Merge git://www.denx.de/git/u-boot-marvell
This commit is contained in:
commit
f77309d343
3
Makefile
3
Makefile
|
@ -957,7 +957,8 @@ MKIMAGEFLAGS_u-boot.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
|
||||||
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
|
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
|
||||||
|
|
||||||
MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
|
MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
|
||||||
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE)
|
-T kwbimage -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_TEXT_BASE) \
|
||||||
|
$(if $(KEYDIR),-k $(KEYDIR))
|
||||||
|
|
||||||
MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \
|
MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \
|
||||||
-R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage
|
-R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage
|
||||||
|
|
|
@ -1,5 +1,9 @@
|
||||||
if ARCH_MVEBU
|
if ARCH_MVEBU
|
||||||
|
|
||||||
|
config HAVE_MVEBU_EFUSE
|
||||||
|
bool
|
||||||
|
default n
|
||||||
|
|
||||||
config ARMADA_32BIT
|
config ARMADA_32BIT
|
||||||
bool
|
bool
|
||||||
select CPU_V7
|
select CPU_V7
|
||||||
|
@ -23,6 +27,7 @@ config ARMADA_375
|
||||||
config ARMADA_38X
|
config ARMADA_38X
|
||||||
bool
|
bool
|
||||||
select ARMADA_32BIT
|
select ARMADA_32BIT
|
||||||
|
select HAVE_MVEBU_EFUSE
|
||||||
|
|
||||||
config ARMADA_XP
|
config ARMADA_XP
|
||||||
bool
|
bool
|
||||||
|
@ -146,4 +151,34 @@ config SYS_VENDOR
|
||||||
config SYS_SOC
|
config SYS_SOC
|
||||||
default "mvebu"
|
default "mvebu"
|
||||||
|
|
||||||
|
config MVEBU_EFUSE
|
||||||
|
bool "Enable eFuse support"
|
||||||
|
default n
|
||||||
|
depends on HAVE_MVEBU_EFUSE
|
||||||
|
help
|
||||||
|
Enable support for reading and writing eFuses on mvebu SoCs.
|
||||||
|
|
||||||
|
config MVEBU_EFUSE_FAKE
|
||||||
|
bool "Fake eFuse access (dry run)"
|
||||||
|
default n
|
||||||
|
depends on MVEBU_EFUSE
|
||||||
|
help
|
||||||
|
This enables a "dry run" mode where eFuses are not really programmed.
|
||||||
|
Instead the eFuse accesses are emulated by writing to and reading
|
||||||
|
from a memory block.
|
||||||
|
This is can be used for testing prog scripts.
|
||||||
|
|
||||||
|
config SECURED_MODE_IMAGE
|
||||||
|
bool "Build image for trusted boot"
|
||||||
|
default false
|
||||||
|
depends on 88F6820
|
||||||
|
help
|
||||||
|
Build an image that employs the ARMADA SoC's trusted boot framework
|
||||||
|
for securely booting images.
|
||||||
|
|
||||||
|
config SECURED_MODE_CSK_INDEX
|
||||||
|
int "Index of active CSK"
|
||||||
|
default 0
|
||||||
|
depends on SECURED_MODE_IMAGE
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
|
@ -27,6 +27,7 @@ ifndef CONFIG_SPL_BUILD
|
||||||
obj-$(CONFIG_ARMADA_375) += ../../../drivers/ddr/marvell/axp/xor.o
|
obj-$(CONFIG_ARMADA_375) += ../../../drivers/ddr/marvell/axp/xor.o
|
||||||
obj-$(CONFIG_ARMADA_38X) += ../../../drivers/ddr/marvell/a38x/xor.o
|
obj-$(CONFIG_ARMADA_38X) += ../../../drivers/ddr/marvell/a38x/xor.o
|
||||||
obj-$(CONFIG_ARMADA_XP) += ../../../drivers/ddr/marvell/axp/xor.o
|
obj-$(CONFIG_ARMADA_XP) += ../../../drivers/ddr/marvell/axp/xor.o
|
||||||
|
obj-$(CONFIG_MVEBU_EFUSE) += efuse.o
|
||||||
endif # CONFIG_SPL_BUILD
|
endif # CONFIG_SPL_BUILD
|
||||||
obj-y += gpio.o
|
obj-y += gpio.o
|
||||||
obj-y += mbus.o
|
obj-y += mbus.o
|
||||||
|
|
|
@ -0,0 +1,264 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015-2016 Reinhard Pfau <reinhard.pfau@gdsys.cc>
|
||||||
|
*
|
||||||
|
* SPDX-License-Identifier: GPL-2.0+
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <config.h>
|
||||||
|
#include <common.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <asm/io.h>
|
||||||
|
#include <asm/arch/cpu.h>
|
||||||
|
#include <asm/arch/efuse.h>
|
||||||
|
#include <asm/arch/soc.h>
|
||||||
|
#include <linux/mbus.h>
|
||||||
|
|
||||||
|
#if defined(CONFIG_MVEBU_EFUSE_FAKE)
|
||||||
|
#define DRY_RUN
|
||||||
|
#else
|
||||||
|
#undef DRY_RUN
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define MBUS_EFUSE_BASE 0xF6000000
|
||||||
|
#define MBUS_EFUSE_SIZE BIT(20)
|
||||||
|
|
||||||
|
#define MVEBU_EFUSE_CONTROL (MVEBU_REGISTER(0xE4008))
|
||||||
|
|
||||||
|
enum {
|
||||||
|
MVEBU_EFUSE_CTRL_PROGRAM_ENABLE = (1 << 31),
|
||||||
|
};
|
||||||
|
|
||||||
|
struct mvebu_hd_efuse {
|
||||||
|
u32 bits_31_0;
|
||||||
|
u32 bits_63_32;
|
||||||
|
u32 bit64;
|
||||||
|
u32 reserved0;
|
||||||
|
};
|
||||||
|
|
||||||
|
#ifndef DRY_RUN
|
||||||
|
static struct mvebu_hd_efuse *efuses =
|
||||||
|
(struct mvebu_hd_efuse *)(MBUS_EFUSE_BASE + 0xF9000);
|
||||||
|
#else
|
||||||
|
static struct mvebu_hd_efuse efuses[EFUSE_LINE_MAX + 1];
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static int efuse_initialised;
|
||||||
|
|
||||||
|
static struct mvebu_hd_efuse *get_efuse_line(int nr)
|
||||||
|
{
|
||||||
|
if (nr < 0 || nr > 63 || !efuse_initialised)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
return efuses + nr;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void enable_efuse_program(void)
|
||||||
|
{
|
||||||
|
#ifndef DRY_RUN
|
||||||
|
setbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
static void disable_efuse_program(void)
|
||||||
|
{
|
||||||
|
#ifndef DRY_RUN
|
||||||
|
clrbits_le32(MVEBU_EFUSE_CONTROL, MVEBU_EFUSE_CTRL_PROGRAM_ENABLE);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
static int do_prog_efuse(struct mvebu_hd_efuse *efuse,
|
||||||
|
struct efuse_val *new_val, u32 mask0, u32 mask1)
|
||||||
|
{
|
||||||
|
struct efuse_val val;
|
||||||
|
|
||||||
|
val.dwords.d[0] = readl(&efuse->bits_31_0);
|
||||||
|
val.dwords.d[1] = readl(&efuse->bits_63_32);
|
||||||
|
val.lock = readl(&efuse->bit64);
|
||||||
|
|
||||||
|
if (val.lock & 1)
|
||||||
|
return -EPERM;
|
||||||
|
|
||||||
|
val.dwords.d[0] |= (new_val->dwords.d[0] & mask0);
|
||||||
|
val.dwords.d[1] |= (new_val->dwords.d[1] & mask1);
|
||||||
|
val.lock |= new_val->lock;
|
||||||
|
|
||||||
|
writel(val.dwords.d[0], &efuse->bits_31_0);
|
||||||
|
mdelay(1);
|
||||||
|
writel(val.dwords.d[1], &efuse->bits_63_32);
|
||||||
|
mdelay(1);
|
||||||
|
writel(val.lock, &efuse->bit64);
|
||||||
