Re: [U-Boot] [PATCH v5] xilinx: zynq: Add support to secure images

2018-06-27 Thread Michal Simek
On 27.6.2018 16:33, Michal Simek wrote:
> On 26.6.2018 11:32, Siva Durga Prasad Paladugu wrote:
>> This patch basically adds two new commands for loading secure
>> images.
>> 1. zynq rsa adds support to load secure image which can be both
>>authenticated or encrypted or both authenticated and encrypted
>>image in xilinx bootimage(BOOT.bin) format.
>> 2. zynq aes command adds support to decrypt and load encrypted
>>image back to DDR as per destination address. The image has
>>to be encrypted using xilinx bootgen tool and to get only the
>>encrypted image from tool use -split option while invoking
>>bootgen.
>>
>> Signed-off-by: Siva Durga Prasad Paladugu 
>> ---
>> Changes from v4:
>> - Moved license to top of file as per comment
>> - Removed unused variable ppkexp
>> - Used void * for buf, added check for buf allocation and freeing buf
>> - Fixed coding style comments and fsbl_len usage
>>
>> Changes from v3:
>> - Removed aesload and aesloadp as encrypted bitstream load
>>   is under duscussion and hence removed from this patch. Will
>>   work on it as a separate patch once discussion finalized.
>> _ Fixed coding style comments
>>
>> Changes from v2:
>> - Created separate commands for zynq aesload and aesloadp
>>   as per comment
>> - Fixed all other coding style comments
>>
>> Changes from v1:
>> - Defined two config synbols for RSA and AES separately
>>   and used them wherever required.
>> - Used U_BOOT_CMD_KENT as per comment
>> - Cleared DEVCFG_CTRL_PCAP_RATE_EN_MASK once decryption is
>>   done.
>>
>> Changes from RFC:
>> - Moved zynqaes to board/xilinx/zynq/cmds.c and renamed as
>>   "zynq aes".
>> - Moved boot image parsing code to a separate file.
>> - Squashed in to a single patch.
>> - Fixed coding style comments.
>> ---
>>  arch/arm/Kconfig   |   1 +
>>  arch/arm/mach-zynq/include/mach/hardware.h |   1 +
>>  board/xilinx/zynq/Kconfig  |  33 ++
>>  board/xilinx/zynq/Makefile |   5 +
>>  board/xilinx/zynq/bootimg.c| 143 
>>  board/xilinx/zynq/cmds.c   | 513 
>> +
>>  drivers/fpga/zynqpl.c  |  45 +++
>>  include/u-boot/rsa-mod-exp.h   |   4 +
>>  include/zynq_bootimg.h |  33 ++
>>  include/zynqpl.h   |   4 +
>>  lib/rsa/rsa-mod-exp.c  |  51 +++
>>  11 files changed, 833 insertions(+)
>>  create mode 100644 board/xilinx/zynq/Kconfig
>>  create mode 100644 board/xilinx/zynq/bootimg.c
>>  create mode 100644 board/xilinx/zynq/cmds.c
>>  create mode 100644 include/zynq_bootimg.h
>>
>> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
>> index 3e05f79..e78e1a4 100644
>> --- a/arch/arm/Kconfig
>> +++ b/arch/arm/Kconfig
>> @@ -1428,6 +1428,7 @@ source "board/toradex/colibri_pxa270/Kconfig"
>>  source "board/vscom/baltos/Kconfig"
>>  source "board/woodburn/Kconfig"
>>  source "board/work-microwave/work_92105/Kconfig"
>> +source "board/xilinx/zynq/Kconfig"
>>  source "board/xilinx/zynqmp/Kconfig"
>>  source "board/zipitz2/Kconfig"
>>  
>> diff --git a/arch/arm/mach-zynq/include/mach/hardware.h 
>> b/arch/arm/mach-zynq/include/mach/hardware.h
>> index f69cf00..3ff3c10 100644
>> --- a/arch/arm/mach-zynq/include/mach/hardware.h
>> +++ b/arch/arm/mach-zynq/include/mach/hardware.h
>> @@ -20,6 +20,7 @@
>>  #define ZYNQ_EFUSE_BASEADDR 0xF800D000
>>  #define ZYNQ_USB_BASEADDR0  0xE0002000
>>  #define ZYNQ_USB_BASEADDR1  0xE0003000
>> +#define ZYNQ_OCM_BASEADDR   0xFFFC
>>  
>>  /* Bootmode setting values */
>>  #define ZYNQ_BM_MASK0x7
>> diff --git a/board/xilinx/zynq/Kconfig b/board/xilinx/zynq/Kconfig
>> new file mode 100644
>> index 000..196c8e2
>> --- /dev/null
>> +++ b/board/xilinx/zynq/Kconfig
>> @@ -0,0 +1,33 @@
>> +# SPDX-License-Identifier: GPL-2.0
>> +#
>> +# Copyright (c) 2018, Xilinx, Inc.
>> +
>> +if ARCH_ZYNQ
>> +
>> +config CMD_ZYNQ
>> +bool "Enable Zynq specific commands"
>> +default y
>> +help
>> +  Enables Zynq specific commands.
>> +
>> +config CMD_ZYNQ_AES
>> +bool "Enable zynq aes command for decryption of encrypted images"
>> +depends on CMD_ZYNQ
>> +depends on FPGA_ZYNQPL
>> +help
>> +  Decrypts the encrypted image present in source address
>> +  and places the decrypted image at destination address.
>> +
>> +config CMD_ZYNQ_RSA
>> +bool "Enable zynq rsa command for loading secure images"
>> +default y
>> +depends on CMD_ZYNQ
>> +select CMD_ZYNQ_AES
>> +help
>> +  Enabling this will support zynq secure image verification.
>> +  The secure image is a xilinx specific BOOT.BIN with
>> +  either authentication or encryption or both encryption
>> +  and authentication feature enabled while generating
>> +  BOOT.BIN using Xilinx bootgen tool.
>> +
>> +endif
>> diff --git a/board/xilinx/zynq/Makefile 

Re: [U-Boot] [PATCH v5] xilinx: zynq: Add support to secure images

2018-06-27 Thread Michal Simek
On 26.6.2018 11:32, Siva Durga Prasad Paladugu wrote:
> This patch basically adds two new commands for loading secure
> images.
> 1. zynq rsa adds support to load secure image which can be both
>authenticated or encrypted or both authenticated and encrypted
>image in xilinx bootimage(BOOT.bin) format.
> 2. zynq aes command adds support to decrypt and load encrypted
>image back to DDR as per destination address. The image has
>to be encrypted using xilinx bootgen tool and to get only the
>encrypted image from tool use -split option while invoking
>bootgen.
> 
> Signed-off-by: Siva Durga Prasad Paladugu 
> ---
> Changes from v4:
> - Moved license to top of file as per comment
> - Removed unused variable ppkexp
> - Used void * for buf, added check for buf allocation and freeing buf
> - Fixed coding style comments and fsbl_len usage
> 
> Changes from v3:
> - Removed aesload and aesloadp as encrypted bitstream load
>   is under duscussion and hence removed from this patch. Will
>   work on it as a separate patch once discussion finalized.
> _ Fixed coding style comments
> 
> Changes from v2:
> - Created separate commands for zynq aesload and aesloadp
>   as per comment
> - Fixed all other coding style comments
> 
> Changes from v1:
> - Defined two config synbols for RSA and AES separately
>   and used them wherever required.
> - Used U_BOOT_CMD_KENT as per comment
> - Cleared DEVCFG_CTRL_PCAP_RATE_EN_MASK once decryption is
>   done.
> 
> Changes from RFC:
> - Moved zynqaes to board/xilinx/zynq/cmds.c and renamed as
>   "zynq aes".
> - Moved boot image parsing code to a separate file.
> - Squashed in to a single patch.
> - Fixed coding style comments.
> ---
>  arch/arm/Kconfig   |   1 +
>  arch/arm/mach-zynq/include/mach/hardware.h |   1 +
>  board/xilinx/zynq/Kconfig  |  33 ++
>  board/xilinx/zynq/Makefile |   5 +
>  board/xilinx/zynq/bootimg.c| 143 
>  board/xilinx/zynq/cmds.c   | 513 
> +
>  drivers/fpga/zynqpl.c  |  45 +++
>  include/u-boot/rsa-mod-exp.h   |   4 +
>  include/zynq_bootimg.h |  33 ++
>  include/zynqpl.h   |   4 +
>  lib/rsa/rsa-mod-exp.c  |  51 +++
>  11 files changed, 833 insertions(+)
>  create mode 100644 board/xilinx/zynq/Kconfig
>  create mode 100644 board/xilinx/zynq/bootimg.c
>  create mode 100644 board/xilinx/zynq/cmds.c
>  create mode 100644 include/zynq_bootimg.h
> 
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 3e05f79..e78e1a4 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -1428,6 +1428,7 @@ source "board/toradex/colibri_pxa270/Kconfig"
>  source "board/vscom/baltos/Kconfig"
>  source "board/woodburn/Kconfig"
>  source "board/work-microwave/work_92105/Kconfig"
> +source "board/xilinx/zynq/Kconfig"
>  source "board/xilinx/zynqmp/Kconfig"
>  source "board/zipitz2/Kconfig"
>  
> diff --git a/arch/arm/mach-zynq/include/mach/hardware.h 
> b/arch/arm/mach-zynq/include/mach/hardware.h
> index f69cf00..3ff3c10 100644
> --- a/arch/arm/mach-zynq/include/mach/hardware.h
> +++ b/arch/arm/mach-zynq/include/mach/hardware.h
> @@ -20,6 +20,7 @@
>  #define ZYNQ_EFUSE_BASEADDR  0xF800D000
>  #define ZYNQ_USB_BASEADDR0   0xE0002000
>  #define ZYNQ_USB_BASEADDR1   0xE0003000
> +#define ZYNQ_OCM_BASEADDR0xFFFC
>  
>  /* Bootmode setting values */
>  #define ZYNQ_BM_MASK 0x7
> diff --git a/board/xilinx/zynq/Kconfig b/board/xilinx/zynq/Kconfig
> new file mode 100644
> index 000..196c8e2
> --- /dev/null
> +++ b/board/xilinx/zynq/Kconfig
> @@ -0,0 +1,33 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (c) 2018, Xilinx, Inc.
> +
> +if ARCH_ZYNQ
> +
> +config CMD_ZYNQ
> + bool "Enable Zynq specific commands"
> + default y
> + help
> +   Enables Zynq specific commands.
> +
> +config CMD_ZYNQ_AES
> + bool "Enable zynq aes command for decryption of encrypted images"
> + depends on CMD_ZYNQ
> + depends on FPGA_ZYNQPL
> + help
> +   Decrypts the encrypted image present in source address
> +   and places the decrypted image at destination address.
> +
> +config CMD_ZYNQ_RSA
> + bool "Enable zynq rsa command for loading secure images"
> + default y
> + depends on CMD_ZYNQ
> + select CMD_ZYNQ_AES
> + help
> +   Enabling this will support zynq secure image verification.
> +   The secure image is a xilinx specific BOOT.BIN with
> +   either authentication or encryption or both encryption
> +   and authentication feature enabled while generating
> +   BOOT.BIN using Xilinx bootgen tool.
> +
> +endif
> diff --git a/board/xilinx/zynq/Makefile b/board/xilinx/zynq/Makefile
> index 5a76a26..f4996fa 100644
> --- a/board/xilinx/zynq/Makefile
> +++ b/board/xilinx/zynq/Makefile
> @@ -18,6 +18,11 @@ $(warning Put custom 

[U-Boot] [PATCH v5] xilinx: zynq: Add support to secure images

2018-06-26 Thread Siva Durga Prasad Paladugu
This patch adds two new commands for loading secure
images.
1. zynq rsa adds support to load a secure image, which can be
   authenticated, encrypted, or both authenticated and encrypted,
   in xilinx bootimage(BOOT.bin) format.
2. zynq aes command adds support to decrypt and load an encrypted
   image back to DDR as per the destination address. The image has
   to be encrypted using the xilinx bootgen tool; to get only the
   encrypted image from the tool, use the -split option while
   invoking bootgen.

Signed-off-by: Siva Durga Prasad Paladugu 
---
Changes from v4:
- Moved license to top of file as per comment
- Removed unused variable ppkexp
- Used void * for buf, added check for buf allocation and freeing buf
- Fixed coding style comments and fsbl_len usage

Changes from v3:
- Removed aesload and aesloadp as encrypted bitstream load
  is under duscussion and hence removed from this patch. Will
  work on it as a separate patch once discussion finalized.
_ Fixed coding style comments

Changes from v2:
- Created separate commands for zynq aesload and aesloadp
  as per comment
- Fixed all other coding style comments

Changes from v1:
- Defined two config synbols for RSA and AES separately
  and used them wherever required.
- Used U_BOOT_CMD_KENT as per comment
- Cleared DEVCFG_CTRL_PCAP_RATE_EN_MASK once decryption is
  done.

Changes from RFC:
- Moved zynqaes to board/xilinx/zynq/cmds.c and renamed as
  "zynq aes".
- Moved boot image parsing code to a separate file.
- Squashed in to a single patch.
- Fixed coding style comments.
---
 arch/arm/Kconfig   |   1 +
 arch/arm/mach-zynq/include/mach/hardware.h |   1 +
 board/xilinx/zynq/Kconfig  |  33 ++
 board/xilinx/zynq/Makefile |   5 +
 board/xilinx/zynq/bootimg.c| 143 
 board/xilinx/zynq/cmds.c   | 513 +
 drivers/fpga/zynqpl.c  |  45 +++
 include/u-boot/rsa-mod-exp.h   |   4 +
 include/zynq_bootimg.h |  33 ++
 include/zynqpl.h   |   4 +
 lib/rsa/rsa-mod-exp.c  |  51 +++
 11 files changed, 833 insertions(+)
 create mode 100644 board/xilinx/zynq/Kconfig
 create mode 100644 board/xilinx/zynq/bootimg.c
 create mode 100644 board/xilinx/zynq/cmds.c
 create mode 100644 include/zynq_bootimg.h

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 3e05f79..e78e1a4 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1428,6 +1428,7 @@ source "board/toradex/colibri_pxa270/Kconfig"
 source "board/vscom/baltos/Kconfig"
 source "board/woodburn/Kconfig"
 source "board/work-microwave/work_92105/Kconfig"
+source "board/xilinx/zynq/Kconfig"
 source "board/xilinx/zynqmp/Kconfig"
 source "board/zipitz2/Kconfig"
 
diff --git a/arch/arm/mach-zynq/include/mach/hardware.h 
b/arch/arm/mach-zynq/include/mach/hardware.h
index f69cf00..3ff3c10 100644
--- a/arch/arm/mach-zynq/include/mach/hardware.h
+++ b/arch/arm/mach-zynq/include/mach/hardware.h
@@ -20,6 +20,7 @@
 #define ZYNQ_EFUSE_BASEADDR0xF800D000
 #define ZYNQ_USB_BASEADDR0 0xE0002000
 #define ZYNQ_USB_BASEADDR1 0xE0003000
+#define ZYNQ_OCM_BASEADDR  0xFFFC
 
 /* Bootmode setting values */
 #define ZYNQ_BM_MASK   0x7
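Review bot: `ZYNQ_OCM_BASEADDR` is shown here as `0xFFFC`, a four-digit value sitting among eight-digit base addresses such as `0xF800D000` and `0xE0002000`, which looks wrong for a memory-mapped base. The `index 000..196c8e2` line of the Kconfig section is shortened in the same way, so the archive has probably dropped a run of zeros rather than the patch itself being wrong. Check the define against the applied commit before copying it from this page. The enclosing header continues outside the hunk.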
diff --git a/board/xilinx/zynq/Kconfig b/board/xilinx/zynq/Kconfig
new file mode 100644
index 000..196c8e2
--- /dev/null
+++ b/board/xilinx/zynq/Kconfig
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (c) 2018, Xilinx, Inc.
+
+if ARCH_ZYNQ
+
+config CMD_ZYNQ
+   bool "Enable Zynq specific commands"
+   default y
+   help
+ Enables Zynq specific commands.
+
+config CMD_ZYNQ_AES
+   bool "Enable zynq aes command for decryption of encrypted images"
+   depends on CMD_ZYNQ
+   depends on FPGA_ZYNQPL
+   help
+ Decrypts the encrypted image present in source address
+ and places the decrypted image at destination address.
+
+config CMD_ZYNQ_RSA
+   bool "Enable zynq rsa command for loading secure images"
+   default y
+   depends on CMD_ZYNQ
+   select CMD_ZYNQ_AES
+   help
+ Enabling this will support zynq secure image verification.
+ The secure image is a xilinx specific BOOT.BIN with
+ either authentication or encryption or both encryption
+ and authentication feature enabled while generating
+ BOOT.BIN using Xilinx bootgen tool.
+
+endif
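Review bot: `CMD_ZYNQ_RSA` uses `select CMD_ZYNQ_AES`, but `select` does not honour the selected symbol's own `depends on FPGA_ZYNQPL`, so a config with `CMD_ZYNQ=y` and `FPGA_ZYNQPL` unset gets the AES command forced on with an unmet dependency (a Kconfig warning and, presumably, a build failure if the command relies on the zynqpl driver). Replace the select with `depends on CMD_ZYNQ_AES`, or add `depends on FPGA_ZYNQPL` to `CMD_ZYNQ_RSA`. Because `CMD_ZYNQ` and `CMD_ZYNQ_RSA` are both `default y`, the select also enables the AES command on every ARCH_ZYNQ board with that driver, even though `CMD_ZYNQ_AES` itself has no default. A command that, per its help text, decrypts an image from a source address to a destination address at the U-Boot prompt is better left opt-in for production builds. The help text could state that it is meant for boards whose console is access-controlled.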
diff --git a/board/xilinx/zynq/Makefile b/board/xilinx/zynq/Makefile
index 5a76a26..f4996fa 100644
--- a/board/xilinx/zynq/Makefile
+++ b/board/xilinx/zynq/Makefile
@@ -18,6 +18,11 @@ $(warning Put custom ps7_init_gpl.c/h to 
board/xilinx/zynq/custom_hw_platform/))
 endif
 endif
 
+ifndef CONFIG_SPL_BUILD
+obj-$(CONFIG_CMD_ZYNQ) += cmds.o
+obj-$(CONFIG_CMD_ZYNQ_RSA) += bootimg.o
+endif
+
 obj-$(CONFIG_SPL_BUILD) += $(init-objs)
 
 # Suppress "warning: function