* [PATCH 1/4] optee: move optee_verify_header() to common
@ 2020-01-20 5:03 Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 2/4] ARM: add optee early loading function Rouven Czerwinski
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Rouven Czerwinski @ 2020-01-20 5:03 UTC (permalink / raw)
To: barebox; +Cc: Rouven Czerwinski
Subsequent patches will use this to verify the header in the PBL, move
it to common to make it potentially available for both.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
---
arch/arm/lib32/bootm.c | 12 +++---------
common/Makefile | 1 +
common/optee.c | 18 ++++++++++++++++++
include/tee/optee.h | 5 +++++
4 files changed, 27 insertions(+), 9 deletions(-)
create mode 100644 common/optee.c
diff --git a/arch/arm/lib32/bootm.c b/arch/arm/lib32/bootm.c
index 180624445d..d64e705c40 100644
--- a/arch/arm/lib32/bootm.c
+++ b/arch/arm/lib32/bootm.c
@@ -137,16 +137,10 @@ static int get_kernel_addresses(size_t image_size,
static int optee_verify_header_request_region(struct image_data *data, struct optee_header *hdr)
{
int ret = 0;
- if (hdr->magic != OPTEE_MAGIC) {
- pr_err("Invalid header magic 0x%08x, expected 0x%08x\n",
- hdr->magic, OPTEE_MAGIC);
- return -EINVAL;
- }
- if (hdr->arch != OPTEE_ARCH_ARM32 || hdr->init_load_addr_hi) {
- pr_err("Only 32bit supported\n");
- return -EINVAL;
- }
+ ret = optee_verify_header(hdr);
+ if (ret < 0)
+ return ret;
data->tee_res = request_sdram_region("TEE", hdr->init_load_addr_lo, hdr->init_size);
if (!data->tee_res) {
diff --git a/common/Makefile b/common/Makefile
index 10960169f9..fbdd74a9fd 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -66,6 +66,7 @@ obj-$(CONFIG_BAREBOX_UPDATE_IMX_NAND_FCB) += imx-bbu-nand-fcb.o
obj-$(CONFIG_BOOT) += boot.o
obj-$(CONFIG_SERIAL_DEV_BUS) += serdev.o
obj-$(CONFIG_USBGADGET_START) += usbgadget.o
+obj-$(CONFIG_BOOTM_OPTEE) += optee.o
ifdef CONFIG_PASSWORD
diff --git a/common/optee.c b/common/optee.c
new file mode 100644
index 0000000000..1516c07db4
--- /dev/null
+++ b/common/optee.c
@@ -0,0 +1,18 @@
+#include <tee/optee.h>
+#include <printk.h>
+#include <asm-generic/errno.h>
+
+int optee_verify_header (struct optee_header *hdr) {
+ if (hdr->magic != OPTEE_MAGIC) {
+ pr_err("Invalid header magic 0x%08x, expected 0x%08x\n",
+ hdr->magic, OPTEE_MAGIC);
+ return -EINVAL;
+ }
+
+ if (hdr->arch != OPTEE_ARCH_ARM32 || hdr->init_load_addr_hi) {
+ pr_err("Only 32bit supported\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
diff --git a/include/tee/optee.h b/include/tee/optee.h
index 8cfe06d889..9fb27fcec0 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -10,6 +10,9 @@
#ifndef _OPTEE_H
#define _OPTEE_H
+#include <types.h>
+#include <asm-generic/errno.h>
+
#define OPTEE_MAGIC 0x4554504f
#define OPTEE_VERSION 1
#define OPTEE_ARCH_ARM32 0
@@ -27,4 +30,6 @@ struct optee_header {
uint32_t paged_size;
};
+int optee_verify_header (struct optee_header *hdr);
+
#endif /* _OPTEE_H */
--
2.25.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/4] ARM: add optee early loading function
2020-01-20 5:03 [PATCH 1/4] optee: move optee_verify_header() to common Rouven Czerwinski
@ 2020-01-20 5:03 ` Rouven Czerwinski
2020-01-20 8:21 ` Sascha Hauer
2020-01-20 5:03 ` [PATCH 3/4] ARM: mach-imx: OPTEE PBL configures PL210 Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 4/4] user: add documentation for OP-TEE loading Rouven Czerwinski
2 siblings, 1 reply; 5+ messages in thread
From: Rouven Czerwinski @ 2020-01-20 5:03 UTC (permalink / raw)
To: barebox; +Cc: Rouven Czerwinski
Add a OP-TEE early loading function which expects a pointer to a valid
tee binary and the device tree. OP-TEE will then be started and barebox
will continue to run in normal mode.
The function start_optee_early should be used in a boards lowlevel.c
file. Ensure that barebox has been relocated and a proper c environment
has been setup beforehand. Depending on the OP-TEE configuration, the
fdt will be modified. If the internal barebox device tree is passed,
OP-TEE will overwrite barebox PBL memory during this modification. Copy
the fdt to a save memory location beforehand to avoid a corruption of
barebox PBL memory.
This also moves the OP-TEE Kconfig symbols into a separate menu.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
---
arch/arm/lib32/Makefile | 3 ++
arch/arm/lib32/optee-early.c | 29 ++++++++++++++++
common/Kconfig | 54 ++++++++++++++++++-----------
common/Makefile | 1 +
include/asm-generic/memory_layout.h | 4 +--
include/tee/optee.h | 6 ++++
6 files changed, 74 insertions(+), 23 deletions(-)
create mode 100644 arch/arm/lib32/optee-early.c
diff --git a/arch/arm/lib32/Makefile b/arch/arm/lib32/Makefile
index cd43147e66..18f6973fcc 100644
--- a/arch/arm/lib32/Makefile
+++ b/arch/arm/lib32/Makefile
@@ -28,3 +28,6 @@ extra-y += barebox.lds
pbl-y += lib1funcs.o
pbl-y += ashldi3.o
pbl-y += div0.o
+
+pbl-$(CONFIG_PBL_OPTEE) += setjmp.o
+pbl-$(CONFIG_PBL_OPTEE) += optee-early.o
diff --git a/arch/arm/lib32/optee-early.c b/arch/arm/lib32/optee-early.c
new file mode 100644
index 0000000000..f1755e075f
--- /dev/null
+++ b/arch/arm/lib32/optee-early.c
@@ -0,0 +1,29 @@
+#include <asm/cache.h>
+#include <asm/setjmp.h>
+#include <tee/optee.h>
+#include <debug_ll.h>
+
+jmp_buf tee_buf;
+
+int start_optee_early(void* fdt, void* tee) {
+ void (*tee_start)(void* r0, void* r1, void* r2);
+ struct optee_header *hdr;
+ int ret = 0;
+
+ hdr = tee;
+ ret = optee_verify_header(hdr);
+ if (ret < 0)
+ return ret;
+
+ memcpy((void *)hdr->init_load_addr_lo, tee + sizeof(*hdr), hdr->init_size);
+ tee_start = (void *) hdr->init_load_addr_lo;
+ ret = 1;
+ ret = setjmp(tee_buf);
+ if (ret == 0) {
+ sync_caches_for_execution();
+ tee_start(0, 0, fdt);
+ longjmp(tee_buf, 1);
+ }
+
+ return 0;
+}
diff --git a/common/Kconfig b/common/Kconfig
index 60237d3056..25587d1927 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -643,27 +643,6 @@ config BOOTM_FORCE_SIGNED_IMAGES
are refused to boot. Effectively this means only FIT images can be booted
since they are the only supported image type that support signing.
-config BOOTM_OPTEE
- bool
- prompt "support booting OP-TEE"
- depends on BOOTM && ARM
- help
- OP-TEE is a trusted execution environment (TEE). With this option
- enabled barebox supports starting optee_os as part of the bootm command.
- Instead of the kernel bootm starts the optee_os binary which then starts
- the kernel in nonsecure mode. Pass the optee_os binary with the -t option
- or in the global.bootm.tee variable.
