diff --git a/plat/st/common/include/stm32mp_common.h b/plat/st/common/include/stm32mp_common.h index cc06f5cb2..a13e9e582 100644 --- a/plat/st/common/include/stm32mp_common.h +++ b/plat/st/common/include/stm32mp_common.h @@ -21,6 +21,7 @@ uint16_t stm32mp_get_boot_itf_selected(void); bool stm32mp_is_single_core(void); bool stm32mp_is_closed_device(void); +bool stm32mp_is_auth_supported(void); /* Return the base address of the DDR controller */ uintptr_t stm32mp_ddrctrl_base(void); diff --git a/plat/st/common/stm32mp_auth.c b/plat/st/common/stm32mp_auth.c index 744201cd1..97fbffa2e 100644 --- a/plat/st/common/stm32mp_auth.c +++ b/plat/st/common/stm32mp_auth.c @@ -46,6 +46,11 @@ int stm32mp_auth_image(boot_api_image_header_t *header, uintptr_t buffer) INFO("Check signature on Open device\n"); } + if (auth_ops == NULL) { + ERROR("Device doesn't support image authentication\n"); + return -EOPNOTSUPP; + } + ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE); if (ret != 0) { diff --git a/plat/st/stm32mp1/bl2_plat_setup.c b/plat/st/stm32mp1/bl2_plat_setup.c index 13ba5abd6..150436086 100644 --- a/plat/st/stm32mp1/bl2_plat_setup.c +++ b/plat/st/stm32mp1/bl2_plat_setup.c @@ -33,6 +33,20 @@ #include #include +#if DEBUG +static const char debug_msg[] = { + "***************************************************\n" + "** DEBUG ACCESS PORT IS OPEN! **\n" + "** This boot image is only for debugging purpose **\n" + "** and is unsafe for production use. **\n" + "** **\n" + "** If you see this message and you are not **\n" + "** debugging report this immediately to your **\n" + "** vendor! **\n" + "***************************************************\n" +}; +#endif + static struct stm32mp_auth_ops stm32mp1_auth_ops; static void print_reset_reason(void) @@ -333,11 +347,24 @@ skip_console_init: stm32_iwdg_refresh(); - stm32mp1_auth_ops.check_key = boot_context->bootrom_ecdsa_check_key; - stm32mp1_auth_ops.verify_signature = - boot_context->bootrom_ecdsa_verify_signature; + if (bsec_read_debug_conf() != 0U) { + if (stm32mp_is_closed_device()) { +#if DEBUG + WARN("\n%s", debug_msg); +#else + ERROR("***Debug opened on closed chip***\n"); +#endif + } + } - stm32mp_init_auth(&stm32mp1_auth_ops); + if (stm32mp_is_auth_supported()) { + stm32mp1_auth_ops.check_key = + boot_context->bootrom_ecdsa_check_key; + stm32mp1_auth_ops.verify_signature = + boot_context->bootrom_ecdsa_verify_signature; + + stm32mp_init_auth(&stm32mp1_auth_ops); + } stm32mp1_arch_security_setup(); diff --git a/plat/st/stm32mp1/stm32mp1_private.c b/plat/st/stm32mp1/stm32mp1_private.c index 075d1d7fa..9b39b9d3e 100644 --- a/plat/st/stm32mp1/stm32mp1_private.c +++ b/plat/st/stm32mp1/stm32mp1_private.c @@ -420,15 +420,20 @@ void stm32mp_print_boardinfo(void) /* Return true when SoC provides a single Cortex-A7 core, and false otherwise */ bool stm32mp_is_single_core(void) { + bool single_core = false; + switch (get_part_number()) { case STM32MP151A_PART_NB: case STM32MP151C_PART_NB: case STM32MP151D_PART_NB: case STM32MP151F_PART_NB: - return true; + single_core = true; + break; default: - return false; + break; } + + return single_core; } /* Return true when device is in closed state */ @@ -443,6 +448,27 @@ bool stm32mp_is_closed_device(void) return (value & CFG0_CLOSED_DEVICE) == CFG0_CLOSED_DEVICE; } +/* Return true when device supports secure boot */ +bool stm32mp_is_auth_supported(void) +{ + bool supported = false; + + switch (get_part_number()) { + case STM32MP151C_PART_NB: + case STM32MP151F_PART_NB: + case STM32MP153C_PART_NB: + case STM32MP153F_PART_NB: + case STM32MP157C_PART_NB: + case STM32MP157F_PART_NB: + supported = true; + break; + default: + break; + } + + return supported; +} + uint32_t stm32_iwdg_get_instance(uintptr_t base) { switch (base) {