Replace CONFIG_PPC_T1024 with ARCH_T1024 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_PPC_T1023 with ARCH_T1023 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Use CONFIG_TARGET_B4860QDS instead.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_P5040 with ARCH_P5040 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_PPC_P5020 with ARCH_P5020 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_PPC_P4080 with ARCH_P4080 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_PPC_P3041 with ARCH_P3041 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Replace CONFIG_PPC_P2041 with ARCH_P2041 in Kconfig and clean up
existing macros.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Use CONFIG_TARGET_C29XPCIE instead.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Use CONFIG_TARGET_BSC9132QDS from Kconfig option, remove CONFIG_BSC9132QDS
macro.
Signed-off-by: NYork Sun <york.sun@nxp.com>

Move this option to Kconfig and tidy up existing uses.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Move this option to Kconfig and tidy up existing uses.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Move this option to Kconfig and tidy up existing uses.
Signed-off-by: NSimon Glass <sjg@chromium.org>

A few boards define this in a header file which is incorrect. It means that
Kconfig options that rely on this cannot be used. Move it.
Signed-off-by: NSimon Glass <sjg@chromium.org>

A few boards define this in a header file which is incorrect. It means that
Kconfig options that rely on this cannot be used. Move it.

Note that quite a few boards defined this options but do not appear to
actually use SPL:

	BSC9132QDS_NOR_DDRCLK100_SECURE
	BSC9132QDS_NOR_DDRCLK133_SECURE
	BSC9132QDS_SDCARD_DDRCLK100_SECURE
	BSC9132QDS_SDCARD_DDRCLK133_SECURE
	BSC9132QDS_SPIFLASH_DDRCLK100_SECURE
	BSC9132QDS_SPIFLASH_DDRCLK133_SECURE
	C29XPCIE_NOR_SECBOOT
	P1010RDB-PA_36BIT_NAND_SECBOOT
	P1010RDB-PA_36BIT_SPIFLASH_SECBOOT
	P1010RDB-PA_NAND_SECBOOT
	P1010RDB-PA_NOR_SECBOOT
	P1010RDB-PB_36BIT_NOR_SECBOOT
	P1010RDB-PB_36BIT_SPIFLASH_SECBOOT
	P1010RDB-PB_NAND_SECBOOT
	P1010RDB-PB_NOR_SECBOOT
	P3041DS_SECURE_BOOT
	P4080DS_SECURE_BOOT
	P5020DS_NAND_SECURE_BOOT
	P5040DS_SECURE_BOOT
	T1023RDB_SECURE_BOOT
	T1024QDS_DDR4_SECURE_BOOT
	T1024QDS_SECURE_BOOT
	T1024RDB_SECURE_BOOT
	T1040RDB_SECURE_BOOT
	T1042D4RDB_SECURE_BOOT
	T1042RDB_SECURE_BOOT
	T2080QDS_SECURE_BOOT
	T2080RDB_SECURE_BOOT
	T4160QDS_SECURE_BOOT
	T4240QDS_SECURE_BOOT
	ls1021aqds_nor_SECURE_BOOT
	ls1021atwr_nor_SECURE_BOOT
	ls1043ardb_SECURE_BOOT

For these boards CONFIG_SPL_DM will no-longer be defined in SPL. But since
they apparently don't have an SPL, this should not matter.
Signed-off-by: NSimon Glass <sjg@chromium.org>

The secure boot header files incorrectly define SPL options only if
CONFIG_SPL_BUILD is defined. This means that the options are only enabled
in an SPL build, and not with a normal 'make xxx_defconfig'. This means
that moveconfig.py cannot work, since it sees the options as disabled even
when they may be manually enabled in an SPL build.

Fix this by changing the order.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Add support for reading bootscript and bootscript header from SD. Also
renamed macros *_FLASH to *_DEVICE to represent SD alongwith NAND and
NOR flash.
Reviewed-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: NSumit Garg <sumit.garg@nxp.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>
Reviewed-by: NYork Sun <york.sun@nxp.com>

For mpc85xx SoCs, the core begins execution from address 0xFFFFFFFC.
In non-secure boot scenario from NAND, this address will map to CPC
configured as SRAM. But in case of secure boot, this default address
always maps to IBR (Internal Boot ROM).
The IBR code requires that the bootloader(U-boot) must lie in 0 to 3.5G
address space i.e. 0x0 - 0xDFFFFFFF.

