Merge branch 'v2021.04-rc4' of https://github.com/lftan/u-boot

- Add VAB support

Makefile

@@ -1264,11 +1264,6 @@ OBJCOPYFLAGS_u-boot-nodtb.bin := -O binary \
 		$(if $(CONFIG_X86_16BIT_INIT),-R .start16 -R .resetvec) \
 		$(if $(CONFIG_MPC85XX_HAVE_RESET_VECTOR),-R .bootpg -R .resetvec)
 
-OBJCOPYFLAGS_u-boot-spl.hex = $(OBJCOPYFLAGS_u-boot.hex)
-
-spl/u-boot-spl.hex: spl/u-boot-spl FORCE
-	$(call if_changed,objcopy)
-
 binary_size_check: u-boot-nodtb.bin FORCE
 	@file_size=$(shell wc -c u-boot-nodtb.bin | awk '{print $$1}') ; \
 	map_size=$(shell cat u-boot.map | \
@@ -1940,6 +1935,12 @@ spl/u-boot-spl.bin: spl/u-boot-spl
 	@:
 	$(SPL_SIZE_CHECK)
 
+spl/u-boot-spl-dtb.bin: spl/u-boot-spl
+	@:
+
+spl/u-boot-spl-dtb.hex: spl/u-boot-spl
+	@:
+
 spl/u-boot-spl: tools prepare \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb)

arch/arm/Kconfig

@@ -970,7 +970,7 @@ config ARCH_SOCFPGA
 	bool "Altera SOCFPGA family"
 	select ARCH_EARLY_INIT_R
 	select ARCH_MISC_INIT if !TARGET_SOCFPGA_ARRIA10
-	select ARM64 if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
+	select ARM64 if TARGET_SOCFPGA_SOC64
 	select CPU_V7A if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10
 	select DM
 	select DM_SERIAL
@@ -982,7 +982,7 @@ config ARCH_SOCFPGA
 	select SPL_LIBGENERIC_SUPPORT
 	select SPL_NAND_SUPPORT if SPL_NAND_DENALI
 	select SPL_OF_CONTROL
-	select SPL_SEPARATE_BSS if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
+	select SPL_SEPARATE_BSS if TARGET_SOCFPGA_SOC64
 	select SPL_SERIAL_SUPPORT
 	select SPL_SYSRESET
 	select SPL_WATCHDOG_SUPPORT
@@ -991,7 +991,7 @@ config ARCH_SOCFPGA
 	select SYS_THUMB_BUILD if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10
 	select SYSRESET
 	select SYSRESET_SOCFPGA if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10
-	select SYSRESET_SOCFPGA_SOC64 if TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
+	select SYSRESET_SOCFPGA_SOC64 if TARGET_SOCFPGA_SOC64
 	imply CMD_DM
 	imply CMD_MTDPARTS
 	imply CRC32_VERIFY

arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi

@@ -117,4 +117,26 @@
 	};
 };
 
+#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH)
+&uboot_blob {
+	filename = "signed-u-boot-nodtb.bin";
+};
+
+&atf_blob {
+	filename = "signed-bl31.bin";
+};
+
+&uboot_fdt_blob {
+	filename = "signed-u-boot.dtb";
+};
+
+&kernel_blob {
+	filename = "signed-Image";
+};
+
+&kernel_fdt_blob {
+	filename = "signed-linux.dtb";
+};
+#endif
+
 #endif

arch/arm/mach-socfpga/Kconfig

@@ -6,6 +6,21 @@ config ERR_PTR_OFFSET
 config NR_DRAM_BANKS
 	default 1
 
+config SOCFPGA_SECURE_VAB_AUTH
+	bool "Enable boot image authentication with Secure Device Manager"
+	depends on TARGET_SOCFPGA_AGILEX
+	select FIT_IMAGE_POST_PROCESS
+	select SHA384
+	select SHA512_ALGO
+	select SPL_FIT_IMAGE_POST_PROCESS
+	help
+	 All images loaded from FIT will be authenticated by Secure Device
+	 Manager.
+
+config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE
+	bool "Allow non-FIT VAB signed images"
+	depends on SOCFPGA_SECURE_VAB_AUTH
+
 config SPL_SIZE_LIMIT
 	default 0x10000 if TARGET_SOCFPGA_GEN5
 
