diff --git a/plat/nxp/common/aarch64/bl2_mem_params_desc.c b/plat/nxp/common/aarch64/bl2_mem_params_desc.c index 7f0688a8442..726c78015d6 100644 --- a/plat/nxp/common/aarch64/bl2_mem_params_desc.c +++ b/plat/nxp/common/aarch64/bl2_mem_params_desc.c @@ -37,8 +37,14 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, IMAGE_ATTRIB_PLAT_SETUP), +#ifdef CSF_HEADER_PREPENDED + .image_info.image_base = BL31_BASE - CSF_HDR_SZ, + .image_info.image_max_size = (BL31_LIMIT - BL31_BASE) + + CSF_HDR_SZ, +#else .image_info.image_base = BL31_BASE, .image_info.image_max_size = (BL31_LIMIT - BL31_BASE), +#endif # ifdef NXP_LOAD_BL32 .next_handoff_image_id = BL32_IMAGE_ID, @@ -57,8 +63,14 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, 0), +#ifdef CSF_HEADER_PREPENDED + .image_info.image_base = BL32_BASE - CSF_HDR_SZ, + .image_info.image_max_size = (BL32_LIMIT - BL32_BASE) + + CSF_HDR_SZ, +#else .image_info.image_base = BL32_BASE, .image_info.image_max_size = (BL32_LIMIT - BL32_BASE), +#endif .next_handoff_image_id = BL33_IMAGE_ID, }, # endif /* BL32_BASE */ @@ -72,8 +84,14 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = { SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, 0), +#ifdef CSF_HEADER_PREPENDED + .image_info.image_base = BL33_BASE - CSF_HDR_SZ, + .image_info.image_max_size = (BL33_LIMIT - BL33_BASE) + + CSF_HDR_SZ, +#else .image_info.image_base = BL33_BASE, .image_info.image_max_size = BL33_LIMIT - BL33_BASE, +#endif .ep_info.spsr = SPSR_64(MODE_EL1, MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS), diff --git a/plat/nxp/common/error_handler.c b/plat/nxp/common/error_handler.c index 7a050c43763..0dc4d0c0869 100644 --- a/plat/nxp/common/error_handler.c +++ b/plat/nxp/common/error_handler.c @@ -12,16 +12,33 @@ #include #include +#if TRUSTED_BOARD_BOOT +#include +#endif /* * Error handler */ void plat_error_handler(int err) { +#if TRUSTED_BOARD_BOOT + uint32_t mode; + bool sb = check_boot_mode_secure(&mode); +#endif switch (err) { case -ENOENT: case -EAUTH: + printf("Authentication failure\n"); +#if TRUSTED_BOARD_BOOT + /* For SB production mode i.e ITS = 1 */ + if (sb == true) { + if (mode == 1) + transition_snvs_soft_fail(); + else + transition_snvs_non_secure(); + } +#endif break; default: /* Unexpected error */ diff --git a/plat/nxp/common/layerscape/README.TRUSTED_BOOT b/plat/nxp/common/layerscape/README.TRUSTED_BOOT new file mode 100644 index 00000000000..4b314574490 --- /dev/null +++ b/plat/nxp/common/layerscape/README.TRUSTED_BOOT @@ -0,0 +1,81 @@ +TRUSTED_BOARD_BOOT option can be enabled by specifying +TRUSTED_BOARD_BOOT=1 on command line during make + +By default the build considers that with TRUSTED_BOARD_BOOT option, +boot is being booted with secure boot i.e either SB_EN=1 or ITS=1. +This would mean that bl2.bin would get signed and header would be +embedded in the "bl2__sec.pbl" +To explicity disable secure boot, use option SECURE_BOOT=false from +command line + +2 options are provided for TRUSTED_BOARD_BOOT: +------------------------------------------------------------------------- +Option 1: +CoT using X 509 certificates +------------------------------------------------------------------------- + +This CoT is as provided by ARM. +To use this option user needs to specify mbedtld dir path in +MBEDTLS_DIR. +GENERATE_COT=1 adds the certificates to the FIP image + +ROTPK for x.509 certificates is generated and embedded in bl2.bin +and verified as part of CoT by Boot ROM during secure boot. + +Typical command line to build this option + + make PLAT= all fip pbl SPD=opteed BL32=tee.bin BL33=u-boot.bin \ + RCW = \ + TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR= + +------------------------------------------------------------------------- +Option 