MLK-12500-1 HAB: Add kernel image authentication in image loading

To support the trust boot chain, we integrate the authentication
into the kernel image loading process. The kernel image will be verified
at its load address. So when signing the kernel image, we need to
use this load address which may change on different platforms.

Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 3c118b8)
(cherry picked from commit fd9a975)
(cherry picked from commit 98d4fae)
(cherry picked from commit 3c0f0ee)
(cherry picked from commit 6605ea4)
(cherry picked from commit 6391ea5)

cmd/bootm.c

@@ -125,6 +125,31 @@ int do_bootm(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
 			return do_bootm_subcommand(cmdtp, flag, argc, argv);
 	}
 
+#ifdef CONFIG_IMX_HAB
+	extern int authenticate_image(
+			uint32_t ddr_start, uint32_t raw_image_size);
+
+	switch (genimg_get_format((const void *)image_load_addr)) {
+#if defined(CONFIG_LEGACY_IMAGE_FORMAT)
+	case IMAGE_FORMAT_LEGACY:
+		if (authenticate_image(image_load_addr,
+			image_get_image_size((image_header_t *)image_load_addr)) != 0) {
+			printf("Authenticate uImage Fail, Please check\n");
+			return 1;
+		}
+		break;
+#endif
+#ifdef CONFIG_ANDROID_BOOT_IMAGE
+	case IMAGE_FORMAT_ANDROID:
+		/* Do this authentication in boota command */
+		break;
+#endif
+	default:
+		printf("Not valid image format for Authentication, Please check\n");
+		return 1;
+	}
+#endif
+
 	return do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START |
 		BOOTM_STATE_FINDOS | BOOTM_STATE_FINDOTHER |
 		BOOTM_STATE_LOADOS |

cmd/bootz.c

@@ -57,6 +57,14 @@ static int bootz_start(struct cmd_tbl *cmdtp, int flag, int argc,
 	if (bootm_find_images(flag, argc, argv, images->ep, zi_end - zi_start))
 		return 1;
 
+#ifdef CONFIG_IMX_HAB
+	extern int authenticate_image(
+			uint32_t ddr_start, uint32_t raw_image_size);
+	if (authenticate_image(images->ep, zi_end - zi_start) != 0) {
+		printf("Authenticate zImage Fail, Please check\n");
+		return 1;
+	}
+#endif
 	return 0;
 }