-
-config BOOTM_OPTEE_SIZE
- hex
- default 0x02000000
- prompt "OP-TEE Memory Size"
- depends on BOOTM_OPTEE
- help
- Size to reserve in main memory for OP-TEE.
- Can be smaller than the actual size used by OP-TEE, this is used to prevent
- barebox from allocating memory in this area.
-
config BLSPEC
depends on FLEXIBLE_BOOTARGS
depends on !SHELL_NONE
@@ -1000,6 +979,39 @@ config MACHINE_ID
Note: if no hashable information is available no machine id will be passed
to the kernel.
+menu "OP-TEE loading"
+
+config OPTEE_SIZE
+ hex
+ default 0x02000000
+ prompt "OP-TEE Memory Size"
+ depends on BOOTM_OPTEE || PBL_OPTEE
+ help
+ Size to reserve in main memory for OP-TEE.
+ Can be smaller than the actual size used by OP-TEE, this is used to prevent
+ barebox from allocating memory in this area.
+
+config BOOTM_OPTEE
+ bool
+ prompt "support booting OP-TEE"
+ depends on BOOTM && ARM
+ help
+ OP-TEE is a trusted execution environment (TEE). With this option
+ enabled barebox supports starting optee_os as part of the bootm command.
+ Instead of the kernel bootm starts the optee_os binary which then starts
+ the kernel in nonsecure mode. Pass the optee_os binary with the -t option
+ or in the global.bootm.tee variable.
+
+config PBL_OPTEE
+ bool "Enable OP-TEE early start"
+ depends on ARM
+ depends on !THUMB2_BAREBOX
+ help
+ Allows starting OP-TEE during lowlevel initialization of the PBL.
+ Requires explicit support in the boards lowlevel file.
+
+endmenu
+
endmenu
menu "Debugging"
diff --git a/common/Makefile b/common/Makefile
index fbdd74a9fd..8312e88572 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -66,6 +66,7 @@ obj-$(CONFIG_BAREBOX_UPDATE_IMX_NAND_FCB) += imx-bbu-nand-fcb.o
obj-$(CONFIG_BOOT) += boot.o
obj-$(CONFIG_SERIAL_DEV_BUS) += serdev.o
obj-$(CONFIG_USBGADGET_START) += usbgadget.o
+pbl-$(CONFIG_PBL_OPTEE) += optee.o
obj-$(CONFIG_BOOTM_OPTEE) += optee.o
ifdef CONFIG_PASSWORD
diff --git a/include/asm-generic/memory_layout.h b/include/asm-generic/memory_layout.h
index 3f69664aa0..0d7ce3fe02 100644
--- a/include/asm-generic/memory_layout.h
+++ b/include/asm-generic/memory_layout.h
@@ -11,8 +11,8 @@
#define MALLOC_BASE CONFIG_MALLOC_BASE
#endif
-#ifdef CONFIG_BOOTM_OPTEE_SIZE
-#define OPTEE_SIZE CONFIG_BOOTM_OPTEE_SIZE
+#ifdef CONFIG_OPTEE_SIZE
+#define OPTEE_SIZE CONFIG_OPTEE_SIZE
#else
#define OPTEE_SIZE 0
#endif
diff --git a/include/tee/optee.h b/include/tee/optee.h
index 9fb27fcec0..fa124236ba 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -32,4 +32,10 @@ struct optee_header {
int optee_verify_header (struct optee_header *hdr);
+#ifdef __PBL__
+
+int start_optee_early(void* fdt, void* tee);
+
+#endif /* __PBL__ */
+
#endif /* _OPTEE_H */
--
2.25.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/4] ARM: add optee early loading function
2020-01-20 5:03 ` [PATCH 2/4] ARM: add optee early loading function Rouven Czerwinski
@ 2020-01-20 8:21 ` Sascha Hauer
0 siblings, 0 replies; 5+ messages in thread
From: Sascha Hauer @ 2020-01-20 8:21 UTC (permalink / raw)
To: Rouven Czerwinski; +Cc: barebox
On Mon, Jan 20, 2020 at 06:03:28AM +0100, Rouven Czerwinski wrote:
> Add a OP-TEE early loading function which expects a pointer to a valid
> tee binary and the device tree. OP-TEE will then be started and barebox
> will continue to run in normal mode.