2: +CoT using traditional CSF headers. +------------------------------------------------------------------------- + +This option is automatically selected when TRUSTED_BOARD_BOOT is set +but MBEDTLS_DIR path is not specified. + +CSF header is embedded to each of the BL31, BL32 and BL33 image. + +To generate CSF header, path of CST repository needs to be specified +as CST_DIR + +Default input files for CSF header generation is added in this repo. +Default input file requires user to generate RSA key pair named +srk.pri and srk.pub and add them in ATF repo. The keys can be generated +using gen_keys tool of CST. + +To change the input file , user can use the options +BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE + +There are 2 paths in secure boot flow : +1. development Mode (sb_en = 1, its = 0) +In this flow , even on ROTPK comparison failure, flow would continue. +However SNVS is transitioned to non-secure state + +2. Production mode (ITS =1) +Any failure is fatal failure + +TRUSTED_BOARD_BOOT can be enabled in non secure boot flow also. ROTPK +would be ignored in that case and failures won't result in snvs transition. + +1. Generate the SRK Key Pair. +From CST +./gen_keys + Copy srk.pri/srk.pub to TF-A repo + +(To change the key/key-names change the requierd input file in +drivers/nxp/csf_hdr_parser/ + +(For more details of CST refer to NXP QorIQ LSDK documentation) + +2. make PLAT= all fip pbl SPD=opteed BL32=tee.bin BL33=u-boot.bin \ + RCW = \ + TRUSTED_BOARD_BOOT=1 CST_DIR= + +To use user provided input files : +make PLAT= all fip pbl SPD=opteed BL32=tee.bin BL33=u-boot.bin \ + RCW = \ + TRUSTED_BOARD_BOOT=1 CST_DIR= BL33_INPUT_FILE= BL32_INPUT_FILE= \ + BL31_INPUT_FILE = diff --git a/plat/nxp/common/layerscape/csf_tbbr.c b/plat/nxp/common/layerscape/csf_tbbr.c new file mode 100644 index 00000000000..be63f0b8f27 --- /dev/null +++ b/plat/nxp/common/layerscape/csf_tbbr.c @@ -0,0 +1,77 @@ +/* + * Copyright 2018-2019 NXP + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ + +#include +#include +#include +#include + +#include +#include +#include + +extern bool rotpk_not_dpld; +extern uint8_t rotpk_hash_table[MAX_KEY_ENTRIES][SHA256_BYTES]; +extern uint8_t num_rotpk_hash_entries; + +/* + * In case of secure boot, return ptr of rotpk_hash table in key_ptr and + * number of hashes in key_len + */ +int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, + unsigned int *flags) +{ + uint32_t mode = 0; + *flags = ROTPK_NOT_DEPLOYED; + + /* ROTPK hash table must be available for secure boot */ + if (rotpk_not_dpld == true) { + if (check_boot_mode_secure(&mode) == true) { + /* Production mode, don;t continue further */ + if (mode == 1) + return -EAUTH; + + /* For development mode, rotpk flag false + * indicates that SRK hash comparison might + * have failed. This is not fatal error. + * Continue in this case but transition SNVS + * to non-secure state + */ + transition_snvs_non_secure(); + return 0; + } else { + return 0; + } + } + + /* + * We return the complete hash table and number of entries in + * table for NXP platform specific implementation. + * Here hash is always assume as SHA-256 + */ + *key_ptr = rotpk_hash_table; + *key_len = num_rotpk_hash_entries; + *flags = ROTPK_IS_HASH; + + return 0; +} + +int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) +{ + /* + * No support for non-volatile counter. Update the ROT key to protect + * the system against rollback. + */ + *nv_ctr = 0; + + return 0; +} + +int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) +{ + return 0; +} diff --git a/plat/nxp/common/layerscape/ls_common.mk b/plat/nxp/common/layerscape/ls_common.mk index 