Add secure boot script, use ahab to verify image

Signed-off-by: Peng Fan <peng....@nxp.com>
---
 include/configs/imx8qxp_mek.h | 64 +++++++++++++++++++++++++++++++++----------
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/include/configs/imx8qxp_mek.h b/include/configs/imx8qxp_mek.h
index d950d06045..0149822bee 100644
--- a/include/configs/imx8qxp_mek.h
+++ b/include/configs/imx8qxp_mek.h
@@ -54,8 +54,15 @@
 
 #define CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG
 
+#ifdef CONFIG_AHAB_BOOT
+#define AHAB_ENV "sec_boot=yes\0"
+#else
+#define AHAB_ENV "sec_boot=no\0"
+#endif
+
 /* Initial environment variables */
 #define CONFIG_EXTRA_ENV_SETTINGS              \
+       AHAB_ENV \
        "script=boot.scr\0" \
        "image=Image\0" \
        "panel=NULL\0" \
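Review bot: Putting the secure-boot decision in an environment variable (`sec_boot=yes` via `AHAB_ENV`) makes it only a default. If this board's environment can be saved or edited (not visible in this hunk), a stored `sec_boot=no` or a `setenv` at the prompt sends `mmcboot`, `netboot` and `CONFIG_BOOTCOMMAND` in the later hunks down their unauthenticated branches. With `CONFIG_AHAB_BOOT` set, the choice should be made at compile time, for example by selecting the authenticated or legacy body of each script inside the same `#ifdef CONFIG_AHAB_BOOT`, so the non-authenticating commands are not in the default environment at all. If the variable is kept for convenience, a comment such as `/* sec_boot only mirrors CONFIG_AHAB_BOOT; it must not be the sole gate for authentication */` should say so.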
@@ -76,16 +83,27 @@
                "source\0" \
        "loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
        "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
+       "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" 
\
+       "auth_os=auth_cntr ${cntr_addr}\0" \
+       "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \
        "mmcboot=echo Booting from mmc ...; " \
                "run mmcargs; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if run loadfdt; then " \
-                               "booti ${loadaddr} - ${fdt_addr}; " \
+               "if test ${sec_boot} = yes; then " \
+                       "if run auth_os; then " \
+                               "run boot_os; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "echo wait for boot; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; 
then " \
+                               "if run loadfdt; then " \
+                                       "run boot_os; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "echo wait for boot; " \
+                       "fi;" \
                "fi;\0" \
        "netargs=setenv bootargs console=${console} " \
                "root=/dev/nfs " \
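Review bot: In the `sec_boot` branch of `mmcboot`, `auth_os` verifies the container at `${cntr_addr}`, but `boot_os` then runs `booti ${loadaddr} - ${fdt_addr}`, and nothing on this path loads a kernel or device tree to those addresses. That is only sound if `auth_cntr` itself places the verified images there, which this hunk does not show; if the container's destinations differ from `loadaddr`/`fdt_addr`, the board boots whatever was already in memory. A comment above `auth_os` stating that contract would help, e.g. `/* auth_cntr must leave the verified kernel and DTB at loadaddr and fdt_addr; boot_os boots those, not cntr_addr */`. Separately, the `loadcntr` line and the nested `boot_fdt` test line appear to have been wrapped by the mailer (a lone `\` and a lone `then " \`), so the patch is unlikely to apply as sent.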
@@ -97,15 +115,24 @@
                "else " \
                        "setenv get_cmd tftp; " \
                "fi; " \
-               "${get_cmd} ${loadaddr} ${image}; " \
-               "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \
-                       "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
-                               "booti ${loadaddr} - ${fdt_addr}; " \
+               "if test ${sec_boot} = yes; then " \
+                       "${get_cmd} ${cntr_addr} ${cntr_file}; " \
+                       "if run auth_os; then " \
+                               "run boot_os; " \
                        "else " \
-                               "echo WARN: Cannot load the DT; " \
+                               "echo ERR: failed to authenticate; " \
                        "fi; " \
                "else " \
-                       "booti; " \
+                       "${get_cmd} ${loadaddr} ${image}; " \
+                       "if test ${boot_fdt} = yes || test ${boot_fdt} = try; 
then " \
+                               "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \
+                                       "run boot_os; " \
+                               "else " \
+                                       "echo WARN: Cannot load the DT; " \
+                               "fi; " \
+                       "else " \
+                               "booti; " \
+                       "fi;" \
                "fi;\0"
 
 #define CONFIG_BOOTCOMMAND \
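Review bot: In the secure branch of `netboot`, the result of `${get_cmd} ${cntr_addr} ${cntr_file};` is discarded, so when the transfer fails `auth_os` still runs on whatever is at `${cntr_addr}`, possibly a container left there by an earlier `loadcntr`. Authentication should be gated on the download, e.g. `if ${get_cmd} ${cntr_addr} ${cntr_file}; then` wrapped around the existing `if run auth_os` block, with an `else echo ERR: failed to load container; fi;` arm. The non-secure branch has the same unchecked `${get_cmd} ${loadaddr} ${image};`, carried over from the old code. The `netboot` script begins outside this hunk.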
@@ -113,10 +140,17 @@
                   "if run loadbootscript; then " \
                           "run bootscript; " \
                   "else " \
-                          "if run loadimage; then " \
-                                  "run mmcboot; " \
-                          "else run netboot; " \
-                          "fi; " \
+                          "if test ${sec_boot} = yes; then " \
+                                  "if run loadcntr; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                           "else " \
+                                  "if run loadimage; then " \
+                                          "run mmcboot; " \
+                                  "else run netboot; " \
+                                  "fi; " \
+                        "fi; " \
                   "fi; " \
           "else booti ${loadaddr} - ${fdt_addr}; fi"
 
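Review bot: The `sec_boot` test is added only inside the `else` of `if run loadbootscript`, so with secure boot enabled `CONFIG_BOOTCOMMAND` still loads `boot.scr` and runs `bootscript` before any AHAB check; presumably that sources the script unauthenticated, which lets the contents of the boot medium decide what gets booted. The final context line `else booti ${loadaddr} - ${fdt_addr}; fi` is likewise reached without authentication when the outer test (outside this hunk) fails. When secure boot is on, both paths should be skipped or authenticated: move `if test ${sec_boot} = yes; then` ahead of `if run loadbootscript`, and make the last arm report an error instead of calling `booti`. This is simplest as a separate `CONFIG_BOOTCOMMAND` under `#ifdef CONFIG_AHAB_BOOT`. The start of the macro lies outside the hunk.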
-- 
2.16.4