|
mdelay(5);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int prog_efuse(int nr, struct efuse_val *new_val, u32 mask0, u32 mask1)
|
||||||
|
{
|
||||||
|
struct mvebu_hd_efuse *efuse;
|
||||||
|
int res = 0;
|
||||||
|
|
||||||
|
res = mvebu_efuse_init_hw();
|
||||||
|
if (res)
|
||||||
|
return res;
|
||||||
|
|
||||||
|
efuse = get_efuse_line(nr);
|
||||||
|
if (!efuse)
|
||||||
|
return -ENODEV;
|
||||||
|
|
||||||
|
if (!new_val)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
/* only write a fuse line with lock bit */
|
||||||
|
if (!new_val->lock)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
/* according to specs ECC protection bits must be 0 on write */
|
||||||
|
if (new_val->bytes.d[7] & 0xFE)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (!new_val->dwords.d[0] && !new_val->dwords.d[1] && (mask0 | mask1))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
enable_efuse_program();
|
||||||
|
|
||||||
|
res = do_prog_efuse(efuse, new_val, mask0, mask1);
|
||||||
|
|
||||||
|
disable_efuse_program();
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
int mvebu_efuse_init_hw(void)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if (efuse_initialised)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
ret = mvebu_mbus_add_window_by_id(
|
||||||
|
CPU_TARGET_SATA23_DFX, 0xA, MBUS_EFUSE_BASE, MBUS_EFUSE_SIZE);
|
||||||
|
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
efuse_initialised = 1;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int mvebu_read_efuse(int nr, struct efuse_val *val)
|
||||||
|
{
|
||||||
|
struct mvebu_hd_efuse *efuse;
|
||||||
|
int res;
|
||||||
|
|
||||||
|
res = mvebu_efuse_init_hw();
|
||||||
|
if (res)
|
||||||
|
return res;
|
||||||
|
|
||||||
|
efuse = get_efuse_line(nr);
|
||||||
|
if (!efuse)
|
||||||
|
return -ENODEV;
|
||||||
|
|
||||||
|
if (!val)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
val->dwords.d[0] = readl(&efuse->bits_31_0);
|
||||||
|
val->dwords.d[1] = readl(&efuse->bits_63_32);
|
||||||
|
val->lock = readl(&efuse->bit64);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int mvebu_write_efuse(int nr, struct efuse_val *val)
|
||||||
|
{
|
||||||
|
return prog_efuse(nr, val, ~0, ~0);
|
||||||
|
}
|
||||||
|
|
||||||
|
int mvebu_lock_efuse(int nr)
|
||||||
|
{
|
||||||
|
struct efuse_val val = {
|
||||||
|
.lock = 1,
|
||||||
|
};
|
||||||
|
|
||||||
|
return prog_efuse(nr, &val, 0, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* wrapper funcs providing the fuse API
|
||||||
|
*
|
||||||
|
* we use the following mapping:
|
||||||
|
* "bank" -> eFuse line
|
||||||
|
* "word" -> 0: bits 0-31
|
||||||
|
* 1: bits 32-63
|
||||||
|
* 2: bit 64 (lock)
|
||||||
|
*/
|
||||||
|
|
||||||
|
static struct efuse_val prog_val;
|
||||||
|
static int valid_prog_words;
|
||||||
|
|
||||||
|
int fuse_read(u32 bank, u32 word, u32 *val)
|
||||||
|
{
|
||||||
|
struct efuse_val fuse_line;
|
||||||
|
int res;
|
||||||
|
|
||||||
|
if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
res = mvebu_read_efuse(bank, &fuse_line);
|
||||||
|
if (res)
|
||||||
|
return res;
|
||||||
|
|
||||||
|
if (word < 2)
|
||||||
|
*val = fuse_line.dwords.d[word];
|
||||||
|
else
|
||||||
|
*val = fuse_line.lock;
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
int fuse_sense(u32 bank, u32 word, u32 *val)
|
||||||
|
{
|
||||||
|
/* not supported */
|
||||||
|
return -ENOSYS;
|
||||||
|
}
|
||||||
|
|
||||||
|
int fuse_prog(u32 bank, u32 word, u32 val)
|
||||||
|
{
|
||||||
|
int res = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NOTE: Fuse line should be written as whole.
|
||||||
|
* So how can we do that with this API?
|
||||||
|
* For now: remember values for word == 0 and word == 1 and write the
|
||||||
|
* whole line when word == 2.
|
||||||
|
* This implies that we always require all 3 fuse prog cmds (one for
|
||||||
|
* for each word) to write a single fuse line.
|
||||||
|
* Exception is a single write to word 2 which will lock the fuse line.
|
||||||
|
*
|
||||||
|
* Hope that will be OK.
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (bank < EFUSE_LINE_MIN || bank > EFUSE_LINE_MAX || word > 2)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (word < 2) {
|
||||||
|
prog_val.dwords.d[word] = val;
|
||||||
|
valid_prog_words |= (1 << word);
|
||||||
|
} else if ((valid_prog_words & 3) == 0 && val) {
|
||||||
|
res = mvebu_lock_efuse(bank);
|
||||||
|
valid_prog_words = 0;
|
||||||
|
} else if ((valid_prog_words & 3) != 3 || !val) {
|
||||||
|
res = -EINVAL;
|
||||||
|
} else {
|
||||||
|
prog_val.lock = val != 0;
|
||||||
|
res = mvebu_write_efuse(bank, &prog_val);
|
||||||
|
valid_prog_words = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
int fuse_override(u32 bank, u32 word, u32 val)
|
||||||
|
{
|
||||||
|
/* not supported */
|
||||||
|
return -ENOSYS;
|
||||||
|
}
|
|
@ -36,7 +36,9 @@ enum cpu_target {
|
||||||
CPU_TARGET_ETH01 = 0x7,
|
CPU_TARGET_ETH01 = 0x7,
|
||||||
CPU_TARGET_PCIE13 = 0x8,
|
CPU_TARGET_PCIE13 = 0x8,
|
||||||
CPU_TARGET_SASRAM = 0x9,
|
CPU_TARGET_SASRAM = 0x9,
|
||||||
|
CPU_TARGET_SATA01 = 0xa, /* A38X */
|
||||||
CPU_TARGET_NAND = 0xd,
|
CPU_TARGET_NAND = 0xd,
|
||||||
|
CPU_TARGET_SATA23_DFX = 0xe, /* A38X */
|
||||||
};
|
};
|
||||||
|
|
||||||
enum cpu_attrib {
|
enum cpu_attrib {
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Reinhard Pfau <reinhard.pfau@gdsys.cc>
|
||||||
|
*
|
||||||
|
* SPDX-License-Identifier: GPL-2.0+
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef _MVEBU_EFUSE_H
|
||||||
|
#define _MVEBU_EFUSE_H
|
||||||
|
|
||||||
|
#include <common.h>
|
||||||
|
|
||||||
|
struct efuse_val {
|
||||||
|
union {
|
||||||
|
struct {
|
||||||
|
u8 d[8];
|
||||||
|
} bytes;
|
||||||
|
struct {
|
||||||
|
u16 d[4];
|
||||||
|
} words;
|
||||||
|
struct {
|
||||||
|
u32 d[2];
|
||||||
|
} dwords;
|
||||||
|
};
|
||||||
|
u32 lock;
|
||||||
|
};
|
||||||
|
|
||||||
|
#if defined(CONFIG_ARMADA_38X)
|
||||||
|
|
||||||
|
enum efuse_line {
|
||||||
|
EFUSE_LINE_SECURE_BOOT = 24,
|
||||||
|
EFUSE_LINE_PUBKEY_DIGEST_0 = 26,
|
||||||
|
EFUSE_LINE_PUBKEY_DIGEST_1 = 27,
|
||||||
|
EFUSE_LINE_PUBKEY_DIGEST_2 = 28,
|
||||||
|
EFUSE_LINE_PUBKEY_DIGEST_3 = 29,
