image: Add TEE loading to FIT loadable processing

To help automate the loading of a TEE image during the boot we add a new
FIT section type 'tee', when we see this type while loading the loadable
sections we automatically call the platforms TEE processing function on
this image section.

Signed-off-by: Andrew F. Davis <afd@ti.com>

3 files changed, 44 insertions, 1 deletions

diff --git a/Kconfig b/Kconfig
index 47b6a9a99c..be25f39beb 100644
--- a/Kconfig
+++ b/Kconfig
@@ -314,6 +314,16 @@ config FIT_IMAGE_POST_PROCESS
 	  injected into the FIT creation (i.e. the blobs would have been pre-
 	  processed before being added to the FIT image).
 
+config FIT_IMAGE_TEE_PROCESS
+	bool "Enable processing of TEE images during FIT loading by U-Boot"
+	depends on FIT && TI_SECURE_DEVICE
+	help
+	  Allows platforms to perform processing, such as authentication and
+	  installation, on TEE images extracted from FIT images in a platform
+	  or board specific way. In order to use this feature a platform or
+	  board-specific implementation of board_tee_image_process() must be
+	  provided.
+
 config SPL_PANIC_ON_NON_FIT_IMAGE
 	bool "Disable SPL loading of non-FIT images"
 	help
diff --git a/common/image.c b/common/image.c
index 26d6c9a592..dec05c70a7 100644
--- a/common/image.c
+++ b/common/image.c
@@ -159,6 +159,7 @@ static const table_entry_t uimage_type[] = {
 	{	IH_TYPE_RKSD,       "rksd",       "Rockchip SD Boot Image" },
 	{	IH_TYPE_RKSPI,      "rkspi",      "Rockchip SPI Boot Image" },
 	{	IH_TYPE_ZYNQIMAGE,  "zynqimage",  "Xilinx Zynq Boot Image" },
+	{	IH_TYPE_TEE,        "tee",        "TEE OS Image",},
 	{	-1,		    "",		  "",			},
 };
 
@@ -1229,6 +1230,8 @@ int boot_get_loadable(int argc, char * const argv[], bootm_headers_t *images,
 	int fit_img_result;
 	char *uname;
 
+	uint8_t img_type;
+
 	/* Check to see if the images struct has a FIT configuration */
 	if (!genimg_has_config(images)) {
 		debug("## FIT configuration was not specified\n");
@@ -1269,6 +1272,21 @@ int boot_get_loadable(int argc, char * const argv[], bootm_headers_t *images,
 				/* Something went wrong! */
 				return fit_img_result;
 			}
+
+			fit_img_result = fit_image_get_node(buf, uname);
+			if (fit_img_result < 0) {
+				/* Something went wrong! */
+				return fit_img_result;
+			}
+			fit_img_result = fit_image_get_type(buf, fit_img_result, &img_type);
+			if (fit_img_result < 0) {
+				/* Something went wrong! */
+				return fit_img_result;
+			}
+#if defined(CONFIG_FIT_IMAGE_TEE_PROCESS)
+			if (img_type == IH_TYPE_TEE)
+				board_tee_image_process(img_data, img_len);
+#endif
 		}
 		break;
 	default:
diff --git a/include/image.h b/include/image.h
index 8d3cb3550d..baa174c58c 100644
--- a/include/image.h
+++ b/include/image.h
@@ -246,8 +246,9 @@ struct lmb;
 #define IH_TYPE_RKSD		24	/* Rockchip SD card		*/
 #define IH_TYPE_RKSPI		25	/* Rockchip SPI image		*/
 #define IH_TYPE_ZYNQIMAGE	26	/* Xilinx Zynq Boot Image */
+#define IH_TYPE_TEE		27	/* Trusted Execution Environment OS Image */
 
-#define IH_TYPE_COUNT		27	/* Number of image types */
+#define IH_TYPE_COUNT		28	/* Number of image types */
 
 /*
  * Compression Types
@@ -1185,4 +1186,18 @@ int board_fit_config_name_match(const char *name);
 void board_fit_image_post_process(void **p_image, size_t *p_size);
 #endif /* CONFIG_SPL_FIT_IMAGE_POST_PROCESS */
 
+#ifdef CONFIG_FIT_IMAGE_TEE_PROCESS
+/**
+ * board_fit_tee_process() - Do any needed processing on a loaded TEE image
+ *
+ * This is used to verify, decrypt, and/or install a TEE in a platform or
+ * board specific way.
+ *
+ * @tee_image: pointer to the image
+ * @tee_size: the image size
+ * @return no return value (failure should be handled internally)
+ */
+void board_tee_image_process(void *tee_image, size_t tee_size);
+#endif /* CONFIG_FIT_IMAGE_TEE_PROCESS */
+
 #endif	/* __IMAGE_H__ */