diff options
Diffstat (limited to 'arch/arm')
| -rw-r--r-- | arch/arm/mach-keystone/mon.c | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c index 256f630..8100984 100644 --- a/arch/arm/mach-keystone/mon.c +++ b/arch/arm/mach-keystone/mon.c @@ -10,6 +10,7 @@ #include <common.h> #include <command.h> #include <mach/mon.h> +#include <spl.h> asm(".arch_extension sec\n\t"); int mon_install(u32 addr, u32 dpsc, u32 freq) @@ -61,3 +62,75 @@ int mon_power_off(int core_id) : "cc", "r0", "r1", "memory"); return result; } + +#ifdef CONFIG_TI_SECURE_DEVICE +#define KS2_HS_SEC_HEADER_LEN 0x60 +#define KS2_HS_SEC_TAG_OFFSET 0x34 +#define KS2_AUTH_CMD 130 + +/** + * k2_hs_bm_auth() - Invokes security functions using a + * proprietary TI interface. This binary and source for + * this is available in the secure development package or + * SECDEV. For details on how to access this please refer + * doc/README.ti-secure + * + * @cmd: Secure monitor command + * @arg1: Argument for command + * + * returns non-zero value on success, zero on error + */ +static int k2_hs_bm_auth(int cmd, void *arg1) +{ + int result; + + asm volatile ( + "stmfd r13!, {r4-r12, lr}\n" + "mov r0, %1\n" + "mov r1, %2\n" + "smc #2\n" + "ldmfd r13!, {r4-r12, lr}\n" + : "=&r" (result) + : "r" (cmd), "r" (arg1) + : "cc", "r0", "r1", "memory"); + + return result; +} + +void board_fit_image_post_process(void **p_image, size_t *p_size) +{ + int result = 0; + void *image = *p_image; + + if (strncmp(image + KS2_HS_SEC_TAG_OFFSET, "KEYS", 4)) { + printf("No signature found in image!\n"); + hang(); + } + + result = k2_hs_bm_auth(KS2_AUTH_CMD, image); + if (result == 0) { + printf("Authentication failed!\n"); + hang(); + } + + /* + * Overwrite the image headers after authentication + * and decryption. Update size to reflect removal + * of header. + */ + memcpy(image, image + KS2_HS_SEC_HEADER_LEN, *p_size); + *p_size -= KS2_HS_SEC_HEADER_LEN; + + /* + * Output notification of successful authentication to re-assure the + * user that the secure code is being processed as expected. However + * suppress any such log output in case of building for SPL and booting + * via YMODEM. This is done to avoid disturbing the YMODEM serial + * protocol transactions. + */ + if (!(IS_ENABLED(CONFIG_SPL_BUILD) && + IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) && + spl_boot_device() == BOOT_DEVICE_UART)) + printf("Authentication passed\n"); +} +#endif |