Merge branch '2022-05-02-add-verifying-program-loader'

To quote the author:

U-Boot provides a verified-boot feature based around FIT, but there is
no standard way of implementing it for a board. At present the various
required pieces must be built up separately, to produce a working
implementation. In particular, there is no built-in support for selecting
A/B boot or recovery mode.

This series introduces VPL, a verified program loader phase for U-Boot.
Its purpose is to run the verified-boot process and decide which SPL
binary should be run. It is critical that this decision happens before
SPL runs, since SPL sets up SDRAM and we need to be able to update the
SDRAM-init code in the field.

Adding VPL into the boot flow provides a standard place to implement
verified boot. This series includes the phase itself, some useful Kconfig
options and a sandbox_vpl build for sandbox. No verfied-boot support is
provided in this series.

Most of the patches in this series are fixes and improvements to docs and
various Kconfig conditions for SPL.

drivers/Makefile

@@ -38,6 +38,7 @@ obj-$(CONFIG_XEN) += xen/
 obj-$(CONFIG_$(SPL_)FPGA) += fpga/
 
 ifndef CONFIG_TPL_BUILD
+ifndef CONFIG_VPL_BUILD
 ifdef CONFIG_SPL_BUILD
 
 obj-$(CONFIG_SPL_CPU) += cpu/
@@ -60,6 +61,7 @@ obj-$(CONFIG_SPL_SATA) += ata/ scsi/
 obj-$(CONFIG_HAVE_BLOCK_DEVICE) += block/
 obj-$(CONFIG_SPL_THERMAL) += thermal/
 
+endif
 endif
 endif
 

drivers/block/Kconfig

@@ -39,6 +39,18 @@ config TPL_BLK
 	  be partitioned into several areas, called 'partitions' in U-Boot.
 	  A filesystem can be placed in each partition.
 
+config VPL_BLK
+	bool "Support block devices in VPL"
+	depends on VPL_DM && BLK
+	default y
+	help
+	  Enable support for block devices, such as SCSI, MMC and USB
+	  flash sticks. These provide a block-level interface which permits
+	  reading, writing and (in some cases) erasing blocks. Block
+	  devices often have a partition table which allows the device to
+	  be partitioned into several areas, called 'partitions' in U-Boot.
+	  A filesystem can be placed in each partition.
+
 config BLOCK_CACHE
 	bool "Use block device cache"
 	depends on BLK

drivers/clk/Kconfig

@@ -30,6 +30,32 @@ config TPL_CLK
 	  setting up clocks within TPL, and allows the same drivers to be
 	  used as U-Boot proper.
 
+config VPL_CLK
+	bool "Enable clock support in VPL"
+	depends on CLK && VPL_DM
+	help
+	  The clock subsystem adds a small amount of overhead to the image.
+	  If this is acceptable and you have a need to use clock drivers in
+	  SPL, enable this option. It might provide a cleaner interface to
+	  setting up clocks within TPL, and allows the same drivers to be
+	  used as U-Boot proper.
+
+config CLK_BCM6345
+	bool "Clock controller driver for BCM6345"
+	depends on CLK && ARCH_BMIPS
+	default y
+	help
+	  This clock driver adds support for enabling and disabling peripheral
+	  clocks on BCM6345 SoCs. HW has no rate changing capabilities.
+
+config CLK_BOSTON
+	def_bool y if TARGET_BOSTON
+	depends on CLK
+	select REGMAP
+	select SYSCON
+	help
+	  Enable this to support the clocks
+
 config SPL_CLK_CCF
 	bool "SPL Common Clock Framework [CCF] support "
 	depends on SPL

drivers/core/Kconfig

@@ -35,6 +35,16 @@ config TPL_DM
 	  CONFIG_SPL_SYS_MALLOC_F_LEN for more details on how to enable it.
 	  Disable this for very small implementations.
 
+config VPL_DM
+	bool "Enable Driver Model for VPL"
+	depends on DM && VPL
+	default y if SPL_DM
+	help
+	  Enable driver model in VPL. You will need to provide a
+	  suitable malloc() implementation. If you are not using the
+	  full malloc() enabled by CONFIG_SYS_SPL_MALLOC_START,
+	  consider using CONFIG_SYS_MALLOC_SIMPLE.
+
 config DM_WARN
 	bool "Enable warnings in driver model"
 	depends on DM
@@ -121,6 +131,15 @@ config SPL_DM_SEQ_ALIAS
 	  numbered devices (e.g. serial0 = &serial0). This feature can be
 	  disabled if it is not required, to save code space in SPL.
 
+config VPL_DM_SEQ_ALIAS
+	bool "Support numbered aliases in device tree in VPL"
+	depends on VPL_DM
+	default y
+	help
+	  Most boards will have a '/aliases' node containing the path to
+	  numbered devices (e.g. serial0 = &serial0). This feature can be
+	  disabled if it is not required, to save code space in VPL.
+
 config SPL_DM_INLINE_OFNODE
 	bool "Inline some ofnode functions which are seldom used in SPL"
 	depends on SPL_DM
@@ -176,6 +195,16 @@ config TPL_REGMAP
 	  support any bus type (I2C, SPI) but so far this only supports
 	  direct memory access.
 
+config VPL_REGMAP
+	bool "Support register maps in VPL"
+	depends on VPL_DM
+	help
+	  Hardware peripherals tend to have one or more sets of registers
+	  which can be accessed to control the hardware. A register map
+	  models this with a simple read/write interface. It can in principle
+	  support any bus type (I2C, SPI) but so far this only supports
+	  direct memory access.
+
 config SYSCON
 	bool "Support system controllers"
 	depends on REGMAP
@@ -196,7 +225,16 @@ config SPL_SYSCON
 
 config TPL_SYSCON
 	bool "Support system controllers in TPL"
-	depends on TPL_REGMAP
+	depends on SPL_REGMAP
+	help
+	  Many SoCs have a number of system controllers which are dealt with
+	  as a group by a single driver. Some common functionality is provided
+	  by this uclass, including accessing registers via regmap and
+	  assigning a unique number to each.
+
+config VPL_SYSCON
+	bool "Support system controllers in VPL"
+	depends on VPL_REGMAP
 	help
 	  Many SoCs have a number of system controllers which are dealt with
 	  as a group by a single driver. Some common functionality is provided
@@ -292,6 +330,20 @@ config SPL_OF_TRANSLATE
 	  used for the address translation. This function is faster and
 	  smaller in size than fdt_translate_address().
 
+config VPL_OF_TRANSLATE
+	bool "Translate addresses using fdt_translate_address in SPL"
+	depends on SPL_DM && VPL_OF_CONTROL
+	help
+	  If this option is enabled, the reg property will be translated
+	  using the fdt_translate_address() function. This is necessary
+	  on some platforms (e.g. MVEBU) using complex "ranges"
+	  properties in many nodes. As this translation is not handled
+	  correctly in the default simple_bus_translate() function.
+
+	  If this option is not enabled, simple_bus_translate() will be
+	  used for the address translation. This function is faster and
+	  smaller in size than fdt_translate_address().
+
 config TRANSLATION_OFFSET
 	bool "Platforms specific translation offset"
 	depends on DM && OF_CONTROL

drivers/core/Makefile

@@ -5,7 +5,7 @@
 obj-y	+= device.o fdtaddr.o lists.o root.o uclass.o util.o tag.o
 obj-$(CONFIG_$(SPL_TPL_)ACPIGEN) += acpi.o
 obj-$(CONFIG_$(SPL_TPL_)DEVRES) += devres.o
-obj-$(CONFIG_$(SPL_)DM_DEVICE_REMOVE)	+= device-remove.o
+obj-$(CONFIG_$(SPL_TPL_)DM_DEVICE_REMOVE)	+= device-remove.o
 obj-$(CONFIG_$(SPL_)SIMPLE_BUS)	+= simple-bus.o
 obj-$(CONFIG_SIMPLE_PM_BUS)	+= simple-pm-bus.o
 obj-$(CONFIG_DM)	+= dump.o

drivers/gpio/Kconfig

@@ -48,6 +48,17 @@ config TPL_DM_GPIO
 	  particular GPIOs that they provide. The uclass interface
 	  is defined in include/asm-generic/gpio.h.
 
+config VPL_DM_GPIO
+	bool "Enable Driver Model for GPIO drivers in VPL"
+	depends on DM_GPIO && VPL_DM && VPL_GPIO
+	default y
+	help
+	  Enable driver model for GPIO access in VPL. The standard GPIO
+	  interface (gpio_get_value(), etc.) is then implemented by
+	  the GPIO uclass. Drivers provide methods to query the
+	  particular GPIOs that they provide. The uclass interface
+	  is defined in include/asm-generic/gpio.h.
+
 config GPIO_HOG
 	bool "Enable GPIO hog support"
 	depends on DM_GPIO

drivers/i2c/Kconfig

@@ -47,6 +47,17 @@ config SPL_DM_I2C
 	  device (bus child) info is kept as parent platdata. The interface
 	  is defined in include/i2c.h.
 
+config VPL_DM_I2C
+	bool "Enable Driver Model for I2C drivers in VPL"
+	depends on VPL_DM && DM_I2C
+	default y
+	help
+	  Enable driver model for I2C. The I2C uclass interface: probe, read,
+	  write and speed, is implemented with the bus drivers operations,
+	  which provide methods for bus setting and data transfer. Each chip
+	  device (bus child) info is kept as parent platdata. The interface
+	  is defined in include/i2c.h.
+
 config SYS_I2C_LEGACY
 	bool "Enable legacy I2C subsystem and drivers"
 	depends on !DM_I2C

drivers/misc/Kconfig

@@ -131,6 +131,16 @@ config TPL_CROS_EC
 	  control access to the battery and main PMIC depending on the
 	  device. You can use the 'crosec' command to access it.
 
+config VPL_CROS_EC
+	bool "Enable Chrome OS EC in VPL"
+	depends on VPL
+	help
+	  Enable access to the Chrome OS EC in VPL. This is a separate
+	  microcontroller typically available on a SPI bus on Chromebooks. It
+	  provides access to the keyboard, some internal storage and may
+	  control access to the battery and main PMIC depending on the
+	  device. You can use the 'crosec' command to access it.
+
 config CROS_EC_I2C
 	bool "Enable Chrome OS EC I2C driver"
 	depends on CROS_EC
@@ -167,6 +177,15 @@ config TPL_CROS_EC_LPC
 	  through a legacy port interface, so on x86 machines the main
 	  function of the EC is power and thermal management.
 
+config VPL_CROS_EC_LPC
+	bool "Enable Chrome OS EC LPC driver in VPL"
+	depends on CROS_EC
+	help
+	  Enable I2C access to the Chrome OS EC. This is used on x86
+	  Chromebooks such as link and falco. The keyboard is provided
+	  through a legacy port interface, so on x86 machines the main
+	  function of the EC is power and thermal management.
+
 config CROS_EC_SANDBOX
 	bool "Enable Chrome OS EC sandbox driver"
 	depends on CROS_EC && SANDBOX
@@ -194,6 +213,15 @@ config TPL_CROS_EC_SANDBOX
 	  EC flash read/write/erase support and a few other things. It is
 	  enough to perform a Chrome OS verified boot on sandbox.
 
+config VPL_CROS_EC_SANDBOX
+	bool "Enable Chrome OS EC sandbox driver in VPL"
+	depends on VPL_CROS_EC && SANDBOX
+	help
+	  Enable a sandbox emulation of the Chrome OS EC in VPL. This supports
+	  keyboard (use the -l flag to enable the LCD), verified boot context,
+	  EC flash read/write/erase support and a few other things. It is
+	  enough to perform a Chrome OS verified boot on sandbox.
+
 config CROS_EC_SPI
 	bool "Enable Chrome OS EC SPI driver"
 	depends on CROS_EC

drivers/pinctrl/Kconfig

@@ -89,20 +89,34 @@ config TPL_PINCTRL
 	  This option is an TPL variant of the PINCTRL option.
 	  See the help of PINCTRL for details.
 
+config VPL_PINCTRL
+	bool "Support pin controllers in VPL"
+	depends on VPL && VPL_DM
+	help
+	  This option is an VPL variant of the PINCTRL option.
+	  See the help of PINCTRL for details.
+
 config SPL_PINCTRL_FULL
 	bool "Support full pin controllers in SPL"
 	depends on SPL_PINCTRL && SPL_OF_CONTROL
 	default n if TARGET_STM32F746_DISCO
 	default y
 	help
-	  This option is an SPL-variant of the PINCTRL_FULL option.
+	  This option is an SPL variant of the PINCTRL_FULL option.
 	  See the help of PINCTRL_FULL for details.
 
 config TPL_PINCTRL_FULL
 	bool "Support full pin controllers in TPL"
 	depends on TPL_PINCTRL && TPL_OF_CONTROL
 	help
-	  This option is an TPL-variant of the PINCTRL_FULL option.
+	  This option is a TPL variant of the PINCTRL_FULL option.
+	  See the help of PINCTRL_FULL for details.
+
+config VPL_PINCTRL_FULL
+	bool "Support full pin controllers in VPL"
+	depends on VPL_PINCTRL && VPL_OF_CONTROL
+	help
+	  This option is a VPL variant of the PINCTRL_FULL option.
 	  See the help of PINCTRL_FULL for details.
 
 config SPL_PINCTRL_GENERIC

drivers/rtc/Kconfig

@@ -32,6 +32,15 @@ config TPL_DM_RTC
 	  drivers to perform the actual functions. See rtc.h for a
 	  description of the API.
 
+config VPL_DM_RTC
+	bool "Enable Driver Model for RTC drivers in VPL"
+	depends on VPL_DM
+	help
+	  Enable drver model for real-time-clock drivers. The RTC uclass
+	  then provides the rtc_get()/rtc_set() interface, delegating to
+	  drivers to perform the actual functions. See rtc.h for a
+	  description of the API.
+
 config RTC_ENABLE_32KHZ_OUTPUT
 	bool "Enable RTC 32Khz output"
 	help

drivers/serial/Kconfig

@@ -74,6 +74,16 @@ config TPL_SERIAL_PRESENT
 	  This option enables the full UART in TPL, so if is it disabled,
 	  the full UART driver will be omitted, thus saving space.
 
