arch/arm/mach-k3/security.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * K3: Security functions
   4  *
   5  * Copyright (C) 2018-2022 Texas Instruments Incorporated - http://www.ti.com/
   6  *      Andrew F. Davis <afd@ti.com>
   7  */
   8
   9 #include <asm/io.h>
  10 #include <common.h>
  11 #include <cpu_func.h>
  12 #include <dm.h>
  13 #include <hang.h>
  14 #include <image.h>
  15 #include <log.h>
  16 #include <asm/cache.h>
  17 #include <linux/soc/ti/ti_sci_protocol.h>
  18 #include <mach/spl.h>
  19 #include <spl.h>
  20 #include <asm/arch/sys_proto.h>
  21
  22 #include "common.h"
  23
  24 static bool ti_secure_cert_detected(void *p_image)
  25 {
  26         /* Primitive certificate detection, check for DER starting with
  27          * two 4-Octet SEQUENCE tags
  28          */
  29         return (((u8 *)p_image)[0] == 0x30 && ((u8 *)p_image)[1] == 0x82 &&
  30                 ((u8 *)p_image)[4] == 0x30 && ((u8 *)p_image)[5] == 0x82);
  31 }
  32
  33 void ti_secure_image_post_process(void **p_image, size_t *p_size)
  34 {
  35         struct ti_sci_handle *ti_sci = get_ti_sci_handle();
  36         struct ti_sci_proc_ops *proc_ops = &ti_sci->ops.proc_ops;
  37         u64 image_addr;
  38         u32 image_size;
  39         int ret;
  40
  41         image_addr = (uintptr_t)*p_image;
  42         image_size = *p_size;
  43
  44         if (!image_size || get_device_type() == K3_DEVICE_TYPE_GP)
  45                 return;
  46
  47         if (get_device_type() != K3_DEVICE_TYPE_HS_SE &&
  48             !ti_secure_cert_detected(*p_image)) {
  49                 printf("Warning: Did not detect image signing certificate. "
  50                        "Skipping authentication to prevent boot failure. "
  51                        "This will fail on Security Enforcing(HS-SE) devices\n");
  52                 return;
  53         }
  54
  55         debug("Authenticating image at address 0x%016llx\n", image_addr);
  56         debug("Authenticating image of size %d bytes\n", image_size);
  57
  58         flush_dcache_range((unsigned long)image_addr,
  59                            ALIGN((unsigned long)image_addr + image_size,
  60                                  ARCH_DMA_MINALIGN));
  61
  62         /* Authenticate image */
  63         ret = proc_ops->proc_auth_boot_image(ti_sci, &image_addr, &image_size);
  64         if (ret) {
  65                 printf("Authentication failed!\n");
  66                 hang();
  67         }
  68
  69         if (image_size)
  70                 invalidate_dcache_range((unsigned long)image_addr,
  71                                         ALIGN((unsigned long)image_addr +
  72                                               image_size, ARCH_DMA_MINALIGN));
  73
  74         /*
  75          * The image_size returned may be 0 when the authentication process has
  76          * moved the image. When this happens no further processing on the
  77          * image is needed or often even possible as it may have also been
  78          * placed behind a firewall when moved.
  79          */
  80         *p_size = image_size;
  81
  82         /*
  83          * Output notification of successful authentication to re-assure the
  84          * user that the secure code is being processed as expected. However
  85          * suppress any such log output in case of building for SPL and booting
  86          * via YMODEM. This is done to avoid disturbing the YMODEM serial
  87          * protocol transactions.
  88          */
  89         if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
  90               IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
  91               spl_boot_device() == BOOT_DEVICE_UART))
  92                 printf("Authentication passed\n");
  93 }