warp7: Add support for automated secure boot.scr verification

This patch adds support for verifying a signed boot.scr. With this in place
it's possible for run-time Linux to update boot.scr to set different
variables such as switching between different boot partitions, pointing to
different kernels etc and for u-boot to verify these changes via the HAB
prior to executing the commands contained in boot.scr.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index fe9b7d57d768e5bd09fb8d9d90a9f5369c207a06..f340bff3e708a45ee9cd3997b7f6573ed919de84 100644 (file)
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -53,6 +53,14 @@
                "root=PARTUUID=${uuid} rootwait rw\0" \
        "ivt_offset=" __stringify(BOOTROM_IVT_HDR_OFFSET)"\0"\
        "warp7_auth_or_fail=hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0;\0" \
+       "do_bootscript_hab=" \
+               "if test ${hab_enabled} -eq 1; then " \
+                       "setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}; " \
+                       "setenv script ${script_signed}; " \
+                       "load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${script}; " \
+                       "run warp7_auth_or_fail; " \
+                       "run bootscript; "\
+               "fi;\0" \
        "loadbootscript=" \
                "load mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};\0" \
        "bootscript=echo Running bootscript from mmc ...; " \
@@ -79,6 +87,7 @@
 #define CONFIG_BOOTCOMMAND \
           "mmc dev ${mmcdev};" \
           "mmc dev ${mmcdev}; if mmc rescan; then " \
+                  "run do_bootscript_hab;" \
                   "if run loadbootscript; then " \
                           "run bootscript; " \
                   "else " \