* [U-Boot] [PATCH 0/4] Add default secure boot env for K2x
@ 2017-07-17 17:59 Andrew F. Davis
2017-07-17 17:59 ` [U-Boot] [PATCH 1/4] configs: k2x_evm: Adds FIT loading environment variables Andrew F. Davis
` (4 more replies)
0 siblings, 5 replies; 14+ messages in thread
From: Andrew F. Davis @ 2017-07-17 17:59 UTC (permalink / raw)
To: u-boot
Hello all,
This series adds the default environment variables needed to boot
K2x family secure devices.
Thanks,
Andrew
Andrew F. Davis (2):
configs: k2x_evm: Adds FIT loading environment variables
configs: k2x_evm: Reorder default boot command
Madan Srinivas (2):
configs: k2x_evm: Adds environment variables for secure devices
arm: mach-keystone: Updates mon_install for K2G HS
arch/arm/mach-keystone/cmd_mon.c | 8 ++++++--
arch/arm/mach-keystone/include/mach/mon.h | 2 +-
arch/arm/mach-keystone/mon.c | 7 ++++---
include/configs/k2e_evm.h | 9 +++++++++
include/configs/k2g_evm.h | 23 ++++++++++++++++++++---
include/configs/k2hk_evm.h | 9 +++++++++
include/configs/ti_armv7_keystone2.h | 30 +++++++++++++++++++++++++++---
7 files changed, 76 insertions(+), 12 deletions(-)
--
2.13.0
^ permalink raw reply [flat|nested] 14+ messages in thread
* [U-Boot] [PATCH 1/4] configs: k2x_evm: Adds FIT loading environment variables
From: Andrew F. Davis @ 2017-07-17 17:59 UTC (permalink / raw)
To: u-boot
Updates the default u-boot environment variables to support FIT image
loading.
Signed-off-by: Andrew F. Davis <afd@ti.com>
---
include/configs/k2e_evm.h | 9 +++++++++
include/configs/k2g_evm.h | 1 +
include/configs/k2hk_evm.h | 9 +++++++++
include/configs/ti_armv7_keystone2.h | 10 +++++++++-
4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/include/configs/k2e_evm.h b/include/configs/k2e_evm.h
index b186bfc891..edbc48301e 100644
--- a/include/configs/k2e_evm.h
+++ b/include/configs/k2e_evm.h
@@ -15,9 +15,18 @@
/* Platform type */
#define CONFIG_SOC_K2E
+#ifdef CONFIG_TI_SECURE_DEVICE
+#define DEFAULT_SEC_BOOT_ENV \
+ DEFAULT_FIT_TI_ARGS \
+ "findfdt=setenv fdtfile ${name_fdt}\0"
+#else
+#define DEFAULT_SEC_BOOT_ENV
+#endif
+
/* U-Boot general configuration */
#define CONFIG_EXTRA_ENV_KS2_BOARD_SETTINGS \
DEFAULT_FW_INITRAMFS_BOOT_ENV \
+ DEFAULT_SEC_BOOT_ENV \
"boot=ubi\0" \
"args_ubi=setenv bootargs ${bootargs} rootfstype=ubifs " \
"root=ubi0:rootfs rootflags=sync rw ubi.mtd=ubifs,2048\0" \
diff --git a/include/configs/k2g_evm.h b/include/configs/k2g_evm.h
index 5bf630e7f2..95317bb001 100644
--- a/include/configs/k2g_evm.h
+++ b/include/configs/k2g_evm.h
@@ -23,6 +23,7 @@
DEFAULT_MMC_TI_ARGS \
DEFAULT_PMMC_BOOT_ENV \
DEFAULT_FW_INITRAMFS_BOOT_ENV \
+ DEFAULT_FIT_TI_ARGS \
"boot=mmc\0" \
"console=ttyS0,115200n8\0" \
"bootpart=0:2\0" \
diff --git a/include/configs/k2hk_evm.h b/include/configs/k2hk_evm.h
index 9598bc6976..22587fc4c5 100644
--- a/include/configs/k2hk_evm.h
+++ b/include/configs/k2hk_evm.h
@@ -15,9 +15,18 @@
/* Platform type */
#define CONFIG_SOC_K2HK
+#ifdef CONFIG_TI_SECURE_DEVICE
+#define DEFAULT_SEC_BOOT_ENV \
+ DEFAULT_FIT_TI_ARGS \
+ "findfdt=setenv fdtfile ${name_fdt}\0"
+#else
+#define DEFAULT_SEC_BOOT_ENV
+#endif
+
/* U-Boot general configuration */
#define CONFIG_EXTRA_ENV_KS2_BOARD_SETTINGS \
DEFAULT_FW_INITRAMFS_BOOT_ENV \
+ DEFAULT_SEC_BOOT_ENV \
"boot=ubi\0" \
"args_ubi=setenv bootargs ${bootargs} rootfstype=ubifs " \
"root=ubi0:rootfs rootflags=sync rw ubi.mtd=ubifs,2048\0" \
diff --git a/include/configs/ti_armv7_keystone2.h b/include/configs/ti_armv7_keystone2.h
index ac8dabd9ca..e7706c4818 100644
--- a/include/configs/ti_armv7_keystone2.h
+++ b/include/configs/ti_armv7_keystone2.h
@@ -266,7 +266,13 @@
"get_kern_ubi=ubifsload ${loadaddr} ${bootdir}/${name_kern}\0" \
"get_mon_net=dhcp ${addr_mon} ${tftp_root}/${name_mon}\0" \
"get_mon_nfs=nfs ${addr_mon} ${nfs_root}/boot/${name_mon}\0" \
- "get_mon_ubi=ubifsload ${addr_mon} ${bootdir}/${name_mon}\0" \
+ "get_mon_ubi=ubifsload ${addr_mon} ${bootdir}/${name_mon}\0" \
+ "get_fit_net=dhcp ${fit_loadaddr} ${tftp_root}" \
+ "/${fit_bootfile}\0" \
+ "get_fit_nfs=nfs ${fit_loadaddr} ${nfs_root}/boot/${fit_bootfile}\0"\
+ "get_fit_ubi=ubifsload ${fit_loadaddr} ${bootdir}/${fit_bootfile}\0"\
+ "get_fit_mmc=load mmc ${bootpart} ${fit_loadaddr} " \
+ "${bootdir}/${fit_bootfile}\0" \
"get_uboot_net=dhcp ${loadaddr} ${tftp_root}/${name_uboot}\0" \
"get_uboot_nfs=nfs ${loadaddr} ${nfs_root}/boot/${name_uboot}\0" \
"burn_uboot_spi=sf probe; sf erase 0 0x80000; " \
@@ -282,6 +288,8 @@
"get_fdt_ramfs=dhcp ${fdtaddr} ${tftp_root}/${name_fdt}\0" \
"get_kern_ramfs=dhcp ${loadaddr} ${tftp_root}/${name_kern}\0" \
"get_mon_ramfs=dhcp ${addr_mon} ${tftp_root}/${name_mon}\0" \
+ "get_fit_ramfs=dhcp ${fit_loadaddr} ${tftp_root}" \
+ "/${fit_bootfile}\0" \
"get_fs_ramfs=dhcp ${rdaddr} ${tftp_root}/${name_fs}\0" \
"get_ubi_net=dhcp ${addr_ubi} ${tftp_root}/${name_ubi}\0" \
"get_ubi_nfs=nfs ${addr_ubi} ${nfs_root}/boot/${name_ubi}\0" \
--
2.13.0
* [U-Boot] [PATCH 2/4] configs: k2x_evm: Adds environment variables for secure devices
From: Andrew F. Davis @ 2017-07-17 17:59 UTC (permalink / raw)
To: u-boot
From: Madan Srinivas <madans@ti.com>
Updates the default u-boot environment variables to support secure
boot. On secure devices, a secure boot monitor (sec-bm) needs to
be installed by u-boot.
Signed-off-by: Madan Srinivas <madans@ti.com>
---
include/configs/k2g_evm.h | 7 +++++++
include/configs/ti_armv7_keystone2.h | 10 ++++++++++
2 files changed, 17 insertions(+)
diff --git a/include/configs/k2g_evm.h b/include/configs/k2g_evm.h
index 95317bb001..3c999df350 100644
--- a/include/configs/k2g_evm.h
+++ b/include/configs/k2g_evm.h
@@ -52,11 +52,18 @@
"get_mon_mmc=load mmc ${bootpart} ${addr_mon} ${bootdir}/${name_mon}\0"\
"name_fs=arago-base-tisdk-image-k2g-evm.cpio\0"
+#ifndef CONFIG_TI_SECURE_DEVICE
#define CONFIG_BOOTCOMMAND \
"run envboot; " \
"run set_name_pmmc init_${boot} init_fw_rd_${boot} " \
"get_pmmc_${boot} run_pmmc get_mon_${boot} run_mon " \
"findfdt get_fdt_${boot} get_kern_${boot} run_kern"
+#else
+#define CONFIG_BOOTCOMMAND \
+ "run envboot; run run_mon_hs set_name_pmmc init_${boot} " \
+ "get_pmmc_${boot} run_pmmc findfdt get_fit_${boot};" \
+ "bootm ${fit_loadaddr}#${name_fdt} "
+#endif
/* SPL SPI Loader Configuration */
#define CONFIG_SPL_TEXT_BASE 0x0c080000
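Review bot: The secure CONFIG_BOOTCOMMAND added under #else drops init_fw_rd_${boot}, which the non-secure K2G command keeps and which the generic secure command in the ti_armv7_keystone2.h hunk of this same patch also runs. Please state in the commit message whether K2G HS is meant to skip it, or add it back. Two small style points in the same string: there is no space after the semicolon in "get_fit_${boot};" and there is a trailing space inside the bootm string.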
diff --git a/include/configs/ti_armv7_keystone2.h b/include/configs/ti_armv7_keystone2.h
index e7706c4818..e7dc522da2 100644
--- a/include/configs/ti_armv7_keystone2.h
+++ b/include/configs/ti_armv7_keystone2.h
@@ -252,7 +252,11 @@
"addr_secdb_key=0xc000000\0" \
"name_kern=zImage\0" \
"addr_mon=0x87000000\0" \
+ "addr_non_sec_mon=0x0c087fc0\0" \
+ "addr_load_sec_bm=0x0c08c000\0" \
"run_mon=mon_install ${addr_mon}\0" \
+ "run_mon_hs=mon_install ${addr_non_sec_mon} " \
+ "${addr_load_sec_bm}\0" \
"run_kern=bootz ${loadaddr} ${rd_spec} ${fdtaddr}\0" \
"init_net=run args_all args_net\0" \
"init_nfs=setenv autoload no; dhcp; run args_all args_net\0" \
@@ -304,9 +308,15 @@
"1024k(bootloader)ro,512k(params)ro,-(ubifs)\0"
#ifndef CONFIG_BOOTCOMMAND
+#ifndef CONFIG_TI_SECURE_DEVICE
#define CONFIG_BOOTCOMMAND \
"run init_${boot} get_mon_${boot} run_mon init_fw_rd_${boot} " \
"get_fdt_${boot} get_kern_${boot} run_kern"
+#else
+#define CONFIG_BOOTCOMMAND \
+ "run run_mon_hs init_${boot} init_fw_rd_${boot} " \
+ "get_fit_${boot}; bootm ${fit_loadaddr}#${name_fdt}"
+#endif
#endif
#define CONFIG_BOOTARGS \
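Review bot: In the secure CONFIG_BOOTCOMMAND, bootm follows the run list after a semicolon, so it is attempted even when run_mon_hs or get_fit_${boot} failed and the run list stopped early. The non-secure command ends with run_kern inside the run list and therefore stops on the first failure. On a secure device it would be cleaner to reach bootm only when the monitor install and the FIT load both succeeded, and otherwise stop with a visible error.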
--
2.13.0
* [U-Boot] [PATCH 3/4] configs: k2x_evm: Reorder default boot command
From: Andrew F. Davis @ 2017-07-17 17:59 UTC (permalink / raw)
To: u-boot
We first split the CONFIG_BOOTCOMMAND into its components to improve
readability. We then make the following order changes:
- Run findfdt first so the fdt name can be used in envboot like OMAP
- Install the boot monitor before running the PMMC so we can make any
needed secure changes before PMMC, do this on both HS and non-HS
- Move set_name_pmmc to just before get_pmmc_${boot}
Signed-off-by: Andrew F. Davis <afd@ti.com>
---
include/configs/k2g_evm.h | 21 +++++++++++++++------
include/configs/ti_armv7_keystone2.h | 14 ++++++++++----
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/include/configs/k2g_evm.h b/include/configs/k2g_evm.h
index 3c999df350..e9d3334f9f 100644
--- a/include/configs/k2g_evm.h
+++ b/include/configs/k2g_evm.h
@@ -54,15 +54,24 @@
#ifndef CONFIG_TI_SECURE_DEVICE
#define CONFIG_BOOTCOMMAND \
+ "run findfdt; " \
"run envboot; " \
- "run set_name_pmmc init_${boot} init_fw_rd_${boot} " \
- "get_pmmc_${boot} run_pmmc get_mon_${boot} run_mon " \
- "findfdt get_fdt_${boot} get_kern_${boot} run_kern"
+ "run init_${boot}; " \
+ "run get_mon_${boot} run_mon; " \
+ "run set_name_pmmc get_pmmc_${boot} run_pmmc; " \
+ "run get_kern_${boot}; " \
+ "run init_fw_rd_${boot}; " \
+ "run get_fdt_${boot}; " \
+ "run run_kern"
#else
#define CONFIG_BOOTCOMMAND \
- "run envboot; run run_mon_hs set_name_pmmc init_${boot} " \
- "get_pmmc_${boot} run_pmmc findfdt get_fit_${boot};" \
- "bootm ${fit_loadaddr}#${name_fdt} "
+ "run findfdt; " \
+ "run envboot; " \
+ "run run_mon_hs; " \
+ "run init_${boot}; " \
+ "run set_name_pmmc get_pmmc_${boot} run_pmmc; " \
+ "run get_fit_${boot}; " \
+ "bootm ${fit_loadaddr}#${name_fdt}"
#endif
/* SPL SPI Loader Configuration */
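Review bot: Splitting the single run list into separate "run x; " statements changes failure handling, not just order: a run with several variables stops at the first one that fails, while semicolon-separated statements all execute. In the secure branch that means a failed run_mon_hs no longer prevents init_${boot}, the PMMC steps and get_fit_${boot} from running. If that is intended, mention it in the commit message; if not, keep the dependent steps in one run list. The non-secure branch also moves init_fw_rd_${boot} to after get_kern_${boot}, which is not among the order changes the commit message lists.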
diff --git a/include/configs/ti_armv7_keystone2.h b/include/configs/ti_armv7_keystone2.h
index e7dc522da2..e9c51636b0 100644
--- a/include/configs/ti_armv7_keystone2.h
+++ b/include/configs/ti_armv7_keystone2.h
@@ -310,12 +310,18 @@
#ifndef CONFIG_BOOTCOMMAND
#ifndef CONFIG_TI_SECURE_DEVICE
#define CONFIG_BOOTCOMMAND \
- "run init_${boot} get_mon_${boot} run_mon init_fw_rd_${boot} " \
- "get_fdt_${boot} get_kern_${boot} run_kern"
+ "run init_${boot}; " \
+ "run get_mon_${boot} run_mon; " \
+ "run get_kern_${boot}; " \
+ "run init_fw_rd_${boot}; " \
+ "run get_fdt_${boot}; " \
+ "run run_kern"
#else
#define CONFIG_BOOTCOMMAND \
- "run run_mon_hs init_${boot} init_fw_rd_${boot} " \
- "get_fit_${boot}; bootm ${fit_loadaddr}#${name_fdt}"
+ "run run_mon_hs; " \
+ "run init_${boot}; " \
+ "run get_fit_${boot}; " \
+ "bootm ${fit_loadaddr}#${name_fdt}"
#endif
#endif
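Review bot: The rewritten secure CONFIG_BOOTCOMMAND no longer runs init_fw_rd_${boot}, which the removed line had between init_${boot} and get_fit_${boot}. The commit message describes only a split and a reorder, so this reads as an unintended removal; either restore it or call it out as a deliberate change.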
--
2.13.0
* [U-Boot] [PATCH 4/4] arm: mach-keystone: Updates mon_install for K2G HS
From: Andrew F. Davis @ 2017-07-17 17:59 UTC (permalink / raw)
To: u-boot
From: Madan Srinivas <madans@ti.com>
On early K2 devices (e.g. K2HK) the secure ROM code does not support
loading secure code to firewall protected memory, before decrypting,
authenticating and executing it.

To load the boot monitor on these devices, it is necessary to first
authenticate and run a copy loop from non-secure memory that copies
the boot monitor behind firewall protected memory, before decrypting
and executing it.

On K2G, the secure ROM does not allow secure code executing from
unprotected memory. Further, ROM first copies the signed and encrypted
image into firewall protected memory, then decrypts, authenticates
and executes it.

As a result of this, we cannot use the copy loop for K2G. The
mon_install has to be modified to pass the address of the signed and
encrypted secure boot monitor image to the authentication API.

For backward compatibility with other K2 devices and K2G GP,
the mon_install API still supports a single argument. In this case
the second argument is set to 0 by u-boot and is ignored by ROM.

Signed-off-by: Thanh Tran <thanh-tran@ti.com>
Signed-off-by: Madan Srinivas <madans@ti.com>
---
arch/arm/mach-keystone/cmd_mon.c | 8 ++++++--
arch/arm/mach-keystone/include/mach/mon.h | 2 +-
arch/arm/mach-keystone/mon.c | 7 ++++---
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/arch/arm/mach-keystone/cmd_mon.c b/arch/arm/mach-keystone/cmd_mon.c
index 591e75826b..c2525bd756 100644
--- a/arch/arm/mach-keystone/cmd_mon.c
+++ b/arch/arm/mach-keystone/cmd_mon.c
@@ -19,6 +19,7 @@ static int do_mon_install(cmd_tbl_t *cmdtp, int flag, int argc,
u32 addr, dpsc_base = 0x1E80000, freq, load_addr, size;
int rcode = 0;
struct image_header *header;
+ u32 ecrypt_bm_addr = 0;
if (argc < 2)
return CMD_RET_USAGE;
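Review bot: The new local is spelled ecrypt_bm_addr, while the matching parameter in mon.h and mon.c is bm_addr. Renaming it to bm_addr (or encrypt_bm_addr if the longer form is wanted) keeps the three files searchable by one name.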
@@ -39,14 +40,17 @@ static int do_mon_install(cmd_tbl_t *cmdtp, int flag, int argc,
memcpy((void *)load_addr, (void *)(addr + sizeof(struct image_header)),
size);
- rcode = mon_install(load_addr, dpsc_base, freq);
+ if (argc >= 3)
+ ecrypt_bm_addr = simple_strtoul(argv[2], NULL, 16);
+
+ rcode = mon_install(load_addr, dpsc_base, freq, ecrypt_bm_addr);
printf("## installed monitor @ 0x%x, freq [%d], status %d\n",
load_addr, freq, rcode);
return 0;
}
-U_BOOT_CMD(mon_install, 2, 0, do_mon_install,
+U_BOOT_CMD(mon_install, 3, 0, do_mon_install,
"Install boot kernel at 'addr'",
""
);
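Review bot: do_mon_install still ends with return 0 after printing the status, so the run_mon_hs step from patch 2/4 reports success to the shell whatever mon_install returned. Returning a failure code when rcode is non-zero would let the boot command stop on a failed secure monitor install. The U_BOOT_CMD help text was also left as "Install boot kernel at 'addr'" with an empty usage string, so the new optional argument is undocumented, and the simple_strtoul result for argv[2] is used without checking that the string parsed as hex.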
diff --git a/arch/arm/mach-keystone/include/mach/mon.h b/arch/arm/mach-keystone/include/mach/mon.h
index eb7aa938af..30c57e0f8f 100644
--- a/arch/arm/mach-keystone/include/mach/mon.h
+++ b/arch/arm/mach-keystone/include/mach/mon.h
@@ -10,7 +10,7 @@
#ifndef _MACH_MON_H_
#define _MACH_MON_H_
-int mon_install(u32 addr, u32 dpsc, u32 freq);
+int mon_install(u32 addr, u32 dpsc, u32 freq, u32 bm_addr);
int mon_power_on(int core_id, void *ep);
int mon_power_off(int core_id);
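Review bot: The prototype gains bm_addr with no comment on what it means. A one-line comment stating that it is the address of the signed and encrypted boot monitor image, and that 0 is passed when the caller supplies none, would save readers from digging through the commit message.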
diff --git a/arch/arm/mach-keystone/mon.c b/arch/arm/mach-keystone/mon.c
index ebfb483a1b..7076a2a67b 100644
--- a/arch/arm/mach-keystone/mon.c
+++ b/arch/arm/mach-keystone/mon.c
@@ -13,7 +13,7 @@
#include <spl.h>
asm(".arch_extension sec\n\t");
-int mon_install(u32 addr, u32 dpsc, u32 freq)
+int mon_install(u32 addr, u32 dpsc, u32 freq, u32 bm_addr)
{
int result;
@@ -22,11 +22,12 @@ int mon_install(u32 addr, u32 dpsc, u32 freq)
"mov r0, %1\n"
"mov r1, %2\n"
"mov r2, %3\n"
+ "mov r3, %4\n"
"blx r0\n"
"ldmfd r13!, {lr}\n"
: "=&r" (result)
- : "r" (addr), "r" (dpsc), "r" (freq)
- : "cc", "r0", "r1", "r2", "memory");
+ : "r" (addr), "r" (dpsc), "r" (freq), "r" (bm_addr)
+ : "cc", "r0", "r1", "r2", "r3", "memory");
return result;
}
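Review bot: The clobber list now covers r0 through r3, but the call goes through blx into code the compiler cannot see, and ip (r12) is also a register a callee may overwrite under the ARM procedure call standard. Unless the monitor entry point is known to preserve it, adding "ip" to the clobbers would be the safe choice. A comment next to "mov r3, %4" saying that r3 carries bm_addr would also help.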
--
2.13.0
* [U-Boot] [PATCH 0/4] Add default secure boot env for K2x
From: Tom Rini @ 2017-07-18 17:08 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:11PM -0500, Andrew F. Davis wrote:
> Hello all,
>
> This series adds the default environment variables needed to boot
> K2x family secure devices.
>
> Thanks,
> Andrew
>
> Andrew F. Davis (2):
> configs: k2x_evm: Adds FIT loading environment variables
> configs: k2x_evm: Reorder default boot command
>
> Madan Srinivas (2):
> configs: k2x_evm: Adds environment variables for secure devices
> arm: mach-keystone: Updates mon_install for K2G HS
>
> arch/arm/mach-keystone/cmd_mon.c | 8 ++++++--
> arch/arm/mach-keystone/include/mach/mon.h | 2 +-
> arch/arm/mach-keystone/mon.c | 7 ++++---
> include/configs/k2e_evm.h | 9 +++++++++
> include/configs/k2g_evm.h | 23 ++++++++++++++++++++---
> include/configs/k2hk_evm.h | 9 +++++++++
> include/configs/ti_armv7_keystone2.h | 30 +++++++++++++++++++++++++++---
> 7 files changed, 76 insertions(+), 12 deletions(-)
Overall, we need to look at, as a follow up, moving things into
include/environment/ti/, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170718/4fe89fd1/attachment.sig>
* [U-Boot] [PATCH 1/4] configs: k2x_evm: Adds FIT loading environment variables
From: Tom Rini @ 2017-07-18 17:08 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:12PM -0500, Andrew F. Davis wrote:
> Updates the default u-boot environment variables to support FIT image
> loading.
>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
--
Tom
* [U-Boot] [PATCH 2/4] configs: k2x_evm: Adds environment variables for secure devices
From: Tom Rini @ 2017-07-18 17:08 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:13PM -0500, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
>
> Updates the default u-boot environment variables to support secure
> boot. On secure devices, a secure boot monitor (sec-bm) needs to
> be installed by u-boot.
>
> Signed-off-by: Madan Srinivas <madans@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
--
Tom
* [U-Boot] [PATCH 3/4] configs: k2x_evm: Reorder default boot command
From: Tom Rini @ 2017-07-18 17:08 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:14PM -0500, Andrew F. Davis wrote:
> We first split the CONFIG_BOOTCOMMAND into its components to improve
> readability. We then make the following order changes:
>
> - Run findfdt first so the fdt name can be used in envboot like OMAP
> - Install the boot monitor before running the PMMC so we can make any
> needed secure changes before PMMC, do this on both HS and non-HS
> - Move set_name_pmmc to just before get_pmmc_${boot}
>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
--
Tom
* [U-Boot] [PATCH 4/4] arm: mach-keystone: Updates mon_install for K2G HS
From: Tom Rini @ 2017-07-18 17:08 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:15PM -0500, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
>
> On early K2 devices (e.g. K2HK) the secure ROM code does not support
> loading secure code to firewall protected memory, before decrypting,
> authenticating and executing it.
>
> To load the boot monitor on these devices, it is necessary to first
> authenticate and run a copy loop from non-secure memory that copies
> the boot monitor behind firewall protected memory, before decrypting
> and executing it.
>
> On K2G, the secure ROM does not allow secure code executing from
> unprotected memory. Further, ROM first copies the signed and encrypted
> image into firewall protected memory, then decrypts, authenticates
> and executes it.
>
> As a result of this, we cannot use the copy loop for K2G. The
> mon_install has to be modified to pass the address of the signed and
> encrypted secure boot monitor image to the authentication API.
>
> For backward compatibility with other K2 devices and K2G GP,
> the mon_install API still supports a single argument. In this case
> the second argument is set to 0 by u-boot and is ignored by ROM.
>
> Signed-off-by: Thanh Tran <thanh-tran@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
--
Tom
* [U-Boot] [U-Boot, 1/4] configs: k2x_evm: Adds FIT loading environment variables
From: Tom Rini @ 2017-07-26 19:50 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:12PM -0500, Andrew F. Davis wrote:
> Updates the default u-boot environment variables to support FIT image
> loading.
>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
Applied to u-boot/master, thanks!
--
Tom
* [U-Boot] [U-Boot, 2/4] configs: k2x_evm: Adds environment variables for secure devices
From: Tom Rini @ 2017-07-26 19:50 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:13PM -0500, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
>
> Updates the default u-boot environment variables to support secure
> boot. On secure devices, a secure boot monitor (sec-bm) needs to
> be installed by u-boot.
>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
Applied to u-boot/master, thanks!
--
Tom
* [U-Boot] [U-Boot, 3/4] configs: k2x_evm: Reorder default boot command
From: Tom Rini @ 2017-07-26 19:50 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:14PM -0500, Andrew F. Davis wrote:
> We first split the CONFIG_BOOTCOMMAND into its components to improve
> readability. We then make the following order changes:
>
> - Run findfdt first so the fdt name can be used in envboot like OMAP
> - Install the boot monitor before running the PMMC so we can make any
> needed secure changes before PMMC, do this on both HS and non-HS
> - Move set_name_pmmc to just before get_pmmc_${boot}
>
> Signed-off-by: Andrew F. Davis <afd@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
Applied to u-boot/master, thanks!
--
Tom
* [U-Boot] [U-Boot, 4/4] arm: mach-keystone: Updates mon_install for K2G HS
From: Tom Rini @ 2017-07-26 19:50 UTC (permalink / raw)
To: u-boot
On Mon, Jul 17, 2017 at 12:59:15PM -0500, Andrew F. Davis wrote:
> From: Madan Srinivas <madans@ti.com>
>
> On early K2 devices (e.g. K2HK) the secure ROM code does not support
> loading secure code to firewall protected memory, before decrypting,
> authenticating and executing it.
>
> To load the boot monitor on these devices, it is necessary to first
> authenticate and run a copy loop from non-secure memory that copies
> the boot monitor behind firewall protected memory, before decrypting
> and executing it.
>
> On K2G, the secure ROM does not allow secure code executing from
> unprotected memory. Further, ROM first copies the signed and encrypted
> image into firewall protected memory, then decrypts, authenticates
> and executes it.
>
> As a result of this, we cannot use the copy loop for K2G. The
> mon_install has to be modified to pass the address of the signed and
> encrypted secure boot monitor image to the authentication API.
>
> For backward compatibility with other K2 devices and K2G GP,
> the mon_install API still supports a single argument. In this case
> the second argument is set to 0 by u-boot and is ignored by ROM.
>
> Signed-off-by: Thanh Tran <thanh-tran@ti.com>
> Signed-off-by: Madan Srinivas <madans@ti.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>
Applied to u-boot/master, thanks!
--
Tom