For secure boot target from NAND, the text base for SPL is kept same as
non-secure boot target i.e. 0xFFFx_xxxx but the SPL U-boot binary will
be copied to CPC configured as SRAM with address in 0-3.5G(0xBFFC_0000)
As a the virtual and physical address of CPC would be different. The
virtual address 0xFFFx_xxxx needs to be mapped to physical address
0xBFFx_xxxx.

Create a new PBI file to configure CPC as SRAM with address 0xBFFC0000
and update DCFG SCRTACH1 register with location of Header required for
secure boot.

The changes are similar to
commit 467a40df
    powerpc/mpc85xx: SECURE BOOT- NAND secure boot target for P3041

While P3041 has a 1MB CPC and does not require SPL. On T104x, CPC
is only 256K and thus SPL framework is used.
The changes are only applicable for SPL U-Boot running out of CPC SRAM
and not the next level U-Boot loaded on DDR.
Reviewed-by: NRuchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>
Signed-off-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: NSumit Garg <sumit.garg@nxp.com>
Reviewed-by: NYork Sun <york.sun@nxp.com>

As part of Chain of Trust for Secure boot, the SPL U-Boot will validate
the next level U-boot image. Add a new function spl_validate_uboot to
perform the validation.

Enable hardware crypto operations in SPL using SEC block.
In case of Secure Boot, PAMU is not bypassed. For allowing SEC block
access to CPC configured as SRAM, configure PAMU.
Reviewed-by: NRuchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Signed-off-by: NSumit Garg <sumit.garg@nxp.com>
Reviewed-by: NSimon Glass <sjg@chromium.org>
Reviewed-by: NYork Sun <york.sun@nxp.com>

There are already two FIT options in Kconfig but the CONFIG options are
still in the header files. We need to do a proper move to fix this.

Move these options to Kconfig and tidy up board configuration:

   CONFIG_FIT
   CONFIG_OF_BOARD_SETUP
   CONFIG_OF_SYSTEM_SETUP
   CONFIG_FIT_SIGNATURE
   CONFIG_FIT_BEST_MATCH
   CONFIG_FIT_VERBOSE
   CONFIG_OF_STDOUT_VIA_ALIAS
   CONFIG_RSA

Unfortunately the first one is a little complicated. We need to make sure
this option is not enabled in SPL by this change. Also this option is
enabled automatically in the host builds by defining CONFIG_FIT in the
image.h file. To solve this, add a new IMAGE_USE_FIT #define which can
be used in files that are built on the host but must also build for U-Boot
and SPL.

Note: Masahiro's moveconfig.py script is amazing.
Signed-off-by: NSimon Glass <sjg@chromium.org>
[trini: Add microblaze change, various configs/ re-applies]
Signed-off-by: NTom Rini <trini@konsulko.com>

Kconfig options must defined in the defconfig files. Since RSA_SOFTWARE_EXP
relies on CONFIG_DM, unless it is set in kconfig we cannot enable RSA.
Remove the hacks which enable CONFIG_DM in header files and update the
defconfig.
Signed-off-by: NSimon Glass <sjg@chromium.org>

Chain of Trust is enabled for PowerPC platforms for Secure Boot.
CONFIG_BOARD_LATE_INIT is defined.
In board_late_init(), fsl_setenv_chain_of_trust() is called which
will perform the following:
- If boot mode is non-secure, return (No Change)
- If boot mode is secure, set the following environmet variables:
   bootdelay = 0 (To disable Boot Prompt)
   bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
Signed-off-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Acked-by: NRuchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: NYork Sun <york.sun@nxp.com>

There are two phases in Secure Boot
1. ISBC: In BootROM, validate the BootLoader (U-Boot).
2. ESBC: In U-Boot, continuing the Chain of Trust by
         validating and booting LINUX.

For ESBC phase, there is no difference in SoC's based on ARM or
PowerPC cores.

But the exit conditions after ISBC phase i.e. entry conditions for
U-Boot are different for ARM and PowerPC.
PowerPC:

If Secure Boot is executed, a separate U-Boot target is required
which must be compiled with a diffrent Text Base as compared to
Non-Secure Boot. There are some LAW and TLB settings which are
required specifically for Secure Boot scenario.

