aboutsummaryrefslogtreecommitdiff
path: root/drivers/renesas/rcar/auth/auth_mod.c
diff options
context:
space:
mode:
authorJorge Ramirez-Ortiz <jramirez@baylibre.com>2018-09-23 09:38:24 +0200
committerldts <jorge.ramirez.ortiz@gmail.com>2018-10-17 18:39:49 +0200
commit2f473cc96a2722fb69b8166c10b7c7962243ecb2 (patch)
tree908e3b92fdffe3e0add7c2e96de2da9271786b89 /drivers/renesas/rcar/auth/auth_mod.c
parent6ac2892a1781ee6039da536c7bc1bae7645813a4 (diff)
downloadtrusted-firmware-a-2f473cc96a2722fb69b8166c10b7c7962243ecb2.tar.gz
rcar_gen3: drivers: authentication
Signed-off-by: ldts <jramirez@baylibre.com>
Diffstat (limited to 'drivers/renesas/rcar/auth/auth_mod.c')
-rw-r--r--drivers/renesas/rcar/auth/auth_mod.c171
1 files changed, 171 insertions, 0 deletions
diff --git a/drivers/renesas/rcar/auth/auth_mod.c b/drivers/renesas/rcar/auth/auth_mod.c
new file mode 100644
index 0000000000..04ed279287
--- /dev/null
+++ b/drivers/renesas/rcar/auth/auth_mod.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2015-2017, Renesas Electronics Corporation. All rights
+ * reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch_helpers.h>
+#include <debug.h>
+#include <mmio.h>
+#include <platform.h>
+#include <platform_def.h>
+#include <stddef.h>
+
+#include "rom_api.h"
+
+typedef int32_t(*secure_boot_api_f) (uint32_t a, uint32_t b, void *c);
+extern int32_t rcar_get_certificate(const int32_t name, uint32_t *cert_addr);
+
+#define RCAR_IMAGE_ID_MAX (10)
+#define RCAR_CERT_MAGIC_NUM (0xE291F358U)
+#define RCAR_BOOT_KEY_CERT (0xE6300C00U)
+#define RCAR_BOOT_KEY_CERT_NEW (0xE6300F00U)
+#define RST_BASE (0xE6160000U)
+#define RST_MODEMR (RST_BASE + 0x0060U)
+#define MFISSOFTMDR (0xE6260600U)
+#define MODEMR_MD5_MASK (0x00000020U)
+#define MODEMR_MD5_SHIFT (5U)
+#define SOFTMD_BOOTMODE_MASK (0x00000001U)
+#define SOFTMD_NORMALBOOT (0x1U)
+
+static secure_boot_api_f secure_boot_api;
+
+int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id)
+{
+ return 1;
+}
+
+int auth_mod_verify_img(unsigned int img_id, void *ptr, unsigned int len)
+{
+ int32_t ret = 0, index = 0;
+ uint32_t cert_addr = 0U;
+ static const struct img_to_cert_t {
+ uint32_t id;
+ int32_t cert;
+ const char *name;
+ } image[RCAR_IMAGE_ID_MAX] = {
+ { BL31_IMAGE_ID, SOC_FW_CONTENT_CERT_ID, "BL31" },
+ { BL32_IMAGE_ID, TRUSTED_OS_FW_CONTENT_CERT_ID, "BL32" },
+ { BL33_IMAGE_ID, NON_TRUSTED_FW_CONTENT_CERT_ID, "BL33" },
+ { BL332_IMAGE_ID, BL332_CERT_ID, "BL332" },
+ { BL333_IMAGE_ID, BL333_CERT_ID, "BL333" },
+ { BL334_IMAGE_ID, BL334_CERT_ID, "BL334" },
+ { BL335_IMAGE_ID, BL335_CERT_ID, "BL335" },
+ { BL336_IMAGE_ID, BL336_CERT_ID, "BL336" },
+ { BL337_IMAGE_ID, BL337_CERT_ID, "BL337" },