|
||||||
|
EFUSE_LINE_PUBKEY_DIGEST_4 = 30,
|
||||||
|
EFUSE_LINE_CSK_0_VALID = 31,
|
||||||
|
EFUSE_LINE_CSK_1_VALID = 32,
|
||||||
|
EFUSE_LINE_CSK_2_VALID = 33,
|
||||||
|
EFUSE_LINE_CSK_3_VALID = 34,
|
||||||
|
EFUSE_LINE_CSK_4_VALID = 35,
|
||||||
|
EFUSE_LINE_CSK_5_VALID = 36,
|
||||||
|
EFUSE_LINE_CSK_6_VALID = 37,
|
||||||
|
EFUSE_LINE_CSK_7_VALID = 38,
|
||||||
|
EFUSE_LINE_CSK_8_VALID = 39,
|
||||||
|
EFUSE_LINE_CSK_9_VALID = 40,
|
||||||
|
EFUSE_LINE_CSK_10_VALID = 41,
|
||||||
|
EFUSE_LINE_CSK_11_VALID = 42,
|
||||||
|
EFUSE_LINE_CSK_12_VALID = 43,
|
||||||
|
EFUSE_LINE_CSK_13_VALID = 44,
|
||||||
|
EFUSE_LINE_CSK_14_VALID = 45,
|
||||||
|
EFUSE_LINE_CSK_15_VALID = 46,
|
||||||
|
EFUSE_LINE_FLASH_ID = 47,
|
||||||
|
EFUSE_LINE_BOX_ID = 48,
|
||||||
|
|
||||||
|
EFUSE_LINE_MIN = 0,
|
||||||
|
EFUSE_LINE_MAX = 63,
|
||||||
|
};
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int mvebu_efuse_init_hw(void);
|
||||||
|
|
||||||
|
int mvebu_read_efuse(int nr, struct efuse_val *val);
|
||||||
|
|
||||||
|
int mvebu_write_efuse(int nr, struct efuse_val *val);
|
||||||
|
|
||||||
|
int mvebu_lock_efuse(int nr);
|
||||||
|
|
||||||
|
#endif
|
|
@ -67,6 +67,7 @@
|
||||||
#define MVEBU_REG_PCIE_BASE (MVEBU_REGISTER(0x40000))
|
#define MVEBU_REG_PCIE_BASE (MVEBU_REGISTER(0x40000))
|
||||||
#define MVEBU_AXP_USB_BASE (MVEBU_REGISTER(0x50000))
|
#define MVEBU_AXP_USB_BASE (MVEBU_REGISTER(0x50000))
|
||||||
#define MVEBU_USB20_BASE (MVEBU_REGISTER(0x58000))
|
#define MVEBU_USB20_BASE (MVEBU_REGISTER(0x58000))
|
||||||
|
#define MVEBU_REG_PCIE0_BASE (MVEBU_REGISTER(0x80000))
|
||||||
#define MVEBU_AXP_SATA_BASE (MVEBU_REGISTER(0xa0000))
|
#define MVEBU_AXP_SATA_BASE (MVEBU_REGISTER(0xa0000))
|
||||||
#define MVEBU_SATA0_BASE (MVEBU_REGISTER(0xa8000))
|
#define MVEBU_SATA0_BASE (MVEBU_REGISTER(0xa8000))
|
||||||
#define MVEBU_NAND_BASE (MVEBU_REGISTER(0xd0000))
|
#define MVEBU_NAND_BASE (MVEBU_REGISTER(0xd0000))
|
||||||
|
|
|
@ -13,6 +13,11 @@
|
||||||
#include "ctrl_pex.h"
|
#include "ctrl_pex.h"
|
||||||
#include "sys_env_lib.h"
|
#include "sys_env_lib.h"
|
||||||
|
|
||||||
|
__weak void board_pex_config(void)
|
||||||
|
{
|
||||||
|
/* nothing in this weak default implementation */
|
||||||
|
}
|
||||||
|
|
||||||
int hws_pex_config(const struct serdes_map *serdes_map, u8 count)
|
int hws_pex_config(const struct serdes_map *serdes_map, u8 count)
|
||||||
{
|
{
|
||||||
u32 pex_idx, tmp, next_busno, first_busno, temp_pex_reg,
|
u32 pex_idx, tmp, next_busno, first_busno, temp_pex_reg,
|
||||||
|
@ -77,6 +82,9 @@ int hws_pex_config(const struct serdes_map *serdes_map, u8 count)
|
||||||
|
|
||||||
/* Support gen1/gen2 */
|
/* Support gen1/gen2 */
|
||||||
DEBUG_INIT_FULL_S("Support gen1/gen2\n");
|
DEBUG_INIT_FULL_S("Support gen1/gen2\n");
|
||||||
|
|
||||||
|
board_pex_config();
|
||||||
|
|
||||||
next_busno = 0;
|
next_busno = 0;
|
||||||
mdelay(150);
|
mdelay(150);
|
||||||
|
|
||||||
|
|
|
@ -83,4 +83,6 @@ int pex_local_bus_num_set(u32 pex_if, u32 bus_num);
|
||||||
int pex_local_dev_num_set(u32 pex_if, u32 dev_num);
|
int pex_local_dev_num_set(u32 pex_if, u32 dev_num);
|
||||||
u32 pex_config_read(u32 pex_if, u32 bus, u32 dev, u32 func, u32 reg_off);
|
u32 pex_config_read(u32 pex_if, u32 bus, u32 dev, u32 func, u32 reg_off);
|
||||||
|
|
||||||
|
void board_pex_config(void);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -13,8 +13,6 @@
|
||||||
#include <asm/arch/cpu.h>
|
#include <asm/arch/cpu.h>
|
||||||
#include <asm/arch/soc.h>
|
#include <asm/arch/soc.h>
|
||||||
|
|
||||||
DECLARE_GLOBAL_DATA_PTR;
|
|
||||||
|
|
||||||
static u32 get_boot_device(void)
|
static u32 get_boot_device(void)
|
||||||
{
|
{
|
||||||
u32 val;
|
u32 val;
|
||||||
|
|
|
@ -43,15 +43,6 @@
|
||||||
#define CCDM_AUTO_FIRST_STAGE
|
#define CCDM_AUTO_FIRST_STAGE
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* enums from TCG specs */
|
|
||||||
enum {
|
|
||||||
/* capability areas */
|
|
||||||
TPM_CAP_NV_INDEX = 0x00000011,
|
|
||||||
TPM_CAP_HANDLE = 0x00000014,
|
|
||||||
/* resource types */
|
|
||||||
TPM_RT_KEY = 0x00000001,
|
|
||||||
};
|
|
||||||
|
|
||||||
/* CCDM specific contants */
|
/* CCDM specific contants */
|
||||||
enum {
|
enum {
|
||||||
/* NV indices */
|
/* NV indices */
|
||||||
|
|
70
cmd/tpm.c
70
cmd/tpm.c
|
@ -646,6 +646,64 @@ TPM_COMMAND_NO_ARG(tpm_end_oiap)
|
||||||
|
|
||||||
#endif /* CONFIG_TPM_AUTH_SESSIONS */
|
#endif /* CONFIG_TPM_AUTH_SESSIONS */
|
||||||
|
|
||||||
|
#ifdef CONFIG_TPM_FLUSH_RESOURCES
|
||||||
|
static int do_tpm_flush(cmd_tbl_t *cmdtp, int flag, int argc,
|
||||||
|
char * const argv[])
|
||||||
|
{
|
||||||
|
int type = 0;
|
||||||
|
|
||||||
|
if (argc != 2)
|
||||||
|
return CMD_RET_USAGE;
|
||||||
|
|
||||||
|
if (strcasecmp(argv[1], "key"))
|
||||||
|
type = TPM_RT_KEY;
|
||||||
|
else if (strcasecmp(argv[1], "auth"))
|
||||||
|
type = TPM_RT_AUTH;
|
||||||
|
else if (strcasecmp(argv[1], "hash"))
|
||||||
|
type = TPM_RT_HASH;
|
||||||
|
else if (strcasecmp(argv[1], "trans"))
|
||||||
|
type = TPM_RT_TRANS;
|
||||||
|
else if (strcasecmp(argv[1], "context"))
|
||||||
|
type = TPM_RT_CONTEXT;
|
||||||
|
else if (strcasecmp(argv[1], "counter"))
|
||||||
|
type = TPM_RT_COUNTER;
|
||||||
|
else if (strcasecmp(argv[1], "delegate"))
|
||||||
|
type = TPM_RT_DELEGATE;
|
||||||
|
else if (strcasecmp(argv[1], "daa_tpm"))
|
||||||
|
type = TPM_RT_DAA_TPM;
|
||||||
|
else if (strcasecmp(argv[1], "daa_v0"))
|
||||||
|
type = TPM_RT_DAA_V0;
|
||||||
|
else if (strcasecmp(argv[1], "daa_v1"))
|
||||||
|
type = TPM_RT_DAA_V1;
|
||||||
|
|
||||||
|
if (strcasecmp(argv[2], "all")) {
|
||||||
|
uint16_t res_count;
|
||||||
|
uint8_t buf[288];
|
||||||
|
uint8_t *ptr;
|
||||||
|
int err;
|
||||||
|
uint i;
|
||||||
|
|
||||||
|
/* fetch list of already loaded resources in the TPM */
|
||||||
|
err = tpm_get_capability(TPM_CAP_HANDLE, type, buf,
|
||||||
|
sizeof(buf));
|
||||||
|
if (err)
|
||||||
|
return -1;
|
||||||
|
res_count = get_unaligned_be16(buf);
|
||||||
|
ptr = buf + 2;
|
||||||
|
for (i = 0; i < res_count; ++i, ptr += 4)
|
||||||
|
tpm_flush_specific(get_unaligned_be32(ptr), type);
|
||||||
|
} else {
|
||||||
|