ARM:
ARM based SoC's have a fixed memory map and exit conditions from
BootROM are same irrespective of boot mode (Secure or Non-Secure).

Thus the current Secure Boot functionlity has been split into
two parts:
CONFIG_CHAIN_OF_TRUST
This will have the following functionality as part of U-Boot:
1. Enable commands like esbc_validate, esbc_halt
2. Change the environment settings based on bootmode, determined
   at run time:
     - If bootmode is non-secure, no change
     - If bootmode is secure, set the following:
         - bootdelay = 0 (Don't give boot prompt)
         - bootcmd = Validate and execute the bootscript.

CONFIG_SECURE_BOOT
This is defined only for creating a different compile time target
for secure boot.

Traditionally, both these functionalities were defined under
CONFIG_SECURE_BOOT. This patch is aimed at removing the requirement
for a separate Secure Boot target for ARM based SoC's.
CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be
determine at run time.

Another Security Requirement for running CHAIN_OF_TRUST is that
U-Boot environemnt must not be picked from flash/external memory.
This cannot be done based on bootmode at run time in current U-Boot
architecture. Once this dependency is resolved, no separate
SECURE_BOOT target will be required for ARM based SoC's.

Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is
defining CONFIG_ENV_IS_NOWHERE
Signed-off-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Acked-by: NRuchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: NYork Sun <york.sun@nxp.com>

CONFIG_CMD_BLOB must be defined in case of Secure Boot. It was
earlier defined in all config files. The definition has been
moved to a common file which is included by all configs.
Signed-off-by: NAneesh Bansal <aneesh.bansal@nxp.com>
Acked-by: NRuchika Gupta <ruchika.gupta@nxp.com>
Reviewed-by: NYork Sun <york.sun@nxp.com>

ISBC Key Extension feature is not applicable for RAMBOOT
as there is no way to retrieve the CSF Header and validated
IE Key table from SRAM once CPC has been disabled.
The feature is only applicable in case of NOR SECURE BOOT.
Code Cleanup:
The SECURE_BOOT specific defines have been moved from
arch-ls102xa/config.h to
arm/include/asm/fsl_secure_boot.h
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

For running Chain of Trust when doing Secure Boot from NAND,
the Bootscript header and bootscript must be copied from NAND
to RAM(DDR).
The addresses and commands for the same have been defined.
Signed-off-by: NSaksham Jain <saksham@freescale.com>
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Secure Boot Target is added for NAND for P3041.
For mpc85xx SoCs, the core begins execution from address 0xFFFFFFFC.
In case of secure boot, this default address maps to Boot ROM.
The Boot ROM code requires that the bootloader(U-boot) must lie
in 0 to 3.5G address space i.e. 0x0 - 0xDFFFFFFF.

In case of NAND Secure Boot, CONFIG_SYS_RAMBOOT is enabled and CPC is
configured as SRAM. U-Boot binary will be located on SRAM configured
at address 0xBFF00000.
In the U-Boot code, TLB entries are created to map the virtual address
0xFFF00000 to physical address 0xBFF00000 of CPC configured as SRAM.
Signed-off-by: NSaksham Jain <saksham@freescale.com>
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

defconfig files are added and SFP version for these platforms
is updated.
Signed-off-by: NGaurav Rana <gaurav.rana@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

1. Default environment will be used for secure boot flow
 which can't be edited or saved.
2. Command for secure boot is predefined in the default
 environment which will run on autoboot (and autoboot is
 the only option allowed in case of secure boot) and it
 looks like this:
 #define CONFIG_SECBOOT \
 "setenv bs_hdraddr 0xe8e00000;"                 \
 "esbc_validate $bs_hdraddr;"                    \
 "source $img_addr;"                             \
 "esbc_halt;"
 #endif
3. Boot Script can contain esbc_validate commands and bootm command.
 Uboot source command used in default secure boot command will
 run the bootscript.
4. Command esbc_halt added to ensure either bootm executes
 after validation of images or core should just spin.
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NGaurav Rana <gaurav.rana@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

esbc_validate command uses various IP Blocks: Security Monitor, CAAM block
and SFP registers. Hence the respective CONFIG's are enabled.

Apart from these CONFIG_SHA_PROG_HW_ACCEL and CONFIG_RSA are also enabled.
Signed-off-by: NGaurav Rana <gaurav.rana@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

CONFIG_SYS_PBI_FLASH_BASE is defined for Secure Boot on C29X
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Add support for Freescale T1024/T1023 SoC.

The T1024 SoC includes the following function and features:
- Two 64-bit Power architecture e5500 cores, up to 1.4GHz
- private 256KB L2 cache each core and shared 256KB CoreNet platform cache (CPC)
- 32-/64-bit DDR3L/DDR4 SDRAM memory controller with ECC and interleaving support
- Data Path Acceleration Architecture (DPAA) incorporating acceleration
- Four MAC for 1G/2.5G/10G network interfaces (RGMII, SGMII, QSGMII, XFI)
- High-speed peripheral interfaces
  - Three PCI Express 2.0 controllers
- Additional peripheral interfaces
  - One SATA 2.0 controller
  - Two USB 2.0 controllers with integrated PHY
  - Enhanced secure digital host controller (SD/eSDHC/eMMC)
  - Enhanced serial peripheral interface (eSPI)
  - Four I2C controllers
  - Four 2-pin UARTs or two 4-pin UARTs
  - Integrated Flash Controller supporting NAND and NOR flash
- Two 8-channel DMA engines
- Multicore programmable interrupt controller (PIC)
- LCD interface (DIU) with 12 bit dual data rate
- QUICC Engine block supporting TDM, HDLC, and UART
- Deep Sleep power implementaion (wakeup from GPIO/Timer/Ethernet/USB)
- Support for hardware virtualization and partitioning enforcement
- QorIQ Platform's Trust Architecture 2.0

Differences between T1024 and T1023:
  Feature         T1024  T1023
  QUICC Engine:   yes    no
  DIU:            yes    no
  Deep Sleep:     yes    no
  I2C controller: 4      3
  DDR:            64-bit 32-bit
  IFC:            32-bit 28-bit
Signed-off-by: NShengzhou Liu <Shengzhou.Liu@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Secure Boot Target is added for T2080RDB

Changes:
For Secure boot, CPC is configured as SRAM and used as house
keeping area which needs to be disabled.
So CONFIG_SYS_CPC_REINIT_F is defined for CONFIG_T2080RDB.
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>

T1040RDB.h file is removed and a unified file T104xRDB.h is created.
Hence macro CONFIG_T1040 is renamed to CONFIG_T104x.
Signed-off-by: NGaurav Kumar Rana <gaurav.rana@freescale.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>

Secure Boot Target is added for T1040QDS and T1040RDB
Changes:
For Secure boot, CPC is configured as SRAM and used as house
keeping area which needs to be disabled.
So CONFIG_SYS_CPC_REINIT_F is defined for CONFIG_T1040QDS and
CONFIG_T1040RDB
Signed-off-by: NGaurav Rana <gaurav.rana@freescale.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Secure Boot Target is added for T2080QDS
Changes:
For Secure boot, CPC is configured as SRAM and used as house
keeping area which needs to be disabled.
So CONFIG_SYS_CPC_REINIT_F is defined for CONFIG_T2080QDS.
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Secure Boot Target is added for T4240QDS and T4160QDS
Changes:
For Secure boot, CPC is configured as SRAM and used as house
keeping area which needs to be disabled.
So CONFIG_SYS_CPC_REINIT_F is defined for CONFIG_T4240QDS.
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Changes:
1. L2 cache is being invalidated by Boot ROM code for e6500 core.
   So removing the invalidation from start.S
2. Clear the LAW and corresponding configuration for CPC. Boot ROM
   code uses it as hosekeeping area.
3. For Secure boot, CPC is configured as SRAM and used as house
   keeping area. This configuration is to be disabled once in uboot.
   Earlier this disabling of CPC as SRAM was happening in cpu_init_r.
   As a result cache invalidation function was getting skipped in
   case CPC is configured as SRAM.This was causing random crashes.
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

Add NOR, SPI and SD secure boot targets for BSC9132QDS.

Changes:
- Debug TLB entry is not required for Secure Boot Target.
Signed-off-by: NAneesh Bansal <aneesh.bansal@freescale.com>
Reviewed-by: NYork Sun <yorksun@freescale.com>

This patch is for board config file not to add CONFIG_SECURE_BOOT
condition for include the asm/fsl_secure_boot.h.
Signed-off-by: NPo Liu <Po.Liu@freescale.com>