+config VPL_SERIAL_PRESENT
+	bool "Provide a serial driver in VPL"
+	depends on DM_SERIAL && VPL
+	default y
+	help
+	  In very space-constrained devices even the full UART driver is too
+	  large. In this case the debug UART can still be used in some cases.
+	  This option enables the full UART in TPL, so if is it disabled,
+	  the full UART driver will be omitted, thus saving space.
+
 # Logic to allow us to use the imply keyword to set what the default port
 # should be.  The default is otherwise 1.
 config CONS_INDEX_0
@@ -195,6 +205,16 @@ config TPL_DM_SERIAL
 	  implements serial_putc() etc. The uclass interface is
 	  defined in include/serial.h.
 
+config VPL_DM_SERIAL
+	bool "Enable Driver Model for serial drivers in VPL"
+	depends on DM_SERIAL
+	default y if VPL && DM_SERIAL
+	help
+	  Enable driver model for serial in VPL. This replaces
+	  drivers/serial/serial.c with the serial uclass, which
+	  implements serial_putc() etc. The uclass interface is
+	  defined in include/serial.h.
+
 config DEBUG_UART
 	bool "Enable an early debug UART for debugging"
 	help

drivers/sysreset/Kconfig

@@ -31,6 +31,16 @@ config TPL_SYSRESET
 	  to effect a reset. The uclass will try all available drivers when
 	  reset_walk() is called.
 
+config VPL_SYSRESET
+	bool "Enable support for system reset drivers in VPL mode"
+	depends on SYSRESET && VPL_DM
+	default y if TPL_SYSRESET
+	help
+	  Enable system reset drivers which can be used to reset the CPU or
+	  board. Each driver can provide a reset method which will be called
+	  to effect a reset. The uclass will try all available drivers when
+	  reset_walk() is called.
+
 if SYSRESET
 
 config SYSRESET_CMD_RESET

drivers/timer/Kconfig

@@ -27,6 +27,16 @@ config TPL_TIMER
 	  function. This enables the drivers in drivers/timer as part of an
 	  TPL build.
 
+config VPL_TIMER
+	bool "Enable driver model for timer drivers in VPL"
+	depends on TIMER && VPL
+	default y if TPL_TIMER
+	help
+	  Enable support for timer drivers in VPL. These can be used to get
+	  a timer value when in VPL, or perhaps for implementing a delay
+	  function. This enables the drivers in drivers/timer as part of an
+	  TPL build.
+
 config TIMER_EARLY
 	bool "Allow timer to be used early in U-Boot"
 	depends on TIMER

drivers/tpm/Kconfig

@@ -137,6 +137,36 @@ config TPM2_CR50_I2C
 	  trust for a device, It operates like a TPM and can be used with
 	  verified boot. Cr50 is used on recent Chromebooks (since 2017).
 
+config SPL_TPM2_CR50_I2C
+	bool "Enable support for Google cr50 TPM"
+	depends on DM_I2C && SPL_TPM
+	help
+	  Cr50 is an implementation of a TPM on Google's H1 security chip.
+	  This uses the same open-source firmware as the Chromium OS EC.
+	  While Cr50 has other features, its primary role is as the root of
+	  trust for a device, It operates like a TPM and can be used with
+	  verified boot. Cr50 is used on recent Chromebooks (since 2017).
+
+config TPL_TPM2_CR50_I2C
+	bool "Enable support for Google cr50 TPM"
+	depends on DM_I2C && TPL_TPM
+	help
+	  Cr50 is an implementation of a TPM on Google's H1 security chip.
+	  This uses the same open-source firmware as the Chromium OS EC.
+	  While Cr50 has other features, its primary role is as the root of
+	  trust for a device, It operates like a TPM and can be used with
+	  verified boot. Cr50 is used on recent Chromebooks (since 2017).
+
+config VPL_TPM2_CR50_I2C
+	bool "Enable support for Google cr50 TPM"
+	depends on DM_I2C && VPL_TPM
+	help
+	  Cr50 is an implementation of a TPM on Google's H1 security chip.
+	  This uses the same open-source firmware as the Chromium OS EC.
+	  While Cr50 has other features, its primary role is as the root of
+	  trust for a device, It operates like a TPM and can be used with
+	  verified boot. Cr50 is used on recent Chromebooks (since 2017).
+
 config TPM2_TIS_SANDBOX
 	bool "Enable sandbox TPMv2.x driver"
 	depends on TPM_V2 && SANDBOX