uint32_t handle = simple_strtoul(argv[2], NULL, 0);
|
||||||
|
|
||||||
|
if (!handle)
|
||||||
|
return -1;
|
||||||
|
tpm_flush_specific(cpu_to_be32(handle), type);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
|
||||||
|
|
||||||
#define MAKE_TPM_CMD_ENTRY(cmd) \
|
#define MAKE_TPM_CMD_ENTRY(cmd) \
|
||||||
U_BOOT_CMD_MKENT(cmd, 0, 1, do_tpm_ ## cmd, "", "")
|
U_BOOT_CMD_MKENT(cmd, 0, 1, do_tpm_ ## cmd, "", "")
|
||||||
|
|
||||||
|
@ -701,6 +759,10 @@ static cmd_tbl_t tpm_commands[] = {
|
||||||
U_BOOT_CMD_MKENT(get_pub_key_oiap, 0, 1,
|
U_BOOT_CMD_MKENT(get_pub_key_oiap, 0, 1,
|
||||||
do_tpm_get_pub_key_oiap, "", ""),
|
do_tpm_get_pub_key_oiap, "", ""),
|
||||||
#endif /* CONFIG_TPM_AUTH_SESSIONS */
|
#endif /* CONFIG_TPM_AUTH_SESSIONS */
|
||||||
|
#ifdef CONFIG_TPM_FLUSH_RESOURCES
|
||||||
|
U_BOOT_CMD_MKENT(flush, 0, 1,
|
||||||
|
do_tpm_flush, "", ""),
|
||||||
|
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
|
||||||
};
|
};
|
||||||
|
|
||||||
static int do_tpm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
|
static int do_tpm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
|
||||||
|
@ -750,6 +812,14 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm,
|
||||||
" get_capability cap_area sub_cap addr count\n"
|
" get_capability cap_area sub_cap addr count\n"
|
||||||
" - Read <count> bytes of TPM capability indexed by <cap_area> and\n"
|
" - Read <count> bytes of TPM capability indexed by <cap_area> and\n"
|
||||||
" <sub_cap> to memory address <addr>.\n"
|
" <sub_cap> to memory address <addr>.\n"
|
||||||
|
#ifdef CONFIG_TPM_FLUSH_RESOURCES
|
||||||
|
"Resource management functions\n"
|
||||||
|
" flush resource_type id\n"
|
||||||
|
" - flushes a resource of type <resource_type> (may be one of key, auth,\n"
|
||||||
|
" hash, trans, context, counter, delegate, daa_tpm, daa_v0, daa_v1),\n"
|
||||||
|
" and id <id> from the TPM. Use an <id> of \"all\" to flush all\n"
|
||||||
|
" resources of that type.\n"
|
||||||
|
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
|
||||||
#ifdef CONFIG_TPM_AUTH_SESSIONS
|
#ifdef CONFIG_TPM_AUTH_SESSIONS
|
||||||
"Storage functions\n"
|
"Storage functions\n"
|
||||||
" loadkey2_oiap parent_handle key_addr key_len usage_auth\n"
|
" loadkey2_oiap parent_handle key_addr key_len usage_auth\n"
|
||||||
|
|
|
@ -0,0 +1,373 @@
|
||||||
|
The trusted boot framework on Marvell Armada 38x
|
||||||
|
================================================
|
||||||
|
|
||||||
|
Contents:
|
||||||
|
|
||||||
|
1. Overview of the trusted boot
|
||||||
|
2. Terminology
|
||||||
|
3. Boot image layout
|
||||||
|
4. The secured header
|
||||||
|
5. The secured boot flow
|
||||||
|
6. Usage example
|
||||||
|
7. Work to be done
|
||||||
|
8. Bibliography
|
||||||
|
|
||||||
|
1. Overview of the trusted boot
|
||||||
|
-------------------------------
|
||||||
|
|
||||||
|
The Armada's trusted boot framework enables the SoC to cryptographically verify
|
||||||
|
a specially prepared boot image. This can be used to establish a chain of trust
|
||||||
|
from the boot firmware all the way to the OS.
|
||||||
|
|
||||||
|
To achieve this, the Armada SoC requires a specially prepared boot image, which
|
||||||
|
contains the relevant cryptographic data, as well as other information
|
||||||
|
pertaining to the boot process. Furthermore, a eFuse structure (a
|
||||||
|
one-time-writeable memory) need to be configured in the correct way.
|
||||||
|
|
||||||
|
Roughly, the secure boot process works as follows:
|
||||||
|
|
||||||
|
* Load the header block of the boot image, extract a special "root" public RSA
|
||||||
|
key from it, and verify its SHA-256 hash against a SHA-256 stored in a eFuse
|
||||||
|
field.
|
||||||
|
* Load an array of code signing public RSA keys from the header block, and
|
||||||
|
verify its RSA signature (contained in the header block as well) using the
|
||||||
|
"root" RSA key.
|
||||||
|
* Choose a code signing key, and use it to verify the header block (excluding
|
||||||
|
the key array).
|
||||||
|
* Verify the binary image's signature (contained in the header block) using the
|
||||||
|
code signing key.
|
||||||
|
* If all checks pass successfully, boot the image.
|
||||||
|
|
||||||
|
The chain of trust is thus as follows:
|
||||||
|
|
||||||
|
* The SHA-256 value in the eFuse field verifies the "root" public key.
|
||||||
|
* The "root" public key verifies the code signing key array.
|
||||||
|
* The selected code signing key verifies the header block and the binary image.
|
||||||
|
|
||||||
|
In the special case of building a boot image containing U-Boot as the binary
|
||||||
|
image, which employs this trusted boot framework, the following tasks need to
|
||||||
|
be addressed:
|
||||||
|
|
||||||
|
1. Creation of the needed cryptographic key material.
|
||||||
|
2. Creation of a conforming boot image containing the U-Boot image as binary
|
||||||
|
image.
|
||||||
|
3. Burning the necessary eFuse values.
|
||||||
|
|
||||||
|
(1) will be addressed later, (2) will be taken care of by U-Boot's build
|
||||||
|
system (some user configuration is required, though), and for (3) the necessary
|
||||||
|
data (essentially a series of U-Boot commands to be entered at the U-Boot
|
||||||
|
command prompt) will be created by the build system as well.
|
||||||
|
|
||||||
|
The documentation of the trusted boot mode is contained in part 1, chapter
|
||||||
|
7.2.5 in the functional specification [1], and in application note [2].
|
||||||
|
|
||||||
|
2. Terminology
|
||||||
|
--------------
|
||||||
|
|
||||||
|
CSK - Code Signing Key(s): An array of RSA key pairs, which
|
||||||
|
are used to sign and verify the secured header and the
|
||||||
|
boot loader image.
|
||||||
|
KAK - Key Authentication Key: A RSA key pair, which is used
|
||||||
|
to sign and verify the array of CSKs.
|
||||||
|
Header block - The first part of the boot image, which contains the
|
||||||
|
image's headers (also known as "headers block", "boot
|
||||||
|
header", and "image header")
|
||||||
|
eFuse - A one-time-writeable memory.
|
||||||
|
BootROM - The Armada's built-in boot firmware, which is
|
||||||
|
responsible for verifying and starting secure images.
