TBB: abort boot if BL3-2 cannot be authenticated
authorJuan Castillo <[email protected]>
Mon, 17 Aug 2015 09:43:27 +0000 (10:43 +0100)
committerJuan Castillo <[email protected]>
Thu, 20 Aug 2015 15:44:02 +0000 (16:44 +0100)
BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded, a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992

bl2/bl2_main.c
common/bl_common.c
include/common/bl_common.h

index 4c1900252244af99109398f7d94839461921dd7f..71940a62cfb67a9abd8b3857f712063b464dbcea 100644 (file)
@@ -238,8 +238,14 @@ void bl2_main(void)
        }
 
        e = load_bl32(bl2_to_bl31_params);
-       if (e)
-               WARN("Failed to load BL3-2 (%i)\n", e);
+       if (e) {
+               if (e == LOAD_AUTH_ERR) {
+                       ERROR("Failed to authenticate BL3-2\n");
+                       panic();
+               } else {
+                       WARN("Failed to load BL3-2 (%i)\n", e);
+               }
+       }
 
        e = load_bl33(bl2_to_bl31_params);
        if (e) {
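Review bot: The WARN in the else branch still formats `e` with `%i`, but after this commit load_auth_image() collapses every load failure to the enum constant LOAD_ERR (the `return LOAD_ERR;` hunk in common/bl_common.c), so, assuming load_bl32() passes that value through unchanged, the message now prints a constant instead of the underlying io_storage error code. Either log the io_storage result inside load_auth_image() before it is discarded, or drop the number from the message, `WARN("Failed to load BL3-2\n");`, so it does not look like a meaningful diagnostic. The same loss of the original code applies to any other caller that reports `e`. bl2_main's body continues outside the hunk.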
index b8558a69d4c4388de75880c52fc41e59dd0cdae7..3088cb06605b702d1afcc5d323ce1f1a594efe8a 100644 (file)
@@ -37,6 +37,7 @@
 #include <errno.h>
 #include <io_storage.h>
 #include <platform.h>
+#include <string.h>
 
 unsigned long page_align(unsigned long value, unsigned dir)
 {
@@ -331,7 +332,7 @@ int load_auth_image(meminfo_t *mem_layout,
        if (rc == 0) {
                rc = load_auth_image(mem_layout, parent_id, image_base,
                                     image_data, NULL);
-               if (rc != IO_SUCCESS) {
+               if (rc != LOAD_SUCCESS) {
                        return rc;
                }
        }
@@ -341,7 +342,7 @@ int load_auth_image(meminfo_t *mem_layout,
        rc = load_image(mem_layout, image_id, image_base, image_data,
                        entry_point_info);
        if (rc != IO_SUCCESS) {
-               return rc;
+               return LOAD_ERR;
        }
 
 #if TRUSTED_BOARD_BOOT
@@ -350,7 +351,11 @@ int load_auth_image(meminfo_t *mem_layout,
                                 (void *)image_data->image_base,
                                 image_data->image_size);
        if (rc != 0) {
-               return IO_FAIL;
+               memset((void *)image_data->image_base, 0x00,
+                      image_data->image_size);
+               flush_dcache_range(image_data->image_base,
+                                  image_data->image_size);
+               return LOAD_AUTH_ERR;
        }
 
        /* After working with data, invalidate the data cache */
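Review bot: The new flush_dcache_range() call passes `image_data->image_size` without the `(size_t)` cast that the existing cache-invalidate call a few lines below in the same TRUSTED_BOARD_BOOT block uses, so the two calls in one function now spell the same argument differently; use `flush_dcache_range(image_data->image_base, (size_t)image_data->image_size);` for consistency (whether the missing cast also triggers a conversion warning depends on image_size's declared type, which is not visible here). The wipe itself is correctly ordered, memset then flush, so the zeros reach memory rather than staying in cache, but nothing says why it is done; a one-line comment such as `/* Do not leave an unauthenticated image in memory: wipe it and push the zeros past the data cache */` above the memset would make the intent clear to the next reader. load_auth_image's body starts and continues outside this hunk.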
@@ -358,5 +363,5 @@ int load_auth_image(meminfo_t *mem_layout,
                        (size_t)image_data->image_size);
 #endif /* TRUSTED_BOARD_BOOT */
 
-       return IO_SUCCESS;
+       return LOAD_SUCCESS;
 }
index b1a9c8f6190b7fe0d366630bc5a7db591d31b257..66244ca93cec57e74d9596ed19f1a542e15d5a5d 100644 (file)
@@ -202,6 +202,15 @@ typedef struct bl31_params {
        image_info_t *bl33_image_info;
 } bl31_params_t;
 
+/*
+ * load_auth_image() return values
+ */
+enum {
+       LOAD_SUCCESS,           /* Load + authentication success */
+       LOAD_ERR,               /* Load error */
+       LOAD_AUTH_ERR           /* Authentication error */
+};
+
 
 /*
  * Compile time assertions related to the 'entry_point_info' structure to
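Review bot: The new enum does not document what a caller must do with each value, even though the whole point of LOAD_AUTH_ERR is that the caller is obliged to abort and the image memory has already been wiped by the time it is returned; the trailing comment should say so, e.g. `LOAD_AUTH_ERR /* Authentication error: image memory wiped, caller must abort the boot */`. It is also worth a sentence in the block comment that callers must compare against LOAD_* rather than the io_storage codes: if IO_SUCCESS is 0 as in io_storage.h, a stale `rc != IO_SUCCESS` test still compiles and behaves, while a comparison against IO_FAIL silently stops matching. The added `+` blank line after the closing brace leaves two consecutive blank lines before the next comment; one is enough.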