+ { BL338_IMAGE_ID, BL338_CERT_ID, "BL338" },
+ };
+
+#if IMAGE_BL2
+ switch (img_id) {
+ case TRUSTED_KEY_CERT_ID:
+ case SOC_FW_KEY_CERT_ID:
+ case TRUSTED_OS_FW_KEY_CERT_ID:
+ case NON_TRUSTED_FW_KEY_CERT_ID:
+ case BL332_KEY_CERT_ID:
+ case BL333_KEY_CERT_ID:
+ case BL334_KEY_CERT_ID:
+ case BL335_KEY_CERT_ID:
+ case BL336_KEY_CERT_ID:
+ case BL337_KEY_CERT_ID:
+ case BL338_KEY_CERT_ID:
+ case SOC_FW_CONTENT_CERT_ID:
+ case TRUSTED_OS_FW_CONTENT_CERT_ID:
+ case NON_TRUSTED_FW_CONTENT_CERT_ID:
+ case BL332_CERT_ID:
+ case BL333_CERT_ID:
+ case BL334_CERT_ID:
+ case BL335_CERT_ID:
+ case BL336_CERT_ID:
+ case BL337_CERT_ID:
+ case BL338_CERT_ID:
+ return ret;
+ case BL31_IMAGE_ID:
+ case BL32_IMAGE_ID:
+ case BL33_IMAGE_ID:
+ case BL332_IMAGE_ID:
+ case BL333_IMAGE_ID:
+ case BL334_IMAGE_ID:
+ case BL335_IMAGE_ID:
+ case BL336_IMAGE_ID:
+ case BL337_IMAGE_ID:
+ case BL338_IMAGE_ID:
+ goto verify_image;
+ default:
+ return -1;
+ }
+
+verify_image:
+ for (index = 0; index < RCAR_IMAGE_ID_MAX; index++) {
+ if (img_id != image[index].id)
+ continue;
+
+ ret = rcar_get_certificate(image[index].cert, &cert_addr);
+ break;
+ }
+
+ if (ret || (index == RCAR_IMAGE_ID_MAX)) {
+ ERROR("Verification Failed for image id = %d\n", img_id);
+ return ret;
+ }
+#if RCAR_BL2_DCACHE == 1
+ /* clean and disable */
+ write_sctlr_el1(read_sctlr_el1() & ~SCTLR_C_BIT);
+ dcsw_op_all(DCCISW);
+#endif
+ ret = (mmio_read_32(RCAR_BOOT_KEY_CERT_NEW) == RCAR_CERT_MAGIC_NUM) ?
+ secure_boot_api(RCAR_BOOT_KEY_CERT_NEW, cert_addr, NULL) :
+ secure_boot_api(RCAR_BOOT_KEY_CERT, cert_addr, NULL);
+ if (ret)
+ ERROR("Verification Failed 0x%x, %s\n", ret, image[index].name);
+
+#if RCAR_BL2_DCACHE == 1
+ /* enable */
+ write_sctlr_el1(read_sctlr_el1() | SCTLR_C_BIT);
+#endif
+
+#endif
+ return ret;
+}
+
+static int32_t normal_boot_verify(uint32_t a, uint32_t b, void *c)
+{
+ return 0;
+}
+
+void auth_mod_init(void)
+{
+#if RCAR_SECURE_BOOT
+ uint32_t soft_md = mmio_read_32(MFISSOFTMDR) & SOFTMD_BOOTMODE_MASK;
+ uint32_t md = mmio_read_32(RST_MODEMR) & MODEMR_MD5_MASK;
+ uint32_t lcs, ret;
+
+ secure_boot_api = (secure_boot_api_f) &rcar_rom_secure_boot_api;
+
+ ret = rcar_rom_get_lcs(&lcs);
+ if (ret) {
+ ERROR("BL2: Failed to get the LCS. (%d)\n", ret);
+ panic();
+ }
+
+ switch (lcs) {
+ case LCS_SE:
+ if (soft_md == SOFTMD_NORMALBOOT)
+ secure_boot_api = &normal_boot_verify;
+ break;
+ case LCS_SD:
+ secure_boot_api = &normal_boot_verify;
+ break;
+ default:
+ if (md >> MODEMR_MD5_SHIFT)
+ secure_boot_api = &normal_boot_verify;
+ }
+
+ NOTICE("BL2: %s boot\n",
+ secure_boot_api == &normal_boot_verify ? "Normal" : "Secure");
+#else
+ NOTICE("BL2: Normal boot\n");
+ secure_boot_api = &normal_boot_verify;
+#endif
+}