|
||||||
|
Boot image - The complete image the SoC's boot firmware loads
|
||||||
|
(contains the header block and the binary image)
|
||||||
|
Main header - The header in the header block containing information
|
||||||
|
and data pertaining to the boot process (used for both
|
||||||
|
the regular and secured boot processes)
|
||||||
|
Binary image - The binary code payload of the boot image; in this
|
||||||
|
case the U-Boot's code (also known as "source image",
|
||||||
|
or just "image")
|
||||||
|
Secured header - The specialized header in the header block that
|
||||||
|
contains information and data pertaining to the
|
||||||
|
trusted boot (also known as "security header")
|
||||||
|
Secured boot mode - A special boot mode of the Armada SoC in which secured
|
||||||
|
images are verified (non-secure images won't boot);
|
||||||
|
the mode is activated by setting a eFuse field.
|
||||||
|
Trusted debug mode - A special mode for the trusted boot that allows
|
||||||
|
debugging of devices employing the trusted boot
|
||||||
|
framework in a secure manner (untested in the current
|
||||||
|
implementation).
|
||||||
|
Trusted boot framework - The ARMADA SoC's implementation of a secure verified
|
||||||
|
boot process.
|
||||||
|
|
||||||
|
3. Boot image layout
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
+-- Boot image --------------------------------------------+
|
||||||
|
| |
|
||||||
|
| +-- Header block --------------------------------------+ |
|
||||||
|
| | Main header | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| | Secured header | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| | BIN header(s) | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| | REG header(s) | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| | Padding | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
| | Binary image + checksum | |
|
||||||
|
| +------------------------------------------------------+ |
|
||||||
|
+----------------------------------------------------------+
|
||||||
|
|
||||||
|
4. The secured header
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
For the trusted boot framework, a additional header is added to the boot image.
|
||||||
|
The following data are relevant for the secure boot:
|
||||||
|
|
||||||
|
KAK: The KAK is contained in the secured header in the form
|
||||||
|
of a RSA-2048 public key in DER format with a length of
|
||||||
|
524 bytes.
|
||||||
|
Header block signature: The RSA signature of the header block (excluding the
|
||||||
|
CSK array), created using the selected CSK.
|
||||||
|
Binary image signature: The RSA signature of the binary image, created using
|
||||||
|
the selected CSK.
|
||||||
|
CSK array: The array of the 16 CSKs as RSA-2048 public keys in DER
|
||||||
|
format with a length of 8384 = 16 * 524 bytes.
|
||||||
|
CSK block signature: The RSA signature of the CSK array, created using the
|
||||||
|
KAK.
|
||||||
|
|
||||||
|
NOTE: The JTAG delay, Box ID, and Flash ID header fields do play a role in the
|
||||||
|
trusted boot process to enable and configure secure debugging, but they were
|
||||||
|
not tested in the current implementation of the trusted boot in U-Boot.
|
||||||
|
|
||||||
|
5. The secured boot flow
|
||||||
|
------------------------
|
||||||
|
|
||||||
|
The steps in the boot flow that are relevant for the trusted boot framework
|
||||||
|
proceed as follows:
|
||||||
|
|
||||||
|
1) Check if trusted boot is enabled, and perform regular boot if it is not.
|
||||||
|
2) Load the secured header, and verify its checksum.
|
||||||
|
3) Select the lowest valid CSK from CSK0 to CSK15.
|
||||||
|
4) Verify the SHA-256 hash of the KAK embedded in the secured header.
|
||||||
|
5) Verify the RSA signature of the CSK block from the secured header with the
|
||||||
|
KAK.
|
||||||
|
6) Verify the header block signature (which excludes the CSK block) from the
|
||||||
|
secured header with the selected CSK.
|
||||||
|
7) Load the binary image to the main memory and verify its checksum.
|
||||||
|
8) Verify the binary image's RSA signature from the secured header with the
|
||||||
|
selected CSK.
|
||||||
|
9) Continue the boot process as in the case of the regular boot.
|
||||||
|
|
||||||
|
NOTE: All RSA signatures are verified according to the PKCS #1 v2.1 standard
|
||||||
|
described in [3].
|
||||||
|
|
||||||
|
NOTE: The Box ID and Flash ID are checked after step 6, and the trusted debug
|
||||||
|
mode may be entered there, but since this mode is untested in the current
|
||||||
|
implementation, it is not described further.
|
||||||
|
|
||||||
|
6. Usage example
|
||||||
|
----------------
|
||||||
|
|
||||||
|
### Create key material
|
||||||
|
|
||||||
|
To employ the trusted boot framework, cryptographic key material needs to be
|
||||||
|
created. In the current implementation, two keys are needed to build a valid
|
||||||
|
secured boot image: The KAK private key and a CSK private key (both have to be
|
||||||
|
2048 bit RSA keys in PEM format). Note that the usage of more than one CSK is
|
||||||
|
currently not supported.
|
||||||
|
|
||||||
|
NOTE: Since the public key can be generated from the private key, it is
|
||||||
|
sufficient to store the private key for each key pair.
|
||||||
|
|
||||||
|
OpenSSL can be used to generate the needed files kwb_kak.key and kwb_csk.key
|
||||||
|
(the names of these files have to be configured, see the next section on
|
||||||
|
kwbimage.cfg settings):
|
||||||
|
|
||||||
|
openssl genrsa -out kwb_kak.key 2048
|
||||||
|
openssl genrsa -out kwb_csk.key 2048
|
||||||
|
|
||||||
|
The generated files have to be placed in the U-Boot root directory.
|
||||||
|
|
||||||
|
Alternatively, instead of copying the files, symlinks to the private keys can
|
||||||
|
be placed in the U-Boot root directory.
|
||||||
|
|
||||||
|
WARNING: Knowledge of the KAK or CSK private key would enable an attacker to
|
||||||
|
generate secured boot images containing arbitrary code. Hence, the private keys
|
||||||
|
should be carefully guarded.
|
||||||
|
|
||||||
|
### Create/Modifiy kwbimage.cfg
|
||||||
|
|
||||||
|
The Kirkwook architecture in U-Boot employs a special board-specific
|
||||||
|
configuration file (kwbimage.cfg), which controls various boot image settings
|
||||||
|
that are interpreted by the BootROM, such as the boot medium. The support the
|
||||||
|
trusted boot framework, several new options were added to faciliate
|
||||||
|
configuration of the secured boot.
|
||||||
|
|
||||||
|
The configuration file's layout has been retained, only the following new
|
||||||
|
options were added:
|
||||||
|
|
||||||
|
KAK - The name of the KAK RSA private key file in the U-Boot
|
||||||
|
root directory, without the trailing extension of ".key".
|
||||||
|
CSK - The name of the (active) CSK RSA private key file in the
|
||||||
|
U-Boot root directory, without the trailing extension of
|
||||||
|
".key".
|
||||||
|
BOX_ID - The BoxID to be used for trusted debugging (a integer
|
||||||
|
value).
|
||||||
|
FLASH_ID - The FlashID to be used for trusted debugging (a integer
|
||||||
|
value).
|
||||||
|
JTAG_DELAY - The JTAG delay to be used for trusted debugging (a
|
||||||
|
integer value).
|
||||||
|
CSK_INDEX - The index of the active CSK (a integer value).
|
||||||
|
SEC_SPECIALIZED_IMG - Flag to indicate whether to include the BoxID and FlashID
|
||||||
|
in the image (that is, whether to use the trusted debug
|
||||||
|
mode or not); no parameters.
|
||||||
|
SEC_BOOT_DEV - The boot device from which the trusted boot is allowed to
|
||||||
|
proceed, identified via a numeric ID. The tested values
|
||||||
|
are 0x34 = NOR flash, 0x31 = SDIO/MMC card; for
|
||||||
|
additional ID values, consult the documentation in [1].
|
||||||
|
SEC_FUSE_DUMP - Dump the "fuse prog" commands necessary for writing the
|
||||||
|
correct eFuse values to a text file in the U-Boot root
|
||||||
|
directory. The parameter is the architecture for which to
|
||||||
|
dump the commands (currently only "a38x" is supported).
|
||||||
|
|
||||||
|
The parameter values may be hardcoded into the file, but it is also possible to
|
||||||
|
employ a dynamic approach of creating a Autoconf-like kwbimage.cfg.in, then
|
||||||
|
reading configuration values from Kconfig options or from the board config
|
||||||
|
file, and generating the actual kwbimage.cfg from this template using Makefile
|
||||||
|
mechanisms (see board/gdsys/a38x/Makefile as an example for this approach).