@@ -38,6 +53,7 @@ config TARGET_SOCFPGA_AGILEX
 	select FPGA_INTEL_SDM_MAILBOX
 	select NCORE_CACHE
 	select SPL_CLK if SPL
+	select TARGET_SOCFPGA_SOC64
 
 config TARGET_SOCFPGA_ARRIA5
 	bool
@@ -75,12 +91,16 @@ config TARGET_SOCFPGA_GEN5
 	imply SPL_SYS_MALLOC_SIMPLE
 	imply SPL_USE_TINY_PRINTF
 
+config TARGET_SOCFPGA_SOC64
+	bool
+
 config TARGET_SOCFPGA_STRATIX10
 	bool
 	select ARMV8_MULTIENTRY
 	select ARMV8_SET_SMPEN
 	select BINMAN if SPL_ATF
 	select FPGA_INTEL_SDM_MAILBOX
+	select TARGET_SOCFPGA_SOC64
 
 choice
 	prompt "Altera SOCFPGA board select"

arch/arm/mach-socfpga/Makefile

@@ -4,6 +4,7 @@
 # Wolfgang Denk, DENX Software Engineering, wd@denx.de.
 #
 # Copyright (C) 2012-2017 Altera Corporation <www.altera.com>
+# Copyright (C) 2017-2020 Intel Corporation <www.intel.com>
 
 obj-y	+= board.o
 obj-y	+= clock_manager.o
@@ -47,8 +48,10 @@ obj-y	+= mailbox_s10.o
 obj-y	+= misc_s10.o
 obj-y	+= mmu-arm64_s10.o
 obj-y	+= reset_manager_s10.o
+obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH)	+= secure_vab.o
 obj-y	+= system_manager_s10.o
 obj-y	+= timer_s10.o
+obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH)	+= vab.o
 obj-y	+= wrap_pinmux_config_s10.o
 obj-y	+= wrap_pll_config_s10.o
 endif

arch/arm/mach-socfpga/board.c

@@ -6,14 +6,17 @@
  */
 
 #include <common.h>
-#include <errno.h>
-#include <fdtdec.h>
-#include <init.h>
-#include <asm/arch/reset_manager.h>
 #include <asm/arch/clock_manager.h>
 #include <asm/arch/misc.h>
+#include <asm/arch/reset_manager.h>
+#include <asm/arch/secure_vab.h>
 #include <asm/global_data.h>
 #include <asm/io.h>
+#include <errno.h>
+#include <fdtdec.h>
+#include <hang.h>
+#include <image.h>
+#include <init.h>
 #include <log.h>
 #include <usb.h>
 #include <usb/dwc2_udc.h>
@@ -98,3 +101,37 @@ __weak int board_fit_config_name_match(const char *name)
 	return 0;
 }
 #endif
+
+#if IS_ENABLED(CONFIG_FIT_IMAGE_POST_PROCESS)
+void board_fit_image_post_process(void **p_image, size_t *p_size)
+{
+	if (IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)) {
+		if (socfpga_vendor_authentication(p_image, p_size))
+			hang();
+	}
+}
+#endif
+
+#if !IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_FIT)
+void board_prep_linux(bootm_headers_t *images)
+{
+	if (!IS_ENABLED(CONFIG_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE)) {
+		/*
+		 * Ensure the OS is always booted from FIT and with
+		 * VAB signed certificate
+		 */
+		if (!images->fit_uname_cfg) {
+			printf("Please use FIT with VAB signed images!\n");
+			hang();
+		}
+
+		env_set_hex("fdt_addr", (ulong)images->ft_addr);
+		debug("images->ft_addr = 0x%08lx\n", (ulong)images->ft_addr);
+	}
+
+	if (IS_ENABLED(CONFIG_CADENCE_QSPI)) {
+		if (env_get("linux_qspi_enable"))
+			run_command(env_get("linux_qspi_enable"), 0);
+	}
+}
+#endif

arch/arm/mach-socfpga/include/mach/mailbox_s10.h

@@ -118,6 +118,7 @@ enum ALT_SDM_MBOX_RESP_CODE {
 #define MBOX_RECONFIG_MSEL	7
 #define MBOX_RECONFIG_DATA	8
 #define MBOX_RECONFIG_STATUS	9
+#define MBOX_VAB_SRC_CERT		11
 #define MBOX_QSPI_OPEN		50
 #define MBOX_QSPI_CLOSE		51
 #define MBOX_QSPI_DIRECT	59

arch/arm/mach-socfpga/include/mach/reset_manager.h

@@ -43,8 +43,7 @@ void socfpga_per_reset_all(void);
 #include <asm/arch/reset_manager_gen5.h>
 #elif defined(CONFIG_TARGET_SOCFPGA_ARRIA10)
 #include <asm/arch/reset_manager_arria10.h>
-#elif defined(CONFIG_TARGET_SOCFPGA_STRATIX10) || \
-	defined(CONFIG_TARGET_SOCFPGA_AGILEX)
+#elif defined(CONFIG_TARGET_SOCFPGA_SOC64)
 #include <asm/arch/reset_manager_soc64.h>
 #endif
 

arch/arm/mach-socfpga/include/mach/secure_vab.h

@@ -0,0 +1,63 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2020 Intel Corporation <www.intel.com>
+ *
+ */
+
+#ifndef	_SECURE_VAB_H_
+#define	_SECURE_VAB_H_
+
+#include <linux/sizes.h>
+#include <linux/stddef.h>
+#include <u-boot/sha512.h>
+
+#define VAB_DATA_SZ			64
+
+#define SDM_CERT_MAGIC_NUM		0x25D04E7F
+#define FCS_HPS_VAB_MAGIC_NUM		0xD0564142
+
+#define MAX_CERT_SIZE			(SZ_4K)
+
+/*
+ * struct fcs_hps_vab_certificate_data
+ * @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142)
+ * @flags: TBD
+ * @fcs_data: Data words being certificate signed.
+ * @cert_sign_keychain: Certificate Signing Keychain
+ */
+struct fcs_hps_vab_certificate_data {
+	u32 vab_cert_magic_num;		/* offset 0x10 */
+	u32 flags;
+	u8 rsvd0_1[8];
+	u8 fcs_sha384[SHA384_SUM_LEN];	/* offset 0x20 */
+};
+
+/*
+ * struct fcs_hps_vab_certificate_header
+ * @cert_magic_num: Certificate Magic Word (0x25D04E7F)
+ * @cert_data_sz: size of this certificate header (0x80)
+ *	Includes magic number all the way to the certificate
+ *      signing keychain (excludes cert. signing keychain)
+ * @cert_ver: Certificate Version
+ * @cert_type: Certificate Type
+ * @data: VAB HPS Image Certificate data
+ */
+struct fcs_hps_vab_certificate_header {
+	u32 cert_magic_num;		/* offset 0 */
+	u32 cert_data_sz;
+	u32 cert_ver;
+	u32 cert_type;
+	struct fcs_hps_vab_certificate_data d;	/* offset 0x10 */
+	/* keychain starts at offset 0x50 */
+};
+
+#define VAB_CERT_HEADER_SIZE	sizeof(struct fcs_hps_vab_certificate_header)
+#define VAB_CERT_MAGIC_OFFSET	offsetof \
+				(struct fcs_hps_vab_certificate_header, d)
+#define VAB_CERT_FIT_SHA384_OFFSET	offsetof \
+					(struct fcs_hps_vab_certificate_data, \
+					 fcs_sha384[0])
+
+int socfpga_vendor_authentication(void **p_image, size_t *p_size);
+
+#endif /* _SECURE_VAB_H_ */

arch/arm/mach-socfpga/include/mach/system_manager.h

@@ -8,8 +8,7 @@
 
 phys_addr_t socfpga_get_sysmgr_addr(void);
 
