Add secure boot infrastructure for A3xx/ALP

- Add changes to build script and image tools infrastructure allowing build images for secure boot mode on A3xx and ALP - Modify doimage and hdrparser, update bootrom header format. - Modify build script for supporting secure boot mode options. Change-Id: I46d08fd9e5f17777df41c1b89e447e83ba39c24b Signed-off-by: kostap <kostap@marvell.com> Reviewed-on: http://vgitil04.il.marvell.com:8080/15951 Tested-by: Star_Automation <star@marvell.com> Reviewed-by: Haim Boot <hayim@marvell.com> Reviewed-by: Hanna Hawa <hannah@marvell.com> Reviewed-by: Shadi Ammouri <shadi@marvell.com> Reviewed-on: http://vgitil04.il.marvell.com:8080/16281 Reviewed-by: Omri Itach <omrii@marvell.com> Tested-by: Omri Itach <omrii@marvell.com>
SolidRun · Sep 7, 2015 · a7b64b5 · a7b64b5
1 parent 29cb5c9
commit a7b64b5
Show file tree

Hide file tree

Showing 6 changed files with 643 additions and 455 deletions.
diff --git a/build.pl b/build.pl
@@ -4,8 +4,10 @@
 
 sub HELP_MESSAGE
 {
-	print "\nUsage  : build -f \"Flash type\" -b \"board name\" [-v X.X.X] [-m \"DDR type\"] [-o \"Output file\"]\\\n";
-	print "              [-p] [-r \"UART baudrate\"] [-u \"UART port\"] [-g \"MPP configuration\"]\n\n";
+	print "\nUsage  : build -f \"Flash type\" -b \"board name\" [-v X.X.X] [-m \"DDR type\"] [-o \"Output file\"] \\\n";
+	print "              [-p] [-r \"UART baudrate\"] [-u \"UART port\"] [-g \"MPP configuration\"] \\\n";
+	print "              [-z \"Private RSA KAK key file\" -a \"Private RSA CSK key file\" -k \"CSK array index\" \\\n";
+	print "              -x \"BOX ID\" -l \"Flash ID\"] [-j \"JTAG delay\"]\n";
 	print "Example: ./build.pl -f spi -v 14T2 -b avanta_lp -i spi:nand -c\n";
 	print "\n";
 	print "Options:\n";
@@ -29,6 +31,18 @@ sub HELP_MESSAGE
 	print "\t-u\tChange the default BootROM UART debug port number. Suported ports 0 - 3\n";
 	print "\t-g\tSelect BootROM debug port MPPs configuration value = 0-7 (BootROM-specific)\n";
 	print "\n";
+	print "Secure boot options:\n";
+	print "\tNOTE: \tAll secure options except \"j\" are mandatory once one of them is selected\n";
+	print "\t\tSecure boot mode is availbale for Armada-3xx and Avanta-LP SoC families only!\n\n";
+	print "\t-z\tCreate image with RSA KAK block signature for secure boot mode\n";
+	print "\t\tIf the private key file name is \"@@\", the new RSA key pair will be generated and used\n";
+	print "\t-a\tCreate image with RSA CSK signature for secure boot mode\n";
+	print "\t\tIf the private key file name is \"@@\", the new RSA key pair will be generated and used\n";
+	print "\t-k\tCSK Array Index in range of 0 to 15\n";
+	print "\t-j\tEnable JTAG interface and delay boot execution by \" delay\" ms. Disabled if omitted\n";
+	print "\t-x\tBox ID (hex) - in range of 0 to 0xffffffff\n";
+	print "\t-l\tFlash ID (hex) - in range of to 0xffffffff\n";
+	print "\n";
 	print "Environment Variables:\n";
 	print "\tCROSS_COMPILE     Cross compiler to build U-BOOT\n";
 	print "\tCROSS_COMPILE_BH  Cross compiler to build bin hdr\n";
@@ -38,7 +52,7 @@ sub HELP_MESSAGE
 # Main
 use Getopt::Std;
 
