plat: imx8mm: Add in BL2 with FIP

Adds bl2 with FIP to the build required for mbed Linux booting where we do: BootROM -> SPL -> BL2 -> OPTEE -> u-boot If NEED_BL2 is specified then BL2 will be built and BL31 will have its address range modified upwards to accommodate. BL31 must be loaded from a FIP in this case. If NEED_BL2 is not specified then the current BL31 boot flow is unaffected and u-boot SPL will load and execute BL31 directly. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org> Change-Id: I655343b3b689b1fc57cfbedda4d3dc2fbd549a96

plat: imx8mm: Add in BL2 with FIP
Adds bl2 with FIP to the build required for mbed Linux booting where we do: BootROM -> SPL -> BL2 -> OPTEE -> u-boot If NEED_BL2 is specified then BL2 will be built and BL31 will have its address range modified upwards to accommodate. BL31 must be loaded from a FIP in this case. If NEED_BL2 is not specified then the current BL31 boot flow is unaffected and u-boot SPL will load and execute BL31 directly. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org> Change-Id: I655343b3b689b1fc57cfbedda4d3dc2fbd549a96
ad329e50 · Ying-Chun Liu (PaulLiu) · f255cad7 · ad329e50 · ad329e50 · ad329e50
Commit ad329e50 authored Dec 22, 2020 by Ying-Chun Liu (PaulLiu)
--- a/docs/plat/imx8m.rst
+++ b/docs/plat/imx8m.rst
@@ -43,3 +43,17 @@ together to generate a binary file called flash.bin, the imx-mkimage tool is
 used to generate flash.bin, and flash.bin needs to be flashed into SD card
 with certain offset for BOOT ROM. the u-boot and imx-mkimage will be upstreamed
 soon, this doc will be updated once they are ready, and the link will be posted.
+
+TBBR Boot Sequence
+------------------
+
+When setting NEED_BL2=1 on imx8mm. We support an alternative way of
+boot sequence to support TBBR.
+
+Bootrom --> SPL --> BL2 --> BL31 --> BL33(u-boot with UEFI) --> grub
+
+This helps us to fulfill the SystemReady EBBR standard.
+BL2 will be in the FIT image and SPL will verify it.
+All of the BL3x will be put in the FIP image. BL2 will verify them.
+In U-boot we turn on the UEFI secure boot features so it can verify
+grub. And we use grub to verify linux kernel.
--- a/plat/imx/imx8m/imx8mm/imx8mm_bl2_el3_setup.c
+++ b/plat/imx/imx8m/imx8mm/imx8mm_bl2_el3_setup.c
+/*
+ * Copyright 2017-2021 NXP
+ * Copyright 2021 Arm
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+
+#include <arch_helpers.h>
+#include <common/bl_common.h>
+#include <common/debug.h>
+#include <common/desc_image_load.h>
+#include <context.h>
+#include <drivers/console.h>
+#include <drivers/generic_delay_timer.h>
+#include <drivers/mmc.h>
+#include <lib/mmio.h>
+#include <lib/optee_utils.h>
+#include <lib/utils.h>
+#include <stdbool.h>
+#include <tbbr_img_def.h>
+
+#include <imx_aipstz.h>
+#include <imx_csu.h>
+#include <imx_uart.h>
+#include <imx_usdhc.h>
+#include <plat/common/platform.h>
+
+#include "imx8mm_private.h"
+#include "platform_def.h"
+
+static const struct aipstz_cfg aipstz[] = {
+	{IMX_AIPSTZ1, 0x77777777, 0x77777777, .opacr = {0x0, 0x0, 0x0, 0x0, 0x0}, },
+	{IMX_AIPSTZ2, 0x77777777, 0x77777777, .opacr = {0x0, 0x0, 0x0, 0x0, 0x0}, },
+	{IMX_AIPSTZ3, 0x77777777, 0x77777777, .opacr = {0x0, 0x0, 0x0, 0x0, 0x0}, },
+	{IMX_AIPSTZ4, 0x77777777, 0x77777777, .opacr = {0x0, 0x0, 0x0, 0x0, 0x0}, },
+	{0},
+};
+
+static void imx8mm_usdhc_setup(void)
+{
+	imx_usdhc_params_t params;
+	struct mmc_device_info info;
+
+	params.reg_base = PLAT_IMX8MM_BOOT_MMC_BASE;
+	/*
+	   The imx8mm SD Card Speed modes for USDHC2
+	   +--------------+--------------------+--------------+--------------+
+	   |Bus Speed Mode|Max. Clock Frequency|Max. Bus Speed|Signal Voltage|
+	   +--------------+--------------------+--------------+--------------+
+	   |Default Speed | 25 MHz             | 12.5 MB/s    | 3.3V         |
+	   |High Speed    | 50 MHz             | 25 MB/s      | 3.3V         |
+	   +--------------+--------------------+--------------+--------------+
+
+	   We pick 50 Mhz here for High Speed access.