-#if defined(CONFIG_TARGET_SOCFPGA_STRATIX10) || \
-	defined(CONFIG_TARGET_SOCFPGA_AGILEX)
+#if defined(CONFIG_TARGET_SOCFPGA_SOC64)
 #include <asm/arch/system_manager_soc64.h>
 #else
 #define SYSMGR_ROMCODEGRP_CTRL_WARMRSTCFGPINMUX	BIT(0)

arch/arm/mach-socfpga/secure_vab.c

@@ -0,0 +1,186 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020 Intel Corporation <www.intel.com>
+ *
+ */
+
+#include <asm/arch/mailbox_s10.h>
+#include <asm/arch/secure_vab.h>
+#include <asm/arch/smc_api.h>
+#include <asm/unaligned.h>
+#include <common.h>
+#include <exports.h>
+#include <linux/errno.h>
+#include <linux/intel-smc.h>
+#include <log.h>
+
+#define CHUNKSZ_PER_WD_RESET		(256 * SZ_1K)
+
+/*
+ * Read the length of the VAB certificate from the end of image
+ * and calculate the actual image size (excluding the VAB certificate).
+ */
+static size_t get_img_size(u8 *img_buf, size_t img_buf_sz)
+{
+	u8 *img_buf_end = img_buf + img_buf_sz;
+	u32 cert_sz = get_unaligned_le32(img_buf_end - sizeof(u32));
+	u8 *p = img_buf_end - cert_sz - sizeof(u32);
+
+	/* Ensure p is pointing within the img_buf */
+	if (p < img_buf || p > (img_buf_end - VAB_CERT_HEADER_SIZE))
+		return 0;
+
+	if (get_unaligned_le32(p) == SDM_CERT_MAGIC_NUM)
+		return (size_t)(p - img_buf);
+
+	return 0;
+}
+
+/*
+ * Vendor Authorized Boot (VAB) is a security feature for authenticating
+ * the images such as U-Boot, ARM trusted Firmware, Linux kernel,
+ * device tree blob and etc loaded from FIT. User can also trigger
+ * the VAB authentication from U-Boot command.
+ *
+ * This function extracts the VAB certificate and signature block
+ * appended at the end of the image, then send to Secure Device Manager
+ * (SDM) for authentication. This function will validate the SHA384
+ * of the image against the SHA384 hash stored in the VAB certificate
+ * before sending the VAB certificate to SDM for authentication.
+ *
+ * RETURN
+ * 0 if authentication success or
+ *   if authentication is not required and bypassed on a non-secure device
+ * negative error code if authentication fail
+ */
+int socfpga_vendor_authentication(void **p_image, size_t *p_size)
+{
+	int retry_count = 20;
+	u8 hash384[SHA384_SUM_LEN];
+	u64 img_addr, mbox_data_addr;
+	size_t img_sz, mbox_data_sz;
+	u8 *cert_hash_ptr, *mbox_relocate_data_addr;
+	u32 resp = 0, resp_len = 1;
+	int ret;
+
+	img_addr = (uintptr_t)*p_image;
+
+	debug("Authenticating image at address 0x%016llx (%ld bytes)\n",
+	      img_addr, *p_size);
+
+	img_sz = get_img_size((u8 *)img_addr, *p_size);
+	debug("img_sz = %ld\n", img_sz);
+
+	if (!img_sz) {
+		puts("VAB certificate not found in image!\n");
+		return -ENOKEY;
+	}
+
+	if (!IS_ALIGNED(img_sz, sizeof(u32))) {
+		printf("Image size (%ld bytes) not aliged to 4 bytes!\n",
+		       img_sz);
+		return -EBFONT;
+	}
+
+	/* Generate HASH384 from the image */
+	sha384_csum_wd((u8 *)img_addr, img_sz, hash384, CHUNKSZ_PER_WD_RESET);
+
+	cert_hash_ptr = (u8 *)(img_addr + img_sz + VAB_CERT_MAGIC_OFFSET +