|
||||||
|
|
||||||
|
### Set config options
|
||||||
|
|
||||||
|
To enable the generation of trusted boot images, the corresponding support
|
||||||
|
needs to be activated, and a index for the active CSK needs to be selected as
|
||||||
|
well.
|
||||||
|
|
||||||
|
Furthermore, eFuse writing support has to be activated in order to burn the
|
||||||
|
eFuse structure's values (this option is just needed for programming the eFuse
|
||||||
|
structure; production boot images may disable it).
|
||||||
|
|
||||||
|
ARM architecture
|
||||||
|
-> [*] Build image for trusted boot
|
||||||
|
(0) Index of active CSK
|
||||||
|
-> [*] Enable eFuse support
|
||||||
|
[ ] Fake eFuse access (dry run)
|
||||||
|
|
||||||
|
### Build and test boot image
|
||||||
|
|
||||||
|
The creation of the boot image is done via the usual invocation of make (with a
|
||||||
|
suitably set CROSS_COMPILE environment variable, of course). The resulting boot
|
||||||
|
image u-boot-spl.kwb can then be tested, if so desired. The hdrparser from [5]
|
||||||
|
can be used for this purpose. To build the tool, invoke make in the
|
||||||
|
'tools/marvell/doimage_mv' directory of [5], which builds a stand-alone
|
||||||
|
hdrparser executable. A test can be conducted by calling hdrparser with the
|
||||||
|
produced boot image and the following (mandatory) parameters:
|
||||||
|
|
||||||
|
./hdrparser -k 0 -t u-boot-spl.kwb
|
||||||
|
|
||||||
|
Here we assume that the CSK index is 0 and the boot image file resides in the
|
||||||
|
same directory (adapt accordingly if needed). The tool should report that all
|
||||||
|
checksums are valid ("GOOD"), that all signature verifications succeed
|
||||||
|
("PASSED"), and, finally, that the overall test was successful
|
||||||
|
("T E S T S U C C E E D E D" in the last line of output).
|
||||||
|
|
||||||
|
### Burn eFuse structure
|
||||||
|
|
||||||
|
+----------------------------------------------------------+
|
||||||
|
| WARNING: Burning the eFuse structure is a irreversible |
|
||||||
|
| operation! Should wrong or corrupted values be used, the |
|
||||||
|
| board won't boot anymore, and recovery is likely |
|
||||||
|
| impossible! |
|
||||||
|
+----------------------------------------------------------+
|
||||||
|
|
||||||
|
After the build process has finished, and the SEC_FUSE_DUMP option was set in
|
||||||
|
the kwbimage.cfg was set, a text file kwb_fuses_a38x.txt should be present in
|
||||||
|
the U-Boot top-level directory. It contains all the necessary commands to set
|
||||||
|
the eFuse structure to the values needed for the used KAK digest, as well as
|
||||||
|
the CSK index, Flash ID and Box ID that were selected in kwbimage.cfg.
|
||||||
|
|
||||||
|
Sequentially executing the commands in this file at the U-Boot command prompt
|
||||||
|
will write these values to the eFuse structure.
|
||||||
|
|
||||||
|
If the SEC_FUSE_DUMP option was not set, the commands needed to burn the fuses
|
||||||
|
have to be crafted by hand. The needed fuse lines can be looked up in [1]; a
|
||||||
|
rough overview of the process is:
|
||||||
|
|
||||||
|
* Burn the KAK public key hash. The hash itself can be found in the file
|
||||||
|
pub_kak_hash.txt in the U-Boot top-level directory; be careful to account for
|
||||||
|
the endianness!
|
||||||
|
* Burn the CSK selection, BoxID, and FlashID
|
||||||
|
* Enable trusted boot by burning the corresponding fuse (WARNING: this must be
|
||||||
|
the last fuse line written!)
|
||||||
|
* Lock the unused fuse lines
|
||||||
|
|
||||||
|
The command to employ is the "fuse prog" command previously enabled by setting
|
||||||
|
the corresponding configuration option.
|
||||||
|
|
||||||
|
For the trusted boot, the fuse prog command has a special syntax, since the
|
||||||
|
ARMADA SoC demands that whole fuse lines (64 bit values) have to be written as
|
||||||
|
a whole. The fuse prog command itself allows lists of 32 bit words to be
|
||||||
|
written at a time, but this is translated to a series of single 32 bit write
|
||||||
|
operations to the fuse line, where the individual 32 bit words are identified
|
||||||
|
by a "word" counter that is increased for each write.
|
||||||
|
|
||||||
|
To work around this restriction, we interpret each line to have three "words"
|
||||||
|
(0-2): The first and second words are the values to be written to the fuse
|
||||||
|
line, and the third is a lock flag, which is supposed to lock the fuse line
|
||||||
|
when set to 1. Writes to the first and second words are memoized between
|
||||||
|
function calls, and the fuse line is only really written and locked (on writing
|
||||||
|
the third word) if both words were previously set, so that "incomplete" writes
|
||||||
|
are prevented. An exception to this is a single write to the third word (index
|
||||||
|
2) without previously writing neither the first nor the second word, which
|
||||||
|
locks the fuse line without setting any value; this is needed to lock the
|
||||||
|
unused fuse lines.
|
||||||
|
|
||||||
|
As an example, to write the value 0011223344556677 to fuse line 10, we would
|
||||||
|
use the following command:
|
||||||
|
|
||||||
|
fuse prog -y 10 0 00112233 44556677 1
|
||||||
|
|
||||||
|
Here 10 is the fuse line number, 0 is the index of the first word to be
|
||||||
|
written, 00112233 and 44556677 are the values to be written to the fuse line
|
||||||
|
(first and second word) and the trailing 1 is the value for the third word
|
||||||
|
responsible for locking the line.
|
||||||
|
|
||||||
|
A "lock-only" command would look like this:
|
||||||
|
|
||||||
|
fuse prog -y 11 2 1
|
||||||
|
|
||||||
|
Here 11 is the fuse number, 2 is the index of the first word to be written
|
||||||
|
(notice that we only write to word 2 here; the third word for fuse line
|
||||||
|
locking), and the 1 is the value for the word we are writing to.
|
||||||
|
|
||||||
|
WARNING: According to application note [4], the VHV pin of the SoC must be
|
||||||
|
connected to a 1.8V source during eFuse programming, but *must* be disconnected
|
||||||
|
for normal operation. The AN [4] describes a software-controlled circuit (based
|
||||||
|
on a N-channel or P-channel FET and a free GPIO pin of the SoC) to achieve
|
||||||
|
this, but a jumper-based circuit should suffice as well. Regardless of the
|
||||||
|
chosen circuit, the issue needs to be addressed accordingly!