3e7dc2c49ae..389d4462a73 100644 --- a/plat/nxp/common/layerscape/ls_common.mk +++ b/plat/nxp/common/layerscape/ls_common.mk @@ -13,4 +13,10 @@ ifeq ($(ERRATA), yes) include ${PLAT_COMMON_PATH}/layerscape/errata.mk endif +ifeq (${TRUSTED_BOARD_BOOT},1) +ifeq ($(SECURE_BOOT),) +SECURE_BOOT := yes +endif +endif + include $(PLAT_TOOL_PATH)/create_pbl.mk diff --git a/plat/nxp/common/layerscape/nxp_rotpk.S b/plat/nxp/common/layerscape/nxp_rotpk.S new file mode 100644 index 00000000000..43950454da3 --- /dev/null +++ b/plat/nxp/common/layerscape/nxp_rotpk.S @@ -0,0 +1,17 @@ +/* + * Copyright 2018-2019 NXP + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ + + .global nxp_rotpk_hash + .global nxp_rotpk_hash_end + .section .rodata.nxp_rotpk_hash, "a" +nxp_rotpk_hash: + /* DER header */ + .byte 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48 + .byte 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 + /* SHA256 */ + .incbin ROTPK_HASH +nxp_rotpk_hash_end: diff --git a/plat/nxp/common/layerscape/tbbr.mk b/plat/nxp/common/layerscape/tbbr.mk new file mode 100644 index 00000000000..a45f5d84706 --- /dev/null +++ b/plat/nxp/common/layerscape/tbbr.mk @@ -0,0 +1,73 @@ +# +# Copyright 2018-2019 NXP +# +# SPDX-License-Identifier: BSD-3-Clause +# + +# For TRUSTED_BOARD_BOOT platforms need to include this makefile +# Following definations are to be provided by platform.mk file or +# by user - BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE + +PLAT_INCLUDES += -Iinclude/common/tbbr \ + -I$(PLAT_DRIVERS_PATH)/security_monitor/ + +# Generic files for authentication framework +BL2_SOURCES += drivers/auth/auth_mod.c \ + drivers/auth/crypto_mod.c \ + drivers/auth/img_parser_mod.c \ + plat/common/tbbr/plat_tbbr.c \ + $(PLAT_DRIVERS_PATH)/security_monitor/snvs.c + +# If MBEDTLS_DIR is not specified, use CSF Header option +ifeq (${MBEDTLS_DIR},) + PLAT_AUTH_PATH := $(PLAT_COMMON_PATH)/layerscape/ + PLAT_INCLUDES += -I$(PLAT_DRIVERS_PATH)/sfp + BL2_SOURCES += $(PLAT_AUTH_PATH)/tbbr/tbbr_cot.c \ + $(PLAT_COMMON_PATH)/layerscape/csf_tbbr.c + # IMG PARSER here is CSF header parser + include $(PLAT_DRIVERS_PATH)/csf_hdr_parser/csf_hdr.mk + BL2_SOURCES += $(CSF_HDR_SOURCES) + + SCP_BL2_PRE_TOOL_FILTER := CST_SCP_BL2 + BL31_PRE_TOOL_FILTER := CST_BL31 + BL32_PRE_TOOL_FILTER := CST_BL32 + BL33_PRE_TOOL_FILTER := CST_BL33 +else +# For Mbedtls currently crypto is not supported via CAAM +# enable it when that support is there + CAAM_INTEG := 0 + $(eval $(call add_define,MBEDTLS_X509)) + include drivers/auth/mbedtls/mbedtls_x509.mk + BL2_SOURCES += drivers/auth/tbbr/tbbr_cot.c \ + $(PLAT_COMMON_PATH)/layerscape/nxp_rotpk.S \ + $(PLAT_COMMON_PATH)/layerscape/x509_tbbr.c + +#ROTPK key is embedded in BL2 image +ROT_KEY = $(BUILD_PLAT)/rot_key.pem +ROTPK_HASH = $(BUILD_PLAT)/rotpk_sha256.bin + +$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"')) + +$(BUILD_PLAT)/bl2/nxp_rotpk.o: $(ROTPK_HASH) + +certificates: $(ROT_KEY) +$(ROT_KEY): | $(BUILD_PLAT) + @echo " OPENSSL $@" + $(Q)openssl genrsa 2048 > $@ 2>/dev/null + +$(ROTPK_HASH): $(ROT_KEY) + @echo " OPENSSL $@" + $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ + openssl dgst -sha256 -binary > $@ 2>/dev/null + +endif #MBEDTLS_DIR + +# If CAAM_INTEG is not defined (would be scenario with MBED TLS) +# include mbedtls_crypto +ifeq (${CAAM_INTEG},0) + include drivers/auth/mbedtls/mbedtls_crypto.mk +else + include $(PLAT_DRIVERS_PATH)/crypto/caam/src/auth/auth.mk + BL2_SOURCES += ${AUTH_SOURCES} +endif + diff --git a/plat/nxp/common/layerscape/tbbr/tbbr_cot.c b/plat/nxp/common/layerscape/tbbr/tbbr_cot.c new file mode 100644 index 00000000000..69ddd1612d2 --- /dev/null +++ b/plat/nxp/common/layerscape/tbbr/tbbr_cot.c @@ -0,0 +1,270 @@ +/* + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include +#include + +#if USE_TBBR_DEFS +#include +#else +#include +#endif + + +/* + * The platform must allocate buffers to store the authentication parameters + * extracted from the certificates. In this case, because of the way the CoT is + * established, we can reuse some of the buffers on different stages + */ +static auth_param_type_desc_t sig = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_SIG, 0); +static auth_param_type_desc_t sig_alg = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_SIG_ALG, 0); +static auth_param_type_desc_t sig_hash = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_HASH, 0); + +static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC( + AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID); + +/* + * TBBR Chain of trust definition + */ +static const auth_img_desc_t cot_desc[] = { + /* + * Non-Trusted Firmware + */ + /* CSF header for Bl33 - Non Trusted FW ..chain ends at Platform RoT */ + [BL31_IMAGE_ID] = { + .img_id = BL31_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [SCP_BL2_IMAGE_ID] = { + .img_id = SCP_BL2_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [BL32_IMAGE_ID] = { + .img_id = BL32_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [BL33_IMAGE_ID] = { + .img_id = BL33_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, +#if 0 + [FUSE_PROV_IMAGE_ID] = { + .img_id = FUSE_PROV_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [FUSE_UP_IMAGE_ID] = { + .img_id = FUSE_UP_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_IMEM_UDIMM_1D_IMAGE_ID] = { + .img_id = DDR_IMEM_UDIMM_1D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_IMEM_UDIMM_2D_IMAGE_ID] = { + .img_id = DDR_IMEM_UDIMM_2D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_DMEM_UDIMM_1D_IMAGE_ID] = { + .img_id = DDR_DMEM_UDIMM_1D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_DMEM_UDIMM_2D_IMAGE_ID] = { + .img_id = DDR_DMEM_UDIMM_2D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_IMEM_RDIMM_1D_IMAGE_ID] = { + .img_id = DDR_IMEM_RDIMM_1D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_IMEM_RDIMM_2D_IMAGE_ID] = { + .img_id = DDR_IMEM_RDIMM_2D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_DMEM_RDIMM_1D_IMAGE_ID] = { + .img_id = DDR_DMEM_RDIMM_1D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + }, + [DDR_DMEM_RDIMM_2D_IMAGE_ID] = { + .img_id = DDR_DMEM_RDIMM_2D_IMAGE_ID, + .img_type = IMG_PLAT, + .parent = NULL, + .img_auth_methods = { + [0] = { + .type = AUTH_METHOD_SIG, + .param.sig = { + .pk = &non_trusted_world_pk, + .sig = &sig, + .alg = &sig_alg, + .data = &sig_hash, + } + } + } + } +#endif +}; + +/* Register the CoT in the authentication module */ +REGISTER_COT(cot_desc); diff --git a/plat/nxp/common/layerscape/x509_tbbr.c b/plat/nxp/common/layerscape/x509_tbbr.c new file mode 100644 index 00000000000..46de80850d0 --- /dev/null +++ b/plat/nxp/common/layerscape/x509_tbbr.c @@ -0,0 +1,36 @@ +/* + * Copyright 2018-2019 NXP + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ + +#include + +extern char nxp_rotpk_hash[], nxp_rotpk_hash_end[]; + +int plat_get_rotpk_info(void *cookie, void **key_ptr, unsigned int *key_len, + unsigned int *flags) +{ + *key_ptr = nxp_rotpk_hash; + *key_len = nxp_rotpk_hash_end - nxp_rotpk_hash; + *flags = ROTPK_IS_HASH; + + return 0; +} + +int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) +{ + /* + * No support for non-volatile counter. Update the ROT key to protect + * the system against rollback. + */ + *nv_ctr = 0; + + return 0; +} + +int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) +{ + return 0; +} diff --git