arm: ls1021atwr: Add distro secure boot support

Enable validation of boot.scr script prior to its execution dependent
on "secureboot" flag in environment. Disable fall back option to
qspi boot in case of secure boot. Also enable "secureboot=y" flag
in environment for ARM based platforms instead of bootcmd.

Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Tested-by: Vinitha Pillai <vinitha.pillai@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>

configs/ls1021atwr_nor_SECURE_BOOT_defconfig

@@ -46,3 +46,4 @@ CONFIG_VIDEO_FSL_DCU_FB=y
 # CONFIG_VIDEO_SW_CURSOR is not set
 CONFIG_RSA=y
 CONFIG_SPL_RSA=y
+CONFIG_DISTRO_DEFAULTS=y

configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig

@@ -61,3 +61,4 @@ CONFIG_VIDEO_FSL_DCU_FB=y
 # CONFIG_VIDEO_SW_CURSOR is not set
 CONFIG_RSA=y
 CONFIG_SPL_RSA=y
+CONFIG_DISTRO_DEFAULTS=y

include/configs/ls1021atwr.h

@@ -380,6 +380,7 @@
 	"fdt_addr=0x64f00000\0"		\
 	"kernel_addr=0x65000000\0"	\
 	"scriptaddr=0x80000000\0"	\
+	"scripthdraddr=0x80080000\0"	\
 	"fdtheader_addr_r=0x80100000\0"	\
 	"kernelheader_addr_r=0x80200000\0"	\
 	"kernel_addr_r=0x81000000\0"	\
@@ -389,6 +390,7 @@
 	"kernel_size=0x2800000\0"	\
 	BOOTENV				\
 	"boot_scripts=ls1021atwr_boot.scr\0"	\
+	"boot_script_hdr=hdr_ls1021atwr_bs.out\0"	\
 		"scan_dev_for_boot_part="	\
 			"part list ${devtype} ${devnum} devplist; "	\
 			"env exists devplist || setenv devplist 1; "	\
@@ -399,6 +401,21 @@
 				"run scan_dev_for_boot; "		\
 			"fi; "			\
 		"done\0"			\
+	"scan_dev_for_boot="				  \
+		"echo Scanning ${devtype} "		  \
+				"${devnum}:${distro_bootpart}...; "  \
+		"for prefix in ${boot_prefixes}; do "	  \
+			"run scan_dev_for_scripts; "	  \
+		"done;"					  \
+		"\0"					  \
+	"boot_a_script="				  \
+		"load ${devtype} ${devnum}:${distro_bootpart} "  \
+			"${scriptaddr} ${prefix}${script}; "    \
+		"env exists secureboot && load ${devtype} "     \
+			"${devnum}:${distro_bootpart} "		\
+			"${scripthdraddr} ${prefix}${boot_script_hdr} " \
+			"&& esbc_validate ${scripthdraddr};"    \
+		"source ${scriptaddr}\0"	  \
 	"installer=load mmc 0:2 $load_addr "	\
 		"/flex_installer_arm32.itb; "		\
 		"bootm $load_addr#ls1021atwr\0"	\
@@ -416,6 +433,7 @@
 	"fdt_addr=0x64f00000\0"		\
 	"kernel_addr=0x65000000\0"	\
 	"scriptaddr=0x80000000\0"	\
+	"scripthdraddr=0x80080000\0"	\
 	"fdtheader_addr_r=0x80100000\0"	\
 	"kernelheader_addr_r=0x80200000\0"	\
 	"kernel_addr_r=0x81000000\0"	\
@@ -425,6 +443,7 @@
 	"kernel_size=0x2800000\0"	\
 	BOOTENV				\
 	"boot_scripts=ls1021atwr_boot.scr\0"	\
+	"boot_script_hdr=hdr_ls1021atwr_bs.out\0"	\
 		"scan_dev_for_boot_part="	\
 			"part list ${devtype} ${devnum} devplist; "	\
 			"env exists devplist || setenv devplist 1; "	\
@@ -435,6 +454,21 @@
 				"run scan_dev_for_boot; "		\
 			"fi; "			\
 		"done\0"			\
+	"scan_dev_for_boot="				  \
+		"echo Scanning ${devtype} "		  \
+				"${devnum}:${distro_bootpart}...; "  \
+		"for prefix in ${boot_prefixes}; do "	  \
+			"run scan_dev_for_scripts; "	  \
+		"done;"					  \
+		"\0"					  \
+	"boot_a_script="				  \
+		"load ${devtype} ${devnum}:${distro_bootpart} "  \
+			"${scriptaddr} ${prefix}${script}; "    \
+		"env exists secureboot && load ${devtype} "     \
+			"${devnum}:${distro_bootpart} "		\
+			"${scripthdraddr} ${prefix}${boot_script_hdr} " \
+			"&& esbc_validate ${scripthdraddr};"    \
+		"source ${scriptaddr}\0"	  \
 	"installer=load mmc 0:2 $load_addr "	\
 		"/flex_installer_arm32.itb; "		\
 		"bootm $load_addr#ls1021atwr\0"	\
@@ -448,9 +482,11 @@
 
 #undef CONFIG_BOOTCOMMAND
 #if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI)
-#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run qspi_bootcmd"
+#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot"	\
+			   "&& esbc_halt; run qspi_bootcmd;"
 #else
-#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run nor_bootcmd"
+#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot"	\
+			   "&& esbc_halt; run nor_bootcmd;"
 #endif
 
 #define CONFIG_BOOTARGS			"console=ttyS0,115200 root=/dev/ram0"