Fman microcode is executable code (AFAICT) loaded into a
coprocessor. As such, if verified boot is enabled, it must be verified
like other executable code. However, this is not currently done.
This commit adds verified boot functionality by encapsulating the
microcode in a FIT, which can then be signed/verified as normal. By
default we allow fallback to unencapsulated firmware, but if
CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because
existing Layerscape do not use this config (instead enabling
CONFIG_CHAIN_OF_TRUST), this should not break any existing boards.
An example (mildly-abbreviated) its is provided below:
/ {
#address-cells = <1>;
images {
firmware {
data = /incbin/(/path/to/firmware);
type = "firmware";
arch = "arm64";
compression = "none";
signature {
algo = "sha256,rsa2048";
key-name-hint = "your key name";
};
};
};
configurations {
default = "conf";
conf {
description = "Load FMAN microcode";
fman = "firmware";
};
};
};
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
*/
#include <common.h>
#include <env.h>
+#include <image.h>
#include <malloc.h>
#include <asm/io.h>
#include <linux/errno.h>
void *addr = NULL;
#endif
+ rc = fit_check_format(addr, CONFIG_SYS_QE_FMAN_FW_LENGTH);
+ if (!rc) {
+ size_t unused;
+ const void *new_addr;
+
+ rc = fit_get_data_conf_prop(addr, "fman", &new_addr, &unused);
+ if (rc)
+ return rc;
+ addr = (void *)new_addr;
+ } else if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
+ /*
+ * Using a (signed) FIT wrapper is mandatory if we are
+ * doing verified boot.
+ */
+ return rc;
+ }
+
/* Upload the Fman microcode if it's present */
rc = fman_upload_firmware(index, ®->fm_imem, addr);
if (rc)
projects / platform / kernel / u-boot.git / commitdiff