From 145a23450c7ee0c0ed9a68e33a1a52f23705a6b6 Mon Sep 17 00:00:00 2001 From: Manorit Chawdhry Date: Tue, 21 May 2024 16:26:45 +0530 Subject: include: mach-k3: move k3 security functions to security.h ti_secure_image_post_process and ti_secure_image_check_binary is used for the authentication purposes in the current boot flow. Authentication of remoteproc firmware images require ti_secure_image_post_process to be available outside mach-k3. Signed-off-by: Manorit Chawdhry Signed-off-by: Udit Kumar Signed-off-by: Simon Glass Reviewed-by: Andy Shevchenko # Intel Edison Reviewed-by: Bin Meng --- arch/arm/mach-k3/common.h | 4 ++-- arch/arm/mach-k3/include/mach/security.h | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 arch/arm/mach-k3/include/mach/security.h diff --git a/arch/arm/mach-k3/common.h b/arch/arm/mach-k3/common.h index 53aa186b31a..7bd72da1de8 100644 --- a/arch/arm/mach-k3/common.h +++ b/arch/arm/mach-k3/common.h @@ -2,12 +2,13 @@ /* * K3: Architecture common definitions * - * Copyright (C) 2018 Texas Instruments Incorporated - https://www.ti.com/ + * Copyright (C) 2018-2024 Texas Instruments Incorporated - https://www.ti.com/ * Lokesh Vutla */ #include #include +#include #define K3_FIREWALL_BACKGROUND_BIT (8) @@ -41,7 +42,6 @@ void spl_enable_cache(void); void mmr_unlock(uintptr_t base, u32 partition); bool is_rom_loaded_sysfw(struct rom_extended_boot_data *data); enum k3_device_type get_device_type(void); -void ti_secure_image_post_process(void **p_image, size_t *p_size); struct ti_sci_handle *get_ti_sci_handle(void); void do_board_detect(void); void ti_secure_image_check_binary(void **p_image, size_t *p_size); diff --git a/arch/arm/mach-k3/include/mach/security.h b/arch/arm/mach-k3/include/mach/security.h new file mode 100644 index 00000000000..8502b57bd80 --- /dev/null +++ b/arch/arm/mach-k3/include/mach/security.h 
@@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * K3: Security related definitions + * + * Copyright (C) 2024 Texas Instruments Incorporated - https://www.ti.com/ + * Manorit Chawdhry + */ + +#include + +void ti_secure_image_post_process(void **p_image, size_t *p_size); -- cgit v1.2.3 From 5b5bb51af8b37412f35f6721694e062c59616df4 Mon Sep 17 00:00:00 2001 From: Manorit Chawdhry Date: Tue, 21 May 2024 16:26:46 +0530 Subject: drivers: remoteproc: ti_k3 : enable secure booting with firmware images Remoteproc firmware images aren't authenticated in the current boot flow. Authenticates remoteproc firmware images to complete the root of trust in secure booting. Signed-off-by: Manorit Chawdhry Signed-off-by: Simon Glass Reviewed-by: Andy Shevchenko # Intel Edison Reviewed-by: Bin Meng --- drivers/remoteproc/ti_k3_dsp_rproc.c | 4 ++++ drivers/remoteproc/ti_k3_r5f_rproc.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/drivers/remoteproc/ti_k3_dsp_rproc.c b/drivers/remoteproc/ti_k3_dsp_rproc.c index 57fe1037da0..7617bbb986d 100644 --- a/drivers/remoteproc/ti_k3_dsp_rproc.c +++ b/drivers/remoteproc/ti_k3_dsp_rproc.c @@ -21,6 +21,7 @@ #include #include #include "ti_sci_proc.h" +#include #define KEYSTONE_RPROC_LOCAL_ADDRESS_MASK (SZ_16M - 1) @@ -127,6 +128,7 @@ static int k3_dsp_load(struct udevice *dev, ulong addr, ulong size) struct k3_dsp_privdata *dsp = dev_get_priv(dev); struct k3_dsp_boot_data *data = dsp->data; u32 boot_vector; + void *image_addr = (void *)addr; int ret; if (dsp->in_use) { @@ -148,6 +150,8 @@ static int k3_dsp_load(struct udevice *dev, ulong addr, ulong size) goto proc_release; } + ti_secure_image_post_process(&image_addr, &size); + ret = rproc_elf_load_image(dev, addr, size); if (ret < 0) { dev_err(dev, "Loading elf failed %d\n", ret); diff --git a/drivers/remoteproc/ti_k3_r5f_rproc.c b/drivers/remoteproc/ti_k3_r5f_rproc.c index b55b1dc10d4..b9c6549e185 100644 --- a/drivers/remoteproc/ti_k3_r5f_rproc.c 
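Review bot: The new arch/arm/mach-k3/include/mach/security.h has no include guard, although it appears to be meant for inclusion both from common.h and directly from the remoteproc drivers (the include targets are not legible on this page). Wrapping the body in a guard, for example `#ifndef K3_MACH_SECURITY_H` / `#define K3_MACH_SECURITY_H` … `#endif` (name illustrative), keeps it safe once it holds more than one prototype. The prototype would also benefit from a short doc comment saying that `*p_image` and `*p_size` are in/out values and what the function does when authentication fails, since it returns `void`. The commit message names `ti_secure_image_check_binary` as well, but that declaration stays in common.h; either move it or adjust the wording.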
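Review bot: In k3_dsp_load the result of `ti_secure_image_post_process(&image_addr, &size)` is only half used: `size` is updated in place, but the following `rproc_elf_load_image(dev, addr, size)` still passes the original `addr`, so `image_addr` is never read. If post-processing can move the payload start (the `void **` parameter suggests it may, though its body is not on this page), the ELF loader would parse from the pre-authentication address with the post-authentication size; `ret = rproc_elf_load_image(dev, (ulong)image_addr, size);` keeps the two consistent. The same pattern is in the k3_r5f_load hunk of ti_k3_r5f_rproc.c. Because the function returns `void`, a one-line comment at the call site stating what happens when authentication fails would help, since the caller has no status to check. Both function bodies continue outside the hunks.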
+++ b/drivers/remoteproc/ti_k3_r5f_rproc.c @@ -20,6 +20,7 @@ #include #include #include "ti_sci_proc.h" +#include /* * R5F's view of this address can either be for ATCM or BTCM with the other @@ -301,6 +302,7 @@ static int k3_r5f_load(struct udevice *dev, ulong addr, ulong size) u64 boot_vector; u32 ctrl, sts, cfg = 0; bool mem_auto_init; + void *image_addr = (void *)addr; int ret; dev_dbg(dev, "%s addr = 0x%lx, size = 0x%lx\n", __func__, addr, size); @@ -328,6 +330,8 @@ static int k3_r5f_load(struct udevice *dev, ulong addr, ulong size) k3_r5f_init_tcm_memories(core, mem_auto_init); + ti_secure_image_post_process(&image_addr, &size); + ret = rproc_elf_load_image(dev, addr, size); if (ret < 0) { dev_err(dev, "Loading elf failedi %d\n", ret); -- cgit v1.2.3 From 457d0b5d435cb63e4494e4635a3eeb5b459c6778 Mon Sep 17 00:00:00 2001 From: Udit Kumar Date: Tue, 21 May 2024 16:26:47 +0530 Subject: include: env: ti: Add support for secure firmwares Secure firmwares must be loaded if SOC is secure, currently rproc framework chooses non-secure firmware always. So adding support to load secure firmware, when SOC is secure Signed-off-by: Manorit Chawdhry Signed-off-by: Udit Kumar Signed-off-by: Simon Glass Reviewed-by: Andy Shevchenko # Intel Edison Reviewed-by: Bin Meng --- include/env/ti/k3_rproc.env | 6 +++++- include/env/ti/ti_common.env | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/include/env/ti/k3_rproc.env b/include/env/ti/k3_rproc.env index 87d9d76eba4..d4f0f1708ca 100644 --- a/include/env/ti/k3_rproc.env +++ b/include/env/ti/k3_rproc.env @@ -13,11 +13,15 @@ rproc_load_and_boot_one= boot_rprocs_mmc= env set rproc_id; env set rproc_fw; + env set secure_suffix; + if test ${secure_rprocs} -eq 1; then + env set secure_suffix -sec; + fi; for i in ${rproc_fw_binaries} ; do if test -z "${rproc_id}" ; then env set rproc_id $i; else - env set rproc_fw $i; + env set rproc_fw $i${secure_suffix}; run rproc_load_and_boot_one; env set rproc_id; env set rproc_fw; 
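Review bot: In boot_rprocs_mmc, `if test ${secure_rprocs} -eq 1; then` expands the variable unquoted, so an unset or empty `secure_rprocs` (a board that does not pull in ti_common.env, or an environment where the variable was deleted) leaves `test` with a missing operand. Quoting it as the existing `test -z "${rproc_id}"` a few lines below does, `if test "${secure_rprocs}" -eq 1; then`, makes the fallback to the unsuffixed firmware name explicit. Note also that the `-sec` suffix only selects a file name from a mutable environment variable; whether an unsigned image is rejected on a secure device has to be decided in the load path, not here.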
diff --git a/include/env/ti/ti_common.env b/include/env/ti/ti_common.env index 02b410c3adc..c5c36421770 100644 --- a/include/env/ti/ti_common.env +++ b/include/env/ti/ti_common.env @@ -12,6 +12,7 @@ bootm_size=0x10000000 boot_fdt=try boot_fit=0 +secure_rprocs=0 addr_fit=0x90000000 name_fit=fitImage update_to_fit=setenv loadaddr ${addr_fit}; setenv bootfile ${name_fit} -- cgit v1.2.3 From 4db7d62f858b82b493a7c6a32d5ba25a85a6f9dd Mon Sep 17 00:00:00 2001 From: Manorit Chawdhry Date: Tue, 21 May 2024 16:26:48 +0530 Subject: mach-k3: common.c: add a flag for booting authenticated rproc binaries The flag will be used for booting authenticated remote procs from hs-se devices which can optionally be used in hs-fs devices also. Signed-off-by: Manorit Chawdhry Signed-off-by: Udit Kumar Signed-off-by: Simon Glass Reviewed-by: Andy Shevchenko # Intel Edison Reviewed-by: Bin Meng --- arch/arm/mach-k3/common.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c index 1a269d6934a..eaa7d361767 100644 --- a/arch/arm/mach-k3/common.c +++ b/arch/arm/mach-k3/common.c @@ -283,8 +283,10 @@ int misc_init_r(void) } /* Default FIT boot on HS-SE devices */ - if (get_device_type() == K3_DEVICE_TYPE_HS_SE) + if (get_device_type() == K3_DEVICE_TYPE_HS_SE) { env_set("boot_fit", "1"); + env_set("secure_rprocs", "1"); + } return 0; } -- cgit v1.2.3
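Review bot: The comment `/* Default FIT boot on HS-SE devices */` above the block in misc_init_r now describes only half of what the block does; something like `/* Default to FIT boot and authenticated rproc firmware on HS-SE devices */` would match the new `env_set("secure_rprocs", "1")`. Since `secure_rprocs` is set once here as an ordinary environment variable, a later `env set` or a stored environment can presumably change it, so it is best documented as a firmware-name selection default rather than as the enforcement point for authentication. misc_init_r starts outside the hunk.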