From: Juan Castillo <juan.castillo@arm.com>
Date: Mon, 17 Aug 2015 09:43:27 +0000 (+0100)
Subject: TBB: abort boot if BL3-2 cannot be authenticated
X-Git-Url: http://git.openwrt.org/%22https:/collectd.org//%22/%22https:/collectd.org/%22?a=commitdiff_plain;h=fedbc0497bb0407fc1d55430eae1938712f1afe8;p=project%2Fbcm63xx%2Fatf.git

TBB: abort boot if BL3-2 cannot be authenticated

BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
---

diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index 4c190025..71940a62 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -238,8 +238,14 @@ void bl2_main(void)
 	}
 
 	e = load_bl32(bl2_to_bl31_params);
-	if (e)
-		WARN("Failed to load BL3-2 (%i)\n", e);
+	if (e) {
+		if (e == LOAD_AUTH_ERR) {
+			ERROR("Failed to authenticate BL3-2\n");
+			panic();
+		} else {
+			WARN("Failed to load BL3-2 (%i)\n", e);
+		}
+	}
 
 	e = load_bl33(bl2_to_bl31_params);
 	if (e) {
diff --git a/common/bl_common.c b/common/bl_common.c
index b8558a69..3088cb06 100644
--- a/common/bl_common.c
+++ b/common/bl_common.c
@@ -37,6 +37,7 @@
 #include <errno.h>
 #include <io_storage.h>
 #include <platform.h>
+#include <string.h>
 
 unsigned long page_align(unsigned long value, unsigned dir)
 {
@@ -331,7 +332,7 @@ int load_auth_image(meminfo_t *mem_layout,
 	if (rc == 0) {
 		rc = load_auth_image(mem_layout, parent_id, image_base,
 				     image_data, NULL);
-		if (rc != IO_SUCCESS) {
+		if (rc != LOAD_SUCCESS) {
 			return rc;
 		}
 	}
@@ -341,7 +342,7 @@ int load_auth_image(meminfo_t *mem_layout,
 	rc = load_image(mem_layout, image_id, image_base, image_data,
 			entry_point_info);
 	if (rc != IO_SUCCESS) {
-		return rc;
+		return LOAD_ERR;
 	}
 
 #if TRUSTED_BOARD_BOOT
@@ -350,7 +351,11 @@ int load_auth_image(meminfo_t *mem_layout,
 				 (void *)image_data->image_base,
 				 image_data->image_size);
 	if (rc != 0) {
-		return IO_FAIL;
+		memset((void *)image_data->image_base, 0x00,
+		       image_data->image_size);
+		flush_dcache_range(image_data->image_base,
+				   image_data->image_size);
+		return LOAD_AUTH_ERR;
 	}
 
 	/* After working with data, invalidate the data cache */
@@ -358,5 +363,5 @@ int load_auth_image(meminfo_t *mem_layout,
 			(size_t)image_data->image_size);
 #endif /* TRUSTED_BOARD_BOOT */
 
-	return IO_SUCCESS;
+	return LOAD_SUCCESS;
 }
diff --git a/include/common/bl_common.h b/include/common/bl_common.h
index b1a9c8f6..66244ca9 100644
--- a/include/common/bl_common.h
+++ b/include/common/bl_common.h
@@ -202,6 +202,15 @@ typedef struct bl31_params {
 	image_info_t *bl33_image_info;
 } bl31_params_t;
 
+/*
+ * load_auth_image() return values
+ */
+enum {
+	LOAD_SUCCESS,		/* Load + authentication success */
+	LOAD_ERR,		/* Load error */
+	LOAD_AUTH_ERR		/* Authentication error */
+};
+
 
 /*
  * Compile time assertions related to the 'entry_point_info' structure to