-getopt('f:b:o:i:v:d:m:r:u:g:');
+getopt('f:b:o:i:v:d:m:r:u:g:z:a:k:j:x:l:');
 
 if((!defined $opt_b) or
 	(!defined $opt_f)) {
@@ -198,6 +212,70 @@ sub HELP_MESSAGE
 	exit 1;
 }
 
+$bin_hdr_n = "bin_hdr.bin";
+
+if (($boardID eq "a38x") or
+	($boardID eq "a39x") or
+	($boardID eq "a375") or
+	($boardID eq "alp")) {
+
+	# Secure boot options
+	if ((defined $opt_z) or
+		(defined $opt_a) or
+		(defined $opt_k) or
+		(defined $opt_j) or
+		(defined $opt_x) or
+		(defined $opt_l)) {
+
+		# If defined one of secure options, all the rest except "j" become mandatory
+		if ((!defined $opt_z) or
+			(!defined $opt_a) or
+			(!defined $opt_k) or
+			(!defined $opt_x) or
+			(!defined $opt_l)) {
+			print "\n *** Error: In secure boot mode all options (except \"j\") are mandatory!\n\n";
+			exit 1;
+		}
+
+		# KAK RSA key
+		if ($opt_z eq "@@") {
+			print("Secure boot, generate new KAK RSA key\n");
+		} else {
+			printf("Secure boot, Use KAK RSA key from file \"$opt_z\"\n", );
+		}
+
+		# CSK RSA key
+		if ($opt_a eq "@@") {
+			print("Secure boot, generate new CSK RSA key ");
+		} else {
+			print("Secure boot, Use CSK RSA key from file \"$opt_z\" ");
+		}
+
+		# CSK array index
+		print("@ CSK array index $opt_k\n");
+		$rsa_opts = "-Z $opt_z -A $opt_a -K $opt_k ";
+
+		# JTAG enable/disable and delay
+		if(!defined $opt_j){
+			$id_opts = "-B $opt_x -F $opt_l ";
+		} else {
+			$id_opts = "-B $opt_x -F $opt_l -J $opt_j ";
+		}
+		printf("Secure boot, Additional options : %s\n", $id_opts);
+
+		$bin_hdr_n = "bin_hdr_sec.bin";
+
+	} else {
+
+		print("No secure boot option selected\n");
+		$rsa_opts = "";
+		$id_opts = "";
+	}
+
+}
+
+
+
 # Big endian place holder
 if(defined $opt_e) {
 	$endian = "be";
@@ -333,7 +411,7 @@ sub HELP_MESSAGE
 print "\n**** [Creating Image]\t*****\n\n";
 
 $failUart = system("./tools/marvell/doimage -T uart -D 0 -E 0 -G ./tools/marvell/bin_hdr/bin_hdr.uart.bin u-boot.bin u-boot-$boardID-$opt_v-$flash_name$targetBoard-uart.bin");
-$fail = system("./tools/marvell/doimage -T $img_type -D 0x0 -E 0x0 $img_opts $extra_opt -G ./tools/marvell/bin_hdr/bin_hdr.bin u-boot.bin u-boot-$boardID-$opt_v-$flash_name$targetBoard.bin");
+$fail = system("./tools/marvell/doimage -T $img_type -D 0x0 -E 0x0 $img_opts $rsa_opts $id_opts $extra_opt -G ./tools/marvell/bin_hdr/$bin_hdr_n u-boot.bin u-boot-$boardID-$opt_v-$flash_name$targetBoard.bin");
 
 if($fail){
 	print "\n *** Error: Doimage failed\n\n";

diff --git a/tools/marvell/bin_hdr/inc/common/bootstrap_def.h b/tools/marvell/bin_hdr/inc/common/bootstrap_def.h
@@ -73,26 +73,25 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define MAIN_HDR_NAND_SLC	0
 #define MAIN_HDR_NAND_MLC	1
 
