| author | Sumit Garg <[email protected]> | 2016-07-14 12:27:51 -0400 |
|---|---|---|
| committer | York Sun <[email protected]> | 2016-07-21 11:09:23 -0700 |
| commit | 8f01397ba76d1ee210bedbf031d807e8df34c482 (patch) | |
| tree | 5c25955aa0d03c186a5c7eace132c590c9b6c877 /drivers/mtd | |
| parent | 63865278dae47ad19527d9f9b6e0dad6cb01f401 (diff) | |
powerpc/mpc85xx: SECURE BOOT- Enable chain of trust in SPL
As part of Chain of Trust for Secure boot, the SPL U-Boot will validate
the next level U-boot image. Add a new function spl_validate_uboot to
perform the validation.
Enable hardware crypto operations in SPL using SEC block.
In case of Secure Boot, PAMU is not bypassed. For allowing SEC block
access to CPC configured as SRAM, configure PAMU.
Reviewed-by: Ruchika Gupta <[email protected]>
Signed-off-by: Aneesh Bansal <[email protected]>
Signed-off-by: Sumit Garg <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: York Sun <[email protected]>
Diffstat (limited to 'drivers/mtd')
| -rw-r--r-- | drivers/mtd/nand/fsl_ifc_spl.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/drivers/mtd/nand/fsl_ifc_spl.c b/drivers/mtd/nand/fsl_ifc_spl.c index cbeb74a5bb8..4e49a4e1546 100644 --- a/drivers/mtd/nand/fsl_ifc_spl.c +++ b/drivers/mtd/nand/fsl_ifc_spl.c @@ -11,6 +11,9 @@ #include <asm/io.h> #include <fsl_ifc.h> #include <linux/mtd/nand.h> +#ifdef CONFIG_CHAIN_OF_TRUST +#include <fsl_validate.h> +#endif static inline int is_blank(uchar *addr, int page_size) { @@ -268,6 +271,27 @@ void nand_boot(void) */ flush_cache(CONFIG_SYS_NAND_U_BOOT_DST, CONFIG_SYS_NAND_U_BOOT_SIZE); #endif + +#ifdef CONFIG_CHAIN_OF_TRUST + /* + * U-Boot header is appended at end of U-boot image, so + * calculate U-boot header address using U-boot header size. + */ +#define CONFIG_U_BOOT_HDR_ADDR \ + ((CONFIG_SYS_NAND_U_BOOT_START + \ + CONFIG_SYS_NAND_U_BOOT_SIZE) - \ + CONFIG_U_BOOT_HDR_SIZE) + spl_validate_uboot(CONFIG_U_BOOT_HDR_ADDR, + CONFIG_SYS_NAND_U_BOOT_START); + /* + * In case of failure in validation, spl_validate_uboot would + * not return back in case of Production environment with ITS=1. + * Thus U-Boot will not start. + * In Development environment (ITS=0 and SB_EN=1), the function + * may return back in case of non-fatal failures. + */ +#endif + uboot = (void *)CONFIG_SYS_NAND_U_BOOT_START; uboot(); } |
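Review bot: in the second hunk (nand_boot(), the block added under CONFIG_CHAIN_OF_TRUST), control falls straight through from spl_validate_uboot() to uboot() with nothing at the call site to tell a passed validation from a returned failure. The trailing comment says the function may return on non-fatal failures when ITS=0 and SB_EN=1, so in that configuration an image that did not validate is still executed. Please move that comment above the call so the behaviour is visible before the reader reaches it, and state explicitly that booting after a returned failure is intended for development only; if spl_validate_uboot() reports a status, check it here. Separately, the header address is derived from CONFIG_SYS_NAND_U_BOOT_START while the context line just above flushes CONFIG_SYS_NAND_U_BOOT_DST: either compute the header address from the address the image was loaded to, or note the assumption that DST and START are equal and that the header occupies the last CONFIG_U_BOOT_HDR_SIZE bytes of CONFIG_SYS_NAND_U_BOOT_SIZE. The CONFIG_U_BOOT_HDR_ADDR macro is also defined inside the function body with a CONFIG_ prefix; a local variable or a definition in the board config header would read better.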