|
||||||
|
|
||||||
|
7. Work to be done
|
||||||
|
------------------
|
||||||
|
|
||||||
|
* Add the ability to populate more than one CSK
|
||||||
|
* Test secure debug
|
||||||
|
* Test on Armada XP
|
||||||
|
|
||||||
|
8. Bibliography
|
||||||
|
---------------
|
||||||
|
|
||||||
|
[1] ARMADA(R) 38x Family High-Performance Single/Dual CPU System on Chip
|
||||||
|
Functional Specification; MV-S109094-00, Rev. C; August 2, 2015,
|
||||||
|
Preliminary
|
||||||
|
[2] AN-383: ARMADA(R) 38x Families Secure Boot Mode Support; MV-S302501-00
|
||||||
|
Rev. A; March 11, 2015, Preliminary
|
||||||
|
[3] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
|
||||||
|
Specifications Version 2.1; February 2003;
|
||||||
|
https://www.ietf.org/rfc/rfc3447.txt
|
||||||
|
[4] AN-389: ARMADA(R) VHV Power; MV-S302545-00 Rev. B; January 28, 2016,
|
||||||
|
Released
|
||||||
|
[5] Marvell Armada 38x U-Boot support; November 25, 2015;
|
||||||
|
https://github.com/MarvellEmbeddedProcessors/u-boot-marvell
|
||||||
|
|
||||||
|
2017-01-05, Mario Six <mario.six@gdsys.cc>
|
|
@ -480,6 +480,49 @@ static int m88e1310_config(struct phy_device *phydev)
|
||||||
return genphy_config_aneg(phydev);
|
return genphy_config_aneg(phydev);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int m88e1680_config(struct phy_device *phydev)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* As per Marvell Release Notes - Alaska V 88E1680 Rev A2
|
||||||
|
* Errata Section 4.1
|
||||||
|
*/
|
||||||
|
u16 reg;
|
||||||
|
int res;
|
||||||
|
|
||||||
|
/* Matrix LED mode (not neede if single LED mode is used */
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0004);
|
||||||
|
reg = phy_read(phydev, MDIO_DEVAD_NONE, 27);
|
||||||
|
reg |= (1 << 5);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 27, reg);
|
||||||
|
|
||||||
|
/* QSGMII TX amplitude change */
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x00fd);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 8, 0x0b53);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 7, 0x200d);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0000);
|
||||||
|
|
||||||
|
/* EEE initialization */
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x00ff);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 17, 0xb030);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 16, 0x215c);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 22, 0x00fc);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 24, 0x888c);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 25, 0x888c);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MIIM_88E1118_PHY_PAGE, 0x0000);
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, 0, 0x9140);
|
||||||
|
|
||||||
|
res = genphy_config_aneg(phydev);
|
||||||
|
if (res < 0)
|
||||||
|
return res;
|
||||||
|
|
||||||
|
/* soft reset */
|
||||||
|
reg = phy_read(phydev, MDIO_DEVAD_NONE, MII_BMCR);
|
||||||
|
reg |= BMCR_RESET;
|
||||||
|
phy_write(phydev, MDIO_DEVAD_NONE, MII_BMCR, reg);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static struct phy_driver M88E1011S_driver = {
|
static struct phy_driver M88E1011S_driver = {
|
||||||
.name = "Marvell 88E1011S",
|
.name = "Marvell 88E1011S",
|
||||||
.uid = 0x1410c60,
|
.uid = 0x1410c60,
|
||||||
|
@ -580,6 +623,16 @@ static struct phy_driver M88E1310_driver = {
|
||||||
.shutdown = &genphy_shutdown,
|
.shutdown = &genphy_shutdown,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static struct phy_driver M88E1680_driver = {
|
||||||
|
.name = "Marvell 88E1680",
|
||||||
|
.uid = 0x1410ed0,
|
||||||
|
.mask = 0xffffff0,
|
||||||
|
.features = PHY_GBIT_FEATURES,
|
||||||
|
.config = &m88e1680_config,
|
||||||
|
.startup = &genphy_startup,
|
||||||
|
.shutdown = &genphy_shutdown,
|
||||||
|
};
|
||||||
|
|
||||||
int phy_marvell_init(void)
|
int phy_marvell_init(void)
|
||||||
{
|
{
|
||||||
phy_register(&M88E1310_driver);
|
phy_register(&M88E1310_driver);
|
||||||
|
@ -592,6 +645,7 @@ int phy_marvell_init(void)
|
||||||
phy_register(&M88E1011S_driver);
|
phy_register(&M88E1011S_driver);
|
||||||
phy_register(&M88E1510_driver);
|
phy_register(&M88E1510_driver);
|
||||||
phy_register(&M88E1518_driver);
|
phy_register(&M88E1518_driver);
|
||||||
|
phy_register(&M88E1680_driver);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -91,25 +91,26 @@ static void __iomem *mvebu_pcie_membase = (void __iomem *)MBUS_PCI_MEM_BASE;
|
||||||
#if defined(CONFIG_ARMADA_38X)
|
#if defined(CONFIG_ARMADA_38X)
|
||||||
#define PCIE_BASE(if) \
|
#define PCIE_BASE(if) \
|
||||||
((if) == 0 ? \
|
((if) == 0 ? \
|
||||||
MVEBU_REG_PCIE_BASE + 0x40000 : \
|
MVEBU_REG_PCIE0_BASE : \
|
||||||
MVEBU_REG_PCIE_BASE + 0x4000 * (if))
|
(MVEBU_REG_PCIE_BASE + 0x4000 * (if - 1)))
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* On A38x MV6820 these PEX ports are supported:
|
* On A38x MV6820 these PEX ports are supported:
|
||||||
* 0 - Port 0.0
|
* 0 - Port 0.0
|
||||||
* 1 - Port 0.1
|
* 1 - Port 1.0
|
||||||
* 2 - Port 0.2
|
* 2 - Port 2.0
|
||||||
|
* 3 - Port 3.0
|
||||||
*/
|
*/
|
||||||
#define MAX_PEX 3
|
#define MAX_PEX 4
|
||||||
static struct mvebu_pcie pcie_bus[MAX_PEX];
|
static struct mvebu_pcie pcie_bus[MAX_PEX];
|
||||||
|
|
||||||
static void mvebu_get_port_lane(struct mvebu_pcie *pcie, int pex_idx,
|
static void mvebu_get_port_lane(struct mvebu_pcie *pcie, int pex_idx,
|
||||||
int *mem_target, int *mem_attr)
|
int *mem_target, int *mem_attr)
|
||||||
{
|
{
|
||||||
u8 port[] = { 0, 1, 2 };
|
u8 port[] = { 0, 1, 2, 3 };
|
||||||
u8 lane[] = { 0, 0, 0 };
|
u8 lane[] = { 0, 0, 0, 0 };
|
||||||
u8 target[] = { 8, 4, 4 };
|
u8 target[] = { 8, 4, 4, 4 };
|
||||||
u8 attr[] = { 0xe8, 0xe8, 0xd8 };
|
u8 attr[] = { 0xe8, 0xe8, 0xd8, 0xb8 };
|
||||||
|
|
||||||
pcie->port = port[pex_idx];
|
pcie->port = port[pex_idx];
|
||||||
pcie->lane = lane[pex_idx];
|
pcie->lane = lane[pex_idx];
|
||||||
|
@ -351,9 +352,9 @@ void pci_init_board(void)
|
||||||
mvebu_get_port_lane(pcie, i, &mem_target, &mem_attr);
|
mvebu_get_port_lane(pcie, i, &mem_target, &mem_attr);
|
||||||
|
|
||||||
/* Don't read at all from pci registers if port power is down */
|
/* Don't read at all from pci registers if port power is down */
|
||||||
if (pcie->lane == 0 && SELECT(soc_ctrl, pcie->port) == 0) {
|
if (SELECT(soc_ctrl, pcie->port) == 0) {
|
||||||
i += 3;
|
if (pcie->lane == 0)
|
||||||
debug("%s: skipping port %d\n", __func__, pcie->port);
|
debug("%s: skipping port %d\n", __func__, pcie->port);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -884,11 +884,10 @@ void comphy_dedicated_phys_init(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
node = fdt_node_offset_by_compatible(blob, -1,
|
node = fdt_node_offset_by_compatible(blob, -1,
|
||||||
"marvell,armada-3700-sdio");
|
"marvell,armada-8k-sdhci");
|
||||||
if (node <= 0) {
|
if (node <= 0) {
|
||||||
debug("No SDIO node in DT, looking for MMC one\n");
|
node = fdt_node_offset_by_compatible(
|
||||||
node = fdt_node_offset_by_compatible(blob, -1,
|
blob, -1, "marvell,armada-3700-sdhci");
|
||||||
"marvell,xenon-sdhci");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (node > 0) {
|
if (node > 0) {
|
||||||
|
|
|
@ -82,4 +82,10 @@ config TPM_ST33ZP24_SPI
|
||||||
to the device using the standard TPM Interface Specification (TIS)
|
to the device using the standard TPM Interface Specification (TIS)
|
||||||
protocol
|
protocol
|
||||||
|
|
||||||
|
config TPM_FLUSH_RESOURCES
|
||||||
|
bool "Enable TPM resource flushing support"
|
||||||
|
depends on TPM
|
||||||
|
help
|
||||||
|
Enable support to flush specific resources (e.g. keys) from the TPM.
|
||||||
|
The functionality is available via the 'tpm' command as well.
