diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h index 8491a72dd1..0da0599738 100644 --- a/arch/arm/include/asm/fsl_secure_boot.h +++ b/arch/arm/include/asm/fsl_secure_boot.h @@ -8,6 +8,14 @@ #define __FSL_SECURE_BOOT_H #ifdef CONFIG_SECURE_BOOT + +#ifndef CONFIG_FIT_SIGNATURE +#define CONFIG_CHAIN_OF_TRUST +#endif + +#endif + +#ifdef CONFIG_CHAIN_OF_TRUST #define CONFIG_CMD_ESBC_VALIDATE #define CONFIG_CMD_BLOB #define CONFIG_FSL_SEC_MON @@ -40,8 +48,6 @@ #define CONFIG_ESBC_ADDR_64BIT #endif -#ifndef CONFIG_FIT_SIGNATURE - #define CONFIG_EXTRA_ENV \ "setenv fdt_high 0xcfffffff;" \ "setenv initrd_high 0xcfffffff;" \ @@ -50,8 +56,6 @@ /* The address needs to be modified according to NOR memory map */ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000 -#include -#endif -#endif - +#include +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h index 7d217a63fd..41058d11ad 100644 --- a/arch/powerpc/include/asm/fsl_secure_boot.h +++ b/arch/powerpc/include/asm/fsl_secure_boot.h @@ -9,19 +9,11 @@ #include #ifdef CONFIG_SECURE_BOOT -#define CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_BLOB -#define CONFIG_FSL_SEC_MON -#define CONFIG_SHA_PROG_HW_ACCEL -#define CONFIG_DM -#define CONFIG_RSA -#define CONFIG_RSA_FREESCALE_EXP -#ifndef CONFIG_FSL_CAAM -#define CONFIG_FSL_CAAM -#endif + +#ifndef CONFIG_FIT_SIGNATURE +#define CONFIG_CHAIN_OF_TRUST #endif -#ifdef CONFIG_SECURE_BOOT #if defined(CONFIG_FSL_CORENET) #define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000 #elif defined(CONFIG_BSC9132QDS) @@ -76,8 +68,25 @@ */ #define CONFIG_FSL_ISBC_KEY_EXT #endif +#endif /* #ifdef CONFIG_SECURE_BOOT */ + +#ifdef CONFIG_CHAIN_OF_TRUST + +#define CONFIG_CMD_ESBC_VALIDATE +#define CONFIG_CMD_BLOB +#define CONFIG_FSL_SEC_MON +#define CONFIG_SHA_PROG_HW_ACCEL +#define CONFIG_RSA +#define CONFIG_RSA_FREESCALE_EXP + +#ifndef CONFIG_DM +#define CONFIG_DM +#endif + +#ifndef CONFIG_FSL_CAAM +#define CONFIG_FSL_CAAM +#endif -#ifndef CONFIG_FIT_SIGNATURE /* If Boot Script is not on NOR and is required to be copied on RAM */ #ifdef CONFIG_BOOTSCRIPT_COPY_RAM #define CONFIG_BS_HDR_ADDR_RAM 0x00010000 @@ -105,10 +114,8 @@ #define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000 #endif -#endif +#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */ -#include -#endif - -#endif +#include +#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */ #endif diff --git a/include/config_fsl_secboot.h b/include/config_fsl_chain_trust.h similarity index 76% rename from include/config_fsl_secboot.h rename to include/config_fsl_chain_trust.h index fc6788a7a6..45dda56bc3 100644 --- a/include/config_fsl_secboot.h +++ b/include/config_fsl_chain_trust.h @@ -4,15 +4,27 @@ * SPDX-License-Identifier: GPL-2.0+ */ -#ifndef __CONFIG_FSL_SECBOOT_H -#define __CONFIG_FSL_SECBOOT_H +#ifndef __CONFIG_FSL_CHAIN_TRUST_H +#define __CONFIG_FSL_CHAIN_TRUST_H +/* For secure boot, since ENVIRONMENT in flash/external memories is + * not verified, undef CONFIG_ENV_xxx and set default env + * (CONFIG_ENV_IS_NOWHERE) + */ #ifdef CONFIG_SECURE_BOOT -#ifndef CONFIG_CMD_ESBC_VALIDATE -#define CONFIG_CMD_ESBC_VALIDATE +#undef CONFIG_ENV_IS_IN_EEPROM +#undef CONFIG_ENV_IS_IN_NAND +#undef CONFIG_ENV_IS_IN_MMC +#undef CONFIG_ENV_IS_IN_SPI_FLASH +#undef CONFIG_ENV_IS_IN_FLASH + +#define CONFIG_ENV_IS_NOWHERE + #endif +#ifdef CONFIG_CHAIN_OF_TRUST + #ifndef CONFIG_EXTRA_ENV #define CONFIG_EXTRA_ENV "" #endif @@ -71,18 +83,7 @@ #endif /* CONFIG_RAMBOOT_NAND */ #endif /* CONFIG_BOOTSCRIPT_COPY_RAM */ -#if defined(CONFIG_RAMBOOT_SPIFLASH) -#undef CONFIG_ENV_IS_IN_SPI_FLASH -#elif defined(CONFIG_RAMBOOT_NAND) -#undef CONFIG_ENV_IS_IN_NAND -#elif defined(CONFIG_RAMBOOT_SDCARD) -#undef CONFIG_ENV_IS_IN_MMC #endif -#else /*CONFIG_SYS_RAMBOOT*/ -#undef CONFIG_ENV_IS_IN_FLASH -#endif - -#define CONFIG_ENV_IS_NOWHERE #ifndef CONFIG_BS_COPY_ENV #define CONFIG_BS_COPY_ENV @@ -92,25 +93,9 @@ #define CONFIG_BS_COPY_CMD #endif -#define CONFIG_SECBOOT_CMD CONFIG_BS_COPY_ENV \ +#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \ CONFIG_BS_COPY_CMD \ CONFIG_SECBOOT -/* - * We don't want boot delay for secure boot flow - * before autoboot starts - */ -#undef CONFIG_BOOTDELAY -#define CONFIG_BOOTDELAY 0 -#undef CONFIG_BOOTCOMMAND -#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT_CMD - -/* - * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for - * secure boot flow as defining this would enable a user to - * reach uboot prompt by pressing some key before start of - * autoboot - */ -#undef CONFIG_ZERO_BOOTDELAY_CHECK #endif #endif