-typedef struct BHR_t
-{
-/*  	type        	name                byte order */
-	MV_U8		blockID;		/*0 */
-	MV_U8		rsvd1;			/*1 */
-	MV_U16		nandPageSize;		/*2-3 */
-	MV_U32		blockSize;		/*4-7 */
-	MV_U8		version;		/*8 */
-	MV_U8		hdrSizeMsb;		/*9 */
-	MV_U16		hdrSizeLsb;		/*10-11 */
-	MV_U32		sourceAddr;		/*12-15 */
-	MV_U32		destinationAddr;	/*16-19 */
-	MV_U32		executionAddr;		/*20-23 */
-	MV_U8		rsvd3;			/*24 */
-	MV_U8		nandBlockSize;		/*25 */
-	MV_U8		nandTechnology;		/*26 */
-	MV_U8		rsvd4;			/*27 */
-	MV_U16		rsvd2;			/*28-29 */
-	MV_U8		ext;			/*30 */
-	MV_U8		checkSum;		/*31 */
+typedef struct BHR_t {
+/*	type        name                byte order */
+	MV_U8		blockID;			/*   0   */
+	MV_U8		flags;				/*   1   */
+	MV_U16		nandPageSize;		/*  2-3  */
+	MV_U32		blockSize;			/*  4-7  */
+	MV_U8		version;			/*   8   */
+	MV_U8		hdrSizeMsb;			/*   9   */
+	MV_U16		hdrSizeLsb;			/* 10-11 */
+	MV_U32		sourceAddr;			/* 12-15 */
+	MV_U32		destinationAddr;	/* 16-19 */
+	MV_U32		executionAddr;		/* 20-23 */
+	MV_U8		options;			/*   24  */
+	MV_U8		nandBlockSize;		/*   25  */
+	MV_U8		nandTechnology;		/*   26  */
+	MV_U8		rsvd4;				/*   27  */
+	MV_U16		rsvd2;				/* 28-29 */
+	MV_U8		ext;				/*   30  */
+	MV_U8		checkSum;			/*   31  */
 
 } BHR_t, * pBHR_t;
 
@@ -103,8 +102,7 @@ typedef struct BHR_t
 #define EXT_HDR_TYP_BINARY	0x02
 #define EXT_HDR_TYP_REGISTER	0x03
 
-typedef struct headExtBHR_t /* Common extention header head */
-{
+typedef struct headExtBHR_t { /* Common extension header head */
 /*  type        name        byte order */
 	MV_U8		type;
 	MV_U8		lenMsb;
@@ -121,44 +119,54 @@ typedef struct headExtBHR_t /* Common extention header head */
 #define EXT_HDR_GET_LEN(pHead)	\
 	(((MV_U32)((pHead)->lenMsb) << 16) | ((pHead)->lenLsb))
 
-typedef struct tailExtBHR_t /* Common extention header tail */
-{
+typedef struct tailExtBHR_t {/* Common extension header tail */
 /* type        name        byte order */
 	MV_U8		nextHdr;
 	MV_U8		delay;
 	MV_U16		rsvd2;
 
 } tailExtBHR_t;
 
+typedef struct publicKey_t {/* public key*/
+	MV_U8	Key[524];
+} publicKey_t;
+
 #define	RSA_MAX_KEY_LEN_BYTES		256
 
-typedef struct secExtBHR_t
-{
+typedef struct secExtBHR_t {
 	headExtBHR_t	head;
 	MV_U8			encrypt;
 	MV_U8			rsrvd0;
 	MV_U16			rsrvd1;
-	MV_U8			pubKey[524];
+	publicKey_t		pubKey;
 	MV_U8			jtagEn;
 	MV_U8			rsrvd2;
 	MV_U16			rsrvd3;
 	MV_U32			boxId;
-	MV_U16			flashId;
-	MV_U16			rsrvd4;
+	MV_U32			flashId;
 	MV_U8			hdrSign[256];
 	MV_U8			imgSign[256];
+	publicKey_t		cskArray[16];
+	MV_U8			cskBlockSign[256];
 	tailExtBHR_t	tail;
 
 } secExtBHR_t, *pSecExtBHR_T;
 
-#ifdef MV_TEST_PLATFORM
+/***********************/
+/* SECURE PARAMS       */
+/***********************/
+#define CSK_BLOCK_OFFSET		0x420
+#define PUB_KEY_SIZE			524
+#define CSK_KEY_NUM			16
+#define CSK_BLOCK_SIGN_OFFSET		(CSK_BLOCK_OFFSET + (PUB_KEY_SIZE * CSK_KEY_NUM))
+/* 16 keys + 256 bytes long signature */
+#define CSK_BLOCK_SIZE			((PUB_KEY_SIZE * CSK_KEY_NUM) + 0x100)
+
+
 #define BOOTROM_SIZE		(64 * 1024)
-#else
-#define BOOTROM_SIZE		(48 * 1024)
-#endif
 #define EXT_HDR_BASE_SIZE	(sizeof(headExtBHR_t) + sizeof(tailExtBHR_t))
 /* MAX size of entire headers block */
-#define MAX_HEADER_SIZE		(64 * 1024)
+#define MAX_HEADER_SIZE		(192 * 1024)
 #define MAX_TWSI_HDR_SIZE	(60 * 1024) /* MAX eeprom is 64K & leave 4K for image and header */
 
 /* Boot Type - block ID */
@@ -167,8 +175,48 @@ typedef struct secExtBHR_t
 #define IBR_HDR_NAND_ID     	0x8B
 #define IBR_HDR_SATA_ID     	0x78
 #define IBR_HDR_PEX_ID		0x9C
+#define IBR_HDR_MMC_ID			0xAE
 #define IBR_HDR_UART_ID     	0x69
 #define IBR_DEF_ATTRIB      	0x00
 
+/* ROM flags */
+#define BHR_FLAG_PRINT_EN	0x01
+#define BHR_FLAG_RESERVED1	0x02
+#define BHR_FLAG_RESERVED2	0x04
+#define BHR_FLAG_RESERVED3	0x08
+#define BHR_FLAG_RESERVED4	0x10
+#define BHR_FLAG_RESERVED5	0x20
+#define BHR_FLAG_RESERVED6	0x40
+#define BHR_FLAG_RESERVED7	0x80
+
+/* ROM options */
+#define BHR_OPT_BAUDRATE_OFFS	0x0
+#define BHR_OPT_BAUDRATE_MASK	(0x7 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_DEFAULT	(0x0 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_2400		(0x1 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_4800		(0x2 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_9600		(0x3 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_19200		(0x4 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_38400		(0x5 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_57600		(0x6 << BHR_OPT_BAUDRATE_OFFS)
+#define BHR_OPT_BAUD_115200		(0x7 << BHR_OPT_BAUDRATE_OFFS)
+
+#define BHR_OPT_UART_PORT_OFFS	0x3
+#define BHR_OPT_UART_PORT_MASK	(0x3 << BHR_OPT_UART_PORT_OFFS)
+
+#define BHR_OPT_UART_MPPS_OFFS	0x5
+#define BHR_OPT_UART_MPPS_MASK	(0x7 << BHR_OPT_UART_PORT_OFFS)
+
+
+
+
+typedef struct _mvCpuArmClk {
+	MV_U32	cpuClk;	/* CPU clock MHz */
+	MV_U32	ddrClk;	/* DDR clock MHz */
+	MV_U32	l2cClk;	/* L2 cache clock MHz */
+} MV_CPU_ARM_CLK;
+
+
 #endif /* MV_ASMLANGUAGE */
 #endif /* _INC_BOOTSTRAP_H */
+
diff --git a/tools/marvell/doimage_mv/bootstrap_def.h b/tools/marvell/doimage_mv/bootstrap_def.h
@@ -73,9 +73,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define MAIN_HDR_NAND_SLC	0
 #define MAIN_HDR_NAND_MLC	1
 