+			       VAB_CERT_FIT_SHA384_OFFSET);
+
+	/*
+	 * Compare the SHA384 found in certificate against the SHA384
+	 * calculated from image
+	 */
+	if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) {
+		puts("SHA384 not match!\n");
+		return -EKEYREJECTED;
+	}
+
+	mbox_data_addr = img_addr + img_sz - sizeof(u32);
+	/* Size in word (32bits) */
+	mbox_data_sz = (ALIGN(*p_size - img_sz, sizeof(u32))) >> 2;
+
+	debug("mbox_data_addr = 0x%016llx\n", mbox_data_addr);
+	debug("mbox_data_sz = %ld words\n", mbox_data_sz);
+
+	/*
+	 * Relocate certificate to first memory block before trigger SMC call
+	 * to send mailbox command because ATF only able to access first
+	 * memory block.
+	 */
+	mbox_relocate_data_addr = (u8 *)malloc(mbox_data_sz * sizeof(u32));
+	if (!mbox_relocate_data_addr) {
+		puts("Out of memory for VAB certificate relocation!\n");
+		return -ENOMEM;
+	}
+
+	memcpy(mbox_relocate_data_addr, (u8 *)mbox_data_addr, mbox_data_sz * sizeof(u32));
+	*(u32 *)mbox_relocate_data_addr = 0;
+
+	debug("mbox_relocate_data_addr = 0x%p\n", mbox_relocate_data_addr);
+
+	do {
+		if (!IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_SPL_ATF)) {
+			/* Invoke SMC call to ATF to send the VAB certificate to SDM */
+			ret  = smc_send_mailbox(MBOX_VAB_SRC_CERT, mbox_data_sz,
+						(u32 *)mbox_relocate_data_addr, 0, &resp_len,
+						&resp);
+		} else {
+			/* Send the VAB certficate to SDM for authentication */
+			ret = mbox_send_cmd(MBOX_ID_UBOOT, MBOX_VAB_SRC_CERT,
+					    MBOX_CMD_DIRECT, mbox_data_sz,
+					    (u32 *)mbox_relocate_data_addr, 0, &resp_len,
+					    &resp);
+		}
+		/* If SDM is not available, just delay 50ms and retry again */
+		if (ret == MBOX_RESP_DEVICE_BUSY)
+			mdelay(50);
+		else
+			break;
+	} while (--retry_count);
+
+	/* Free the relocate certificate memory space */
+	free(mbox_relocate_data_addr);
+
+	/* Exclude the size of the VAB certificate from image size */
+	*p_size = img_sz;
+
+	debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp,
+	      resp_len);
+
+	if (ret) {
+		/*
+		 * Unsupported mailbox command or device not in the
+		 * owned/secure state
+		 */
+		if (ret == MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) {
+			/* SDM bypass authentication */
+			printf("%s 0x%016llx (%ld bytes)\n",
+			       "Image Authentication bypassed at address",
+			       img_addr, img_sz);
+			return 0;
+		}
+		puts("VAB certificate authentication failed in SDM");
+		if (ret == MBOX_RESP_DEVICE_BUSY) {
+			puts(" (SDM busy timeout)\n");
+			return -ETIMEDOUT;
+		} else if (ret == MBOX_RESP_UNKNOWN) {
+			puts(" (Not supported)\n");
+			return -ESRCH;
+		}
+		puts("\n");
+		return -EKEYREJECTED;
+	} else {
+		/* If Certificate Process Status has error */
+		if (resp) {
+			puts("VAB certificate process failed\n");
+			return -ENOEXEC;
+		}
+	}
+
+	printf("%s 0x%016llx (%ld bytes)\n",
+	       "Image Authentication passed at address", img_addr, img_sz);
+
+	return 0;
+}

arch/arm/mach-socfpga/vab.c

@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020 Intel Corporation <www.intel.com>
+ *
+ */
+
+#include <asm/arch/secure_vab.h>
+#include <command.h>
+#include <common.h>
+#include <linux/ctype.h>
+
+static int do_vab(struct cmd_tbl *cmdtp, int flag, int argc,
+		  char *const argv[])
+{
+	unsigned long addr, len;
+
+	if (argc < 3)
+		return CMD_RET_USAGE;
+
+	addr = simple_strtoul(argv[1], NULL, 16);
+	len = simple_strtoul(argv[2], NULL, 16);
+
+	if (socfpga_vendor_authentication((void *)&addr, (size_t *)&len) != 0)
+		return CMD_RET_FAILURE;
+
+	return 0;
+}
+
+U_BOOT_CMD(
+	vab,	3,	2,	do_vab,
+	"perform vendor authorization",
+	"addr len   - authorize 'len' bytes starting at\n"
+	"                 'addr' via vendor public key"
+);

board/intel/agilex-socdk/MAINTAINERS

@@ -6,3 +6,8 @@ F:	board/intel/agilex-socdk/
 F:	include/configs/socfpga_agilex_socdk.h
 F:	configs/socfpga_agilex_atf_defconfig
 F:	configs/socfpga_agilex_defconfig
+
+SOCFPGA BOARD WITH VAB
+M:	Siew Chin Lim <elly.siew.chin.lim@intel.com>
+S:	Maintained
+F:	configs/socfpga_agilex_vab_defconfig

common/Kconfig.boot

@@ -138,7 +138,7 @@ config FIT_BEST_MATCH
 
 config FIT_IMAGE_POST_PROCESS
 	bool "Enable post-processing of FIT artifacts after loading by U-Boot"
-	depends on TI_SECURE_DEVICE
+	depends on TI_SECURE_DEVICE || SOCFPGA_SECURE_VAB_AUTH
 	help
 	  Allows doing any sort of manipulation to blobs after they got extracted
 	  from FIT images like stripping off headers or modifying the size of the

configs/socfpga_agilex_atf_defconfig

@@ -20,6 +20,8 @@ CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000
 CONFIG_BOOTDELAY=5
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="earlycon"
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot"
 CONFIG_SPL_CACHE=y
 CONFIG_SPL_SPI_LOAD=y
 CONFIG_SPL_ATF=y

configs/socfpga_agilex_defconfig

@@ -18,6 +18,8 @@ CONFIG_DEFAULT_DEVICE_TREE="socfpga_agilex_socdk"
 CONFIG_BOOTDELAY=5
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="earlycon"
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="run fatscript; run mmcload; run linux_qspi_enable; run mmcboot"
 CONFIG_SPL_CACHE=y
 CONFIG_SPL_SPI_LOAD=y
 CONFIG_HUSH_PARSER=y

