Commit 545c8fe1 authored by Ye Li's avatar Ye Li

MLK-18129-2 imx8qxp: Add secure boot environment



Add the secure boot relevant environment variables to ARM2 and MEK.
When CONFIG_AHAB_BOOT is enabled, we will switch to boot in this
new way:
1. Load the OS container to address 0x88000000
2. Use auth_cntr to authenticate the OS container. It will load the
   kernel and FDT to the destination address.
3. Use booti to boot the kernel.
Signed-off-by: default avatarYe Li <ye.li@nxp.com>
Acked-by: default avatarPeng Fan <peng.fan@nxp.com>
parent 3b0496c2
......@@ -647,6 +647,11 @@ int board_late_init(void)
setenv("board_rev", "iMX8QXP");
#endif
setenv("sec_boot", "no");
#ifdef CONFIG_AHAB_BOOT
setenv("sec_boot", "yes");
#endif
#ifdef CONFIG_ENV_IS_IN_MMC
board_late_mmc_env_init();
#endif
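Review bot: `sec_boot` is set here as an ordinary environment variable, so the authenticated path in the boot scripts depends on a value that anything able to run `setenv` before `bootcmd` executes (the console, a sourced boot script) can set back to `no`. The `#ifdef CONFIG_AHAB_BOOT` block only selects which script branch runs; nothing visible here stops `booti` from starting an image that was never passed to `auth_cntr`. I would add a comment above the block, e.g. `/* sec_boot only steers the default boot scripts; it is not the enforcement point for AHAB */`, and consider selecting the script strings with `#ifdef CONFIG_AHAB_BOOT` in the config headers so that an AHAB build carries no unauthenticated branch at all. The second `board_late_init` hunk (`-612,6 +612,11`) has the same lines; in both, the function body starts and ends outside the hunk.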
......
......@@ -612,6 +612,11 @@ int board_late_init(void)
setenv("board_rev", "iMX8QXP");
#endif
setenv("sec_boot", "no");
#ifdef CONFIG_AHAB_BOOT
setenv("sec_boot", "yes");
#endif
#ifdef CONFIG_ENV_IS_IN_MMC
board_late_mmc_env_init();
#endif
......
......@@ -135,6 +135,8 @@
"console=ttyLP0,115200 earlycon=lpuart32,0x5a060000,115200\0" \
"fdt_addr=0x83000000\0" \
"fdt_high=0xffffffffffffffff\0" \
"cntr_addr=0x88000000\0" \
"cntr_file=os_cntr_signed.bin\0" \
"boot_fdt=try\0" \
"fdt_file=fsl-imx8qxp-lpddr4-arm2.dtb\0" \
"initrd_addr=0x83800000\0" \
......@@ -150,16 +152,26 @@
"source\0" \
"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
"loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
"auth_os=auth_cntr ${cntr_addr}\0" \
"mmcboot=echo Booting from mmc ...; " \
"run mmcargs; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if run loadfdt; then " \
"if test ${sec_boot} = yes; then " \
"if run auth_os; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"echo ERR: failed to authenticate; " \
"fi; " \
"else " \
"echo wait for boot; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if run loadfdt; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"fi; " \
"else " \
"echo wait for boot; " \
"fi;" \
"fi;\0" \
"netargs=setenv bootargs console=${console} " \
"root=/dev/nfs " \
......@@ -172,15 +184,24 @@
"else " \
"setenv get_cmd tftp; " \
"fi; " \
"${get_cmd} ${loadaddr} ${image}; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
"if test ${sec_boot} = yes; then " \
"${get_cmd} ${cntr_addr} ${cntr_file}; " \
"if run auth_os; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"echo ERR: failed to authenticate; " \
"fi; " \
"else " \
"booti; " \
"${get_cmd} ${loadaddr} ${image}; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"fi; " \
"else " \
"booti; " \
"fi;" \
"fi;\0"
#endif
......@@ -195,10 +216,17 @@
"if run loadbootscript; then " \
"run bootscript; " \
"else " \
"if run loadimage; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"if test ${sec_boot} = yes; then " \
"if run loadcntr; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"else " \
"if run loadimage; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"fi; " \
"fi; " \
"else booti ${loadaddr} - ${fdt_addr}; fi"
#endif
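Review bot: In the `CONFIG_BOOTCOMMAND` hunk (`-195,10 +216,17`) the new `sec_boot` test sits inside the `else` of `if run loadbootscript`, so with `sec_boot=yes` a boot script found on the MMC partition is still run before any `auth_cntr` call, and the closing `else booti ${loadaddr} - ${fdt_addr}; fi` branch boots with no authentication step. What `loadbootscript` and `bootscript` do is defined outside this hunk, but nothing shown here authenticates the script. I would evaluate `sec_boot` first and keep both the boot-script path and the bare `booti` fallback in the non-secure branch only, for example by guarding them with `if test ${sec_boot} != yes; then`. The MEK header's `-201,10 +222,17` hunk has the same structure.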
......
......@@ -148,6 +148,8 @@
"console=ttyLP0,115200 earlycon=lpuart32,0x5a060000,115200\0" \
"fdt_addr=0x83000000\0" \
"fdt_high=0xffffffffffffffff\0" \
"cntr_addr=0x88000000\0" \
"cntr_file=os_cntr_signed.bin\0" \
"boot_fdt=try\0" \
"fdt_file=fsl-imx8qxp-mek.dtb\0" \
"initrd_addr=0x83800000\0" \
......@@ -163,16 +165,26 @@
"source\0" \
"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
"loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
"auth_os=auth_cntr ${cntr_addr}\0" \
"mmcboot=echo Booting from mmc ...; " \
"run mmcargs; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if run loadfdt; then " \
"if test ${sec_boot} = yes; then " \
"if run auth_os; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"echo ERR: failed to authenticate; " \
"fi; " \
"else " \
"echo wait for boot; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if run loadfdt; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"fi; " \
"else " \
"echo wait for boot; " \
"fi;" \
"fi;\0" \
"netargs=setenv bootargs console=${console} " \
"root=/dev/nfs " \
......@@ -185,15 +197,24 @@
"else " \
"setenv get_cmd tftp; " \
"fi; " \
"${get_cmd} ${loadaddr} ${image}; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
"if test ${sec_boot} = yes; then " \
"${get_cmd} ${cntr_addr} ${cntr_file}; " \
"if run auth_os; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"echo ERR: failed to authenticate; " \
"fi; " \
"else " \
"booti; " \
"${get_cmd} ${loadaddr} ${image}; " \
"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
"booti ${loadaddr} - ${fdt_addr}; " \
"else " \
"echo WARN: Cannot load the DT; " \
"fi; " \
"else " \
"booti; " \
"fi;" \
"fi;\0"
#define CONFIG_BOOTCOMMAND \
......@@ -201,10 +222,17 @@
"if run loadbootscript; then " \
"run bootscript; " \
"else " \
"if run loadimage; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"if test ${sec_boot} = yes; then " \
"if run loadcntr; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"else " \
"if run loadimage; then " \
"run mmcboot; " \
"else run netboot; " \
"fi; " \
"fi; " \
"fi; " \
"else booti ${loadaddr} - ${fdt_addr}; fi"
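Review bot: In the `netboot` hunk (`-185,15 +197,24`) the secure branch runs `${get_cmd} ${cntr_addr} ${cntr_file};` without checking its result, so a failed download still reaches `run auth_os`, which then operates on whatever is already in memory at `cntr_addr`. The FDT fetch is already gated with `if ${get_cmd} ${fdt_addr} ${fdt_file}; then`; the container fetch should be gated the same way, e.g. `"if ${get_cmd} ${cntr_addr} ${cntr_file} && run auth_os; then " \`. Separately, `booti ${loadaddr} - ${fdt_addr}` takes its addresses from the environment, while the commit message says `auth_cntr` loads the kernel and FDT to the destination address. A comment stating that `loadaddr` and `fdt_addr` must equal the container's load addresses would make that dependency explicit. The ARM2 header's `-172,15 +184,24` hunk contains the same lines.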
......