3 * Common security related functions for OMAP devices
6 * Texas Instruments, <www.ti.com>
8 * Daniel Allred <d-allred@ti.com>
9 * Andreas Dannenberg <dannenberg@ti.com>
11 * SPDX-License-Identifier: GPL-2.0+
17 #include <asm/arch/sys_proto.h>
18 #include <asm/omap_common.h>
19 #include <asm/omap_sec_common.h>
23 /* Index for signature verify ROM API */
25 #define API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX (0x0000000C)
27 #define API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX (0x0000000E)
30 static uint32_t secure_rom_call_args[5] __aligned(ARCH_DMA_MINALIGN);
32 u32 secure_rom_call(u32 service, u32 proc_id, u32 flag, ...)
40 num_args = va_arg(ap, u32);
47 /* Copy args to aligned args structure */
48 for (i = 0; i < num_args; i++)
49 secure_rom_call_args[i + 1] = va_arg(ap, u32);
51 secure_rom_call_args[0] = num_args;
55 /* if data cache is enabled, flush the aligned args structure */
57 (unsigned int)&secure_rom_call_args[0],
58 (unsigned int)&secure_rom_call_args[0] +
59 roundup(sizeof(secure_rom_call_args), ARCH_DMA_MINALIGN));
61 return omap_smc_sec(service, proc_id, flag, secure_rom_call_args);
64 static u32 find_sig_start(char *image, size_t size)
66 char *image_end = image + size;
67 char *sig_start_magic = "CERT_";
68 int magic_str_len = strlen(sig_start_magic);
71 while (--image_end > image) {
72 if (*image_end == '_') {
73 ch = image_end - magic_str_len + 1;
74 if (!strncmp(ch, sig_start_magic, magic_str_len))
81 int secure_boot_verify_image(void **image, size_t *size)
84 u32 cert_addr, sig_addr;
87 /* Perform cache writeback on input buffer */
90 (u32)*image + roundup(*size, ARCH_DMA_MINALIGN));
92 cert_addr = (uint32_t)*image;
93 sig_addr = find_sig_start((char *)*image, *size);
96 printf("No signature found in image!\n");
101 *size = sig_addr - cert_addr; /* Subtract out the signature size */
104 /* Check if image load address is 32-bit aligned */
105 if (!IS_ALIGNED(cert_addr, 4)) {
106 printf("Image is not 4-byte aligned!\n");
111 /* Image size also should be multiple of 4 */
112 if (!IS_ALIGNED(cert_size, 4)) {
113 printf("Image size is not 4-byte aligned!\n");
118 /* Call ROM HAL API to verify certificate signature */
119 debug("%s: load_addr = %x, size = %x, sig_addr = %x\n", __func__,
120 cert_addr, cert_size, sig_addr);
122 result = secure_rom_call(
123 API_HAL_KM_VERIFYCERTIFICATESIGNATURE_INDEX, 0, 0,
124 4, cert_addr, cert_size, sig_addr, 0xFFFFFFFF);
126 /* Perform cache writeback on output buffer */
129 (u32)*image + roundup(*size, ARCH_DMA_MINALIGN));
133 printf("Authentication failed!\n");
134 printf("Return Value = %08X\n", result);
139 * Output notification of successful authentication as well the name of
140 * the signing certificate used to re-assure the user that the secure
141 * code is being processed as expected. However suppress any such log
142 * output in case of building for SPL and booting via YMODEM. This is
143 * done to avoid disturbing the YMODEM serial protocol transactions.
145 if (!(IS_ENABLED(CONFIG_SPL_BUILD) &&
146 IS_ENABLED(CONFIG_SPL_YMODEM_SUPPORT) &&
147 spl_boot_device() == BOOT_DEVICE_UART))
148 printf("Authentication passed: %s\n", (char *)sig_addr);