public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed
From: Anatolij Gustschin <agust@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP
Date: Fri, 17 Nov 2017 02:13:05 +0100	[thread overview]
Message-ID: <20171117011305.5655-1-agust@denx.de> (raw)

From: Markus Valentin <mv@denx.de>

Introduce a new Kconfig variable for secure boot on Bay Trail based
platforms. If this variable is set, the build process tries to use
fsp-sb.bin instead of fsp.bin (-sb is the secure boot enabled FSP).

Also check the two FSP headers against each other and print if secure
boot is enabled or not.

Signed-off-by: Markus Valentin <mv@denx.de>
Signed-off-by: Anatolij Gustschin <agust@denx.de>
---
Changes in v3:
 - move BAYTRAIL_SECURE_BOOT to arch/x86/cpu/baytrail/Kconfig
 - Kconfig help text improvements
 - fix crownbay build breakage

Changes in v2:
 - use if (IS_ENABLED(CONFIG_*)) instead of #ifdef
 - s/SB/Secure Boot/
 - minor Kconfig help cleanup

 arch/x86/Kconfig                       |  3 ++-
 arch/x86/cpu/baytrail/Kconfig          | 10 ++++++++++
 arch/x86/include/asm/fsp/fsp_support.h |  2 ++
 arch/x86/lib/fsp/fsp_support.c         | 24 ++++++++++++++++++++++++
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 98c56ad7dc..6755e92748 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -350,7 +350,8 @@ config HAVE_FSP
 config FSP_FILE
 	string "Firmware Support Package binary filename"
 	depends on HAVE_FSP
-	default "fsp.bin"
+	default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
+	default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT
 	help
 	  The filename of the file to use as Firmware Support Package binary
 	  in the board directory.
diff --git a/arch/x86/cpu/baytrail/Kconfig b/arch/x86/cpu/baytrail/Kconfig
index 1d876b1927..ff244fcd68 100644
--- a/arch/x86/cpu/baytrail/Kconfig
+++ b/arch/x86/cpu/baytrail/Kconfig
@@ -39,4 +39,14 @@ config DEBUG_UART
 	bool
 	select DEBUG_UART_BOARD_INIT
 
+config BAYTRAIL_SECURE_BOOT
+	bool "Enable Secure Boot on Bay Trail"
+	depends on HAVE_FSP
+	default n
+	help
+	  Use the secure boot feature of the Bay Trail platform. This switch
+	  enables the usage of the secure-boot enabled fsp.bin (fsp-sb.bin).
+	  For your board you need to provide this yourself. You can reconfigure
+	  your FSP with the Intel BCT tool to enable secure boot.
+
 endif
diff --git a/arch/x86/include/asm/fsp/fsp_support.h b/arch/x86/include/asm/fsp/fsp_support.h
index df3add008c..124a4148a0 100644
--- a/arch/x86/include/asm/fsp/fsp_support.h
+++ b/arch/x86/include/asm/fsp/fsp_support.h
@@ -22,6 +22,8 @@
 #define FSP_LOWMEM_BASE		0x100000UL
 #define FSP_HIGHMEM_BASE	0x100000000ULL
 #define UPD_TERMINATOR		0x55AA
+#define FSP_FIRST_HEADER_OFFSET		0x94
+#define FSP_SECOND_HEADER_OFFSET	0x20494
 
 
 /**
diff --git a/arch/x86/lib/fsp/fsp_support.c b/arch/x86/lib/fsp/fsp_support.c
index e0c49be635..d79a6e900a 100644
--- a/arch/x86/lib/fsp/fsp_support.c
+++ b/arch/x86/lib/fsp/fsp_support.c
@@ -97,6 +97,8 @@ void fsp_continue(u32 status, void *hob_list)
 	fsp_init_done(hob_list);
 }
 
+#define SB_PRFX		"Secure Boot:"
+
 void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
 {
 	struct fsp_config_data config_data;
@@ -116,6 +118,14 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
 		panic("Invalid FSP header");
 	}
 
+	if (IS_ENABLED(CONFIG_BAYTRAIL_SECURE_BOOT)) {
+		/* Compare primary and secondary header */
+		if (memcmp((void *)(CONFIG_FSP_ADDR + FSP_FIRST_HEADER_OFFSET),
+			   (void *)(CONFIG_FSP_ADDR + FSP_SECOND_HEADER_OFFSET),
+			   fsp_hdr->hdr_len))
+			panic("%s 1st & 2nd FSP headers don't match", SB_PRFX);
+	}
+
 	config_data.common.fsp_hdr = fsp_hdr;
 	config_data.common.stack_top = stack_top;
 	config_data.common.boot_mode = boot_mode;
@@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
 
 	fsp_upd = &config_data.fsp_upd;
 
+	/*
+	 * On some platforms there is no 'enable_secure_boot' field
+	 * in VPD region struct, so we have to use ifdef here.
+	 */
+	#ifdef CONFIG_BAYTRAIL_SECURE_BOOT
+	/*
+	 * If the enable secure boot flag is not 1, secure boot has not
+	 * been activated in the FSP which results in the TXE-Engine not
+	 * getting loaded
+	 */
+	printf("FSP: Secure Boot %sabled\n",
+	       fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
+	#endif
+
 	/* Copy default data from Flash */
 	memcpy(fsp_upd, (void *)(fsp_hdr->img_base + fsp_vpd->upd_offset),
 	       sizeof(struct upd_region));
-- 
2.11.0

             reply	other threads:[~2017-11-17  1:13 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-17  1:13 Anatolij Gustschin [this message]
2017-11-20 15:40 ` [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP Simon Glass
2017-11-21 15:01 ` Bin Meng
2017-11-28 13:27   ` Anatolij Gustschin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171117011305.5655-1-agust@denx.de \
    --to=agust@denx.de \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox