1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright 2018-2019 NXP
4 */
5
6 #include <common.h>
7 #include <errno.h>
8 #include <log.h>
9 #include <spl.h>
10 #include <asm/arch/image.h>
11 #include <asm/arch/sci/sci.h>
12
13 #define SEC_SECURE_RAM_BASE 0x31800000UL
14 #define SEC_SECURE_RAM_END_BASE (SEC_SECURE_RAM_BASE + 0xFFFFUL)
15 #define SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE 0x60000000UL
16
17 #define SECO_PT 2U
18
19 #ifdef CONFIG_AHAB_BOOT
authenticate_image(struct boot_img_t * img,int image_index)20 static int authenticate_image(struct boot_img_t *img, int image_index)
21 {
22 sc_faddr_t start, end;
23 sc_rm_mr_t mr;
24 int err;
25 int ret = 0;
26
27 debug("img %d, dst 0x%x, src 0x%x, size 0x%x\n",
28 image_index, (uint32_t)img->dst, img->offset, img->size);
29
30 /* Find the memreg and set permission for seco pt */
31 err = sc_rm_find_memreg(-1, &mr,
32 img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1),
33 ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1);
34
35 if (err) {
36 printf("can't find memreg for image %d load address 0x%x, error %d\n",
37 image_index, img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1), err);
38 return -ENOMEM;
39 }
40
41 err = sc_rm_get_memreg_info(-1, mr, &start, &end);
42 if (!err)
43 debug("memreg %u 0x%x -- 0x%x\n", mr, start, end);
44
45 err = sc_rm_set_memreg_permissions(-1, mr,
46 SECO_PT, SC_RM_PERM_FULL);
47 if (err) {
48 printf("set permission failed for img %d, error %d\n",
49 image_index, err);
50 return -EPERM;
51 }
52
53 err = sc_seco_authenticate(-1, SC_SECO_VERIFY_IMAGE,
54 1 << image_index);
55 if (err) {
56 printf("authenticate img %d failed, return %d\n",
57 image_index, err);
58 ret = -EIO;
59 }
60
61 err = sc_rm_set_memreg_permissions(-1, mr,
62 SECO_PT, SC_RM_PERM_NONE);
63 if (err) {
64 printf("remove permission failed for img %d, error %d\n",
65 image_index, err);
66 ret = -EPERM;
67 }
68
69 return ret;
70 }
71 #endif
72
read_auth_image(struct spl_image_info * spl_image,struct spl_load_info * info,struct container_hdr * container,int image_index,u32 container_sector)73 static struct boot_img_t *read_auth_image(struct spl_image_info *spl_image,
74 struct spl_load_info *info,
75 struct container_hdr *container,
76 int image_index,
77 u32 container_sector)
78 {
79 struct boot_img_t *images;
80 ulong sector;
81 u32 sectors;
82
83 if (image_index > container->num_images) {
84 debug("Invalid image number\n");
85 return NULL;
86 }
87
88 images = (struct boot_img_t *)((u8 *)container +
89 sizeof(struct container_hdr));
90
91 if (images[image_index].offset % info->bl_len) {
92 printf("%s: image%d offset not aligned to %u\n",
93 __func__, image_index, info->bl_len);
94 return NULL;
95 }
96
97 sectors = roundup(images[image_index].size, info->bl_len) /
98 info->bl_len;
99 sector = images[image_index].offset / info->bl_len +
100 container_sector;
101
102 debug("%s: container: %p sector: %lu sectors: %u\n", __func__,
103 container, sector, sectors);
104 if (info->read(info, sector, sectors,
105 (void *)images[image_index].entry) != sectors) {
106 printf("%s wrong\n", __func__);
107 return NULL;
108 }
109
110 #ifdef CONFIG_AHAB_BOOT
111 if (authenticate_image(&images[image_index], image_index)) {
112 printf("Failed to authenticate image %d\n", image_index);
113 return NULL;
114 }
115 #endif
116
117 return &images[image_index];
118 }
119
read_auth_container(struct spl_image_info * spl_image,struct spl_load_info * info,ulong sector)120 static int read_auth_container(struct spl_image_info *spl_image,
121 struct spl_load_info *info, ulong sector)
122 {
123 struct container_hdr *container = NULL;
124 u16 length;
125 u32 sectors;
126 int i, size, ret = 0;
127
128 size = roundup(CONTAINER_HDR_ALIGNMENT, info->bl_len);
129 sectors = size / info->bl_len;
130
131 /*
132 * It will not override the ATF code, so safe to use it here,
133 * no need malloc
134 */
135 container = (struct container_hdr *)spl_get_load_buffer(-size, size);
136
137 debug("%s: container: %p sector: %lu sectors: %u\n", __func__,
138 container, sector, sectors);
139 if (info->read(info, sector, sectors, container) != sectors)
140 return -EIO;
141
142 if (container->tag != 0x87 && container->version != 0x0) {
143 printf("Wrong container header");
144 return -ENOENT;
145 }
146
147 if (!container->num_images) {
148 printf("Wrong container, no image found");
149 return -ENOENT;
150 }
151
152 length = container->length_lsb + (container->length_msb << 8);
153 debug("Container length %u\n", length);
154
155 if (length > CONTAINER_HDR_ALIGNMENT) {
156 size = roundup(length, info->bl_len);
157 sectors = size / info->bl_len;
158
159 container = (struct container_hdr *)spl_get_load_buffer(-size, size);
160
161 debug("%s: container: %p sector: %lu sectors: %u\n",
162 __func__, container, sector, sectors);
163 if (info->read(info, sector, sectors, container) !=
164 sectors)
165 return -EIO;
166 }
167
168 #ifdef CONFIG_AHAB_BOOT
169 memcpy((void *)SEC_SECURE_RAM_BASE, (const void *)container,
170 ALIGN(length, CONFIG_SYS_CACHELINE_SIZE));
171
172 ret = sc_seco_authenticate(-1, SC_SECO_AUTH_CONTAINER,
173 SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE);
174 if (ret) {
175 printf("authenticate container hdr failed, return %d\n", ret);
176 return ret;
177 }
178 #endif
179
180 for (i = 0; i < container->num_images; i++) {
181 struct boot_img_t *image = read_auth_image(spl_image, info,
182 container, i,
183 sector);
184
185 if (!image) {
186 ret = -EINVAL;
187 goto end_auth;
188 }
189
190 if (i == 0) {
191 spl_image->load_addr = image->dst;
192 spl_image->entry_point = image->entry;
193 }
194 }
195
196 end_auth:
197 #ifdef CONFIG_AHAB_BOOT
198 if (sc_seco_authenticate(-1, SC_SECO_REL_CONTAINER, 0))
199 printf("Error: release container failed!\n");
200 #endif
201 return ret;
202 }
203
spl_load_imx_container(struct spl_image_info * spl_image,struct spl_load_info * info,ulong sector)204 int spl_load_imx_container(struct spl_image_info *spl_image,
205 struct spl_load_info *info, ulong sector)
206 {
207 return read_auth_container(spl_image, info, sector);
208 }
209