|
||||||
endmenu
|
endmenu
|
||||||
|
|
|
@ -47,6 +47,42 @@ enum tpm_nv_index {
|
||||||
TPM_NV_INDEX_DIR = 0x10000001,
|
TPM_NV_INDEX_DIR = 0x10000001,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum tpm_resource_type {
|
||||||
|
TPM_RT_KEY = 0x00000001,
|
||||||
|
TPM_RT_AUTH = 0x00000002,
|
||||||
|
TPM_RT_HASH = 0x00000003,
|
||||||
|
TPM_RT_TRANS = 0x00000004,
|
||||||
|
TPM_RT_CONTEXT = 0x00000005,
|
||||||
|
TPM_RT_COUNTER = 0x00000006,
|
||||||
|
TPM_RT_DELEGATE = 0x00000007,
|
||||||
|
TPM_RT_DAA_TPM = 0x00000008,
|
||||||
|
TPM_RT_DAA_V0 = 0x00000009,
|
||||||
|
TPM_RT_DAA_V1 = 0x0000000A,
|
||||||
|
};
|
||||||
|
|
||||||
|
enum tpm_capability_areas {
|
||||||
|
TPM_CAP_ORD = 0x00000001,
|
||||||
|
TPM_CAP_ALG = 0x00000002,
|
||||||
|
TPM_CAP_PID = 0x00000003,
|
||||||
|
TPM_CAP_FLAG = 0x00000004,
|
||||||
|
TPM_CAP_PROPERTY = 0x00000005,
|
||||||
|
TPM_CAP_VERSION = 0x00000006,
|
||||||
|
TPM_CAP_KEY_HANDLE = 0x00000007,
|
||||||
|
TPM_CAP_CHECK_LOADED = 0x00000008,
|
||||||
|
TPM_CAP_SYM_MODE = 0x00000009,
|
||||||
|
TPM_CAP_KEY_STATUS = 0x0000000C,
|
||||||
|
TPM_CAP_NV_LIST = 0x0000000D,
|
||||||
|
TPM_CAP_MFR = 0x00000010,
|
||||||
|
TPM_CAP_NV_INDEX = 0x00000011,
|
||||||
|
TPM_CAP_TRANS_ALG = 0x00000012,
|
||||||
|
TPM_CAP_HANDLE = 0x00000014,
|
||||||
|
TPM_CAP_TRANS_ES = 0x00000015,
|
||||||
|
TPM_CAP_AUTH_ENCRYPT = 0x00000017,
|
||||||
|
TPM_CAP_SELECT_SIZE = 0x00000018,
|
||||||
|
TPM_CAP_DA_LOGIC = 0x00000019,
|
||||||
|
TPM_CAP_VERSION_VAL = 0x0000001A,
|
||||||
|
};
|
||||||
|
|
||||||
#define TPM_NV_PER_GLOBALLOCK (1U << 15)
|
#define TPM_NV_PER_GLOBALLOCK (1U << 15)
|
||||||
#define TPM_NV_PER_PPWRITE (1U << 0)
|
#define TPM_NV_PER_PPWRITE (1U << 0)
|
||||||
#define TPM_NV_PER_READ_STCLEAR (1U << 31)
|
#define TPM_NV_PER_READ_STCLEAR (1U << 31)
|
||||||
|
@ -594,4 +630,13 @@ uint32_t tpm_get_permanent_flags(struct tpm_permanent_flags *pflags);
|
||||||
*/
|
*/
|
||||||
uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm);
|
uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Flush a resource with a given handle and type from the TPM
|
||||||
|
*
|
||||||
|
* @param key_handle handle of the resource
|
||||||
|
* @param resource_type type of the resource
|
||||||
|
* @return return code of the operation
|
||||||
|
*/
|
||||||
|
uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type);
|
||||||
|
|
||||||
#endif /* __TPM_H */
|
#endif /* __TPM_H */
|
||||||
|
|
29
lib/tpm.c
29
lib/tpm.c
|
@ -645,6 +645,35 @@ uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_TPM_FLUSH_RESOURCES
|
||||||
|
uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type)
|
||||||
|
{
|
||||||
|
const uint8_t command[18] = {
|
||||||
|
0x00, 0xc1, /* TPM_TAG */
|
||||||
|
0x00, 0x00, 0x00, 0x12, /* parameter size */
|
||||||
|
0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
|
||||||
|
0x00, 0x00, 0x00, 0x00, /* key handle */
|
||||||
|
0x00, 0x00, 0x00, 0x00, /* resource type */
|
||||||
|
};
|
||||||
|
const size_t key_handle_offset = 10;
|
||||||
|
const size_t resource_type_offset = 14;
|
||||||
|
uint8_t buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
|
||||||
|
size_t response_length = sizeof(response);
|
||||||
|
uint32_t err;
|
||||||
|
|
||||||
|
if (pack_byte_string(buf, sizeof(buf), "sdd",
|
||||||
|
0, command, sizeof(command),
|
||||||
|
key_handle_offset, key_handle,
|
||||||
|
resource_type_offset, resource_type))
|
||||||
|
return TPM_LIB_ERROR;
|
||||||
|
|
||||||
|
err = tpm_sendrecv_command(buf, response, &response_length);
|
||||||
|
if (err)
|
||||||
|
return err;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_TPM_FLUSH_RESOURCES */
|
||||||
|
|
||||||
#ifdef CONFIG_TPM_AUTH_SESSIONS
|
#ifdef CONFIG_TPM_AUTH_SESSIONS
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -142,8 +142,12 @@ ifdef CONFIG_SYS_U_BOOT_OFFS
|
||||||
HOSTCFLAGS_kwbimage.o += -DCONFIG_SYS_U_BOOT_OFFS=$(CONFIG_SYS_U_BOOT_OFFS)
|
HOSTCFLAGS_kwbimage.o += -DCONFIG_SYS_U_BOOT_OFFS=$(CONFIG_SYS_U_BOOT_OFFS)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifneq ($(CONFIG_ARMADA_38X)$(CONFIG_ARMADA_39X),)
|
||||||
|
HOSTCFLAGS_kwbimage.o += -DCONFIG_KWB_SECURE
|
||||||
|
endif
|
||||||
|
|
||||||
# MXSImage needs LibSSL
|
# MXSImage needs LibSSL
|
||||||
ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
|
ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_ARMADA_38X)$(CONFIG_ARMADA_39X)$(CONFIG_FIT_SIGNATURE),)
|
||||||
HOSTLOADLIBES_mkimage += \
|
HOSTLOADLIBES_mkimage += \
|
||||||
$(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto")
|
$(shell pkg-config --libs libssl libcrypto 2> /dev/null || echo "-lssl -lcrypto")
|
||||||
|
|
||||||
|
|
1117
tools/kwbimage.c
1117
tools/kwbimage.c
File diff suppressed because it is too large
Load Diff
|
@ -113,6 +113,43 @@ struct opt_hdr_v1 {
|
||||||
char data[0];
|
char data[0];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Public Key data in DER format
|
||||||
|
*/
|
||||||
|
struct pubkey_der_v1 {
|
||||||
|
uint8_t key[524];
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Signature (RSA 2048)
|
||||||
|
*/
|
||||||
|
struct sig_v1 {
|
||||||
|
uint8_t sig[256];
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Structure of secure header (Armada 38x)
|
||||||
|
*/
|
||||||
|
struct secure_hdr_v1 {
|
||||||
|
uint8_t headertype; /* 0x0 */
|
||||||
|
uint8_t headersz_msb; /* 0x1 */
|
||||||
|
uint16_t headersz_lsb; /* 0x2 - 0x3 */
|
||||||
|
uint32_t reserved1; /* 0x4 - 0x7 */
|
||||||
|
struct pubkey_der_v1 kak; /* 0x8 - 0x213 */
|
||||||
|
uint8_t jtag_delay; /* 0x214 */
|
||||||
|
uint8_t reserved2; /* 0x215 */
|
||||||
|
uint16_t reserved3; /* 0x216 - 0x217 */
|
||||||
|
uint32_t boxid; /* 0x218 - 0x21B */
|
||||||
|
uint32_t flashid; /* 0x21C - 0x21F */
|
||||||
|
struct sig_v1 hdrsig; /* 0x220 - 0x31F */
|
||||||
|
struct sig_v1 imgsig; /* 0x320 - 0x41F */
|
||||||
|
struct pubkey_der_v1 csk[16]; /* 0x420 - 0x24DF */
|
||||||
|
struct sig_v1 csksig; /* 0x24E0 - 0x25DF */
|
||||||
|
uint8_t next; /* 0x25E0 */
|
||||||
|
uint8_t reserved4; /* 0x25E1 */
|
||||||
|
uint16_t reserved5; /* 0x25E2 - 0x25E3 */
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Various values for the opt_hdr_v1->headertype field, describing the
|
* Various values for the opt_hdr_v1->headertype field, describing the
|
||||||
* different types of optional headers. The "secure" header contains
|
* different types of optional headers. The "secure" header contains
|
||||||
|
|
Loading…
Reference in New Issue