configs/socfpga_agilex_vab_defconfig

@@ -0,0 +1,75 @@
+CONFIG_ARM=y
+CONFIG_SPL_LDSCRIPT="arch/arm/mach-socfpga/u-boot-spl-soc64.lds"
+CONFIG_ARCH_SOCFPGA=y
+CONFIG_SYS_TEXT_BASE=0x200000
+CONFIG_SYS_MALLOC_F_LEN=0x2000
+CONFIG_NR_DRAM_BANKS=2
+CONFIG_ENV_SIZE=0x1000
+CONFIG_ENV_OFFSET=0x200
+CONFIG_SYS_SPI_U_BOOT_OFFS=0x02000000
+CONFIG_DM_GPIO=y
+CONFIG_SPL_TEXT_BASE=0xFFE00000
+CONFIG_SOCFPGA_SECURE_VAB_AUTH=y
+CONFIG_TARGET_SOCFPGA_AGILEX_SOCDK=y
+CONFIG_IDENT_STRING="socfpga_agilex"
+CONFIG_SPL_FS_FAT=y
+CONFIG_DEFAULT_DEVICE_TREE="socfpga_agilex_socdk"
+CONFIG_FIT=y
+CONFIG_SPL_LOAD_FIT=y
+CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000
+# CONFIG_USE_SPL_FIT_GENERATOR is not set
+# CONFIG_LEGACY_IMAGE_FORMAT is not set
+CONFIG_BOOTDELAY=5
+CONFIG_USE_BOOTARGS=y
+CONFIG_BOOTARGS="earlycon"
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run mmcfitboot"
+CONFIG_SPL_CACHE=y
+CONFIG_SPL_SPI_LOAD=y
+CONFIG_SPL_ATF=y
+CONFIG_SPL_ATF_NO_PLATFORM_PARAM=y
+CONFIG_HUSH_PARSER=y
+CONFIG_SYS_PROMPT="SOCFPGA_AGILEX # "
+CONFIG_CMD_MEMTEST=y
+CONFIG_CMD_GPIO=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_SPI=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_DHCP=y
+CONFIG_CMD_MII=y
+CONFIG_CMD_PING=y
+CONFIG_CMD_CACHE=y
+CONFIG_CMD_EXT4=y
+CONFIG_CMD_FAT=y
+CONFIG_CMD_FS_GENERIC=y
+CONFIG_ENV_IS_IN_MMC=y
+CONFIG_NET_RANDOM_ETHADDR=y
+CONFIG_SPL_DM_SEQ_ALIAS=y
+CONFIG_SPL_ALTERA_SDRAM=y
+CONFIG_DWAPB_GPIO=y
+CONFIG_DM_I2C=y
+CONFIG_SYS_I2C_DW=y
+CONFIG_DM_MMC=y
+CONFIG_MMC_DW=y
+CONFIG_MTD=y
+CONFIG_SF_DEFAULT_MODE=0x2003
+CONFIG_SPI_FLASH_SPANSION=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_PHY_MICREL=y
+CONFIG_PHY_MICREL_KSZ90X1=y
+CONFIG_DM_ETH=y
+CONFIG_ETH_DESIGNWARE=y
+CONFIG_MII=y
+CONFIG_DM_RESET=y
+CONFIG_SPI=y
+CONFIG_CADENCE_QSPI=y
+CONFIG_DESIGNWARE_SPI=y
+CONFIG_USB=y
+CONFIG_DM_USB=y
+CONFIG_USB_DWC2=y
+CONFIG_USB_STORAGE=y
+CONFIG_DESIGNWARE_WATCHDOG=y
+CONFIG_WDT=y
+# CONFIG_SPL_USE_TINY_PRINTF is not set
+CONFIG_PANIC_HANG=y

configs/socfpga_stratix10_atf_defconfig

@@ -20,6 +20,8 @@ CONFIG_SPL_LOAD_FIT_ADDRESS=0x02000000
 CONFIG_BOOTDELAY=5
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="earlycon"
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="run fatscript; run mmcfitload; run linux_qspi_enable; run mmcfitboot"
 CONFIG_SPL_SPI_LOAD=y
 CONFIG_SPL_ATF=y
 CONFIG_SPL_ATF_NO_PLATFORM_PARAM=y

configs/socfpga_stratix10_defconfig

@@ -20,6 +20,8 @@ CONFIG_SPL_OPTIMIZE_INLINING=y
 CONFIG_BOOTDELAY=5
 CONFIG_USE_BOOTARGS=y
 CONFIG_BOOTARGS="earlycon"
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="run fatscript; run mmcload; run linux_qspi_enable; run mmcboot"
 CONFIG_SPL_SPI_LOAD=y
 CONFIG_HUSH_PARSER=y
 CONFIG_SYS_PROMPT="SOCFPGA_STRATIX10 # "

drivers/ddr/altera/Kconfig

@@ -1,8 +1,8 @@
 config SPL_ALTERA_SDRAM
 	bool "SoCFPGA DDR SDRAM driver in SPL"
 	depends on SPL
-	depends on TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
-	select RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
-	select SPL_RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
+	depends on TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_ARRIA10 || TARGET_SOCFPGA_SOC64
+	select RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_SOC64
+	select SPL_RAM if TARGET_SOCFPGA_GEN5 || TARGET_SOCFPGA_SOC64
 	help
 	  Enable DDR SDRAM controller for the SoCFPGA devices.