a/plat/nxp/common/security.mk b/plat/nxp/common/security.mk index 1043835870e..bee91860f0c 100644 --- a/plat/nxp/common/security.mk +++ b/plat/nxp/common/security.mk @@ -23,13 +23,71 @@ SECURITY_SOURCES += ${PLAT_COMMON_PATH}/layerscape/secure_boot.c \ PLAT_INCLUDES += -I${PLAT_DRIVERS_PATH}/sfp \ +#GET SEC_SOURCES defined +include $(PLAT_DRIVERS_PATH)/crypto/caam/caam.mk + SECURITY_SOURCES += ${SEC_SOURCES} -endif + ifeq ($(CHASSIS), 2) SECURITY_SOURCES += ${PLAT_DRIVERS_PATH}/csu/csu.c PLAT_INCLUDES += -I${PLAT_DRIVERS_PATH}/csu +CSF_FILE := input_blx_ch${CHASSIS} +BL2_CSF_FILE := input_bl2_ch${CHASSIS} +else +ifeq ($(CHASSIS), 3) +CSF_FILE := input_blx_ch${CHASSIS} +BL2_CSF_FILE := input_bl2_ch${CHASSIS} +PBI_CSF_FILE := input_pbi_ch${CHASSIS} +$(eval $(call add_define, CSF_HDR_CH3)) +else +ifeq ($(CHASSIS), 3_2) +CSF_FILE := input_blx_ch3 +BL2_CSF_FILE := input_bl2_ch${CHASSIS} +PBI_CSF_FILE := input_pbi_ch${CHASSIS} +$(eval $(call add_define, CSF_HDR_CH3)) +else + $(error -> CHASSIS not set!) +endif +endif endif +# Trusted Boot configuration +ifeq (${TRUSTED_BOARD_BOOT},1) + +include ${PLAT_COMMON_PATH}/layerscape/tbbr.mk + +ifeq (${MBEDTLS_DIR},) + # Generic image processing filters to prepend CSF header + ifeq (${BL33_INPUT_FILE},) + BL33_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${CSF_FILE} + endif + + ifeq (${BL31_INPUT_FILE},) + BL31_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${CSF_FILE} + endif + + ifeq (${BL32_INPUT_FILE},) + BL32_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${CSF_FILE} + endif + + ifeq (${FUSE_INPUT_FILE},) + FUSE_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${CSF_FILE} + endif + +endif #MBEDTLS_DIR + + ifeq (${BL2_INPUT_FILE},) + BL2_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${BL2_CSF_FILE} + endif + + ifeq (${PBI_INPUT_FILE},) + PBI_INPUT_FILE:= drivers/nxp/csf_hdr_parser/${PBI_CSF_FILE} + endif + + +endif #TRUSTED_BOARD_BOOT + +endif #LAYERSCAPE # ----------------------------------------------------------------------------- diff --git a/tools/nxp/pbl_ch2.mk b/tools/nxp/pbl_ch2.mk index bfb5fbaf099..9ca0d347ab5 100644 --- a/tools/nxp/pbl_ch2.mk +++ b/tools/nxp/pbl_ch2.mk @@ -11,6 +11,32 @@ HOST_GCC := gcc .PHONY: pbl pbl: ${BUILD_PLAT}/bl2.bin +ifeq ($(SECURE_BOOT),yes) +pbl: ${BUILD_PLAT}/bl2.bin +ifeq ($(RCW),"") + ${Q}echo "Platform ${PLAT} requires rcw file. Please set RCW to point to the right RCW file for boot mode ${BOOT_MODE}" +else + # Generate header for bl2.bin + $(Q)$(CST_DIR)/create_hdr_isbc --in ${BUILD_PLAT}/bl2.bin --out ${BUILD_PLAT}/hdr_bl2 ${BL2_INPUT_FILE} + # Compile create_pbl tool + ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" --no-print-directory -C ${PLAT_TOOL_PATH};\ + # Add bl2.bin to RCW + ${CREATE_PBL} -r ${RCW} -i ${BUILD_PLAT}/bl2.bin -b ${BOOT_MODE} -c ${SOC_NUM} -d ${BL2_BASE} -e ${BL2_BASE}\ + -o ${BUILD_PLAT}/bl2_${BOOT_MODE}.pbl ;\ + # Add header to RCW + ${CREATE_PBL} -r ${BUILD_PLAT}/bl2_${BOOT_MODE}.pbl -i ${BUILD_PLAT}/hdr_bl2 -b ${BOOT_MODE} -c ${SOC_NUM} \ + -d ${BL2_HDR_LOC} -e ${BL2_HDR_LOC} -o ${BUILD_PLAT}/bl2_${BOOT_MODE}_sec.pbl -s;\ + rm ${BUILD_PLAT}/bl2_${BOOT_MODE}.pbl +# Swapping of RCW is required for QSPi Chassis 2 devices +ifeq (${BOOT_MODE}, qspi) +ifeq ($(SWAP),1) + ${Q}echo "Byteswapping RCW for QSPI" + ${BYTE_SWAP} ${BUILD_PLAT}/bl2_${BOOT_MODE}_sec.pbl; +endif # SWAP +endif # BOOT_MODE + cd ${PLAT_TOOL_PATH}; ${MAKE} clean ; cd -; +endif +else # NON SECURE_BOOT ifeq ($(RCW),"") ${Q}echo "Platform ${PLAT} requires rcw file. Please set RCW to point to the right RCW file for boot mode ${BOOT_MODE}" else @@ -27,3 +53,4 @@ endif # SWAP endif # BOOT_MODE cd ${PLAT_TOOL_PATH}; ${MAKE} clean ; cd -; endif +endif