From: Andrew F. Davis <afd@ti.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] arm: am33xx: security: adds auth support for encrypted images
Date: Wed, 20 Sep 2017 14:37:36 -0500 [thread overview]
Message-ID: <20170920193736.30632-1-afd@ti.com> (raw)
From: Madan Srinivas <madans@ti.com>
This patch adds support for authentication of both plain
text and encrypted binaries. A new SECDEV package is needed
to enable encryption of binaries by default for AM3x.
The ROM authentication API detects encrypted images at
runtime and automatically decrypts the image if the
signature verification passes.
Addition of encryption on AM3x results in a change in the
image format. On AM4x, AM5x and, on AM3x devices signing
clear test images, the signature is appended to the end of the
binary.
On AM3x, when the SECDEV package is used to create signed
and encrypted images, the signature is added as a header
to the start of the binary. So the binary size calculation
has been updated to reflect this change.
The signing tools and encrypted image format for AM3x
cannot be changed to behave like AM4x and AM5x to
maintain backward compatibility with older Sitara
M-Shield releases.
Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
---
arch/arm/mach-omap2/sec-common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/mach-omap2/sec-common.c b/arch/arm/mach-omap2/sec-common.c
index 52e1785b4a..2630e7d316 100644
--- a/arch/arm/mach-omap2/sec-common.c
+++ b/arch/arm/mach-omap2/sec-common.c
@@ -41,6 +41,9 @@
#define PPA_SERV_HAL_SETUP_EMIF_FW_REGION (PPA_HAL_SERVICES_START_INDEX + 26)
#define PPA_SERV_HAL_LOCK_EMIF_FW (PPA_HAL_SERVICES_START_INDEX + 27)
+/* Offset of header size if image is signed as ISW */
+#define HEADER_SIZE_OFFSET (0x6D)
+
int tee_loaded = 0;
/* Argument for PPA_SERV_HAL_TEE_LOAD_MASTER */
@@ -125,6 +128,9 @@ int secure_boot_verify_image(void **image, size_t *size)
}
*size = sig_addr - cert_addr; /* Subtract out the signature size */
+ /* Subtract header if present */
+ if (strncmp((char *)sig_addr, "CERT_ISW_", 9) == 0)
+ *size = ((u32 *)*image)[HEADER_SIZE_OFFSET];
cert_size = *size;
/* Check if image load address is 32-bit aligned */
--
2.14.1
next reply other threads:[~2017-09-20 19:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-20 19:37 Andrew F. Davis [this message]
2017-09-29 20:26 ` [U-Boot] arm: am33xx: security: adds auth support for encrypted images Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170920193736.30632-1-afd@ti.com \
--to=afd@ti.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox