);
117 #endif
118 ret = (mmio_read_32(RCAR_BOOT_KEY_CERT_NEW) == RCAR_CERT_MAGIC_NUM) ?
119 secure_boot_api(RCAR_BOOT_KEY_CERT_NEW, cert_addr, NULL) :
120 secure_boot_api(RCAR_BOOT_KEY_CERT, cert_addr, NULL);
121 if (ret)
122 ERROR("Verification Failed 0x%x, %s\n", ret, image[index].name);
123
124 #if RCAR_BL2_DCACHE == 1
125 /* enable */
126 write_sctlr_el3(read_sctlr_el3() | SCTLR_C_BIT);
127 #endif /* RCAR_BL2_DCACHE */
128
129 #endif /* IMAGE_BL2 */
130 return ret;
131 }
132
normal_boot_verify(uint32_t a,uint32_t b,void * c)133 static int32_t normal_boot_verify(uint32_t a, uint32_t b, void *c)
134 {
135 return 0;
136 }
137
auth_mod_init(void)138 void auth_mod_init(void)
139 {
140 #if RCAR_SECURE_BOOT
141 uint32_t soft_md = mmio_read_32(MFISOFTMDR) & SOFTMD_BOOTMODE_MASK;
142 uint32_t md = mmio_read_32(RST_MODEMR) & MODEMR_MD5_MASK;
143 uint32_t lcs, ret;
144
145 secure_boot_api = (secure_boot_api_f) &rcar_rom_secure_boot_api;
146
147 ret = rcar_rom_get_lcs(&lcs);
148 if (ret) {
149 ERROR("BL2: Failed to get the LCS. (%d)\n", ret);
150 panic();
151 }
152
153 switch (lcs) {
154 case LCS_SE:
155 if (soft_md == SOFTMD_NORMALBOOT)
156 secure_boot_api = &normal_boot_verify;
157 break;
158 case LCS_SD:
159 secure_boot_api = &normal_boot_verify;
160 break;
161 default:
162 if (md >> MODEMR_MD5_SHIFT)
163 secure_boot_api = &normal_boot_verify;
164 }
165
166 NOTICE("BL2: %s boot\n",
167 secure_boot_api == &normal_boot_verify ? "Normal" : "Secure");
168 #else
169 NOTICE("BL2: Normal boot\n");
170 secure_boot_api = &normal_boot_verify;
171 #endif
172 }
173