ARM: bootm: Allow booting in secure mode on hyp capable systems

Older Linux kernels will not properly boot in hyp mode, add support for a
bootm_boot_mode environment variable, which can be set to "sec" or "nonsec"
to force booting in secure or non-secure mode when build with non-sec support.

The default behavior can be selected through CONFIG_ARMV7_BOOT_SEC_DEFAULT,
when this is set booting in secure mode is the default. The default setting
for this Kconfig option is N, preserving the current behavior of booting in
non-secure mode by default when non-secure mode is supported.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Siarhei Siamashka <siarhei.siamashka@gmail.com>

diff --git a/arch/arm/cpu/armv7/Kconfig b/arch/arm/cpu/armv7/Kconfig
index 15c5155b1cdf44b81d8a66828f3037c7f584c410..61e7c824594b691db486ca60ed98c2fb1252bf3a 100644 (file)
--- a/arch/arm/cpu/armv7/Kconfig
+++ b/arch/arm/cpu/armv7/Kconfig
@@ -13,6 +13,17 @@ config ARMV7_NONSEC
        ---help---
        Say Y here to enable support for booting in non-secure / SVC mode.
 
+config ARMV7_BOOT_SEC_DEFAULT
+       boolean "Boot in secure mode by default" if EXPERT
+       depends on ARMV7_NONSEC
+       default n
+       ---help---
+       Say Y here to boot in secure mode by default even if non-secure mode
+       is supported. This option is useful to boot kernels which do not
+       suppport booting in non-secure mode. Only set this if you need it.
+       This can be overriden at run-time by setting the bootm_boot_mode env.
+       variable to "sec" or "nonsec".
+
 config ARMV7_VIRT
        boolean "Enable support for hardware virtualization" if EXPERT
        depends on CPU_V7_HAS_VIRT && ARMV7_NONSEC

diff --git a/arch/arm/lib/bootm.c b/arch/arm/lib/bootm.c
index 4949d573af8c310f8348beae48caa5ea0f580bf9..a7f7c67997691c3b33d49bd6fa676fe6fcdb05b6 100644 (file)
--- a/arch/arm/lib/bootm.c
+++ b/arch/arm/lib/bootm.c
@@ -237,6 +237,26 @@ static void boot_prep_linux(bootm_headers_t *images)
        }
 }
 
+#if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
+static bool boot_nonsec(void)
+{
+       char *s = getenv("bootm_boot_mode");
+#ifdef CONFIG_ARMV7_BOOT_SEC_DEFAULT
+       bool nonsec = false;
+#else
+       bool nonsec = true;
+#endif
+
+       if (s && !strcmp(s, "sec"))
+               nonsec = false;
+
+       if (s && !strcmp(s, "nonsec"))
+               nonsec = true;
+
+       return nonsec;
+}
+#endif
+
 /* Subcommand: GO */
 static void boot_jump_linux(bootm_headers_t *images, int flag)
 {
@@ -285,12 +305,13 @@ static void boot_jump_linux(bootm_headers_t *images, int flag)
 
        if (!fake) {
 #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
-               armv7_init_nonsec();
-               secure_ram_addr(_do_nonsec_entry)(kernel_entry,
-                                                 0, machid, r2);
-#else
-               kernel_entry(0, machid, r2);
+               if (boot_nonsec()) {
+                       armv7_init_nonsec();
+                       secure_ram_addr(_do_nonsec_entry)(kernel_entry,
+                                                         0, machid, r2);
+               } else
 #endif
+                       kernel_entry(0, machid, r2);
        }
 #endif
 }