[coreboot-gerrit] New patch to review for coreboot: arm64: Add support for loading secure os

Mon Jun 29 17:10:22 CEST 2015

Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10693

-gerrit

commit 032bbf342656182cbac9e0e32032b0b04431a292
Author: Furquan Shaikh <furquan at google.com>
Date:   Thu May 28 12:13:51 2015 -0700

    arm64: Add support for loading secure os
    
    Add support for loading secure os and pass its entrypoint as bl32 params
    to bl31 stage.
    
    BUG=chrome-os-partner:40713
    BRANCH=None
    TEST=Compiles successfully and loads secure os
    
    Change-Id: I1409ccb7344c1d1b1ddc2b321fdae1beea2f823d
    Signed-off-by: Patrick Georgi <pgeorgi at chromium.org>
    Original-Commit-Id: d3dc19025ff11c1e0590306230df7654ef9ad086
    Original-Change-Id: Iafd540bf2906d10b5ee009e96179121fecbf5e11
    Original-Signed-off-by: Furquan Shaikh <furquan at google.com>
    Original-Reviewed-on: https://chromium-review.googlesource.com/273719
    Original-Reviewed-by: Julius Werner <jwerner at chromium.org>
    Original-Commit-Queue: Furquan Shaikh <furquan at chromium.org>
    Original-Trybot-Ready: Furquan Shaikh <furquan at chromium.org>
    Original-Tested-by: Furquan Shaikh <furquan at chromium.org>
---
 src/arch/arm64/Kconfig      | 10 ++++++++++
 src/arch/arm64/Makefile.inc | 10 ++++++++++
 src/arch/arm64/arm_tf.c     | 20 +++++++++++++++++++-
 src/include/assets.h        |  1 +
 4 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/arch/arm64/Kconfig b/src/arch/arm64/Kconfig
index 8ebf76e..8c16732 100644
--- a/src/arch/arm64/Kconfig
+++ b/src/arch/arm64/Kconfig
@@ -44,3 +44,13 @@ config ARM64_USE_ARM_TRUSTED_FIRMWARE
 	bool
 	default n
 	depends on ARCH_RAMSTAGE_ARM64
+
+config ARM64_USE_SECURE_OS
+	bool
+	default n
+	depends on ARM64_USE_ARM_TRUSTED_FIRMWARE
+
+config ARM64_SECURE_OS_FILE
+	string "Secure OS binary file"
+	help
+	  Secure OS binary file.
diff --git a/src/arch/arm64/Makefile.inc b/src/arch/arm64/Makefile.inc
index 1aeef76..86d6f7d 100644
--- a/src/arch/arm64/Makefile.inc
+++ b/src/arch/arm64/Makefile.inc
@@ -217,6 +217,16 @@ $(BL31_CBFS)-type := stage
 $(BL31_CBFS)-compression := $(CBFS_COMPRESS_FLAG)
 cbfs-files-y += $(BL31_CBFS)
 
+ifeq ($(CONFIG_ARM64_USE_SECURE_OS),y)
+
+SECURE_OS_FILE := $(CONFIG_ARM64_SECURE_OS_FILE)
+SECURE_OS_FILE_CBFS := $(call strip_quotes,$(CONFIG_CBFS_PREFIX))/secure_os
+$(SECURE_OS_FILE_CBFS)-file := $(SECURE_OS_FILE)
+$(SECURE_OS_FILE_CBFS)-type := stage
+cbfs-files-y += $(SECURE_OS_FILE_CBFS)
+
+endif # CONFIG_ARM64_USE_SECURE_OS
+
 endif # CONFIG_ARM64_USE_ARM_TRUSTED_FIRMWARE
 
 endif # CONFIG_ARCH_RAMSTAGE_ARM64
diff --git a/src/arch/arm64/arm_tf.c b/src/arch/arm64/arm_tf.c
index 29dc7c3..9b0f19f 100644
--- a/src/arch/arm64/arm_tf.c
+++ b/src/arch/arm64/arm_tf.c
@@ -18,6 +18,8 @@
  */
 
 #include <arch/cache.h>
+#include <arch/lib_helpers.h>
+#include <arch/transition.h>
 #include <arm_tf.h>
 #include <assert.h>
 #include <cbfs.h>
@@ -32,8 +34,8 @@
 static image_info_t bl31_image_info;
 static image_info_t bl32_image_info;
 static image_info_t bl33_image_info;
-static entry_point_info_t bl32_ep_info;
  */
+static entry_point_info_t bl32_ep_info;
 static entry_point_info_t bl33_ep_info;
 static bl31_params_t bl31_params;
 
@@ -57,6 +59,22 @@ void arm_tf_run_bl31(u64 payload_entry, u64 payload_arg0, u64 payload_spsr)
 	bl31_entry = prog_entry(&bl31);
 
 	SET_PARAM_HEAD(&bl31_params, PARAM_BL31, VERSION_1, 0);
+
+	if (IS_ENABLED(CONFIG_ARM64_USE_SECURE_OS)) {
+		struct prog bl32 = PROG_INIT(ASSET_BL32, CONFIG_CBFS_PREFIX"/secure_os");
+
+		if (prog_locate(&bl32))
+			die("BL31 not found");
+
+		if (cbfs_prog_stage_load(&bl32))
+			die("BL31 load failed");
+
+		SET_PARAM_HEAD(&bl32_ep_info, PARAM_EP, VERSION_1, PARAM_EP_SECURE);
+		bl32_ep_info.pc = (uintptr_t)prog_entry(&bl32);
+		bl32_ep_info.spsr = SPSR_EXCEPTION_MASK | get_eret_el(EL1, SPSR_USE_L);
+		bl31_params.bl32_ep_info = &bl32_ep_info;
+	}
+
 	bl31_params.bl33_ep_info = &bl33_ep_info;
 
 	SET_PARAM_HEAD(&bl33_ep_info, PARAM_EP, VERSION_1, PARAM_EP_NON_SECURE);
diff --git a/src/include/assets.h b/src/include/assets.h
index 9c757ed..2368508 100644
--- a/src/include/assets.h
+++ b/src/include/assets.h
@@ -33,6 +33,7 @@ enum asset_type {
 	ASSET_REFCODE,
 	ASSET_PAYLOAD,
 	ASSET_BL31,
+	ASSET_BL32,
 };
 
 struct asset {

