mirror of
https://xff.cz/git/u-boot/
synced 2025-11-01 19:05:51 +01:00
arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Vendor Authorized Boot is a security feature for authenticating the images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and etc loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication. Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com> Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
This commit is contained in:
Siew Chin Lim
committed by
Ley Foon Tan
Ley Foon Tan
parent
9a5bbdfd1a
commit
1bc20897c1
@@ -6,14 +6,17 @@
|
||||
*/
|
||||
|
||||
#include <common.h>
|
||||
#include <errno.h>
|
||||
#include <fdtdec.h>
|
||||
#include <init.h>
|
||||
#include <asm/arch/reset_manager.h>
|
||||
#include <asm/arch/clock_manager.h>
|
||||
#include <asm/arch/misc.h>
|
||||
#include <asm/arch/reset_manager.h>
|
||||
#include <asm/arch/secure_vab.h>
|
||||
#include <asm/global_data.h>
|
||||
#include <asm/io.h>
|
||||
#include <errno.h>
|
||||
#include <fdtdec.h>
|
||||
#include <hang.h>
|
||||
#include <image.h>
|
||||
#include <init.h>
|
||||
#include <log.h>
|
||||
#include <usb.h>
|
||||
#include <usb/dwc2_udc.h>
|
||||
@@ -98,3 +101,37 @@ __weak int board_fit_config_name_match(const char *name)
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if IS_ENABLED(CONFIG_FIT_IMAGE_POST_PROCESS)
|
||||
void board_fit_image_post_process(void **p_image, size_t *p_size)
|
||||
{
|
||||
if (IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)) {
|
||||
if (socfpga_vendor_authentication(p_image, p_size))
|
||||
hang();
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_FIT)
|
||||
void board_prep_linux(bootm_headers_t *images)
|
||||
{
|
||||
if (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) {
|
||||
/*
|
||||
* Ensure the OS is always booted from FIT and with
|
||||
* VAB signed certificate
|
||||
*/
|
||||
if (!images->fit_uname_cfg) {
|
||||
printf("Please use FIT with VAB signed images!\n");
|
||||
hang();
|
||||
}
|
||||
|
||||
env_set_hex("fdt_addr", (ulong)images->ft_addr);
|
||||
debug("images->ft_addr = 0x%08lx\n", (ulong)images->ft_addr);
|
||||
}
|
||||
|
||||
if (IS_ENABLED(CONFIG_CADENCE_QSPI)) {
|
||||
if (env_get("linux_qspi_enable"))
|
||||
run_command(env_get("linux_qspi_enable"), 0);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user