From 2f473cc96a2722fb69b8166c10b7c7962243ecb2 Mon Sep 17 00:00:00 2001
From: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
Date: Sun, 23 Sep 2018 09:38:24 +0200
Subject: [PATCH] rcar_gen3: drivers: authentication

Signed-off-by: ldts <jramirez@baylibre.com>
---
 drivers/renesas/rcar/auth/auth_mod.c | 171 +++++++++++++++++++++++++++
 1 file changed, 171 insertions(+)
 create mode 100644 drivers/renesas/rcar/auth/auth_mod.c

diff --git a/drivers/renesas/rcar/auth/auth_mod.c b/drivers/renesas/rcar/auth/auth_mod.c
new file mode 100644
index 000000000..04ed27928
--- /dev/null
+++ b/drivers/renesas/rcar/auth/auth_mod.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2015-2017, Renesas Electronics Corporation. All rights
+ * reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch_helpers.h>
+#include <debug.h>
+#include <mmio.h>
+#include <platform.h>
+#include <platform_def.h>
+#include <stddef.h>
+
+#include "rom_api.h"
+
+typedef int32_t(*secure_boot_api_f) (uint32_t a, uint32_t b, void *c);
+extern int32_t rcar_get_certificate(const int32_t name, uint32_t *cert_addr);
+
+#define	RCAR_IMAGE_ID_MAX	(10)
+#define	RCAR_CERT_MAGIC_NUM	(0xE291F358U)
+#define RCAR_BOOT_KEY_CERT	(0xE6300C00U)
+#define RCAR_BOOT_KEY_CERT_NEW	(0xE6300F00U)
+#define	RST_BASE		(0xE6160000U)
+#define	RST_MODEMR		(RST_BASE + 0x0060U)
+#define	MFISSOFTMDR		(0xE6260600U)
+#define	MODEMR_MD5_MASK		(0x00000020U)
+#define	MODEMR_MD5_SHIFT	(5U)
+#define	SOFTMD_BOOTMODE_MASK	(0x00000001U)
+#define	SOFTMD_NORMALBOOT	(0x1U)
+
+static secure_boot_api_f secure_boot_api;
+
+int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id)
+{
+	return 1;
+}
+
+int auth_mod_verify_img(unsigned int img_id, void *ptr, unsigned int len)
+{
+	int32_t ret = 0, index = 0;
+	uint32_t cert_addr = 0U;
+	static const struct img_to_cert_t {
+		uint32_t id;
+		int32_t cert;
+		const char *name;
+	} image[RCAR_IMAGE_ID_MAX] = {
+		{ BL31_IMAGE_ID, SOC_FW_CONTENT_CERT_ID, "BL31" },
+		{ BL32_IMAGE_ID, TRUSTED_OS_FW_CONTENT_CERT_ID, "BL32" },
+		{ BL33_IMAGE_ID, NON_TRUSTED_FW_CONTENT_CERT_ID, "BL33" },
+		{ BL332_IMAGE_ID, BL332_CERT_ID, "BL332" },
+		{ BL333_IMAGE_ID, BL333_CERT_ID, "BL333" },
+		{ BL334_IMAGE_ID, BL334_CERT_ID, "BL334" },
+		{ BL335_IMAGE_ID, BL335_CERT_ID, "BL335" },
+		{ BL336_IMAGE_ID, BL336_CERT_ID, "BL336" },
+		{ BL337_IMAGE_ID, BL337_CERT_ID, "BL337" },
+		{ BL338_IMAGE_ID, BL338_CERT_ID, "BL338" },
+	};
+
+#if IMAGE_BL2
+	switch (img_id) {
+	case TRUSTED_KEY_CERT_ID:
+	case SOC_FW_KEY_CERT_ID:
+	case TRUSTED_OS_FW_KEY_CERT_ID:
+	case NON_TRUSTED_FW_KEY_CERT_ID:
+	case BL332_KEY_CERT_ID:
+	case BL333_KEY_CERT_ID:
+	case BL334_KEY_CERT_ID:
+	case BL335_KEY_CERT_ID:
+	case BL336_KEY_CERT_ID:
+	case BL337_KEY_CERT_ID:
+	case BL338_KEY_CERT_ID:
+	case SOC_FW_CONTENT_CERT_ID:
+	case TRUSTED_OS_FW_CONTENT_CERT_ID:
+	case NON_TRUSTED_FW_CONTENT_CERT_ID:
+	case BL332_CERT_ID:
+	case BL333_CERT_ID:
+	case BL334_CERT_ID:
+	case BL335_CERT_ID:
+	case BL336_CERT_ID:
+	case BL337_CERT_ID:
+	case BL338_CERT_ID:
+		return ret;
+	case BL31_IMAGE_ID:
+	case BL32_IMAGE_ID:
+	case BL33_IMAGE_ID:
+	case BL332_IMAGE_ID:
+	case BL333_IMAGE_ID:
+	case BL334_IMAGE_ID:
+	case BL335_IMAGE_ID:
+	case BL336_IMAGE_ID:
+	case BL337_IMAGE_ID:
+	case BL338_IMAGE_ID:
+		goto verify_image;
+	default:
+		return -1;
+	}
+
+verify_image:
+	for (index = 0; index < RCAR_IMAGE_ID_MAX; index++) {
+		if (img_id != image[index].id)
+			continue;
+
+		ret = rcar_get_certificate(image[index].cert, &cert_addr);
+		break;
+	}
+
+	if (ret || (index == RCAR_IMAGE_ID_MAX)) {
+		ERROR("Verification Failed for image id = %d\n", img_id);
+		return ret;
+	}
+#if RCAR_BL2_DCACHE == 1
+	/* clean and disable */
+	write_sctlr_el1(read_sctlr_el1() & ~SCTLR_C_BIT);
+	dcsw_op_all(DCCISW);
+#endif
+	ret = (mmio_read_32(RCAR_BOOT_KEY_CERT_NEW) == RCAR_CERT_MAGIC_NUM) ?
+	    secure_boot_api(RCAR_BOOT_KEY_CERT_NEW, cert_addr, NULL) :
+	    secure_boot_api(RCAR_BOOT_KEY_CERT, cert_addr, NULL);
+	if (ret)
+		ERROR("Verification Failed 0x%x, %s\n", ret, image[index].name);
+
+#if RCAR_BL2_DCACHE == 1
+	/* enable */
+	write_sctlr_el1(read_sctlr_el1() | SCTLR_C_BIT);
+#endif
+
+#endif
+	return ret;
+}
+
+static int32_t normal_boot_verify(uint32_t a, uint32_t b, void *c)
+{
+	return 0;
+}
+
+void auth_mod_init(void)
+{
+#if RCAR_SECURE_BOOT
+	uint32_t soft_md = mmio_read_32(MFISSOFTMDR) & SOFTMD_BOOTMODE_MASK;
+	uint32_t md = mmio_read_32(RST_MODEMR) & MODEMR_MD5_MASK;
+	uint32_t lcs, ret;
+
+	secure_boot_api = (secure_boot_api_f) &rcar_rom_secure_boot_api;
+
+	ret = rcar_rom_get_lcs(&lcs);
+	if (ret) {
+		ERROR("BL2: Failed to get the LCS. (%d)\n", ret);
+		panic();
+	}
+
+	switch (lcs) {
+	case LCS_SE:
+		if (soft_md == SOFTMD_NORMALBOOT)
+			secure_boot_api = &normal_boot_verify;
+		break;
+	case LCS_SD:
+		secure_boot_api = &normal_boot_verify;
+		break;
+	default:
+		if (md >> MODEMR_MD5_SHIFT)
+			secure_boot_api = &normal_boot_verify;
+	}
+
+	NOTICE("BL2: %s boot\n",
+	       secure_boot_api == &normal_boot_verify ? "Normal" : "Secure");
+#else
+	NOTICE("BL2: Normal boot\n");
+	secure_boot_api = &normal_boot_verify;
+#endif
+}