MLK-12500-1 HAB: Add kernel image authentication in image loading

To support the trust boot chain, we integrate the authentication
into the kernel image loading process. The kernel image will be verified
at its load address. So when signing the kernel image, we need to
use this load address which may change on different platforms.

Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 3c118b8d6bbe1a25ca8c8bafeb528309f16fc73d)
(cherry picked from commit fd9a9759ed9b3a9fc26b18aff00880382213b1ca)

cmd/bootm.c

@@ -123,6 +123,31 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 			return do_bootm_subcommand(cmdtp, flag, argc, argv);
 	}
 
+#ifdef CONFIG_SECURE_BOOT
+	extern int authenticate_image(
+			uint32_t ddr_start, uint32_t raw_image_size);
+
+	switch (genimg_get_format((const void *)load_addr)) {
+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)
+	case IMAGE_FORMAT_LEGACY:
+		if (authenticate_image(load_addr,
+			image_get_image_size((image_header_t *)load_addr)) != 0) {
+			printf("Authenticate uImage Fail, Please check\n");
+			return 1;
+		}
+		break;
+#endif
+#ifdef CONFIG_ANDROID_BOOT_IMAGE
+	case IMAGE_FORMAT_ANDROID:
+		/* Do this authentication in boota command */
+		break;
+#endif
+	default:
+		printf("Not valid image format for Authentication, Please check\n");
+		return 1;
+	}
+#endif
+
 	return do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START |
 		BOOTM_STATE_FINDOS | BOOTM_STATE_FINDOTHER |
 		BOOTM_STATE_LOADOS |

cmd/bootz.c

@@ -55,6 +55,14 @@ static int bootz_start(cmd_tbl_t *cmdtp, int flag, int argc,
 	if (bootm_find_images(flag, argc, argv))
 		return 1;
 
+#ifdef CONFIG_SECURE_BOOT
+	extern int authenticate_image(
+			uint32_t ddr_start, uint32_t raw_image_size);
+	if (authenticate_image(images->ep, zi_end - zi_start) != 0) {
+		printf("Authenticate zImage Fail, Please check\n");
+		return 1;
+	}
+#endif
 	return 0;
 }