drivers/fpga/Kconfig

@@ -33,7 +33,7 @@ config FPGA_CYCLON2
 
 config FPGA_INTEL_SDM_MAILBOX
 	bool "Enable Intel FPGA Full Reconfiguration SDM Mailbox driver"
-	depends on TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX
+	depends on TARGET_SOCFPGA_SOC64
 	select FPGA_ALTERA
 	help
 	  Say Y here to enable the Intel FPGA Full Reconfig SDM Mailbox driver

drivers/sysreset/Kconfig

@@ -94,7 +94,7 @@ config SYSRESET_SOCFPGA
 
 config SYSRESET_SOCFPGA_SOC64
 	bool "Enable support for Intel SOCFPGA SoC64 family (Stratix10/Agilex)"
-	depends on ARCH_SOCFPGA && (TARGET_SOCFPGA_STRATIX10 || TARGET_SOCFPGA_AGILEX)
+	depends on ARCH_SOCFPGA && TARGET_SOCFPGA_SOC64
 	help
 	  This enables the system reset driver support for Intel SOCFPGA
 	  SoC64 SoCs.

include/configs/socfpga_soc64_common.h

@@ -79,19 +79,13 @@ unsigned int cm_get_qspi_controller_clk_hz(void);
 #endif /* CONFIG_CADENCE_QSPI */
 
 /*
- * Boot arguments passed to the boot command. The value of
- * CONFIG_BOOTARGS goes into the environment value "bootargs".
- * Do note the value will override also the chosen node in FDT blob.
+ * Environment variable
  */
 
 #ifdef CONFIG_FIT
 #define CONFIG_BOOTFILE "kernel.itb"
-#define CONFIG_BOOTCOMMAND "run fatscript; run mmcfitload;run linux_qspi_enable;" \
-			   "run mmcfitboot"
 #else
 #define CONFIG_BOOTFILE "Image"
-#define CONFIG_BOOTCOMMAND "run fatscript; run mmcload;run linux_qspi_enable;" \
-			   "run mmcboot"
 #endif
 
 #define CONFIG_EXTRA_ENV_SETTINGS \
@@ -200,7 +194,7 @@ unsigned int cm_get_l4_sys_free_clk_hz(void);
  * 0x8000_0000 ...... End of SDRAM_1 (assume 2GB)
  *
  */
-#define CONFIG_SPL_TARGET		"spl/u-boot-spl.hex"
+#define CONFIG_SPL_TARGET		"spl/u-boot-spl-dtb.hex"
 #define CONFIG_SPL_MAX_SIZE		CONFIG_SYS_INIT_RAM_SIZE
 #define CONFIG_SPL_STACK		CONFIG_SYS_INIT_SP_ADDR
 #define CONFIG_SPL_BSS_MAX_SIZE		0x100000	/* 1 MB */

scripts/Makefile.spl

@@ -229,6 +229,8 @@ ifneq ($(CONFIG_TARGET_SOCFPGA_GEN5)$(CONFIG_TARGET_SOCFPGA_ARRIA10),)
 INPUTS-y	+= $(obj)/$(SPL_BIN).sfp
 endif
 
+INPUTS-$(CONFIG_TARGET_SOCFPGA_SOC64) += $(obj)/u-boot-spl-dtb.hex
+
 ifdef CONFIG_ARCH_SUNXI
 INPUTS-y	+= $(obj)/sunxi-spl.bin
 
@@ -389,6 +391,11 @@ $(obj)/$(SPL_BIN).sfp: $(obj)/$(SPL_BIN).bin FORCE
 MKIMAGEFLAGS_sunxi-spl.bin = -T sunxi_egon \
 	-n $(CONFIG_DEFAULT_DEVICE_TREE)
 
+OBJCOPYFLAGS_u-boot-spl-dtb.hex := -I binary -O ihex --change-address=$(CONFIG_SPL_TEXT_BASE)
+
+$(obj)/u-boot-spl-dtb.hex: $(obj)/u-boot-spl-dtb.bin FORCE
+	$(call if_changed,objcopy)
+
 $(obj)/sunxi-spl.bin: $(obj)/$(SPL_BIN).bin FORCE
 	$(call if_changed,mkimage)