1 // SPDX-License-Identifier: GPL-2.0
3 * K3: Security functions
5 * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/
6 * Andrew F. Davis <afd@ti.com>
16 #include <asm/cache.h>
17 #include <linux/soc/ti/ti_sci_protocol.h>
20 #include <asm/arch/sys_proto.h>
24 static bool ti_secure_cert_detected(void *p_image)
26 /* Primitive certificate detection, check for DER starting with
27 * two 4-Octet SEQUENCE tags
29 return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 &&
30 ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
33 void ti_secure_image_post_process(void **p_image, size_t *p_size)
35 struct ti_sci_handle *ti_sci = get_ti_sci_handle();
36 struct ti_sci_proc_ops *proc_ops = &ti_sci->ops.proc_ops;
41 image_addr = (uintptr_t)*p_image;
44 if (!image_size || get_device_type() == K3_DEVICE_TYPE_GP)
47 if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
48 !ti_secure_cert_detected(*p_image)) {
49 printf("Warning: Did not detect image signing certificate. "
50 "Skipping authentication to prevent boot failure. "
51 "This will fail on Security Enforcing(HS-SE) devices\n");
55 debug("Authenticating image at address 0x%016llx\n", image_addr);
56 debug("Authenticating image of size %d bytes\n", image_size);
58 flush_dcache_range((unsigned long)image_addr,
59 ALIGN((unsigned long)image_addr + image_size,
62 /* Authenticate image */
63 ret = proc_ops->proc_auth_boot_image(ti_sci, &image_addr, &image_size);
65 printf("Authentication failed!\n");
70 invalidate_dcache_range((unsigned long)image_addr,
71 ALIGN((unsigned long)image_addr +
72 image_size, ARCH_DMA_MINALIGN));
75 * The image_size returned may be 0 when the authentication process has
76 * moved the image. When this happens no further processing on the
77 * image is needed or often even possible as it may have also been
78 * placed behind a firewall when moved.
83 * Output notification of successful authentication to re-assure the
84 * user that the secure code is being processed as expected. However
85 * suppress any such log output in case of building for SPL and booting
86 * via YMODEM. This is done to avoid disturbing the YMODEM serial
87 * protocol transactions.
89 if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
90 IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
91 spl_boot_device() == BOOT_DEVICE_UART))
92 printf("Authentication passed\n");