public inbox for u-boot@lists.denx.de
* [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems
@ 2014-11-13 19:37 Hans de Goede
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option Hans de Goede
                   ` (3 more replies)
  0 siblings, 4 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-13 19:37 UTC (permalink / raw)
  To: u-boot

Hi Albert,

Here is v2 of my patchset to allow booting in secure mode on non-secure boot
capable systems. See inside the patch commit messages for a detailed changelog,
the 3rd patch in the set goes to a higher version as it also was posted on
its own 2 times.

The first patch is from Tom, and is included because my patches depend on it,
AFAIK it is ready for merging (so it can go in through your tree), it is just
waiting for someone to actually use the EXPERT option which this patch-set
does.

Please review, and if you're happy with the patches, merge them.

Thanks & Regards,

Hans

* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-13 19:37 [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems Hans de Goede
@ 2014-11-13 19:37 ` Hans de Goede
  2014-11-14  1:23   ` Masahiro Yamada
  2014-11-24 15:34   ` Albert ARIBAUD
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options Hans de Goede
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-13 19:37 UTC (permalink / raw)
  To: u-boot

From: Tom Rini <trini@ti.com>

For similar reasons to why the Linux Kernel has an EXPERT option, we too
want an option to allow for tweaking of some options that while normally
should remain hidden, may need to be changed in some cases.

Signed-off-by: Tom Rini <trini@ti.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Kconfig b/Kconfig
index f34f341..405b7a6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -58,6 +58,14 @@ config CC_OPTIMIZE_FOR_SIZE
 
 endmenu		# General setup
 
+menuconfig EXPERT
+        bool "Configure standard U-Boot features (expert users)"
+        help
+          This option allows certain base U-Boot options and settings
+          to be disabled or tweaked. This is for specialized
+          environments which can tolerate a "non-standard" U-Boot.
+          Only use this if you really know what you are doing.
+
 menu "Boot images"
 
 config SPL_BUILD
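
Review bot: `menuconfig EXPERT` is followed directly by `menu "Boot images"`, so nothing in this hunk sits under it as a sub-option; unless dependent entries are going to be placed immediately after it, a plain `config EXPERT` would avoid a menu entry with nothing under it. The added lines are also indented with spaces, while the Kconfig entries elsewhere in this series use a tab; a tab for the attributes and a tab plus two spaces for the help body would keep the file consistent. Since options gated by `if EXPERT` later in the series decide how the kernel is entered, the help text could name that class of option instead of only saying "certain base U-Boot options".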
-- 
2.1.0

* [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options
  2014-11-13 19:37 [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems Hans de Goede
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option Hans de Goede
@ 2014-11-13 19:37 ` Hans de Goede
  2014-11-14  7:29   ` Albert ARIBAUD
  2014-11-24 15:34   ` Albert ARIBAUD
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems Hans de Goede
  2014-11-14  7:18 ` [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot " Albert ARIBAUD
  3 siblings, 2 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-13 19:37 UTC (permalink / raw)
  To: u-boot

Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options, this is a
preparation patch for adding an env variable to choose between secure /
non-secure boot on non-secure boot capable systems, specifically this
prepares for adding CONFIG_CPU_V7_SEC_BY_DEFAULT as a proper Kconfig option.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
--
Changes in v2:
-Drop all the FIXME-s, use proper CPU_V7 and CPU_V7_HAS_foo checks instead
---
 arch/arm/Kconfig                    |  4 ++++
 arch/arm/cpu/armv7/Kconfig          | 23 +++++++++++++++++++++++
 arch/arm/cpu/armv7/exynos/Kconfig   |  2 ++
 board/sunxi/Kconfig                 |  2 ++
 include/configs/arndale.h           |  2 --
 include/configs/sun7i.h             |  2 --
 include/configs/vexpress_ca15_tc2.h |  2 --
 7 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 arch/arm/cpu/armv7/Kconfig

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 79ccc06..43ace2c 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -410,6 +410,8 @@ config TARGET_INTEGRATORCP_CM946ES
 config TARGET_VEXPRESS_CA15_TC2
 	bool "Support vexpress_ca15_tc2"
 	select CPU_V7
+	select CPU_V7_HAS_NONSEC
+	select CPU_V7_HAS_VIRT
 
 config TARGET_VEXPRESS_CA5X2
 	bool "Support vexpress_ca5x2"
@@ -809,6 +811,8 @@ source "arch/arm/cpu/arm926ejs/versatile/Kconfig"
 
 source "arch/arm/cpu/armv7/zynq/Kconfig"
 
+source "arch/arm/cpu/armv7/Kconfig"
+
 source "board/aristainetos/Kconfig"
 source "board/BuR/kwb/Kconfig"
 source "board/BuR/tseries/Kconfig"
diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
new file mode 100644
index 0000000..15c5155
--- /dev/null
+++ b/arch/arm/cpu/armv7/Kconfig
@@ -0,0 +1,23 @@
+if CPU_V7
+
+config CPU_V7_HAS_NONSEC
+        bool
+
+config CPU_V7_HAS_VIRT
+        bool
+
+config ARMV7_NONSEC
+	boolean "Enable support for booting in non-secure mode" if EXPERT
+	depends on CPU_V7_HAS_NONSEC
+	default y
+	---help---
+	Say Y here to enable support for booting in non-secure / SVC mode.
+
+config ARMV7_VIRT
+	boolean "Enable support for hardware virtualization" if EXPERT
+	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
+	default y
+	---help---
+	Say Y here to boot in hypervisor (HYP) mode when booting non-secure.
+
+endif
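
Review bot: `ARMV7_NONSEC` and `ARMV7_VIRT` both carry `default y` with a prompt that is only visible `if EXPERT`, so on any board that selects `CPU_V7_HAS_NONSEC` a non-EXPERT configuration cannot turn non-secure or HYP boot off, and neither help text says so. Please state the default and the reason for it in the help text or the commit message, since this decides which CPU security state the kernel is entered in. Minor: the two `CPU_V7_HAS_*` entries are indented with spaces and use `bool`, while the entries below them use tabs and `boolean`; pick one style, and add a short comment that the `HAS_` symbols are meant to be selected by board or SoC entries only.
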
diff --git a/arch/arm/cpu/armv7/exynos/Kconfig b/arch/arm/cpu/armv7/exynos/Kconfig
index 090be93..e9a102c 100644
--- a/arch/arm/cpu/armv7/exynos/Kconfig
+++ b/arch/arm/cpu/armv7/exynos/Kconfig
@@ -26,6 +26,8 @@ config TARGET_ODROID
 
 config TARGET_ARNDALE
 	bool "Exynos5250 Arndale board"
+	select CPU_V7_HAS_NONSEC
+	select CPU_V7_HAS_VIRT
 	select SUPPORT_SPL
 	select OF_CONTROL if !SPL_BUILD
 
diff --git a/board/sunxi/Kconfig b/board/sunxi/Kconfig
index 0bab31b..e20ea1b 100644
--- a/board/sunxi/Kconfig
+++ b/board/sunxi/Kconfig
@@ -21,6 +21,8 @@ config MACH_SUN6I
 config MACH_SUN7I
 	bool "sun7i (Allwinner A20)"
 	select CPU_V7
+	select CPU_V7_HAS_NONSEC
+	select CPU_V7_HAS_VIRT
 	select SUPPORT_SPL
 
 config MACH_SUN8I
diff --git a/include/configs/arndale.h b/include/configs/arndale.h
index f9ee40f..aa6b631 100644
--- a/include/configs/arndale.h
+++ b/include/configs/arndale.h
@@ -60,6 +60,4 @@
 /* The PERIPHBASE in the CBAR register is wrong on the Arndale, so override it */
 #define CONFIG_ARM_GIC_BASE_ADDRESS	0x10480000
 
-#define CONFIG_ARMV7_VIRT
-
 #endif	/* __CONFIG_H */
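
Review bot: removing `#define CONFIG_ARMV7_VIRT` here keeps the feature enabled only if Kconfig ends up with `ARMV7_VIRT=y` for Arndale, and the new options live inside `if CPU_V7`, yet the `TARGET_ARNDALE` lines shown in the exynos Kconfig hunk gain the two `CPU_V7_HAS_*` selects without a visible `select CPU_V7`. Please confirm that `CPU_V7` is set for this target by some other entry, otherwise the board silently loses HYP support; comparing the resulting `CONFIG_ARMV7_*` values before and after the patch for arndale, sun7i and vexpress_ca15_tc2 would settle it.
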
diff --git a/include/configs/sun7i.h b/include/configs/sun7i.h
index ea40790..3629587 100644
--- a/include/configs/sun7i.h
+++ b/include/configs/sun7i.h
@@ -22,8 +22,6 @@
 #define CONFIG_USB_MAX_CONTROLLER_COUNT	2
 #endif
 
-#define CONFIG_ARMV7_VIRT		1
-#define CONFIG_ARMV7_NONSEC		1
 #define CONFIG_ARMV7_PSCI		1
 #define CONFIG_ARMV7_PSCI_NR_CPUS	2
 #define CONFIG_ARMV7_SECURE_BASE	SUNXI_SRAM_B_BASE
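
Review bot: `CONFIG_ARMV7_PSCI`, `CONFIG_ARMV7_PSCI_NR_CPUS` and `CONFIG_ARMV7_SECURE_BASE` stay unconditionally defined in this header while `ARMV7_NONSEC` becomes a Kconfig symbol that an EXPERT user can now set to n. Please check that this combination still builds and behaves sensibly, or wrap the remaining defines in `#ifdef CONFIG_ARMV7_NONSEC`.
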
diff --git a/include/configs/vexpress_ca15_tc2.h b/include/configs/vexpress_ca15_tc2.h
index 982f4a7..b43afa2 100644
--- a/include/configs/vexpress_ca15_tc2.h
+++ b/include/configs/vexpress_ca15_tc2.h
@@ -18,6 +18,4 @@
 #define CONFIG_SYSFLAGS_ADDR	0x1c010030
 #define CONFIG_SMP_PEN_ADDR	CONFIG_SYSFLAGS_ADDR
 
-#define CONFIG_ARMV7_VIRT
-
 #endif
-- 
2.1.0

* [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems
  2014-11-13 19:37 [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems Hans de Goede
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option Hans de Goede
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options Hans de Goede
@ 2014-11-13 19:37 ` Hans de Goede
  2014-11-14  7:33   ` Albert ARIBAUD
  2014-11-24 15:34   ` Albert ARIBAUD
  2014-11-14  7:18 ` [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot " Albert ARIBAUD
  3 siblings, 2 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-13 19:37 UTC (permalink / raw)
  To: u-boot

Older Linux kernels will not properly boot in hyp mode, add support for a
bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
to force booting in secure or non-secure mode when built with non-sec support.

The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
when this is set booting in secure mode is the default. The default setting
for this Kconfig option is N, preserving the current behavior of booting in
non-secure mode by default when non-secure mode is supported.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Siarhei Siamashka <siarhei.siamashka@gmail.com>
--
Changes in v2:
-Allow changing the default boot mode to secure through defining
 CONFIG_ARMV7_BOOT_SEC_DEFAULT, this is useful for archs which have a Kconfig
 option for compatibility with older kernels
Changes in v3:
-Add an else at the end of the #ifdef NONSEC block so that if do_nonsec_entry
 fails we do not end up re-trying in secure mode
Changes in v4:
-Add a Kconfig option to select to boot in secure or non-secure mode by default
---
 arch/arm/cpu/armv7/Kconfig | 11 +++++++++++
 arch/arm/lib/bootm.c       | 31 ++++++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
index 15c5155..6ee5ff8 100644
--- a/arch/arm/cpu/armv7/Kconfig
+++ b/arch/arm/cpu/armv7/Kconfig
@@ -13,6 +13,17 @@ config ARMV7_NONSEC
 	---help---
 	Say Y here to enable support for booting in non-secure / SVC mode.
 
+config ARMV7_BOOT_SEC_DEFAULT
+	boolean "Boot in secure mode by default" if EXPERT
+	depends on ARMV7_NONSEC
+	default n
+	---help---
+	Say Y here to boot in secure mode by default even if non-secure mode
+	is supported. This option is useful to boot kernels which do not
+	suppport booting in secure mode. Only set this if you need it.
+	This can be overriden at run-time by setting the bootm_boot_mode env.
+	variable to "sec" or "nonsec".
+
 config ARMV7_VIRT
 	boolean "Enable support for hardware virtualization" if EXPERT
 	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
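
Review bot: the help text for `ARMV7_BOOT_SEC_DEFAULT` says the option is useful for kernels "which do not suppport booting in secure mode", which contradicts what the option does (it makes secure mode the default); it should read non-secure mode, and "suppport" and "overriden" need their spelling fixed. It is also worth stating in the help that `bootm_boot_mode` overrides this setting in both directions at run time, so the Kconfig value is a default and not a guarantee of the security state the kernel starts in.
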
diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
index 4949d57..a7f7c67 100644
--- a/arch/arm/lib/bootm.c
+++ b/arch/arm/lib/bootm.c
@@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
 	}
 }
 
+#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
+static bool boot_nonsec(void)
+{
+	char *s = getenv("bootm_boot_mode");
+#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
+	bool nonsec = false;
+#else
+	bool nonsec = true;
+#endif
+
+	if (s && !strcmp(s, "sec"))
+		nonsec = false;
+
+	if (s && !strcmp(s, "nonsec"))
+		nonsec = true;
+
+	return nonsec;
+}
+#endif
+
 /* Subcommand: GO */
 static void boot_jump_linux(bootm_headers_t *images, int flag)
 {
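
Review bot: in `boot_nonsec()` any value of `bootm_boot_mode` other than exactly "sec" or "nonsec" (a typo, different case, trailing whitespace) is silently ignored and the compile-time default is used, so a user who believes they forced one security state gets the other without any message. Consider printing a warning for unrecognised values, and make the second test an `else if`, since the two strings are mutually exclusive.
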
@@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
 
 	if (!fake) {
 #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
-		armv7_init_nonsec();
-		secure_ram_addr(_do_nonsec_entry)(kernel_entry,
-						  0, machid, r2);
-#else
-		kernel_entry(0, machid, r2);
+		if (boot_nonsec()) {
+			armv7_init_nonsec();
+			secure_ram_addr(_do_nonsec_entry)(kernel_entry,
+							  0, machid, r2);
+		} else
 #endif
+			kernel_entry(0, machid, r2);
 	}
 #endif
 }
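
Review bot: the `} else` left dangling before `#endif` makes `kernel_entry(0, machid, r2);` an unbraced else-branch only in builds with non-secure support, so the control flow differs by configuration and is easy to break the next time this block is edited. A comment on the `else` recording why it is there (per the v3 changelog, a returning `_do_nonsec_entry` must not fall through into a secure-mode boot) would preserve that intent, and braces on both branches, or a small helper that hides the `#if`, would make it harder to lose.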
-- 
2.1.0

* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option Hans de Goede
@ 2014-11-14  1:23   ` Masahiro Yamada
  2014-11-14  7:08     ` Albert ARIBAUD
  2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 1 reply; 16+ messages in thread
From: Masahiro Yamada @ 2014-11-14  1:23 UTC (permalink / raw)
  To: u-boot

This is identical to
http://patchwork.ozlabs.org/patch/399458/
posted by Tom Rini a month ago.
Why is it taking so long for this patch?

I prefer describing the patch dependency in the cover letter
to resending the same patch.




On Thu, 13 Nov 2014 20:37:40 +0100
Hans de Goede <hdegoede@redhat.com> wrote:

> From: Tom Rini <trini@ti.com>
> 
> For similar reasons to why the Linux Kernel has an EXPERT option, we too
> want an option to allow for tweaking of some options that while normally
> should remain hidden, may need to be changed in some cases.
> 
> Signed-off-by: Tom Rini <trini@ti.com>
> Acked-by: Hans de Goede <hdegoede@redhat.com>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  Kconfig | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/Kconfig b/Kconfig
> index f34f341..405b7a6 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -58,6 +58,14 @@ config CC_OPTIMIZE_FOR_SIZE
>  
>  endmenu		# General setup
>  
> +menuconfig EXPERT
> +        bool "Configure standard U-Boot features (expert users)"
> +        help
> +          This option allows certain base U-Boot options and settings
> +          to be disabled or tweaked. This is for specialized
> +          environments which can tolerate a "non-standard" U-Boot.
> +          Only use this if you really know what you are doing.
> +
>  menu "Boot images"
>  
>  config SPL_BUILD
> -- 
> 2.1.0
> 

* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-14  1:23   ` Masahiro Yamada
@ 2014-11-14  7:08     ` Albert ARIBAUD
  2014-11-14  7:15       ` Masahiro Yamada
  0 siblings, 1 reply; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-14  7:08 UTC (permalink / raw)
  To: u-boot

Hello Masahiro,

> I prefer describing the patch dependency in the cover letter
> to resending the same patch.

Ditto -- but since patch numbers won't matter once applied and since
Tom is properly attributed, it won't matter much whether Tom applies
his own patch or I apply it as part of this series.

I'll apply the series.

Amicalement,
-- 
Albert.

* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-14  7:08     ` Albert ARIBAUD
@ 2014-11-14  7:15       ` Masahiro Yamada
  2014-11-14  8:21         ` Albert ARIBAUD
  0 siblings, 1 reply; 16+ messages in thread
From: Masahiro Yamada @ 2014-11-14  7:15 UTC (permalink / raw)
  To: u-boot

Hi Albert,


On Fri, 14 Nov 2014 08:08:05 +0100
Albert ARIBAUD <albert.u.boot@aribaud.net> wrote:

> Hello Masahiro,
> 
> > I prefer describing the patch dependency in the cover letter
> > to resending the same patch.
> 
> Ditto -- but since patch numbers won't matter once applied and since
> Tom is properly attributed, it won't matter much whether Tom applies
> his own patch or I apply it as part of this series.
> 
> I'll apply the series.
> 

Yup, it won't make much of a difference, although I issued my Acked-by to Tom's one
and it is missing from Hans's.


Best Regards
Masahiro Yamada

* [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems
  2014-11-13 19:37 [U-Boot] [PATCH v2 0/3] ARM: Add armv7/Kconfig and allow booting in secure mode on non-secure boot capable systems Hans de Goede
                   ` (2 preceding siblings ...)
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems Hans de Goede
@ 2014-11-14  7:18 ` Albert ARIBAUD
  3 siblings, 0 replies; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-14  7:18 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:39 +0100, Hans de Goede <hdegoede@redhat.com>
wrote:
> Hi Albert,
> 
> Here is v2 of my patchset to allow booting in secure mode on non-secure boot
> capable systems. See inside the patch commit messages for a detailed changelog,
> the 3rd patch in the set goes to a higher version as it also was posted on
> its own 2 times.

Noted. If you ever find yourself in the same situation again, please
bump up patchset version to the patch version (here, that would have
meant bumping up 0/3, 1/3 and 2/3 to v4).

You can automate a lot of this by using tools/patman. 

> The first patch is from Tom, and is included because my patches depend on it,
> AFAIK it is ready for merging (so it can go in through your tree), it is just
> waiting for someone to actually use the EXPERT option which this patch-set
> does.
>
> Please review, and if you're happy with the patches, merge them.

Reviewing them right now.

> Thanks & Regards,
> 
> Hans

Amicalement,
-- 
Albert.

* [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options Hans de Goede
@ 2014-11-14  7:29   ` Albert ARIBAUD
  2014-11-14  8:36     ` Hans de Goede
  2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 1 reply; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-14  7:29 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:41 +0100, Hans de Goede <hdegoede@redhat.com>
wrote:
> Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options, this is a
> preparation patch for adding an env variable to choose between secure /
> non-secure boot on non-secure boot capable systems, specifically this
> prepares for adding CONFIG_CPU_V7_SEC_BY_DEFAULT as a proper Kconfig option.

Does not seem like CONFIG_CPU_V7_SEC_BY_DEFAULT is ever defined once
all three patches are applied.

OTOH, patch 3/3 defines CONFIG_ARMV7_BOOT_SEC_DEFAULT (but see my
comments on it)

> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> --
> Changes in v2:
> -Drop all the FIXME-s, use proper CPU_V7 and CPU_V7_HAS_foo checks instead
> ---
>  arch/arm/Kconfig                    |  4 ++++
>  arch/arm/cpu/armv7/Kconfig          | 23 +++++++++++++++++++++++
>  arch/arm/cpu/armv7/exynos/Kconfig   |  2 ++
>  board/sunxi/Kconfig                 |  2 ++
>  include/configs/arndale.h           |  2 --
>  include/configs/sun7i.h             |  2 --
>  include/configs/vexpress_ca15_tc2.h |  2 --
>  7 files changed, 31 insertions(+), 6 deletions(-)
>  create mode 100644 arch/arm/cpu/armv7/Kconfig
> 
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 79ccc06..43ace2c 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -410,6 +410,8 @@ config TARGET_INTEGRATORCP_CM946ES
>  config TARGET_VEXPRESS_CA15_TC2
>  	bool "Support vexpress_ca15_tc2"
>  	select CPU_V7
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  
>  config TARGET_VEXPRESS_CA5X2
>  	bool "Support vexpress_ca5x2"
> @@ -809,6 +811,8 @@ source "arch/arm/cpu/arm926ejs/versatile/Kconfig"
>  
>  source "arch/arm/cpu/armv7/zynq/Kconfig"
>  
> +source "arch/arm/cpu/armv7/Kconfig"
> +
>  source "board/aristainetos/Kconfig"
>  source "board/BuR/kwb/Kconfig"
>  source "board/BuR/tseries/Kconfig"
> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
> new file mode 100644
> index 0000000..15c5155
> --- /dev/null
> +++ b/arch/arm/cpu/armv7/Kconfig
> @@ -0,0 +1,23 @@
> +if CPU_V7
> +
> +config CPU_V7_HAS_NONSEC
> +        bool
> +
> +config CPU_V7_HAS_VIRT
> +        bool
> +
> +config ARMV7_NONSEC
> +	boolean "Enable support for booting in non-secure mode" if EXPERT
> +	depends on CPU_V7_HAS_NONSEC
> +	default y

I'm not a Kconfig expert, but doesn't this "y" here mean that support
for non-secure mode is enabled by default? And shouldn't it be more
logical / secure that the default be "n" to avoid accidentally building
a non-secure-capable U-Boot?

> +	---help---
> +	Say Y here to enable support for booting in non-secure / SVC mode.
> +
> +config ARMV7_VIRT
> +	boolean "Enable support for hardware virtualization" if EXPERT
> +	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
> +	default y

Same here.

> +	---help---
> +	Say Y here to boot in hypervisor (HYP) mode when booting non-secure.
> +
> +endif
> diff --git a/arch/arm/cpu/armv7/exynos/Kconfig b/arch/arm/cpu/armv7/exynos/Kconfig
> index 090be93..e9a102c 100644
> --- a/arch/arm/cpu/armv7/exynos/Kconfig
> +++ b/arch/arm/cpu/armv7/exynos/Kconfig
> @@ -26,6 +26,8 @@ config TARGET_ODROID
>  
>  config TARGET_ARNDALE
>  	bool "Exynos5250 Arndale board"
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  	select SUPPORT_SPL
>  	select OF_CONTROL if !SPL_BUILD
>  
> diff --git a/board/sunxi/Kconfig b/board/sunxi/Kconfig
> index 0bab31b..e20ea1b 100644
> --- a/board/sunxi/Kconfig
> +++ b/board/sunxi/Kconfig
> @@ -21,6 +21,8 @@ config MACH_SUN6I
>  config MACH_SUN7I
>  	bool "sun7i (Allwinner A20)"
>  	select CPU_V7
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  	select SUPPORT_SPL
>  
>  config MACH_SUN8I
> diff --git a/include/configs/arndale.h b/include/configs/arndale.h
> index f9ee40f..aa6b631 100644
> --- a/include/configs/arndale.h
> +++ b/include/configs/arndale.h
> @@ -60,6 +60,4 @@
>  /* The PERIPHBASE in the CBAR register is wrong on the Arndale, so override it */
>  #define CONFIG_ARM_GIC_BASE_ADDRESS	0x10480000
>  
> -#define CONFIG_ARMV7_VIRT
> -
>  #endif	/* __CONFIG_H */
> diff --git a/include/configs/sun7i.h b/include/configs/sun7i.h
> index ea40790..3629587 100644
> --- a/include/configs/sun7i.h
> +++ b/include/configs/sun7i.h
> @@ -22,8 +22,6 @@
>  #define CONFIG_USB_MAX_CONTROLLER_COUNT	2
>  #endif
>  
> -#define CONFIG_ARMV7_VIRT		1
> -#define CONFIG_ARMV7_NONSEC		1
>  #define CONFIG_ARMV7_PSCI		1
>  #define CONFIG_ARMV7_PSCI_NR_CPUS	2
>  #define CONFIG_ARMV7_SECURE_BASE	SUNXI_SRAM_B_BASE
> diff --git a/include/configs/vexpress_ca15_tc2.h b/include/configs/vexpress_ca15_tc2.h
> index 982f4a7..b43afa2 100644
> --- a/include/configs/vexpress_ca15_tc2.h
> +++ b/include/configs/vexpress_ca15_tc2.h
> @@ -18,6 +18,4 @@
>  #define CONFIG_SYSFLAGS_ADDR	0x1c010030
>  #define CONFIG_SMP_PEN_ADDR	CONFIG_SYSFLAGS_ADDR
>  
> -#define CONFIG_ARMV7_VIRT
> -
>  #endif
> -- 
> 2.1.0
> 



Amicalement,
-- 
Albert.

* [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems Hans de Goede
@ 2014-11-14  7:33   ` Albert ARIBAUD
  2014-11-14  8:19     ` Hans de Goede
  2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 1 reply; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-14  7:33 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:42 +0100, Hans de Goede <hdegoede@redhat.com>
wrote:
> Older Linux kernels will not properly boot in hyp mode, add support for a
> bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
> to force booting in secure or non-secure mode when built with non-sec support.
> 
> The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
> when this is set booting in secure mode is the default. The default setting
> for this Kconfig option is N, preserving the current behavior of booting in
> non-secure mode by default when non-secure mode is supported.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Acked-by: Marc Zyngier <marc.zyngier@arm.com>
> Acked-by: Siarhei Siamashka <siarhei.siamashka@gmail.com>
> --
> Changes in v2:
> -Allow changing the default boot mode to secure through defining
>  CONFIG_ARMV7_BOOT_SEC_DEFAULT, this is useful for archs which have a Kconfig
>  option for compatibility with older kernels
> Changes in v3:
> -Add an else at the end of the #ifdef NONSEC block so that if do_nonsec_entry
>  fails we do not end up re-trying in secure mode
> Changes in v4:
> -Add a Kconfig option to select to boot in secure or non-secure mode by default
> ---
>  arch/arm/cpu/armv7/Kconfig | 11 +++++++++++
>  arch/arm/lib/bootm.c       | 31 ++++++++++++++++++++++++++-----
>  2 files changed, 37 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
> index 15c5155..6ee5ff8 100644
> --- a/arch/arm/cpu/armv7/Kconfig
> +++ b/arch/arm/cpu/armv7/Kconfig
> @@ -13,6 +13,17 @@ config ARMV7_NONSEC
>  	---help---
>  	Say Y here to enable support for booting in non-secure / SVC mode.
>  
> +config ARMV7_BOOT_SEC_DEFAULT
> +	boolean "Boot in secure mode by default" if EXPERT
> +	depends on ARMV7_NONSEC
> +	default n
> +	---help---
> +	Say Y here to boot in secure mode by default even if non-secure mode
> +	is supported. This option is useful to boot kernels which do not
> +	suppport booting in secure mode. Only set this if you need it.
> +	This can be overriden at run-time by setting the bootm_boot_mode env.
> +	variable to "sec" or "nonsec".

Not sure I'm getting this right, but it seems to me that forcing secure
boot mode for kernels that don't support secure boot mode is kind of
contradictory. Did you mean "... for kernels which do not support
booting in *non*-secure mode..." ?

>  config ARMV7_VIRT
>  	boolean "Enable support for hardware virtualization" if EXPERT
>  	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
> index 4949d57..a7f7c67 100644
> --- a/arch/arm/lib/bootm.c
> +++ b/arch/arm/lib/bootm.c
> @@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
>  	}
>  }
>  
> +#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> +static bool boot_nonsec(void)
> +{
> +	char *s = getenv("bootm_boot_mode");
> +#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
> +	bool nonsec = false;
> +#else
> +	bool nonsec = true;
> +#endif
> +
> +	if (s && !strcmp(s, "sec"))
> +		nonsec = false;
> +
> +	if (s && !strcmp(s, "nonsec"))
> +		nonsec = true;
> +
> +	return nonsec;
> +}
> +#endif
> +
>  /* Subcommand: GO */
>  static void boot_jump_linux(bootm_headers_t *images, int flag)
>  {
> @@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
>  
>  	if (!fake) {
>  #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> -		armv7_init_nonsec();
> -		secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> -						  0, machid, r2);
> -#else
> -		kernel_entry(0, machid, r2);
> +		if (boot_nonsec()) {
> +			armv7_init_nonsec();
> +			secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> +							  0, machid, r2);
> +		} else
>  #endif
> +			kernel_entry(0, machid, r2);
>  	}
>  #endif
>  }
> -- 
> 2.1.0
> 



Amicalement,
-- 
Albert.

* [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems
  2014-11-14  7:33   ` Albert ARIBAUD
@ 2014-11-14  8:19     ` Hans de Goede
  0 siblings, 0 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-14  8:19 UTC (permalink / raw)
  To: u-boot

Hi,

On 11/14/2014 08:33 AM, Albert ARIBAUD wrote:
> Hello Hans,
> 
> On Thu, 13 Nov 2014 20:37:42 +0100, Hans de Goede <hdegoede@redhat.com>
> wrote:
>> Older Linux kernels will not properly boot in hyp mode, add support for a
>> bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
>> to force booting in secure or non-secure mode when built with non-sec support.
>>
>> The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
>> when this is set booting in secure mode is the default. The default setting
>> for this Kconfig option is N, preserving the current behavior of booting in
>> non-secure mode by default when non-secure mode is supported.
>>
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> Acked-by: Marc Zyngier <marc.zyngier@arm.com>
>> Acked-by: Siarhei Siamashka <siarhei.siamashka@gmail.com>
>> --
>> Changes in v2:
>> -Allow changing the default boot mode to secure through defining
>>  CONFIG_ARMV7_BOOT_SEC_DEFAULT, this is useful for archs which have a Kconfig
>>  option for compatibility with older kernels
>> Changes in v3:
>> -Add an else at the end of the #ifdef NONSEC block so that if do_nonsec_entry
>>  fails we do not end up re-trying in secure mode
>> Changes in v4:
>> -Add a Kconfig option to select to boot in secure or non-secure mode by default
>> ---
>>  arch/arm/cpu/armv7/Kconfig | 11 +++++++++++
>>  arch/arm/lib/bootm.c       | 31 ++++++++++++++++++++++++++-----
>>  2 files changed, 37 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
>> index 15c5155..6ee5ff8 100644
>> --- a/arch/arm/cpu/armv7/Kconfig
>> +++ b/arch/arm/cpu/armv7/Kconfig
>> @@ -13,6 +13,17 @@ config ARMV7_NONSEC
>>  	---help---
>>  	Say Y here to enable support for booting in non-secure / SVC mode.
>>  
>> +config ARMV7_BOOT_SEC_DEFAULT
>> +	boolean "Boot in secure mode by default" if EXPERT
>> +	depends on ARMV7_NONSEC
>> +	default n
>> +	---help---
>> +	Say Y here to boot in secure mode by default even if non-secure mode
>> +	is supported. This option is useful to boot kernels which do not
>> +	suppport booting in secure mode. Only set this if you need it.
>> +	This can be overriden at run-time by setting the bootm_boot_mode env.
>> +	variable to "sec" or "nonsec".
> 
> Not sure I'm getting this right, but it seems to me that forcing secure
> boot mode for kernels that don't support secure boot mode is kind of
> contradictory. Did you mean "... for kernels which do not support
> booting in *non*-secure mode..." ?

Yes, my bad will fix in v5.

> 
>>  config ARMV7_VIRT
>>  	boolean "Enable support for hardware virtualization" if EXPERT
>>  	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
>> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
>> index 4949d57..a7f7c67 100644
>> --- a/arch/arm/lib/bootm.c
>> +++ b/arch/arm/lib/bootm.c
>> @@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
>>  	}
>>  }
>>  
>> +#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
>> +static bool boot_nonsec(void)
>> +{
>> +	char *s = getenv("bootm_boot_mode");
>> +#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
>> +	bool nonsec = false;
>> +#else
>> +	bool nonsec = true;
>> +#endif
>> +
>> +	if (s && !strcmp(s, "sec"))
>> +		nonsec = false;
>> +
>> +	if (s && !strcmp(s, "nonsec"))
>> +		nonsec = true;
>> +
>> +	return nonsec;
>> +}
>> +#endif
>> +
>>  /* Subcommand: GO */
>>  static void boot_jump_linux(bootm_headers_t *images, int flag)
>>  {
>> @@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
>>  
>>  	if (!fake) {
>>  #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
>> -		armv7_init_nonsec();
>> -		secure_ram_addr(_do_nonsec_entry)(kernel_entry,
>> -						  0, machid, r2);
>> -#else
>> -		kernel_entry(0, machid, r2);
>> +		if (boot_nonsec()) {
>> +			armv7_init_nonsec();
>> +			secure_ram_addr(_do_nonsec_entry)(kernel_entry,
>> +							  0, machid, r2);
>> +		} else
>>  #endif
>> +			kernel_entry(0, machid, r2);
>>  	}
>>  #endif
>>  }
>> -- 
>> 2.1.0

Regards,

Hans

* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-14  7:15       ` Masahiro Yamada
@ 2014-11-14  8:21         ` Albert ARIBAUD
  0 siblings, 0 replies; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-14  8:21 UTC (permalink / raw)
  To: u-boot

Hello Masahiro,

On Fri, 14 Nov 2014 16:15:01 +0900, Masahiro Yamada
<yamada.m@jp.panasonic.com> wrote:
> Hi Albert,
> 
> 
> On Fri, 14 Nov 2014 08:08:05 +0100
> Albert ARIBAUD <albert.u.boot@aribaud.net> wrote:
> 
> > Hello Masahiro,
> > 
> > > I prefer describing the patch dependency in the cover letter
> > > to resending the same patch.
> > 
> > Ditto -- but since patch numbers won't matter once applied and since
> > Tom is properly attributed, it won't matter much whether Tom applies
> > his own patch or I apply it as part of this series.
> > 
> > I'll apply the series.
> > 
> 
> Yup, it won't make much of a difference, although I issued my Acked-by to Tom's one
> and it is missing from Hans's.

Fair point. I'll make sure I add your Acked-by if I'm the one applying
this patch.
> 
> Best Regards
> Masahiro Yamada

Amicalement,
-- 
Albert.


* [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options
  2014-11-14  7:29   ` Albert ARIBAUD
@ 2014-11-14  8:36     ` Hans de Goede
  0 siblings, 0 replies; 16+ messages in thread
From: Hans de Goede @ 2014-11-14  8:36 UTC (permalink / raw)
  To: u-boot

Hi,

On 11/14/2014 08:29 AM, Albert ARIBAUD wrote:
> Hello Hans,
> 
> On Thu, 13 Nov 2014 20:37:41 +0100, Hans de Goede <hdegoede@redhat.com>
> wrote:
>> Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options, this is a
>> preparation patch for adding an env variable to choose between secure /
>> non-secure boot on non-secure boot capable systems, specifically this
>> prepares for adding CONFIG_CPU_V7_SEC_BY_DEFAULT as a proper Kconfig option.
> 
> Does not seem like CONFIG_CPU_V7_SEC_BY_DEFAULT is ever defined once
> all three patches are applied.
> 
> OTOH, patch 3/3 defines CONFIG_ARMV7_BOOT_SEC_DEFAULT (but see my
> comments on it)

Yes, my bad, I'll fix up the commit message.

> 
>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>> --
>> Changes in v2:
>> -Drop all the FIXME-s, use proper CPU_V7 and CPU_V7_HAS_foo checks instead
>> ---
>>  arch/arm/Kconfig                    |  4 ++++
>>  arch/arm/cpu/armv7/Kconfig          | 23 +++++++++++++++++++++++
>>  arch/arm/cpu/armv7/exynos/Kconfig   |  2 ++
>>  board/sunxi/Kconfig                 |  2 ++
>>  include/configs/arndale.h           |  2 --
>>  include/configs/sun7i.h             |  2 --
>>  include/configs/vexpress_ca15_tc2.h |  2 --
>>  7 files changed, 31 insertions(+), 6 deletions(-)
>>  create mode 100644 arch/arm/cpu/armv7/Kconfig
>>
>> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
>> index 79ccc06..43ace2c 100644
>> --- a/arch/arm/Kconfig
>> +++ b/arch/arm/Kconfig
>> @@ -410,6 +410,8 @@ config TARGET_INTEGRATORCP_CM946ES
>>  config TARGET_VEXPRESS_CA15_TC2
>>  	bool "Support vexpress_ca15_tc2"
>>  	select CPU_V7
>> +	select CPU_V7_HAS_NONSEC
>> +	select CPU_V7_HAS_VIRT
>>  
>>  config TARGET_VEXPRESS_CA5X2
>>  	bool "Support vexpress_ca5x2"
>> @@ -809,6 +811,8 @@ source "arch/arm/cpu/arm926ejs/versatile/Kconfig"
>>  
>>  source "arch/arm/cpu/armv7/zynq/Kconfig"
>>  
>> +source "arch/arm/cpu/armv7/Kconfig"
>> +
>>  source "board/aristainetos/Kconfig"
>>  source "board/BuR/kwb/Kconfig"
>>  source "board/BuR/tseries/Kconfig"
>> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
>> new file mode 100644
>> index 0000000..15c5155
>> --- /dev/null
>> +++ b/arch/arm/cpu/armv7/Kconfig
>> @@ -0,0 +1,23 @@
>> +if CPU_V7
>> +
>> +config CPU_V7_HAS_NONSEC
>> +        bool
>> +
>> +config CPU_V7_HAS_VIRT
>> +        bool
>> +
>> +config ARMV7_NONSEC
>> +	boolean "Enable support for booting in non-secure mode" if EXPERT
>> +	depends on CPU_V7_HAS_NONSEC
>> +	default y
> 
> I'm not a Kconfig expert, but doesn't this "y" here mean that support
> for non-secure mode is enabled by default?

It does.

> And shouldn't it be more
> logical / secure that the default be "n" to avoid accidentally building
> a non-secure-capable U-Boot?

This is preserving the current default behavior, where all non-secure boot
capable platforms default to building with non-secure boot enabled.

> 
>> +	---help---
>> +	Say Y here to enable support for booting in non-secure / SVC mode.
>> +
>> +config ARMV7_VIRT
>> +	boolean "Enable support for hardware virtualization" if EXPERT
>> +	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
>> +	default y
> 
> Same here.

Same.

> 
>> +	---help---
>> +	Say Y here to boot in hypervisor (HYP) mode when booting non-secure.
>> +
>> +endif
>> diff --git a/arch/arm/cpu/armv7/exynos/Kconfig b/arch/arm/cpu/armv7/exynos/Kconfig
>> index 090be93..e9a102c 100644
>> --- a/arch/arm/cpu/armv7/exynos/Kconfig
>> +++ b/arch/arm/cpu/armv7/exynos/Kconfig
>> @@ -26,6 +26,8 @@ config TARGET_ODROID
>>  
>>  config TARGET_ARNDALE
>>  	bool "Exynos5250 Arndale board"
>> +	select CPU_V7_HAS_NONSEC
>> +	select CPU_V7_HAS_VIRT
>>  	select SUPPORT_SPL
>>  	select OF_CONTROL if !SPL_BUILD
>>  
>> diff --git a/board/sunxi/Kconfig b/board/sunxi/Kconfig
>> index 0bab31b..e20ea1b 100644
>> --- a/board/sunxi/Kconfig
>> +++ b/board/sunxi/Kconfig
>> @@ -21,6 +21,8 @@ config MACH_SUN6I
>>  config MACH_SUN7I
>>  	bool "sun7i (Allwinner A20)"
>>  	select CPU_V7
>> +	select CPU_V7_HAS_NONSEC
>> +	select CPU_V7_HAS_VIRT
>>  	select SUPPORT_SPL
>>  
>>  config MACH_SUN8I
>> diff --git a/include/configs/arndale.h b/include/configs/arndale.h
>> index f9ee40f..aa6b631 100644
>> --- a/include/configs/arndale.h
>> +++ b/include/configs/arndale.h
>> @@ -60,6 +60,4 @@
>>  /* The PERIPHBASE in the CBAR register is wrong on the Arndale, so override it */
>>  #define CONFIG_ARM_GIC_BASE_ADDRESS	0x10480000
>>  
>> -#define CONFIG_ARMV7_VIRT
>> -
>>  #endif	/* __CONFIG_H */
>> diff --git a/include/configs/sun7i.h b/include/configs/sun7i.h
>> index ea40790..3629587 100644
>> --- a/include/configs/sun7i.h
>> +++ b/include/configs/sun7i.h
>> @@ -22,8 +22,6 @@
>>  #define CONFIG_USB_MAX_CONTROLLER_COUNT	2
>>  #endif
>>  
>> -#define CONFIG_ARMV7_VIRT		1
>> -#define CONFIG_ARMV7_NONSEC		1
>>  #define CONFIG_ARMV7_PSCI		1
>>  #define CONFIG_ARMV7_PSCI_NR_CPUS	2
>>  #define CONFIG_ARMV7_SECURE_BASE	SUNXI_SRAM_B_BASE
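
Review bot: after this hunk CONFIG_ARMV7_PSCI, CONFIG_ARMV7_PSCI_NR_CPUS and CONFIG_ARMV7_SECURE_BASE are still defined unconditionally in sun7i.h, while ARMV7_NONSEC can now be switched off under EXPERT. Please check that a sun7i build with ARMV7_NONSEC=n still compiles and behaves sensibly, or wrap these three defines in `#ifdef CONFIG_ARMV7_NONSEC` until PSCI gets its own Kconfig entry with a dependency on ARMV7_NONSEC.
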
>> diff --git a/include/configs/vexpress_ca15_tc2.h b/include/configs/vexpress_ca15_tc2.h
>> index 982f4a7..b43afa2 100644
>> --- a/include/configs/vexpress_ca15_tc2.h
>> +++ b/include/configs/vexpress_ca15_tc2.h
>> @@ -18,6 +18,4 @@
>>  #define CONFIG_SYSFLAGS_ADDR	0x1c010030
>>  #define CONFIG_SMP_PEN_ADDR	CONFIG_SYSFLAGS_ADDR
>>  
>> -#define CONFIG_ARMV7_VIRT
>> -
>>  #endif
>> -- 
>> 2.1.0

Regards,

Hans


* [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 1/3] Kconfig: Add EXPERT option Hans de Goede
  2014-11-14  1:23   ` Masahiro Yamada
@ 2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 0 replies; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-24 15:34 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:40 +0100, Hans de Goede <hdegoede@redhat.com> wrote:
> From: Tom Rini <trini@ti.com>
> 
> For similar reasons to why the Linux Kernel has an EXPERT option, we too
> want an option to allow for tweaking of some options that while normally
> should remain hidden, may need to be changed in some cases.
> 
> Signed-off-by: Tom Rini <trini@ti.com>
> Acked-by: Hans de Goede <hdegoede@redhat.com>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  Kconfig | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/Kconfig b/Kconfig
> index f34f341..405b7a6 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -58,6 +58,14 @@ config CC_OPTIMIZE_FOR_SIZE
>  
>  endmenu		# General setup
>  
> +menuconfig EXPERT
> +        bool "Configure standard U-Boot features (expert users)"
> +        help
> +          This option allows certain base U-Boot options and settings
> +          to be disabled or tweaked. This is for specialized
> +          environments which can tolerate a "non-standard" U-Boot.
> +          Only use this if you really know what you are doing.
> +
>  menu "Boot images"
>  
>  config SPL_BUILD
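
Review bot: the body of the new `menuconfig EXPERT` entry is indented with eight spaces, whereas the entries added later in this series (for example `config ARMV7_NONSEC`) use a tab; please convert so the file stays consistent. The entry is followed directly by `menu "Boot images"`, so `menuconfig` has nothing to group here; plain `config EXPERT` would do unless options are going to be nested under it.
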
> -- 
> 2.1.0
> 

Applied to u-boot-arm/master, thanks!

Amicalement,
-- 
Albert.


* [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 2/3] ARM: Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options Hans de Goede
  2014-11-14  7:29   ` Albert ARIBAUD
@ 2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 0 replies; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-24 15:34 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:41 +0100, Hans de Goede <hdegoede@redhat.com> wrote:
> Add arch/arm/cpu/armv7/Kconfig with non-secure and virt options, this is a
> preparation patch for adding an env variable to choose between secure /
> non-secure boot on non-secure boot capable systems, specifically this
> prepares for adding CONFIG_CPU_V7_SEC_BY_DEFAULT as a proper Kconfig option.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> --
> Changes in v2:
> -Drop all the FIXME-s, use proper CPU_V7 and CPU_V7_HAS_foo checks instead
> ---
>  arch/arm/Kconfig                    |  4 ++++
>  arch/arm/cpu/armv7/Kconfig          | 23 +++++++++++++++++++++++
>  arch/arm/cpu/armv7/exynos/Kconfig   |  2 ++
>  board/sunxi/Kconfig                 |  2 ++
>  include/configs/arndale.h           |  2 --
>  include/configs/sun7i.h             |  2 --
>  include/configs/vexpress_ca15_tc2.h |  2 --
>  7 files changed, 31 insertions(+), 6 deletions(-)
>  create mode 100644 arch/arm/cpu/armv7/Kconfig
> 
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 79ccc06..43ace2c 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -410,6 +410,8 @@ config TARGET_INTEGRATORCP_CM946ES
>  config TARGET_VEXPRESS_CA15_TC2
>  	bool "Support vexpress_ca15_tc2"
>  	select CPU_V7
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  
>  config TARGET_VEXPRESS_CA5X2
>  	bool "Support vexpress_ca5x2"
> @@ -809,6 +811,8 @@ source "arch/arm/cpu/arm926ejs/versatile/Kconfig"
>  
>  source "arch/arm/cpu/armv7/zynq/Kconfig"
>  
> +source "arch/arm/cpu/armv7/Kconfig"
> +
>  source "board/aristainetos/Kconfig"
>  source "board/BuR/kwb/Kconfig"
>  source "board/BuR/tseries/Kconfig"
> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
> new file mode 100644
> index 0000000..15c5155
> --- /dev/null
> +++ b/arch/arm/cpu/armv7/Kconfig
> @@ -0,0 +1,23 @@
> +if CPU_V7
> +
> +config CPU_V7_HAS_NONSEC
> +        bool
> +
> +config CPU_V7_HAS_VIRT
> +        bool
> +
> +config ARMV7_NONSEC
> +	boolean "Enable support for booting in non-secure mode" if EXPERT
> +	depends on CPU_V7_HAS_NONSEC
> +	default y
> +	---help---
> +	Say Y here to enable support for booting in non-secure / SVC mode.
> +
> +config ARMV7_VIRT
> +	boolean "Enable support for hardware virtualization" if EXPERT
> +	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
> +	default y
> +	---help---
> +	Say Y here to boot in hypervisor (HYP) mode when booting non-secure.
> +
> +endif
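
Review bot: the new file mixes indentation and type keywords: CPU_V7_HAS_NONSEC and CPU_V7_HAS_VIRT use eight spaces and `bool`, while ARMV7_NONSEC and ARMV7_VIRT use a tab and `boolean`. Please use a tab and one keyword throughout. The ARMV7_NONSEC help text could also say what answering N means for the boot mode, because with `default y` and the prompt hidden behind EXPERT most users will never see this option.
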
> diff --git a/arch/arm/cpu/armv7/exynos/Kconfig b/arch/arm/cpu/armv7/exynos/Kconfig
> index 090be93..e9a102c 100644
> --- a/arch/arm/cpu/armv7/exynos/Kconfig
> +++ b/arch/arm/cpu/armv7/exynos/Kconfig
> @@ -26,6 +26,8 @@ config TARGET_ODROID
>  
>  config TARGET_ARNDALE
>  	bool "Exynos5250 Arndale board"
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  	select SUPPORT_SPL
>  	select OF_CONTROL if !SPL_BUILD
>  
> diff --git a/board/sunxi/Kconfig b/board/sunxi/Kconfig
> index 0bab31b..e20ea1b 100644
> --- a/board/sunxi/Kconfig
> +++ b/board/sunxi/Kconfig
> @@ -21,6 +21,8 @@ config MACH_SUN6I
>  config MACH_SUN7I
>  	bool "sun7i (Allwinner A20)"
>  	select CPU_V7
> +	select CPU_V7_HAS_NONSEC
> +	select CPU_V7_HAS_VIRT
>  	select SUPPORT_SPL
>  
>  config MACH_SUN8I
> diff --git a/include/configs/arndale.h b/include/configs/arndale.h
> index f9ee40f..aa6b631 100644
> --- a/include/configs/arndale.h
> +++ b/include/configs/arndale.h
> @@ -60,6 +60,4 @@
>  /* The PERIPHBASE in the CBAR register is wrong on the Arndale, so override it */
>  #define CONFIG_ARM_GIC_BASE_ADDRESS	0x10480000
>  
> -#define CONFIG_ARMV7_VIRT
> -
>  #endif	/* __CONFIG_H */
> diff --git a/include/configs/sun7i.h b/include/configs/sun7i.h
> index ea40790..3629587 100644
> --- a/include/configs/sun7i.h
> +++ b/include/configs/sun7i.h
> @@ -22,8 +22,6 @@
>  #define CONFIG_USB_MAX_CONTROLLER_COUNT	2
>  #endif
>  
> -#define CONFIG_ARMV7_VIRT		1
> -#define CONFIG_ARMV7_NONSEC		1
>  #define CONFIG_ARMV7_PSCI		1
>  #define CONFIG_ARMV7_PSCI_NR_CPUS	2
>  #define CONFIG_ARMV7_SECURE_BASE	SUNXI_SRAM_B_BASE
> diff --git a/include/configs/vexpress_ca15_tc2.h b/include/configs/vexpress_ca15_tc2.h
> index 982f4a7..b43afa2 100644
> --- a/include/configs/vexpress_ca15_tc2.h
> +++ b/include/configs/vexpress_ca15_tc2.h
> @@ -18,6 +18,4 @@
>  #define CONFIG_SYSFLAGS_ADDR	0x1c010030
>  #define CONFIG_SMP_PEN_ADDR	CONFIG_SYSFLAGS_ADDR
>  
> -#define CONFIG_ARMV7_VIRT
> -
>  #endif
> -- 
> 2.1.0
> 

Applied to u-boot-arm/master, thanks!

Amicalement,
-- 
Albert.


* [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems
  2014-11-13 19:37 ` [U-Boot] [PATCH v2 3/3] ARM: bootm: Allow booting in secure mode on hyp capable systems Hans de Goede
  2014-11-14  7:33   ` Albert ARIBAUD
@ 2014-11-24 15:34   ` Albert ARIBAUD
  1 sibling, 0 replies; 16+ messages in thread
From: Albert ARIBAUD @ 2014-11-24 15:34 UTC (permalink / raw)
  To: u-boot

Hello Hans,

On Thu, 13 Nov 2014 20:37:42 +0100, Hans de Goede <hdegoede@redhat.com> wrote:
> Older Linux kernels will not properly boot in hyp mode, add support for a
> bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
> to force booting in secure or non-secure mode when built with non-sec support.
> 
> The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
> when this is set booting in secure mode is the default. The default setting
> for this Kconfig option is N, preserving the current behavior of booting in
> non-secure mode by default when non-secure mode is supported.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> Acked-by: Marc Zyngier <marc.zyngier@arm.com>
> Acked-by: Siarhei Siamashka <siarhei.siamashka@gmail.com>
> --
> Changes in v2:
> -Allow changing the default boot mode to secure through defining
>  CONFIG_ARMV7_BOOT_SEC_DEFAULT, this is useful for archs which have a Kconfig
>  option for compatibility with older kernels
> Changes in v3:
> -Add an else at the end of the #ifdef NONSEC block so that if do_nonsec_entry
>  fails we do not end up re-trying in secure mode
> Changes in v4:
> -Add a Kconfig option to select to boot in secure or non-secure mode by default
> ---
>  arch/arm/cpu/armv7/Kconfig | 11 +++++++++++
>  arch/arm/lib/bootm.c       | 31 ++++++++++++++++++++++++++-----
>  2 files changed, 37 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
> index 15c5155..6ee5ff8 100644
> --- a/arch/arm/cpu/armv7/Kconfig
> +++ b/arch/arm/cpu/armv7/Kconfig
> @@ -13,6 +13,17 @@ config ARMV7_NONSEC
>  	---help---
>  	Say Y here to enable support for booting in non-secure / SVC mode.
>  
> +config ARMV7_BOOT_SEC_DEFAULT
> +	boolean "Boot in secure mode by default" if EXPERT
> +	depends on ARMV7_NONSEC
> +	default n
> +	---help---
> +	Say Y here to boot in secure mode by default even if non-secure mode
> +	is supported. This option is useful to boot kernels which do not
> +	suppport booting in secure mode. Only set this if you need it.
> +	This can be overriden at run-time by setting the bootm_boot_mode env.
> +	variable to "sec" or "nonsec".
> +
>  config ARMV7_VIRT
>  	boolean "Enable support for hardware virtualization" if EXPERT
>  	depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC
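
Review bot: the ARMV7_BOOT_SEC_DEFAULT help text reads inverted. It says the option is for kernels "which do not suppport booting in secure mode", but the option makes secure mode the default, so the kernels it helps are the ones that do not boot in non-secure mode. The same help block has the typos "suppport" and "overriden". `default n` is already the implicit default for a boolean and can be dropped.
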
> diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
> index 4949d57..a7f7c67 100644
> --- a/arch/arm/lib/bootm.c
> +++ b/arch/arm/lib/bootm.c
> @@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
>  	}
>  }
>  
> +#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> +static bool boot_nonsec(void)
> +{
> +	char *s = getenv("bootm_boot_mode");
> +#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
> +	bool nonsec = false;
> +#else
> +	bool nonsec = true;
> +#endif
> +
> +	if (s && !strcmp(s, "sec"))
> +		nonsec = false;
> +
> +	if (s && !strcmp(s, "nonsec"))
> +		nonsec = true;
> +
> +	return nonsec;
> +}
> +#endif
> +
>  /* Subcommand: GO */
>  static void boot_jump_linux(bootm_headers_t *images, int flag)
>  {
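
Review bot: boot_nonsec() lets the bootm_boot_mode environment variable decide whether the kernel is entered in the secure or the non-secure world, and there is no build-time way to switch that override off. On boards where the environment lives in writable storage, whoever can change it can set "sec" and have the kernel started without armv7_init_nonsec() having run. A Kconfig symbol that compiles out the getenv() lookup, leaving only the CONFIG_ARMV7_BOOT_SEC_DEFAULT choice, would let such boards pin the mode; at minimum the help text should state that the variable is honoured unconditionally.
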
> @@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
>  
>  	if (!fake) {
>  #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
> -		armv7_init_nonsec();
> -		secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> -						  0, machid, r2);
> -#else
> -		kernel_entry(0, machid, r2);
> +		if (boot_nonsec()) {
> +			armv7_init_nonsec();
> +			secure_ram_addr(_do_nonsec_entry)(kernel_entry,
> +							  0, machid, r2);
> +		} else
>  #endif
> +			kernel_entry(0, machid, r2);
>  	}
>  #endif
>  }
> -- 
> 2.1.0
> 

Applied to u-boot-arm/master, thanks!

Amicalement,
-- 
Albert.