>
> The function start_optee_early should be used in a boards lowlevel.c
> file. Ensure that barebox has been relocated and a proper c environment
> has been setup beforehand. Depending on the OP-TEE configuration, the
> fdt will be modified. If the internal barebox device tree is passed,
> OP-TEE will overwrite barebox PBL memory during this modification. Copy
> the fdt to a save memory location beforehand to avoid a corruption of
s/save/safe/
> barebox PBL memory.
>
> This also moves the OP-TEE Kconfig symbols into a separate menu.
>
> Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
> ---
> arch/arm/lib32/Makefile | 3 ++
> arch/arm/lib32/optee-early.c | 29 ++++++++++++++++
> common/Kconfig | 54 ++++++++++++++++++-----------
> common/Makefile | 1 +
> include/asm-generic/memory_layout.h | 4 +--
> include/tee/optee.h | 6 ++++
> 6 files changed, 74 insertions(+), 23 deletions(-)
> create mode 100644 arch/arm/lib32/optee-early.c
>
> diff --git a/arch/arm/lib32/Makefile b/arch/arm/lib32/Makefile
> index cd43147e66..18f6973fcc 100644
> --- a/arch/arm/lib32/Makefile
> +++ b/arch/arm/lib32/Makefile
> @@ -28,3 +28,6 @@ extra-y += barebox.lds
> pbl-y += lib1funcs.o
> pbl-y += ashldi3.o
> pbl-y += div0.o
> +
> +pbl-$(CONFIG_PBL_OPTEE) += setjmp.o
This should be in the patch adding setjmp/longjmp support. Where is it
btw?
> +pbl-$(CONFIG_PBL_OPTEE) += optee-early.o
> diff --git a/arch/arm/lib32/optee-early.c b/arch/arm/lib32/optee-early.c
> new file mode 100644
> index 0000000000..f1755e075f
> --- /dev/null
> +++ b/arch/arm/lib32/optee-early.c
> @@ -0,0 +1,29 @@
spdx?
> +#include <asm/cache.h>
> +#include <asm/setjmp.h>
> +#include <tee/optee.h>
> +#include <debug_ll.h>
> +
> +jmp_buf tee_buf;
static?
> +
> +int start_optee_early(void* fdt, void* tee) {
Coding style nitpick: opening braces of a function should be on the next
line. Also, should be "void *fdt", not "void* fdt"
> + void (*tee_start)(void* r0, void* r1, void* r2);
> + struct optee_header *hdr;
> + int ret = 0;
Unnecessary initialization.
> +
> + hdr = tee;
> + ret = optee_verify_header(hdr);
> + if (ret < 0)
> + return ret;
> +
> + memcpy((void *)hdr->init_load_addr_lo, tee + sizeof(*hdr), hdr->init_size);
> + tee_start = (void *) hdr->init_load_addr_lo;
> + ret = 1;
Why?