-typedef struct BHR_t
-{
-//  	type        	name                byte order
+typedef struct BHR_t {
+/*	type        name                byte order */
 	MV_U8		blockID;			/*   0   */
 	MV_U8		flags;				/*   1   */
 	MV_U16		nandPageSize;		/*  2-3  */
@@ -103,8 +102,7 @@ typedef struct BHR_t
 #define EXT_HDR_TYP_BINARY	0x02
 #define EXT_HDR_TYP_REGISTER	0x03
 
-typedef struct headExtBHR_t /* Common extention header head */
-{
+typedef struct headExtBHR_t { /* Common extension header head */
 //  type        name        byte order
 	MV_U8		type;
 	MV_U8		lenMsb;
@@ -121,41 +119,51 @@ typedef struct headExtBHR_t /* Common extention header head */
 #define EXT_HDR_GET_LEN(pHead)	\
 	(((MV_U32)((pHead)->lenMsb) << 16) | ((pHead)->lenLsb))
 
-typedef struct tailExtBHR_t /* Common extention header tail */
-{
+typedef struct tailExtBHR_t {/* Common extension header tail */
 // type        name        byte order
 	MV_U8		nextHdr;
 	MV_U8		delay;
 	MV_U16		rsvd2;
 
 } tailExtBHR_t;
 
+typedef struct publicKey_t {/* public key*/
+	MV_U8	Key[524];
+} publicKey_t;
+
 #define	RSA_MAX_KEY_LEN_BYTES		256
 
-typedef struct secExtBHR_t
-{
+typedef struct secExtBHR_t {
 	headExtBHR_t	head;
 	MV_U8			encrypt;
 	MV_U8			rsrvd0;
 	MV_U16			rsrvd1;
-	MV_U8			pubKey[524];
+	publicKey_t		pubKey;
 	MV_U8			jtagEn;
 	MV_U8			rsrvd2;
 	MV_U16			rsrvd3;
 	MV_U32			boxId;
-	MV_U16			flashId;
-	MV_U16			rsrvd4;
+	MV_U32			flashId;
 	MV_U8			hdrSign[256];
 	MV_U8			imgSign[256];
+	publicKey_t		cskArray[16];
+	MV_U8			cskBlockSign[256];
 	tailExtBHR_t	tail;
 
 } secExtBHR_t, *pSecExtBHR_T;
 
-#ifdef MV_TEST_PLATFORM
+/***********************/
+/* SECURE PARAMS       */
+/***********************/
+#define CSK_BLOCK_OFFSET		0x420
+#define PUB_KEY_SIZE			524
+#define CSK_KEY_NUM			16
+#define CSK_BLOCK_SIGN_OFFSET		(CSK_BLOCK_OFFSET + (PUB_KEY_SIZE * CSK_KEY_NUM))
+/* 16 keys + 256 bytes long signature */
+#define CSK_BLOCK_SIZE			((PUB_KEY_SIZE * CSK_KEY_NUM) + 0x100)
+
+
 #define BOOTROM_SIZE		(64 * 1024)
-#else
-#define BOOTROM_SIZE		(48 * 1024)
-#endif
 #define EXT_HDR_BASE_SIZE	(sizeof(headExtBHR_t) + sizeof(tailExtBHR_t))
 /* MAX size of entire headers block */
 #define MAX_HEADER_SIZE		(192 * 1024)
@@ -199,6 +207,16 @@ typedef struct secExtBHR_t
 #define BHR_OPT_UART_MPPS_OFFS	0x5
 #define BHR_OPT_UART_MPPS_MASK	(0x7 << BHR_OPT_UART_MPPS_OFFS)
 
+
+
+
+typedef struct _mvCpuArmClk {
+	MV_U32	cpuClk;	/* CPU clock MHz */
+	MV_U32	ddrClk;	/* DDR clock MHz */
+	MV_U32	l2cClk;	/* L2 cache clock MHz */
+} MV_CPU_ARM_CLK;
+
+
 #endif /* MV_ASMLANGUAGE */
 #endif /* _INC_BOOTSTRAP_H */