From fedbc0497bb0407fc1d55430eae1938712f1afe8 Mon Sep 17 00:00:00 2001
From: Juan Castillo
Date: Mon, 17 Aug 2015 10:43:27 +0100
Subject: [PATCH] TBB: abort boot if BL3-2 cannot be authenticated

BL3-2 image (Secure Payload) is optional. If the image cannot be loaded a warning message is printed and the boot process continues. According to the TBBR document, this behaviour should not apply in case of an authentication error, where the boot process should be aborted.

This patch modifies the load_auth_image() function to distinguish between a load error and an authentication error. The caller uses the return value to abort the boot process or continue. In case of authentication error, the memory region used to store the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
---
 bl2/bl2_main.c | 10 ++++++++--
 common/bl_common.c | 13 +++++++++----
 include/common/bl_common.h | 9 +++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index 4c1900252..71940a62c 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -238,8 +238,14 @@ void bl2_main(void)
 	}
 
 	e = load_bl32(bl2_to_bl31_params);
-	if (e)
-		WARN("Failed to load BL3-2 (%i)\n", e);
+	if (e) {
+		if (e == LOAD_AUTH_ERR) {
+			ERROR("Failed to authenticate BL3-2\n");
+			panic();
+		} else {
+			WARN("Failed to load BL3-2 (%i)\n", e);
+		}
+	}
 
 	e = load_bl33(bl2_to_bl31_params);
 	if (e) {
diff --git a/common/bl_common.c b/common/bl_common.c
index b8558a69d..3088cb066 100644
--- a/common/bl_common.c
+++ b/common/bl_common.c
@@ -37,6 +37,7 @@
 #include
 #include
 #include
+#include
 
 unsigned long page_align(unsigned long value, unsigned dir)
 {
@@ -331,7 +332,7 @@ int load_auth_image(meminfo_t *mem_layout,
 	if (rc == 0) {
 		rc = load_auth_image(mem_layout, parent_id, image_base,
 				     image_data, NULL);
-		if (rc != IO_SUCCESS) {
+		if (rc != LOAD_SUCCESS) {
 			return rc;
 		}
 	}
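Review bot: The fail-closed decision on the new `if (e == LOAD_AUTH_ERR)` line in bl2/bl2_main.c rests on load_bl32() handing back load_auth_image()'s return value unchanged, and load_bl32() is platform code outside this patch; a platform wrapper that folds every failure into one generic code would silently demote an authentication failure to the WARN path. A comment at the call site would pin that contract, e.g. `/* load_bl32() must propagate load_auth_image()'s LOAD_* codes: only LOAD_AUTH_ERR aborts the boot. */`, and the in-tree load_bl32() implementations deserve a check that they do. The `%i` in the retained WARN now prints the LOAD_ERR enumerator rather than the I/O error, because the @@ -341 hunk in common/bl_common.c maps every load_image() failure to `LOAD_ERR`; either drop the `(%i)` or log the io_storage code inside load_auth_image() before returning. The `if (e)` test also depends on LOAD_SUCCESS being the first enumerator of the new enum (value 0). The enclosing bl2_main() starts and ends outside the hunk.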
@@ -341,7 +342,7 @@ int load_auth_image(meminfo_t *mem_layout,
 	rc = load_image(mem_layout, image_id, image_base, image_data,
 			entry_point_info);
 	if (rc != IO_SUCCESS) {
-		return rc;
+		return LOAD_ERR;
 	}
 
 #if TRUSTED_BOARD_BOOT
@@ -350,7 +351,11 @@ int load_auth_image(meminfo_t *mem_layout,
 			      (void *)image_data->image_base,
 			      image_data->image_size);
 	if (rc != 0) {
-		return IO_FAIL;
+		memset((void *)image_data->image_base, 0x00,
+		       image_data->image_size);
+		flush_dcache_range(image_data->image_base,
+				   image_data->image_size);
+		return LOAD_AUTH_ERR;
 	}
 
 	/* After working with data, invalidate the data cache */
@@ -358,5 +363,5 @@ int load_auth_image(meminfo_t *mem_layout,
 			      (size_t)image_data->image_size);
 #endif /* TRUSTED_BOARD_BOOT */
 
-	return IO_SUCCESS;
+	return LOAD_SUCCESS;
 }
diff --git a/include/common/bl_common.h b/include/common/bl_common.h
index b1a9c8f61..66244ca93 100644
--- a/include/common/bl_common.h
+++ b/include/common/bl_common.h
@@ -202,6 +202,15 @@ typedef struct bl31_params {
 	image_info_t *bl33_image_info;
 } bl31_params_t;
 
+/*
+ * load_auth_image() return values
+ */
+enum {
+	LOAD_SUCCESS,		/* Load + authentication success */
+	LOAD_ERR,		/* Load error */
+	LOAD_AUTH_ERR		/* Authentication error */
+};
+
 /*
  * Compile time assertions related to the 'entry_point_info' structure to
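Review bot: The new return contract and the wipe-on-failure side effect in the @@ -350 hunk of common/bl_common.c are not documented: load_auth_image() now returns LOAD_SUCCESS, LOAD_ERR or LOAD_AUTH_ERR and zeroes the destination region on an authentication failure, but the function's header comment lies outside the hunk, and any caller still comparing against IO_SUCCESS/IO_FAIL will keep compiling. Suggested wording for that header: `Returns LOAD_SUCCESS, LOAD_ERR if the image could not be read, or LOAD_AUTH_ERR if it was loaded but failed authentication; in the latter case the image region is zeroed and flushed before returning.` Note also that `image_data->image_base`/`image_size` still describe the now-zeroed region and `entry_point_info` keeps whatever load_image() may have written into it, so a caller that ignores the return value could still consume them; setting `image_data->image_size = 0;` after the memset would make the failure visible there too. The wipe sits between the `#if TRUSTED_BOARD_BOOT` shown in the @@ -341 hunk and the `#endif` in the @@ -358 hunk, so non-TBB builds are unaffected. load_auth_image() starts and ends outside the hunk.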