+	*/
+	params.clk_rate = 50000000;
+	params.bus_width = MMC_BUS_WIDTH_1;
+	params.flags = 0;
+	info.mmc_dev_type = MMC_IS_SD;
+	info.ocr_voltage = OCR_3_3_3_4 | OCR_3_2_3_3;
+	imx_usdhc_init(&params, &info);
+}
+
+void bl2_el3_early_platform_setup(u_register_t arg1, u_register_t arg2,
+				  u_register_t arg3, u_register_t arg4)
+{
+	int i;
+	static console_t console;
+
+	/* enable CSU NS access permission */
+	for (i = 0; i < MAX_CSU_NUM; i++) {
+		mmio_write_32(IMX_CSU_BASE + i * 4, CSU_CSL_OPEN_ACCESS);
+	}
+
+	/* config the aips access permission */
+	imx_aipstz_init(aipstz);
+
+	console_imx_uart_register(IMX_BOOT_UART_BASE, IMX_BOOT_UART_CLK_IN_HZ,
+		IMX_CONSOLE_BAUDRATE, &console);
+
+	generic_delay_timer_init();
+
+	/* select the CKIL source to 32K OSC */
+	mmio_write_32(0x30360124, 0x1);
+
+	imx8mm_usdhc_setup();
+
+	/* Open handles to a FIP image */
+	plat_imx8mm_io_setup();
+}
+
+void bl2_el3_plat_arch_setup(void)
+{
+}
+
+void bl2_platform_setup(void)
+{
+}
+
+int bl2_plat_handle_post_image_load(unsigned int image_id)
+{
+	int err = 0;
+	bl_mem_params_node_t *bl_mem_params = get_bl_mem_params_node(image_id);
+	bl_mem_params_node_t *pager_mem_params = NULL;
+	bl_mem_params_node_t *paged_mem_params = NULL;
+
+	assert(bl_mem_params);
+
+	switch (image_id) {
+	case BL32_IMAGE_ID:
+		pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
+		assert(pager_mem_params);
+
+		paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
+		assert(paged_mem_params);
+
+		err = parse_optee_header(&bl_mem_params->ep_info,
+					 &pager_mem_params->image_info,
+					 &paged_mem_params->image_info);
+		if (err != 0) {
+			WARN("OPTEE header parse error.\n");
+		}
+
+		break;
+	default:
+		/* Do nothing in default case */
+		break;
+	}
+
+	return err;
+}
+
+unsigned int plat_get_syscnt_freq2(void)
+{
+	return COUNTER_FREQUENCY;
+}
+
+void bl2_plat_runtime_setup(void)
+{
+	return;
+}
--- a/plat/imx/imx8m/imx8mm/imx8mm_bl2_mem_params_desc.c
+++ b/plat/imx/imx8m/imx8mm/imx8mm_bl2_mem_params_desc.c
+/*
+ * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch.h>
+#include <common/desc_image_load.h>
+#include <plat/common/platform.h>
+#include <platform_def.h>
+
+static bl_mem_params_node_t bl2_mem_params_descs[] = {
+	{
+		.image_id = BL31_IMAGE_ID,
+		SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2,
+				      entry_point_info_t,
+				      SECURE | EXECUTABLE | EP_FIRST_EXE),
+		.ep_info.pc = BL31_BASE,
+		.ep_info.spsr = SPSR_64(MODE_EL3, MODE_SP_ELX,
+					DISABLE_ALL_EXCEPTIONS),
+		SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t,
+				      IMAGE_ATTRIB_PLAT_SETUP),
+		.image_info.image_base = BL31_BASE,
+		.image_info.image_max_size = BL31_LIMIT - BL31_BASE,