> + ret = setjmp(tee_buf);
> + if (ret == 0) {
> + sync_caches_for_execution();
> + tee_start(0, 0, fdt);
> + longjmp(tee_buf, 1);
> + }
Some comment like "We use setjmp/longjmp here because OP-TEE clobbers
most registers" would be nice here.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 3/4] ARM: mach-imx: OPTEE PBL configures PL210
2020-01-20 5:03 [PATCH 1/4] optee: move optee_verify_header() to common Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 2/4] ARM: add optee early loading function Rouven Czerwinski
@ 2020-01-20 5:03 ` Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 4/4] user: add documentation for OP-TEE loading Rouven Czerwinski
2 siblings, 0 replies; 5+ messages in thread
From: Rouven Czerwinski @ 2020-01-20 5:03 UTC (permalink / raw)
To: barebox; +Cc: Rouven Czerwinski
If OP-TEE early loading is performed, OP-TEE will configure the PL210
and lock access to the controller from the normal world. Skip the
configuration in this case.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
---
arch/arm/mach-imx/imx6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/mach-imx/imx6.c b/arch/arm/mach-imx/imx6.c
index 41e0066add..f2311efd92 100644
--- a/arch/arm/mach-imx/imx6.c
+++ b/arch/arm/mach-imx/imx6.c
@@ -278,7 +278,7 @@ static int imx6_mmu_init(void)
void __iomem *l2x0_base = IOMEM(0x00a02000);
u32 val, cache_part, cache_rtl;
- if (!cpu_is_mx6())
+ if (!cpu_is_mx6() || IS_ENABLED(CONFIG_PBL_OPTEE))
return 0;
val = readl(l2x0_base + L2X0_CACHE_ID);
--
2.25.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 4/4] user: add documentation for OP-TEE loading
2020-01-20 5:03 [PATCH 1/4] optee: move optee_verify_header() to common Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 2/4] ARM: add optee early loading function Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 3/4] ARM: mach-imx: OPTEE PBL configures PL210 Rouven Czerwinski
@ 2020-01-20 5:03 ` Rouven Czerwinski
2 siblings, 0 replies; 5+ messages in thread
From: Rouven Czerwinski @ 2020-01-20 5:03 UTC (permalink / raw)
To: barebox; +Cc: Rouven Czerwinski
Some rudimentary documentation how to load OP-TEE.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
---
Documentation/user/optee.rst | 29 +++++++++++++++++++++++++++++
Documentation/user/user-manual.rst | 1 +
2 files changed, 30 insertions(+)
create mode 100644 Documentation/user/optee.rst
diff --git a/Documentation/user/optee.rst b/Documentation/user/optee.rst
new file mode 100644
index 0000000000..950917b446
--- /dev/null
+++ b/Documentation/user/optee.rst
@@ -0,0 +1,29 @@
+
+.. _optee:
+
+OP-TEE
+======
+
+Barebox is able to start the Open Portable Trusted Execution Environment
+(OP-TEE) either before starting the linux kernel or during lowlevel board
+initialization in the Pre Bootloader ``PBL``.
+
+Before Linux start
+------------------
+Enable the `CONFIG_BOOTM_OPTEE` configuration variable and configure the
+`CONFIG_OPTEE_SIZE` variable. This will reserve a memory area at the end
+of memory for OP-TEE to run, usually Barebox would relocate itself there. To
+load OP-TEE before the kernel is started, configure the global ``bootm.tee``
+variable to point to a valid OPTEE v1 binary.
+
+During the PBL
+--------------
+To start OP-TEE during the lowlevel initialization of your board in the ``PBL``,
+enable the ``CONFIG_PBL_OPTEE`` configuration variable. your board should then
+call the function ``start_optee_early(void* tee, void* fdt)`` with a valid tee
+and FDT. Ensure that your OP-TEE is compiled with ``CFG_NS_ENTRY_ADDR`` unset,
+otherwise OP-TEE will not correctly return to barebox after startup.
+Since OP-TEE in the default configuration also modifies the device tree, don't
+pass the barebox internal device tree, instead copy it into a different memory
+location and pass it to OP-TEE afterwards.
+The modified device tree can then be passed to the main barebox start function.
diff --git a/Documentation/user/user-manual.rst b/Documentation/user/user-manual.rst
index 41fdb8805c..827683eaa0 100644
--- a/Documentation/user/user-manual.rst
+++ b/Documentation/user/user-manual.rst
@@ -33,6 +33,7 @@ Contents:
system-reset
state
random
+ optee
debugging
watchdog
--
2.25.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-01-20 8:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-20 5:03 [PATCH 1/4] optee: move optee_verify_header() to common Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 2/4] ARM: add optee early loading function Rouven Czerwinski
2020-01-20 8:21 ` Sascha Hauer
2020-01-20 5:03 ` [PATCH 3/4] ARM: mach-imx: OPTEE PBL configures PL210 Rouven Czerwinski
2020-01-20 5:03 ` [PATCH 4/4] user: add documentation for OP-TEE loading Rouven Czerwinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox