path: root/bsp/meta-freescale-3rdparty/recipes-bsp/u-boot/u-boot-qoriq-lx2160acex7/0004-armv8-lx2160acex7-common-files-for-platform-support.patch

From 568555bb88a6d2880e21f736cfda0b89e89957fa Mon Sep 17 00:00:00 2001
From: Rabeeh Khoury <rabeeh@solid-run.com>
Date: Sun, 28 Jul 2019 13:31:47 +0300
Subject: [PATCH 04/17] armv8: lx2160acex7: common files for platform support

The patch copies and modifies NXP's common platform resources that adds
support to the following -
1. Secureboot
2. Analog devices DC-DC controller
3. EMC2301 PWM fan controller based on NXP's EMC2305 driver

Upstream-Status: Inappropriate [Solid-Run BSP]

Signed-off-by: Rabeeh Khoury <rabeeh@solid-run.com>
---
 board/solidrun/common/Makefile             |  24 +
 board/solidrun/common/cmd_esbc_validate.c  |  85 ++
 board/solidrun/common/emc2301.c            |  31 +
 board/solidrun/common/emc2301.h            |  17 +
 board/solidrun/common/fsl_chain_of_trust.c | 164 ++++
 board/solidrun/common/fsl_validate.c       | 962 +++++++++++++++++++++
 board/solidrun/common/vid.c                | 330 +++++++
 board/solidrun/common/vid.h                |  23 +
 8 files changed, 1636 insertions(+)
 create mode 100644 board/solidrun/common/Makefile
 create mode 100644 board/solidrun/common/cmd_esbc_validate.c
 create mode 100644 board/solidrun/common/emc2301.c
 create mode 100644 board/solidrun/common/emc2301.h
 create mode 100644 board/solidrun/common/fsl_chain_of_trust.c
 create mode 100644 board/solidrun/common/fsl_validate.c
 create mode 100644 board/solidrun/common/vid.c
 create mode 100644 board/solidrun/common/vid.h

diff --git a/board/solidrun/common/Makefile b/board/solidrun/common/Makefile
new file mode 100644
index 0000000000..454a18e2f9
--- /dev/null
+++ b/board/solidrun/common/Makefile
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# (C) Copyright 2006
+# Wolfgang Denk, DENX Software Engineering, wd@denx.de.
+
+MINIMAL=
+
+ifdef CONFIG_SPL_BUILD
+ifdef CONFIG_SPL_INIT_MINIMAL
+MINIMAL=y
+endif
+endif
+
+ifdef MINIMAL
+# necessary to create built-in.o
+obj- := __dummy__.o
+else
+obj-$(CONFIG_VID)		+= vid.o
+obj-$(CONFIG_EMC2301)		+= emc2301.o
+ifdef CONFIG_SECURE_BOOT
+obj-$(CONFIG_CMD_ESBC_VALIDATE) += fsl_validate.o cmd_esbc_validate.o
+endif
+obj-$(CONFIG_CHAIN_OF_TRUST) += fsl_chain_of_trust.o
+endif
diff --git a/board/solidrun/common/cmd_esbc_validate.c b/board/solidrun/common/cmd_esbc_validate.c
new file mode 100644
index 0000000000..b06235f291
--- /dev/null
+++ b/board/solidrun/common/cmd_esbc_validate.c
@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ */
+
+#include <common.h>
+#include <command.h>
+#include <fsl_validate.h>
+
+int do_esbc_halt(cmd_tbl_t *cmdtp, int flag, int argc,
+				char * const argv[])
+{
+	if (fsl_check_boot_mode_secure() == 0) {
+		printf("Boot Mode is Non-Secure. Not entering spin loop.\n");
+		return 0;
+	}
+
+	printf("Core is entering spin loop.\n");
+loop:
+	goto loop;
+
+	return 0;
+}
+
+#ifndef CONFIG_SPL_BUILD
+static int do_esbc_validate(cmd_tbl_t *cmdtp, int flag, int argc,
+				char * const argv[])
+{
+	char *hash_str = NULL;
+	uintptr_t haddr;
+	int ret;
+	uintptr_t img_addr = 0;
+	char buf[20];
+
+	if (argc < 2)
+		return cmd_usage(cmdtp);
+	else if (argc > 2)
+		/* Second arg - Optional - Hash Str*/
+		hash_str = argv[2];
+
+	/* First argument - header address -32/64bit */
+	haddr = (uintptr_t)simple_strtoul(argv[1], NULL, 16);
+
+	/* With esbc_validate command, Image address must be
+	 * part of header. So, the function is called
+	 * by passing this argument as 0.
+	 */
+	ret = fsl_secboot_validate(haddr, hash_str, &img_addr);
+
+	/* Need to set "img_addr" even if validation failure.
+	 * Required when SB_EN in RCW set and non-fatal error
+	 * to continue U-Boot
+	 */
+	sprintf(buf, "%lx", img_addr);
+	env_set("img_addr", buf);
+
+	if (ret)
+		return 1;
+
+	printf("esbc_validate command successful\n");
+	return 0;
+}
+
+/***************************************************/
+static char esbc_validate_help_text[] =
+	"esbc_validate hdr_addr <hash_val> - Validates signature using\n"
+	"                          RSA verification\n"
+	"                          $hdr_addr Address of header of the image\n"
+	"                          to be validated.\n"
+	"                          $hash_val -Optional\n"
+	"                          It provides Hash of public/srk key to be\n"
+	"                          used to verify signature.\n";
+
+U_BOOT_CMD(
+	esbc_validate,	3,	0,	do_esbc_validate,
+	"Validates signature on a given image using RSA verification",
+	esbc_validate_help_text
+);
+
+U_BOOT_CMD(
+	esbc_halt,	1,	0,	do_esbc_halt,
+	"Put the core in spin loop (Secure Boot Only)",
+	""
+);
+#endif
diff --git a/board/solidrun/common/emc2301.c b/board/solidrun/common/emc2301.c
new file mode 100644
index 0000000000..a4780dbfcc
--- /dev/null
+++ b/board/solidrun/common/emc2301.c
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2019 SolidRun ltd. Based on code from NXP LX2160A RDB
+ *
+ * SPDX-License-Identifier:     GPL-2.0+
+ */
+
+#include <common.h>
+#include <command.h>
+#include <i2c.h>
+#include <asm/io.h>
+
+#include "emc2301.h"
+
+DECLARE_GLOBAL_DATA_PTR;
+
+void set_fan_speed(u8 data)
+{
+	if (i2c_write(I2C_EMC2301_ADDR, I2C_EMC2301_FAN, 1, &data, 1) != 0) {
+		puts("Error: failed to change fan speed\n");
+	}
+}
+
+void emc2301_init(void)
+{
+	u8 data;
+
+	data = I2C_EMC2301_CMD;
+	if (i2c_write(I2C_EMC2301_ADDR, I2C_EMC2301_CONF, 1, &data, 1) != 0)
+		puts("Error: failed to configure EMC2301\n");
+}
diff --git a/board/solidrun/common/emc2301.h b/board/solidrun/common/emc2301.h
new file mode 100644
index 0000000000..a5ceb73b7c
--- /dev/null
+++ b/board/solidrun/common/emc2301.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright 2019 SolidRun ltd.
+ *
+ * SPDX-License-Identifier:     GPL-2.0+
+ */
+
+#ifndef __EMC2301_H_
+#define __EMC2301_H_
+
+#define I2C_EMC2301_CONF		0x20
+#define I2C_EMC2301_FAN			0x30
+
+void emc2301_init(void);
+void set_fan_speed(u8 data);
+
+#endif  /* __EMC2305_H_ */
diff --git a/board/solidrun/common/fsl_chain_of_trust.c b/board/solidrun/common/fsl_chain_of_trust.c
new file mode 100644
index 0000000000..dddfd26a13
--- /dev/null
+++ b/board/solidrun/common/fsl_chain_of_trust.c
@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <fsl_validate.h>
+#include <fsl_secboot_err.h>
+#include <fsl_sfp.h>
+#include <dm/root.h>
+
+#if defined(CONFIG_SPL_BUILD) && defined(CONFIG_SPL_FRAMEWORK)
+#include <spl.h>
+#endif
+
+#ifdef CONFIG_ADDR_MAP
+#include <asm/mmu.h>
+#endif
+
+#ifdef CONFIG_FSL_CORENET
+#include <asm/fsl_pamu.h>
+#endif
+
+#ifdef CONFIG_ARCH_LS1021A
+#include <asm/arch/immap_ls102xa.h>
+#endif
+
+#if defined(CONFIG_MPC85xx)
+#define CONFIG_DCFG_ADDR	CONFIG_SYS_MPC85xx_GUTS_ADDR
+#else
+#define CONFIG_DCFG_ADDR	CONFIG_SYS_FSL_GUTS_ADDR
+#endif
+
+#ifdef CONFIG_SYS_FSL_CCSR_GUR_LE
+#define gur_in32(a)       in_le32(a)
+#else
+#define gur_in32(a)       in_be32(a)
+#endif
+
+/* Check the Boot Mode. If Secure, return 1 else return 0 */
+int fsl_check_boot_mode_secure(void)
+{
+	uint32_t val;
+	struct ccsr_sfp_regs *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+	struct ccsr_gur __iomem *gur = (void *)(CONFIG_DCFG_ADDR);
+
+	val = sfp_in32(&sfp_regs->ospr) & ITS_MASK;
+	if (val == ITS_MASK)
+		return 1;
+
+#if defined(CONFIG_FSL_CORENET) || !defined(CONFIG_MPC85xx)
+	/* For PBL based platforms check the SB_EN bit in RCWSR */
+	val = gur_in32(&gur->rcwsr[RCW_SB_EN_REG_INDEX - 1]) & RCW_SB_EN_MASK;
+	if (val == RCW_SB_EN_MASK)
+		return 1;
+#endif
+
+#if defined(CONFIG_MPC85xx) && !defined(CONFIG_FSL_CORENET)
+	/* For Non-PBL Platforms, check the Device Status register 2*/
+	val = gur_in32(&gur->pordevsr2) & MPC85xx_PORDEVSR2_SBC_MASK;
+	if (val != MPC85xx_PORDEVSR2_SBC_MASK)
+		return 1;
+
+#endif
+	return 0;
+}
+
+#ifndef CONFIG_SPL_BUILD
+int fsl_setenv_chain_of_trust(void)
+{
+	/* Check Boot Mode
+	 * If Boot Mode is Non-Secure, no changes are required
+	 */
+	if (fsl_check_boot_mode_secure() == 0)
+		return 0;
+
+	/* If Boot mode is Secure, set the environment variables
+	 * bootdelay = 0 (To disable Boot Prompt)
+	 * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot script)
+	 */
+	env_set("bootdelay", "-2");
+
+#ifdef CONFIG_ARM
+	env_set("secureboot", "y");
+#else
+	env_set("bootcmd", CONFIG_CHAIN_BOOT_CMD);
+#endif
+
+	return 0;
+}
+#endif
+
+#ifdef CONFIG_SPL_BUILD
+void spl_validate_uboot(uint32_t hdr_addr, uintptr_t img_addr)
+{
+	int res;
+
+	/*
+	 * Check Boot Mode
+	 * If Boot Mode is Non-Secure, skip validation
+	 */
+	if (fsl_check_boot_mode_secure() == 0)
+		return;
+
+	printf("SPL: Validating U-Boot image\n");
+
+#ifdef CONFIG_ADDR_MAP
+	init_addr_map();
+#endif
+
+#ifdef CONFIG_FSL_CORENET
+	if (pamu_init() < 0)
+		fsl_secboot_handle_error(ERROR_ESBC_PAMU_INIT);
+#endif
+
+#ifdef CONFIG_FSL_CAAM
+	if (sec_init() < 0)
+		fsl_secboot_handle_error(ERROR_ESBC_SEC_INIT);
+#endif
+
+/*
+ * dm_init_and_scan() is called as part of common SPL framework, so no
+ * need to call it again but in case of powerpc platforms which currently
+ * do not use common SPL framework, so need to call this function here.
+ */
+#if defined(CONFIG_SPL_DM) && (!defined(CONFIG_SPL_FRAMEWORK))
+	dm_init_and_scan(true);
+#endif
+	res = fsl_secboot_validate(hdr_addr, CONFIG_SPL_UBOOT_KEY_HASH,
+				   &img_addr);
+
+	if (res == 0)
+		printf("SPL: Validation of U-boot successful\n");
+}
+
+#ifdef CONFIG_SPL_FRAMEWORK
+/* Override weak funtion defined in SPL framework to enable validation
+ * of main u-boot image before jumping to u-boot image.
+ */
+void __noreturn jump_to_image_no_args(struct spl_image_info *spl_image)
+{
+	typedef void __noreturn (*image_entry_noargs_t)(void);
+	uint32_t hdr_addr;
+
+	image_entry_noargs_t image_entry =
+		(image_entry_noargs_t)(unsigned long)spl_image->entry_point;
+
+	hdr_addr = (spl_image->entry_point + spl_image->size -
+			CONFIG_U_BOOT_HDR_SIZE);
+	spl_validate_uboot(hdr_addr, (uintptr_t)spl_image->entry_point);
+	/*
+	 * In case of failure in validation, spl_validate_uboot would
+	 * not return back in case of Production environment with ITS=1.
+	 * Thus U-Boot will not start.
+	 * In Development environment (ITS=0 and SB_EN=1), the function
+	 * may return back in case of non-fatal failures.
+	 */
+
+	debug("image entry point: 0x%lX\n", spl_image->entry_point);
+	image_entry();
+}
+#endif /* ifdef CONFIG_SPL_FRAMEWORK */
+#endif /* ifdef CONFIG_SPL_BUILD */
diff --git a/board/solidrun/common/fsl_validate.c b/board/solidrun/common/fsl_validate.c
new file mode 100644
index 0000000000..2bf9d58746
--- /dev/null
+++ b/board/solidrun/common/fsl_validate.c
@@ -0,0 +1,962 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <fsl_validate.h>
+#include <fsl_secboot_err.h>
+#include <fsl_sfp.h>
+#include <fsl_sec.h>
+#include <command.h>
+#include <malloc.h>
+#include <u-boot/rsa-mod-exp.h>
+#include <hash.h>
+#include <fsl_secboot_err.h>
+#ifdef CONFIG_ARCH_LS1021A
+#include <asm/arch/immap_ls102xa.h>
+#endif
+
+#define SHA256_BITS	256
+#define SHA256_BYTES	(256/8)
+#define SHA256_NIBBLES	(256/4)
+#define NUM_HEX_CHARS	(sizeof(ulong) * 2)
+
+#define CHECK_KEY_LEN(key_len)	(((key_len) == 2 * KEY_SIZE_BYTES / 4) || \
+				 ((key_len) == 2 * KEY_SIZE_BYTES / 2) || \
+				 ((key_len) == 2 * KEY_SIZE_BYTES))
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+/* Global data structure */
+static struct fsl_secboot_glb glb;
+#endif
+
+/* This array contains DER value for SHA-256 */
+static const u8 hash_identifier[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
+		0x86, 0x48, 0x01, 0x65,	0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
+		0x04, 0x20
+		};
+
+static u8 hash_val[SHA256_BYTES];
+
+#ifdef CONFIG_ESBC_HDR_LS
+/* New Barker Code for LS ESBC Header */
+static const u8 barker_code[ESBC_BARKER_LEN] = { 0x12, 0x19, 0x20, 0x01 };
+#else
+static const u8 barker_code[ESBC_BARKER_LEN] = { 0x68, 0x39, 0x27, 0x81 };
+#endif
+
+void branch_to_self(void) __attribute__ ((noreturn));
+
+/*
+ * This function will put core in infinite loop.
+ * This will be called when the ESBC can not proceed further due
+ * to some unknown errors.
+ */
+void branch_to_self(void)
+{
+	printf("Core is in infinite loop due to errors.\n");
+self:
+	goto self;
+}
+
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+static u32 check_ie(struct fsl_secboot_img_priv *img)
+{
+	if (img->hdr.ie_flag & IE_FLAG_MASK)
+		return 1;
+
+	return 0;
+}
+
+/* This function returns the CSF Header Address of uboot
+ * For MPC85xx based platforms, the LAW mapping for NOR
+ * flash changes in uboot code. Hence the offset needs
+ * to be calculated and added to the new NOR flash base
+ * address
+ */
+#if defined(CONFIG_MPC85xx)
+int get_csf_base_addr(u32 *csf_addr, u32 *flash_base_addr)
+{
+	struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_MPC85xx_GUTS_ADDR);
+	u32 csf_hdr_addr = in_be32(&gur->scratchrw[0]);
+	u32 csf_flash_offset = csf_hdr_addr & ~(CONFIG_SYS_PBI_FLASH_BASE);
+	u32 flash_addr, addr;
+	int found = 0;
+	int i = 0;
+
+	for (i = 0; i < CONFIG_SYS_MAX_FLASH_BANKS; i++) {
+		flash_addr = flash_info[i].start[0];
+		addr = flash_info[i].start[0] + csf_flash_offset;
+		if (memcmp((u8 *)addr, barker_code, ESBC_BARKER_LEN) == 0) {
+			debug("Barker found on addr %x\n", addr);
+			found = 1;
+			break;
+		}
+	}
+
+	if (!found)
+		return -1;
+
+	*csf_addr = addr;
+	*flash_base_addr = flash_addr;
+
+	return 0;
+}
+#else
+/* For platforms like LS1020, correct flash address is present in
+ * the header. So the function reqturns flash base address as 0
+ */
+int get_csf_base_addr(u32 *csf_addr, u32 *flash_base_addr)
+{
+	struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
+	u32 csf_hdr_addr = in_be32(&gur->scratchrw[0]);
+
+	if (memcmp((u8 *)(uintptr_t)csf_hdr_addr,
+		   barker_code, ESBC_BARKER_LEN))
+		return -1;
+
+	*csf_addr = csf_hdr_addr;
+	*flash_base_addr = 0;
+	return 0;
+}
+#endif
+
+#if defined(CONFIG_ESBC_HDR_LS)
+static int get_ie_info_addr(uintptr_t *ie_addr)
+{
+	struct ccsr_gur __iomem *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
+	/* For LS-CH3, the address of IE Table is
+	 * stated in Scratch13 and scratch14 of DCFG.
+	 * Bootrom validates this table while validating uboot.
+	 * DCFG is LE*/
+	*ie_addr = in_le32(&gur->scratchrw[SCRATCH_IE_HIGH_ADR - 1]);
+	*ie_addr = *ie_addr << 32;
+	*ie_addr |= in_le32(&gur->scratchrw[SCRATCH_IE_LOW_ADR - 1]);
+	return 0;
+}
+#else /* CONFIG_ESBC_HDR_LS */
+static int get_ie_info_addr(uintptr_t *ie_addr)
+{
+	struct fsl_secboot_img_hdr *hdr;
+	struct fsl_secboot_sg_table *sg_tbl;
+	u32 flash_base_addr, csf_addr;
+
+	if (get_csf_base_addr(&csf_addr, &flash_base_addr))
+		return -1;
+
+	hdr = (struct fsl_secboot_img_hdr *)(uintptr_t)csf_addr;
+
+	/* For SoC's with Trust Architecture v1 with corenet bus
+	 * the sg table field in CSF header has absolute address
+	 * for sg table in memory. In other Trust Architecture,
+	 * this field specifies the offset of sg table from the
+	 * base address of CSF Header
+	 */
+#if defined(CONFIG_FSL_TRUST_ARCH_v1) && defined(CONFIG_FSL_CORENET)
+	sg_tbl = (struct fsl_secboot_sg_table *)
+		 (((u32)hdr->psgtable & ~(CONFIG_SYS_PBI_FLASH_BASE)) +
+		  flash_base_addr);
+#else
+	sg_tbl = (struct fsl_secboot_sg_table *)(uintptr_t)(csf_addr +
+						 (u32)hdr->psgtable);
+#endif
+
+	/* IE Key Table is the first entry in the SG Table */
+#if defined(CONFIG_MPC85xx)
+	*ie_addr = (uintptr_t)((sg_tbl->src_addr &
+			~(CONFIG_SYS_PBI_FLASH_BASE)) +
+			flash_base_addr);
+#else
+	*ie_addr = (uintptr_t)sg_tbl->src_addr;
+#endif
+
+	debug("IE Table address is %lx\n", *ie_addr);
+	return 0;
+}
+#endif /* CONFIG_ESBC_HDR_LS */
+#endif
+
+#ifdef CONFIG_KEY_REVOCATION
+/* This function checks srk_table_flag in header and set/reset srk_flag.*/
+static u32 check_srk(struct fsl_secboot_img_priv *img)
+{
+#ifdef CONFIG_ESBC_HDR_LS
+	/* In LS, No SRK Flag as SRK is always present if IE not present*/
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	return !check_ie(img);
+#endif
+	return 1;
+#else
+	if (img->hdr.len_kr.srk_table_flag & SRK_FLAG)
+		return 1;
+
+	return 0;
+#endif
+}
+
+/* This function returns ospr's key_revoc values.*/
+static u32 get_key_revoc(void)
+{
+	struct ccsr_sfp_regs *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+	return (sfp_in32(&sfp_regs->ospr) & OSPR_KEY_REVOC_MASK) >>
+		OSPR_KEY_REVOC_SHIFT;
+}
+
+/* This function checks if selected key is revoked or not.*/
+static u32 is_key_revoked(u32 keynum, u32 rev_flag)
+{
+	if (keynum == UNREVOCABLE_KEY)
+		return 0;
+
+	if ((u32)(1 << (ALIGN_REVOC_KEY - keynum)) & rev_flag)
+		return 1;
+
+	return 0;
+}
+
+/* It read validates srk_table key lengths.*/
+static u32 read_validate_srk_tbl(struct fsl_secboot_img_priv *img)
+{
+	int i = 0;
+	u32 ret, key_num, key_revoc_flag, size;
+	struct fsl_secboot_img_hdr *hdr = &img->hdr;
+	void *esbc = (u8 *)(uintptr_t)img->ehdrloc;
+
+	if ((hdr->len_kr.num_srk == 0) ||
+	    (hdr->len_kr.num_srk > MAX_KEY_ENTRIES))
+		return ERROR_ESBC_CLIENT_HEADER_INVALID_SRK_NUM_ENTRY;
+
+	key_num = hdr->len_kr.srk_sel;
+	if (key_num == 0 || key_num > hdr->len_kr.num_srk)
+		return ERROR_ESBC_CLIENT_HEADER_INVALID_KEY_NUM;
+
+	/* Get revoc key from sfp */
+	key_revoc_flag = get_key_revoc();
+	ret = is_key_revoked(key_num, key_revoc_flag);
+	if (ret)
+		return ERROR_ESBC_CLIENT_HEADER_KEY_REVOKED;
+
+	size = hdr->len_kr.num_srk * sizeof(struct srk_table);
+
+	memcpy(&img->srk_tbl, esbc + hdr->srk_tbl_off, size);
+
+	for (i = 0; i < hdr->len_kr.num_srk; i++) {
+		if (!CHECK_KEY_LEN(img->srk_tbl[i].key_len))
+			return ERROR_ESBC_CLIENT_HEADER_INV_SRK_ENTRY_KEYLEN;
+	}
+
+	img->key_len = img->srk_tbl[key_num - 1].key_len;
+
+	memcpy(&img->img_key, &(img->srk_tbl[key_num - 1].pkey),
+	       img->key_len);
+
+	return 0;
+}
+#endif
+
+#ifndef CONFIG_ESBC_HDR_LS
+static u32 read_validate_single_key(struct fsl_secboot_img_priv *img)
+{
+	struct fsl_secboot_img_hdr *hdr = &img->hdr;
+	void *esbc = (u8 *)(uintptr_t)img->ehdrloc;
+
+	/* check key length */
+	if (!CHECK_KEY_LEN(hdr->key_len))
+		return ERROR_ESBC_CLIENT_HEADER_KEY_LEN;
+
+	memcpy(&img->img_key, esbc + hdr->pkey, hdr->key_len);
+
+	img->key_len = hdr->key_len;
+
+	return 0;
+}
+#endif /* CONFIG_ESBC_HDR_LS */
+
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+
+static void install_ie_tbl(uintptr_t ie_tbl_addr,
+		struct fsl_secboot_img_priv *img)
+{
+	/* Copy IE tbl to Global Data */
+	memcpy(&glb.ie_tbl, (u8 *)ie_tbl_addr, sizeof(struct ie_key_info));
+	img->ie_addr = (uintptr_t)&glb.ie_tbl;
+	glb.ie_addr = img->ie_addr;
+}
+
+static u32 read_validate_ie_tbl(struct fsl_secboot_img_priv *img)
+{
+	struct fsl_secboot_img_hdr *hdr = &img->hdr;
+	u32 ie_key_len, ie_revoc_flag, ie_num;
+	struct ie_key_info *ie_info;
+
+	if (!img->ie_addr) {
+		if (get_ie_info_addr(&img->ie_addr))
+			return ERROR_IE_TABLE_NOT_FOUND;
+		else
+			install_ie_tbl(img->ie_addr, img);
+		}
+
+	ie_info = (struct ie_key_info *)(uintptr_t)img->ie_addr;
+	if (ie_info->num_keys == 0 || ie_info->num_keys > 32)
+		return ERROR_ESBC_CLIENT_HEADER_INVALID_IE_NUM_ENTRY;
+
+	ie_num = hdr->ie_key_sel;
+	if (ie_num == 0 || ie_num > ie_info->num_keys)
+		return ERROR_ESBC_CLIENT_HEADER_INVALID_IE_KEY_NUM;
+
+	ie_revoc_flag = ie_info->key_revok;
+	if ((u32)(1 << (ie_num - 1)) & ie_revoc_flag)
+		return ERROR_ESBC_CLIENT_HEADER_IE_KEY_REVOKED;
+
+	ie_key_len = ie_info->ie_key_tbl[ie_num - 1].key_len;
+
+	if (!CHECK_KEY_LEN(ie_key_len))
+		return ERROR_ESBC_CLIENT_HEADER_INV_IE_ENTRY_KEYLEN;
+
+	memcpy(&img->img_key, &(ie_info->ie_key_tbl[ie_num - 1].pkey),
+	       ie_key_len);
+
+	img->key_len = ie_key_len;
+	return 0;
+}
+#endif
+
+
+/* This function return length of public key.*/
+static inline u32 get_key_len(struct fsl_secboot_img_priv *img)
+{
+	return img->key_len;
+}
+
+/*
+ * Handles the ESBC uboot client header verification failure.
+ * This  function  handles all the errors which might occur in the
+ * parsing and checking of ESBC uboot client header. It will also
+ * set the error bits in the SEC_MON.
+ */
+static void fsl_secboot_header_verification_failure(void)
+{
+	struct ccsr_sfp_regs *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+
+	/* 29th bit of OSPR is ITS */
+	u32 its = sfp_in32(&sfp_regs->ospr) >> 2;
+
+	if (its == 1)
+		set_sec_mon_state(HPSR_SSM_ST_SOFT_FAIL);
+	else
+		set_sec_mon_state(HPSR_SSM_ST_NON_SECURE);
+
+	printf("Generating reset request\n");
+	do_reset(NULL, 0, 0, NULL);
+	/* If reset doesn't coocur, halt execution */
+	do_esbc_halt(NULL, 0, 0, NULL);
+}
+
+/*
+ * Handles the ESBC uboot client image verification failure.
+ * This  function  handles all the errors which might occur in the
+ * public key hash comparison and signature verification of
+ * ESBC uboot client image. It will also
+ * set the error bits in the SEC_MON.
+ */
+static void fsl_secboot_image_verification_failure(void)
+{
+	struct ccsr_sfp_regs *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+
+	u32 its = (sfp_in32(&sfp_regs->ospr) & ITS_MASK) >> ITS_BIT;
+
+	if (its == 1) {
+		set_sec_mon_state(HPSR_SSM_ST_SOFT_FAIL);
+
+		printf("Generating reset request\n");
+		do_reset(NULL, 0, 0, NULL);
+		/* If reset doesn't coocur, halt execution */
+		do_esbc_halt(NULL, 0, 0, NULL);
+
+	} else {
+		set_sec_mon_state(HPSR_SSM_ST_NON_SECURE);
+	}
+}
+
+static void fsl_secboot_bootscript_parse_failure(void)
+{
+	fsl_secboot_header_verification_failure();
+}
+
+/*
+ * Handles the errors in esbc boot.
+ * This  function  handles all the errors which might occur in the
+ * esbc boot phase. It will call the appropriate api to log the
+ * errors and set the error bits in the SEC_MON.
+ */
+void fsl_secboot_handle_error(int error)
+{
+#ifndef CONFIG_SPL_BUILD
+	const struct fsl_secboot_errcode *e;
+
+	for (e = fsl_secboot_errcodes; e->errcode != ERROR_ESBC_CLIENT_MAX;
+		e++) {
+		if (e->errcode == error)
+			printf("ERROR :: %x :: %s\n", error, e->name);
+	}
+#else
+	printf("ERROR :: %x\n", error);
+#endif
+
+	/* If Boot Mode is secure, transition the SNVS state and issue
+	 * reset based on type of failure and ITS setting.
+	 * If Boot mode is non-secure, return from this function.
+	 */
+	if (fsl_check_boot_mode_secure() == 0)
+		return;
+
+	switch (error) {
+	case ERROR_ESBC_CLIENT_HEADER_BARKER:
+	case ERROR_ESBC_CLIENT_HEADER_IMG_SIZE:
+	case ERROR_ESBC_CLIENT_HEADER_KEY_LEN:
+	case ERROR_ESBC_CLIENT_HEADER_SIG_LEN:
+	case ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN:
+	case ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1:
+	case ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2:
+	case ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD:
+	case ERROR_ESBC_CLIENT_HEADER_SG_ESBC_EP:
+	case ERROR_ESBC_CLIENT_HEADER_SG_ENTIRES_BAD:
+	case ERROR_KEY_TABLE_NOT_FOUND:
+#ifdef CONFIG_KEY_REVOCATION
+	case ERROR_ESBC_CLIENT_HEADER_KEY_REVOKED:
+	case ERROR_ESBC_CLIENT_HEADER_INVALID_SRK_NUM_ENTRY:
+	case ERROR_ESBC_CLIENT_HEADER_INVALID_KEY_NUM:
+	case ERROR_ESBC_CLIENT_HEADER_INV_SRK_ENTRY_KEYLEN:
+#endif
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	/*@fallthrough@*/
+	case ERROR_ESBC_CLIENT_HEADER_IE_KEY_REVOKED:
+	case ERROR_ESBC_CLIENT_HEADER_INVALID_IE_NUM_ENTRY:
+	case ERROR_ESBC_CLIENT_HEADER_INVALID_IE_KEY_NUM:
+	case ERROR_ESBC_CLIENT_HEADER_INV_IE_ENTRY_KEYLEN:
+	case ERROR_IE_TABLE_NOT_FOUND:
+#endif
+		fsl_secboot_header_verification_failure();
+		break;
+	case ERROR_ESBC_SEC_RESET:
+	case ERROR_ESBC_SEC_DEQ:
+	case ERROR_ESBC_SEC_ENQ:
+	case ERROR_ESBC_SEC_DEQ_TO:
+	case ERROR_ESBC_SEC_JOBQ_STATUS:
+	case ERROR_ESBC_CLIENT_HASH_COMPARE_KEY:
+	case ERROR_ESBC_CLIENT_HASH_COMPARE_EM:
+		fsl_secboot_image_verification_failure();
+		break;
+	case ERROR_ESBC_MISSING_BOOTM:
+		fsl_secboot_bootscript_parse_failure();
+		break;
+	case ERROR_ESBC_WRONG_CMD:
+	default:
+		branch_to_self();
+		break;
+	}
+}
+
+static void fsl_secblk_handle_error(int error)
+{
+	switch (error) {
+	case ERROR_ESBC_SEC_ENQ:
+		fsl_secboot_handle_error(ERROR_ESBC_SEC_ENQ);
+		break;
+	case ERROR_ESBC_SEC_DEQ:
+		fsl_secboot_handle_error(ERROR_ESBC_SEC_DEQ);
+		break;
+	case ERROR_ESBC_SEC_DEQ_TO:
+		fsl_secboot_handle_error(ERROR_ESBC_SEC_DEQ_TO);
+		break;
+	default:
+		printf("Job Queue Output status %x\n", error);
+		fsl_secboot_handle_error(ERROR_ESBC_SEC_JOBQ_STATUS);
+		break;
+	}
+}
+
+/*
+ * Calculate hash of key obtained via offset present in ESBC uboot
+ * client hdr. This function calculates the hash of key which is obtained
+ * through offset present in ESBC uboot client header.
+ */
+static int calc_img_key_hash(struct fsl_secboot_img_priv *img)
+{
+	struct hash_algo *algo;
+	void *ctx;
+	int i, srk = 0;
+	int ret = 0;
+	const char *algo_name = "sha256";
+
+	/* Calculate hash of the esbc key */
+	ret = hash_progressive_lookup_algo(algo_name, &algo);
+	if (ret)
+		return ret;
+
+	ret = algo->hash_init(algo, &ctx);
+	if (ret)
+		return ret;
+
+	/* Update hash for ESBC key */
+#ifdef CONFIG_KEY_REVOCATION
+	if (check_srk(img)) {
+		ret = algo->hash_update(algo, ctx,
+		      (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+		      img->hdr.len_kr.num_srk * sizeof(struct srk_table), 1);
+		srk = 1;
+	}
+#endif
+	if (!srk)
+		ret = algo->hash_update(algo, ctx,
+			img->img_key, img->key_len, 1);
+	if (ret)
+		return ret;
+
+	/* Copy hash at destination buffer */
+	ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);
+	if (ret)
+		return ret;
+
+	for (i = 0; i < SHA256_BYTES; i++)
+		img->img_key_hash[i] = hash_val[i];
+
+	return 0;
+}
+
+/*
+ * Calculate hash of ESBC hdr and ESBC. This function calculates the
+ * single hash of ESBC header and ESBC image. If SG flag is on, all
+ * SG entries are also hashed alongwith the complete SG table.
+ */
+static int calc_esbchdr_esbc_hash(struct fsl_secboot_img_priv *img)
+{
+	struct hash_algo *algo;
+	void *ctx;
+	int ret = 0;
+	int key_hash = 0;
+	const char *algo_name = "sha256";
+
+	/* Calculate the hash of the ESBC */
+	ret = hash_progressive_lookup_algo(algo_name, &algo);
+	if (ret)
+		return ret;
+
+	ret = algo->hash_init(algo, &ctx);
+	/* Copy hash at destination buffer */
+	if (ret)
+		return ret;
+
+	/* Update hash for CSF Header */
+	ret = algo->hash_update(algo, ctx,
+		(u8 *)&img->hdr, sizeof(struct fsl_secboot_img_hdr), 0);
+	if (ret)
+		return ret;
+
+	/* Update the hash with that of srk table if srk flag is 1
+	 * If IE Table is selected, key is not added in the hash
+	 * If neither srk table nor IE key table available, add key
+	 * from header in the hash calculation
+	 */
+#ifdef CONFIG_KEY_REVOCATION
+	if (check_srk(img)) {
+		ret = algo->hash_update(algo, ctx,
+		      (u8 *)(uintptr_t)(img->ehdrloc + img->hdr.srk_tbl_off),
+		      img->hdr.len_kr.num_srk * sizeof(struct srk_table), 0);
+		key_hash = 1;
+	}
+#endif
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	if (!key_hash && check_ie(img))
+		key_hash = 1;
+#endif
+#ifndef CONFIG_ESBC_HDR_LS
+/* No single key support in LS ESBC header */
+	if (!key_hash) {
+		ret = algo->hash_update(algo, ctx,
+			img->img_key, img->hdr.key_len, 0);
+		key_hash = 1;
+	}
+#endif
+	if (ret)
+		return ret;
+	if (!key_hash)
+		return ERROR_KEY_TABLE_NOT_FOUND;
+
+	/* Update hash for actual Image */
+	ret = algo->hash_update(algo, ctx,
+		(u8 *)(*(img->img_addr_ptr)), img->img_size, 1);
+	if (ret)
+		return ret;
+
+	/* Copy hash at destination buffer */
+	ret = algo->hash_finish(algo, ctx, hash_val, algo->digest_size);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+/*
+ * Construct encoded hash EM' wrt PKCSv1.5. This function calculates the
+ * pointers for padding, DER value and hash. And finally, constructs EM'
+ * which includes hash of complete CSF header and ESBC image. If SG flag
+ * is on, hash of SG table and entries is also included.
+ */
+static void construct_img_encoded_hash_second(struct fsl_secboot_img_priv *img)
+{
+	/*
+	 * RSA PKCSv1.5 encoding format for encoded message is below
+	 * EM = 0x0 || 0x1 || PS || 0x0 || DER || Hash
+	 * PS is Padding String
+	 * DER is DER value for SHA-256
+	 * Hash is SHA-256 hash
+	 * *********************************************************
+	 * representative points to first byte of EM initially and is
+	 * filled with 0x0
+	 * representative is incremented by 1 and second byte is filled
+	 * with 0x1
+	 * padding points to third byte of EM
+	 * digest points to full length of EM - 32 bytes
+	 * hash_id (DER value) points to 19 bytes before pDigest
+	 * separator is one byte which separates padding and DER
+	 */
+
+	size_t len;
+	u8 *representative;
+	u8 *padding, *digest;
+	u8 *hash_id, *separator;
+	int i;
+
+	len = (get_key_len(img) / 2) - 1;
+	representative = img->img_encoded_hash_second;
+	representative[0] = 0;
+	representative[1] = 1;  /* block type 1 */
+
+	padding = &representative[2];
+	digest = &representative[1] + len - 32;
+	hash_id = digest - sizeof(hash_identifier);
+	separator = hash_id - 1;
+
+	/* fill padding area pointed by padding with 0xff */
+	memset(padding, 0xff, separator - padding);
+
+	/* fill byte pointed by separator */
+	*separator = 0;
+
+	/* fill SHA-256 DER value  pointed by HashId */
+	memcpy(hash_id, hash_identifier, sizeof(hash_identifier));
+
+	/* fill hash pointed by Digest */
+	for (i = 0; i < SHA256_BYTES; i++)
+		digest[i] = hash_val[i];
+}
+
+/*
+ * Reads and validates the ESBC client header.
+ * This function reads key and signature from the ESBC client header.
+ * If Scatter/Gather flag is on, lengths and offsets of images
+ * present as SG entries are also read. This function also checks
+ * whether the header is valid or not.
+ */
+static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
+{
+	struct fsl_secboot_img_hdr *hdr = &img->hdr;
+	void *esbc = (u8 *)(uintptr_t)img->ehdrloc;
+	u8 *k, *s;
+	u32 ret = 0;
+
+	int  key_found = 0;
+
+	/* check barker code */
+	if (memcmp(hdr->barker, barker_code, ESBC_BARKER_LEN))
+		return ERROR_ESBC_CLIENT_HEADER_BARKER;
+
+	/* If Image Address is not passed as argument to function,
+	 * then Address and Size must be read from the Header.
+	 */
+	if (*(img->img_addr_ptr) == 0) {
+	#ifdef CONFIG_ESBC_ADDR_64BIT
+		*(img->img_addr_ptr) = hdr->pimg64;
+	#else
+		*(img->img_addr_ptr) = hdr->pimg;
+	#endif
+	}
+
+	if (!hdr->img_size)
+		return ERROR_ESBC_CLIENT_HEADER_IMG_SIZE;
+
+	img->img_size = hdr->img_size;
+
+	/* Key checking*/
+#ifdef CONFIG_KEY_REVOCATION
+	if (check_srk(img)) {
+		ret = read_validate_srk_tbl(img);
+		if (ret != 0)
+			return ret;
+		key_found = 1;
+	}
+#endif
+
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	if (!key_found && check_ie(img)) {
+		ret = read_validate_ie_tbl(img);
+		if (ret != 0)
+			return ret;
+		key_found = 1;
+	}
+#endif
+#ifndef CONFIG_ESBC_HDR_LS
+/* Single Key Feature not available in LS ESBC Header */
+	if (key_found == 0) {
+		ret = read_validate_single_key(img);
+		if (ret != 0)
+			return ret;
+		key_found = 1;
+	}
+#endif
+	if (!key_found)
+		return ERROR_KEY_TABLE_NOT_FOUND;
+
+	/* check signaure */
+	if (get_key_len(img) == 2 * hdr->sign_len) {
+		/* check signature length */
+		if (!((hdr->sign_len == KEY_SIZE_BYTES / 4) ||
+		      (hdr->sign_len == KEY_SIZE_BYTES / 2) ||
+		      (hdr->sign_len == KEY_SIZE_BYTES)))
+			return ERROR_ESBC_CLIENT_HEADER_SIG_LEN;
+	} else {
+		return ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN;
+	}
+
+	memcpy(&img->img_sign, esbc + hdr->psign, hdr->sign_len);
+/* No SG support in LS-CH3 */
+#ifndef CONFIG_ESBC_HDR_LS
+	/* No SG support */
+	if (hdr->sg_flag)
+		return ERROR_ESBC_CLIENT_HEADER_SG;
+#endif
+
+	/* modulus most significant bit should be set */
+	k = (u8 *)&img->img_key;
+
+	if ((k[0] & 0x80) == 0)
+		return ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1;
+
+	/* modulus value should be odd */
+	if ((k[get_key_len(img) / 2 - 1] & 0x1) == 0)
+		return ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2;
+
+	/* Check signature value < modulus value */
+	s = (u8 *)&img->img_sign;
+
+	if (!(memcmp(s, k, hdr->sign_len) < 0))
+		return ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD;
+
+	return ESBC_VALID_HDR;
+}
+
+static inline int str2longbe(const char *p, ulong *num)
+{
+	char *endptr;
+	ulong tmp;
+
+	if (!p) {
+		return 0;
+	} else {
+		tmp = simple_strtoul(p, &endptr, 16);
+		if (sizeof(ulong) == 4)
+			*num = cpu_to_be32(tmp);
+		else
+			*num = cpu_to_be64(tmp);
+	}
+
+	return *p != '\0' && *endptr == '\0';
+}
+/* Function to calculate the ESBC Image Hash
+ * and hash from Digital signature.
+ * The Two hash's are compared to yield the
+ * result of signature validation.
+ */
+static int calculate_cmp_img_sig(struct fsl_secboot_img_priv *img)
+{
+	int ret;
+	uint32_t key_len;
+	struct key_prop prop;
+#if !defined(USE_HOSTCC)
+	struct udevice *mod_exp_dev;
+#endif
+	ret = calc_esbchdr_esbc_hash(img);
+	if (ret)
+		return ret;
+
+	/* Construct encoded hash EM' wrt PKCSv1.5 */
+	construct_img_encoded_hash_second(img);
+
+	/* Fill prop structure for public key */
+	memset(&prop, 0, sizeof(struct key_prop));
+	key_len = get_key_len(img) / 2;
+	prop.modulus = img->img_key;
+	prop.public_exponent = img->img_key + key_len;
+	prop.num_bits = key_len * 8;
+	prop.exp_len = key_len;
+
+	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
+	if (ret) {
+		printf("RSA: Can't find Modular Exp implementation\n");
+		return -EINVAL;
+	}
+
+	ret = rsa_mod_exp(mod_exp_dev, img->img_sign, img->hdr.sign_len,
+			  &prop, img->img_encoded_hash);
+	if (ret)
+		return ret;
+
+	/*
+	 * compare the encoded messages EM' and EM wrt RSA PKCSv1.5
+	 * memcmp returns zero on success
+	 * memcmp returns non-zero on failure
+	 */
+	ret = memcmp(&img->img_encoded_hash_second, &img->img_encoded_hash,
+		img->hdr.sign_len);
+
+	if (ret)
+		return ERROR_ESBC_CLIENT_HASH_COMPARE_EM;
+
+	return 0;
+}
+/* Function to initialize img priv and global data structure
+ */
+static int secboot_init(struct fsl_secboot_img_priv **img_ptr)
+{
+	*img_ptr = malloc(sizeof(struct fsl_secboot_img_priv));
+
+	struct fsl_secboot_img_priv *img = *img_ptr;
+
+	if (!img)
+		return -ENOMEM;
+	memset(img, 0, sizeof(struct fsl_secboot_img_priv));
+
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	if (glb.ie_addr)
+		img->ie_addr = glb.ie_addr;
+#endif
+	return 0;
+}
+
+
+/* haddr - Address of the header of image to be validated.
+ * arg_hash_str - Option hash string. If provided, this
+ * overrides the key hash in the SFP fuses.
+ * img_addr_ptr - Optional pointer to address of image to be validated.
+ * If non zero addr, this overrides the addr of image in header,
+ * otherwise updated to image addr in header.
+ * Acts as both input and output of function.
+ * This pointer shouldn't be NULL.
+ */
+int fsl_secboot_validate(uintptr_t haddr, char *arg_hash_str,
+			uintptr_t *img_addr_ptr)
+{
+	struct ccsr_sfp_regs *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+	ulong hash[SHA256_BYTES/sizeof(ulong)];
+	char hash_str[NUM_HEX_CHARS + 1];
+	struct fsl_secboot_img_priv *img;
+	struct fsl_secboot_img_hdr *hdr;
+	void *esbc;
+	int ret, i, hash_cmd = 0;
+	u32 srk_hash[8];
+
+	if (arg_hash_str != NULL) {
+		const char *cp = arg_hash_str;
+		int i = 0;
+
+		if (*cp == '0' && *(cp + 1) == 'x')
+			cp += 2;
+
+		/* The input string expected is in hex, where
+		 * each 4 bits would be represented by a hex
+		 * sha256 hash is 256 bits long, which would mean
+		 * num of characters = 256 / 4
+		 */
+		if (strlen(cp) != SHA256_NIBBLES) {
+			printf("%s is not a 256 bits hex string as expected\n",
+			       arg_hash_str);
+			return -1;
+		}
+
+		for (i = 0; i < sizeof(hash)/sizeof(ulong); i++) {
+			strncpy(hash_str, cp + (i * NUM_HEX_CHARS),
+				NUM_HEX_CHARS);
+			hash_str[NUM_HEX_CHARS] = '\0';
+			if (!str2longbe(hash_str, &hash[i])) {
+				printf("%s is not a 256 bits hex string ",
+				       arg_hash_str);
+				return -1;
+			}
+		}
+
+		hash_cmd = 1;
+	}
+
+	ret = secboot_init(&img);
+	if (ret)
+		goto exit;
+
+	/* Update the information in Private Struct */
+	hdr = &img->hdr;
+	img->ehdrloc = haddr;
+	img->img_addr_ptr = img_addr_ptr;
+	esbc = (u8 *)img->ehdrloc;
+
+	memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr));
+
+	/* read and validate esbc header */
+	ret = read_validate_esbc_client_header(img);
+
+	if (ret != ESBC_VALID_HDR) {
+		fsl_secboot_handle_error(ret);
+		goto exit;
+	}
+
+	/* SRKH present in SFP */
+	for (i = 0; i < NUM_SRKH_REGS; i++)
+		srk_hash[i] = srk_in32(&sfp_regs->srk_hash[i]);
+
+	/*
+	 * Calculate hash of key obtained via offset present in
+	 * ESBC uboot client hdr
+	 */
+	ret = calc_img_key_hash(img);
+	if (ret) {
+		fsl_secblk_handle_error(ret);
+		goto exit;
+	}
+
+	/* Compare hash obtained above with SRK hash present in SFP */
+	if (hash_cmd)
+		ret = memcmp(&hash, &img->img_key_hash, SHA256_BYTES);
+	else
+		ret = memcmp(srk_hash, img->img_key_hash, SHA256_BYTES);
+
+#if defined(CONFIG_FSL_ISBC_KEY_EXT)
+	if (!hash_cmd && check_ie(img))
+		ret = 0;
+#endif
+
+	if (ret != 0) {
+		fsl_secboot_handle_error(ERROR_ESBC_CLIENT_HASH_COMPARE_KEY);
+		goto exit;
+	}
+
+	ret = calculate_cmp_img_sig(img);
+	if (ret) {
+		fsl_secboot_handle_error(ret);
+		goto exit;
+	}
+
+exit:
+	/* Free Img as it was malloc'ed*/
+	free(img);
+	return ret;
+}
diff --git a/board/solidrun/common/vid.c b/board/solidrun/common/vid.c
new file mode 100644
index 0000000000..cc81e80c37
--- /dev/null
+++ b/board/solidrun/common/vid.c
@@ -0,0 +1,330 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2018 NXP
+ */
+#include <common.h>
+#include <command.h>
+#include <i2c.h>
+#include <asm/io.h>
+#ifdef CONFIG_FSL_LSCH2
+#include <asm/arch/immap_lsch2.h>
+#elif defined(CONFIG_FSL_LSCH3)
+#include <asm/arch/immap_lsch3.h>
+#else
+#include <asm/immap_85xx.h>
+#endif
+#include "vid.h"
+
+int __weak i2c_multiplexer_select_vid_channel(u8 channel)
+{
+	return 0;
+}
+
+/*
+ * Compensate for a board specific voltage drop between regulator and SoC
+ * return a value in mV
+ */
+int __weak board_vdd_drop_compensation(void)
+{
+	return 0;
+}
+
+/*
+ * Board specific settings for specific voltage value
+ */
+int __weak board_adjust_vdd(int vdd)
+{
+	return 0;
+}
+
+/* Maximum loop count waiting for new voltage to take effect */
+#define MAX_LOOP_WAIT_NEW_VOL		100
+/* Maximum loop count waiting for the voltage to be stable */
+#define MAX_LOOP_WAIT_VOL_STABLE	100
+/*
+ * read_voltage from sensor on I2C bus
+ * We use average of 4 readings, waiting for WAIT_FOR_ADC before
+ * another reading
+ */
+#define NUM_READINGS    4       /* prefer to be power of 2 for efficiency */
+
+/* If an INA220 chip is available, we can use it to read back the voltage
+ * as it may have a higher accuracy than the IR chip for the same purpose
+ */
+#ifdef CONFIG_VOL_MONITOR_INA220
+#define WAIT_FOR_ADC	532	/* wait for 532 microseconds for ADC */
+#define ADC_MIN_ACCURACY	4
+#else
+#define WAIT_FOR_ADC	138	/* wait for 138 microseconds for ADC */
+#define ADC_MIN_ACCURACY	4
+#endif
+
+/* read the current value of the LTC Regulator Voltage */
+static int read_voltage_from_LTC(int i2caddress)
+{
+	int  ret, vcode = 0;
+	u8 chan = PWM_CHANNEL0;
+
+	/* select the PAGE 0 using PMBus commands PAGE for VDD*/
+	ret = i2c_write(I2C_VOL_MONITOR_ADDR,
+			PMBUS_CMD_PAGE, 1, &chan, 1);
+	if (ret) {
+		printf("VID: failed to select VDD Page 0\n");
+		return ret;
+	}
+
+	/*read the output voltage using PMBus command READ_VOUT*/
+	ret = i2c_read(I2C_VOL_MONITOR_ADDR,
+		       PMBUS_CMD_READ_VOUT, 1, (void *)&vcode, 2);
+	if (ret) {
+		printf("VID: failed to read the volatge\n");
+		return ret;
+	}
+
+	/* Scale down to the real mV as LTC resolution is 1/4096V,rounding up */
+	vcode = DIV_ROUND_UP(vcode * 1000, 4096);
+
+	return vcode;
+}
+
+static int read_voltage(int i2caddress)
+{
+	int voltage_read;
+	voltage_read = read_voltage_from_LTC(i2caddress);
+	return voltage_read;
+}
+
+/* this function sets the VDD and returns the value set */
+static int set_voltage_to_LTC(int i2caddress, int vdd)
+{
+	int ret, vdd_last, vdd_target = vdd;
+	int count = 100, temp = 0;
+
+	/* Scale up to the LTC resolution is 1/4096V */
+	vdd = (vdd * 4096) / 1000;
+
+	/* 5-byte buffer which needs to be sent following the
+	 * PMBus command PAGE_PLUS_WRITE.
+	 */
+	u8 buff[5] = {0x04, PWM_CHANNEL0, PMBUS_CMD_VOUT_COMMAND,
+			vdd & 0xFF, (vdd & 0xFF00) >> 8};
+
+	/* Write the desired voltage code to the regulator */
+	ret = i2c_write(I2C_VOL_MONITOR_ADDR,
+			PMBUS_CMD_PAGE_PLUS_WRITE, 1, (void *)&buff, 5);
+	if (ret) {
+		printf("VID: I2C failed to write to the volatge regulator\n");
+		return -1;
+	}
+
+	/* Wait for the volatge to get to the desired value */
+	do {
+		vdd_last = read_voltage_from_LTC(i2caddress);
+		if (vdd_last < 0) {
+			printf("VID: Couldn't read sensor abort VID adjust\n");
+			return -1;
+		}
+		count--;
+		temp = vdd_last - vdd_target;
+	} while ((abs(temp) > 2)  && (count > 0));
+
+	return vdd_last;
+}
+
+static int set_voltage(int i2caddress, int vdd)
+{
+	int vdd_last = -1;
+
+	vdd_last = set_voltage_to_LTC(i2caddress, vdd);
+	return vdd_last;
+}
+
+int adjust_vdd(ulong vdd_override)
+{
+	int re_enable = disable_interrupts();
+	struct ccsr_gur *gur = (void *)(CONFIG_SYS_FSL_GUTS_ADDR);
+	u32 fusesr;
+	u8 vid;
+	int vdd_target, vdd_current, vdd_last;
+	int ret, i2caddress;
+	unsigned long vdd_string_override;
+	char *vdd_string;
+	static const u16 vdd[32] = {
+		8250,
+		7875,
+		7750,
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		8000,
+		8125,
+		8250,
+		0,      /* reserved */
+		8500,
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+		0,      /* reserved */
+	};
+	struct vdd_drive {
+		u8 vid;
+		unsigned voltage;
+	};
+	ret = i2c_multiplexer_select_vid_channel(I2C_MUX_CH_VOL_MONITOR);
+	if (ret) {
+		debug("VID: I2C failed to switch channel\n");
+		ret = -1;
+		goto exit;
+	}
+	/* get the voltage ID from fuse status register */
+	fusesr = in_le32(&gur->dcfg_fusesr);
+	vid = (fusesr >> FSL_CHASSIS3_DCFG_FUSESR_ALTVID_SHIFT) &
+		FSL_CHASSIS3_DCFG_FUSESR_ALTVID_MASK;
+	if ((vid == 0) || (vid == FSL_CHASSIS3_DCFG_FUSESR_ALTVID_MASK)) {
+		vid = (fusesr >> FSL_CHASSIS3_DCFG_FUSESR_VID_SHIFT) &
+			FSL_CHASSIS3_DCFG_FUSESR_VID_MASK;
+	}
+	vdd_target = vdd[vid];
+	printf ("vid FUSE index %d (vdd_target = %d)\n",vid,vdd_target);
+
+	/* check override variable for overriding VDD */
+	vdd_string = env_get(CONFIG_VID_FLS_ENV);
+	if (vdd_override == 0 && vdd_string &&
+	    !strict_strtoul(vdd_string, 10, &vdd_string_override))
+		vdd_override = vdd_string_override;
+
+	if (vdd_override >= VDD_MV_MIN && vdd_override <= VDD_MV_MAX) {
+		vdd_target = vdd_override * 10; /* convert to 1/10 mV */
+		debug("VDD override is %lu\n", vdd_override);
+	} else if (vdd_override != 0) {
+		printf("Invalid value.\n");
+	}
+
+	/* divide and round up by 10 to get a value in mV */
+	vdd_target = DIV_ROUND_UP(vdd_target, 10);
+	if (vdd_target == 0) {
+		debug("VID: VID not used\n");
+		ret = 0;
+		goto exit;
+	} else if (vdd_target < VDD_MV_MIN || vdd_target > VDD_MV_MAX) {
+		/* Check vdd_target is in valid range */
+		printf("VID: Target VID %d mV is not in range.\n",
+		       vdd_target);
+		ret = -1;
+		goto exit;
+	} else {
+		debug("VID: vid = %d mV\n", vdd_target);
+	}
+
+	/*
+	 * Read voltage monitor to check real voltage.
+	 */
+	vdd_last = read_voltage(i2caddress);
+	if (vdd_last < 0) {
+		printf("VID: Couldn't read sensor abort VID adjustment\n");
+		ret = -1;
+		goto exit;
+	}
+	vdd_current = vdd_last;
+	debug("VID: Core voltage is currently at %d mV\n", vdd_last);
+
+	/* Set the target voltage */
+	vdd_last = vdd_current = set_voltage(i2caddress, vdd_target);
+	if (board_adjust_vdd(vdd_target) < 0) {
+		ret = -1;
+		goto exit;
+	}
+
+	if (vdd_last > 0)
+		printf("VID: Core voltage after adjustment is at %d mV\n",
+		       vdd_last);
+	else
+		ret = -1;
+exit:
+	if (re_enable)
+		enable_interrupts();
+	i2c_multiplexer_select_vid_channel(I2C_MUX_CH_DEFAULT);
+	return ret;
+}
+
+static int print_vdd(void)
+{
+	int vdd_last, ret, i2caddress;
+
+	ret = i2c_multiplexer_select_vid_channel(I2C_MUX_CH_VOL_MONITOR);
+	if (ret) {
+		debug("VID : I2c failed to switch channel\n");
+		return -1;
+	}
+	/*
+	 * Read voltage monitor to check real voltage.
+	 */
+	vdd_last = read_voltage(i2caddress);
+	if (vdd_last < 0) {
+		printf("VID: Couldn't read sensor abort VID adjustment\n");
+		goto exit;
+	}
+	printf("VID: Core voltage is at %d mV\n", vdd_last);
+exit:
+	i2c_multiplexer_select_vid_channel(I2C_MUX_CH_DEFAULT);
+
+	return ret < 0 ? -1 : 0;
+
+}
+
+static int do_vdd_override(cmd_tbl_t *cmdtp,
+			   int flag, int argc,
+			   char * const argv[])
+{
+	ulong override;
+
+	if (argc < 2)
+		return CMD_RET_USAGE;
+
+	if (!strict_strtoul(argv[1], 10, &override))
+		adjust_vdd(override);   /* the value is checked by callee */
+	else
+		return CMD_RET_USAGE;
+	return 0;
+}
+
+static int do_vdd_read(cmd_tbl_t *cmdtp,
+			 int flag, int argc,
+			 char * const argv[])
+{
+	if (argc < 1)
+		return CMD_RET_USAGE;
+	print_vdd();
+
+	return 0;
+}
+
+U_BOOT_CMD(
+	vdd_override, 2, 0, do_vdd_override,
+	"override VDD",
+	" - override with the voltage specified in mV, eg. 1050"
+);
+
+U_BOOT_CMD(
+	vdd_read, 1, 0, do_vdd_read,
+	"read VDD",
+	" - Read the voltage specified in mV"
+)
diff --git a/board/solidrun/common/vid.h b/board/solidrun/common/vid.h
new file mode 100644
index 0000000000..99778e9a93
--- /dev/null
+++ b/board/solidrun/common/vid.h
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright 2014 Freescale Semiconductor, Inc.
+ */
+
+#ifndef __VID_H_
+#define __VID_H_
+
+#define IR36021_LOOP1_MANUAL_ID_OFFSET	0x6A
+#define IR36021_LOOP1_VOUT_OFFSET	0x9A
+#define IR36021_MFR_ID_OFFSET		0x92
+#define IR36021_MFR_ID			0x43
+#define IR36021_INTEL_MODE_OOFSET	0x14
+#define IR36021_MODE_MASK		0x20
+#define IR36021_INTEL_MODE		0x00
+#define IR36021_AMD_MODE		0x20
+
+/* step the IR regulator in 5mV increments */
+#define IR_VDD_STEP_DOWN		5
+#define IR_VDD_STEP_UP			5
+int adjust_vdd(ulong vdd_override);
+
+#endif  /* __VID_H_ */
-- 
2.17.1