+		.next_handoff_image_id = INVALID_IMAGE_ID,
+	},
+	{
+		.image_id = BL32_IMAGE_ID,
+
+		SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2,
+				      entry_point_info_t,
+				      SECURE | EXECUTABLE),
+		.ep_info.pc = BL32_BASE,
+
+		SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2,
+				      image_info_t, 0),
+
+		.image_info.image_base = BL32_BASE,
+		.image_info.image_max_size = BL32_SIZE,
+
+		.next_handoff_image_id = BL33_IMAGE_ID,
+	},
+	{
+		.image_id = BL32_EXTRA1_IMAGE_ID,
+
+		SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2,
+				      entry_point_info_t,
+				      SECURE | NON_EXECUTABLE),
+
+		SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2,
+				      image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
+		.image_info.image_base = BL32_BASE,
+		.image_info.image_max_size =  BL32_SIZE,
+
+		.next_handoff_image_id = INVALID_IMAGE_ID,
+	},
+	{
+		/* This is a zero sized image so we don't set base or size */
+		.image_id = BL32_EXTRA2_IMAGE_ID,
+
+		SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP,
+				      VERSION_2, entry_point_info_t,
+				      SECURE | NON_EXECUTABLE),
+
+		SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
+				      VERSION_2, image_info_t,
+				      IMAGE_ATTRIB_SKIP_LOADING),
+		.next_handoff_image_id = INVALID_IMAGE_ID,
+	},
+	{
+		.image_id = BL33_IMAGE_ID,
+		SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2,
+				      entry_point_info_t,
+				      NON_SECURE | EXECUTABLE),
+		# ifdef PRELOADED_BL33_BASE
+			.ep_info.pc = PLAT_NS_IMAGE_OFFSET,
+
+			SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
+					      VERSION_2, image_info_t,
+					      IMAGE_ATTRIB_SKIP_LOADING),
+		# else
+			.ep_info.pc = PLAT_NS_IMAGE_OFFSET,
+
+			SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
+					      VERSION_2, image_info_t, 0),
+			.image_info.image_base = PLAT_NS_IMAGE_OFFSET,
+			.image_info.image_max_size = PLAT_NS_IMAGE_SIZE,
+		# endif /* PRELOADED_BL33_BASE */
+
+		.next_handoff_image_id = INVALID_IMAGE_ID,
+	}
+};
+
+REGISTER_BL_IMAGE_DESCS(bl2_mem_params_descs);
--- a/plat/imx/imx8m/imx8mm/platform.mk
+++ b/plat/imx/imx8m/imx8mm/platform.mk
@@ -6,7 +6,9 @@

 PLAT_INCLUDES		:=	-Iplat/imx/common/include		\
 				-Iplat/imx/imx8m/include		\
-				-Iplat/imx/imx8m/imx8mm/include
+				-Iplat/imx/imx8m/imx8mm/include		\
+				-Idrivers/imx/usdhc			\
+				-Iinclude/common/tbbr

 # Include GICv3 driver files
 include drivers/arm/gic/v3/gicv3.mk
@@ -39,6 +41,94 @@ BL31_SOURCES		+=	plat/imx/common/imx8_helpers.S			\
 				drivers/delay_timer/generic_delay_timer.c	\
 				${IMX_GIC_SOURCES}

+ifeq (${NEED_BL2},yes)
+BL2_SOURCES		+=	common/desc_image_load.c			\
+				plat/imx/common/imx8_helpers.S			\
+				plat/imx/common/imx_uart_console.S		\
+				plat/imx/imx8m/imx8mm/imx8mm_bl2_el3_setup.c	\
+				plat/imx/imx8m/imx8mm/gpc.c			\
+				plat/imx/imx8m/imx_aipstz.c			\
+				plat/common/plat_psci_common.c			\
+				lib/xlat_tables/aarch64/xlat_tables.c		\
+				lib/xlat_tables/xlat_tables_common.c		\
+				lib/cpus/aarch64/cortex_a53.S			\
+				drivers/delay_timer/delay_timer.c		\
+				drivers/delay_timer/generic_delay_timer.c	\
+				${PLAT_GIC_SOURCES}				\
+				${PLAT_DRAM_SOURCES}				\
+				drivers/mmc/mmc.c				\
+				drivers/io/io_block.c				\
+				drivers/io/io_fip.c				\
+				drivers/io/io_memmap.c				\
+				drivers/io/io_storage.c				\
+				drivers/imx/usdhc/imx_usdhc.c			\
+				plat/imx/imx8m/imx8mm/imx8mm_bl2_mem_params_desc.c	\
+				plat/imx/imx8m/imx8mm/imx8mm_io_storage.c		\
+				plat/imx/imx8m/imx8mm/imx8mm_image_load.c		\
+				lib/optee/optee_utils.c
+endif
+
+# Add the build options to pack BLx images and kernel device tree
+# in the FIP if the platform requires.
+ifneq ($(BL2),)
+RESET_TO_BL31		:=	0
+$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
+endif
+ifneq ($(BL32_EXTRA1),)
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1))
+endif
+ifneq ($(BL32_EXTRA2),)
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2))
+endif
+ifneq ($(HW_CONFIG),)
+$(eval $(call TOOL_ADD_IMG,HW_CONFIG,--hw-config))
+endif
+
+ifeq (${NEED_BL2},yes)
+$(eval $(call add_define,NEED_BL2))
+LOAD_IMAGE_V2		:=	1
+# Non-TF Boot ROM
+BL2_AT_EL3		:=	1
+endif
+
+ifneq (${TRUSTED_BOARD_BOOT},0)
+
+include drivers/auth/mbedtls/mbedtls_crypto.mk
+include drivers/auth/mbedtls/mbedtls_x509.mk
+
+AUTH_SOURCES	:=	drivers/auth/auth_mod.c			\
+			drivers/auth/crypto_mod.c		\
+			drivers/auth/img_parser_mod.c		\
+			drivers/auth/tbbr/tbbr_cot_common.c     \
+			drivers/auth/tbbr/tbbr_cot_bl2.c
+
+BL2_SOURCES	+=	${AUTH_SOURCES}					\
+			plat/common/tbbr/plat_tbbr.c			\
+			plat/imx/imx8m/imx8mm/imx8mm_trusted_boot.c	\
+			plat/imx/imx8m/imx8mm/imx8mm_rotpk.S
+
+ROT_KEY             = $(BUILD_PLAT)/rot_key.pem
+ROTPK_HASH          = $(BUILD_PLAT)/rotpk_sha256.bin
+
+$(eval $(call add_define_val,ROTPK_HASH,'"$(ROTPK_HASH)"'))
+$(eval $(call MAKE_LIB_DIRS))
+
+$(BUILD_PLAT)/bl2/imx8mm_rotpk.o: $(ROTPK_HASH)
+
+certificates: $(ROT_KEY)
+
+$(ROT_KEY): | $(BUILD_PLAT)
+	@echo "  OPENSSL $@"
+	@if [ ! -f $(ROT_KEY) ]; then \
+		openssl genrsa 2048 > $@ 2>/dev/null; \
+	fi
+
+$(ROTPK_HASH): $(ROT_KEY)
+	@echo "  OPENSSL $@"
+	$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+	openssl dgst -sha256 -binary > $@ 2>/dev/null
+endif
+
 USE_COHERENT_MEM	:=	1
 RESET_TO_BL31		:=	1
 A53_DISABLE_NON_TEMPORAL_HINT := 0