Hi Marek,
Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX container format file
On 5/21/19 4:31 AM, Peng Fan wrote:
Hi Marek,
Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX container format file
On 5/20/19 3:54 AM, Peng Fan wrote:
Hi Marek,
Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX container format file
On 5/20/19 3:30 AM, Peng Fan wrote:
Hi Simon,
> Subject: Re: [PATCH 4/6] spl: mmc: support loading i.MX container > format file > > Hi Peng, > > On Tue, 7 May 2019 at 06:52, Peng Fan peng.fan@nxp.com wrote: >> >> i.MX8 only support AHAB secure boot with Container format image, >> we could not use FIT to support secure boot, so introduce >> container > > Why not FIT?
Actually before we implement secure boot, we use FIT image, however i.MX8 only support i.MX container format image for secure boot, The chip will verify the container image when secure boot. It could not recognize FIT image. So we have to drop FIT image.
> >> support to let SPL could load container images. > > What is a container image? Can you please point to documentation?
Sadly, there is no public reference manual. There is a doc that has a bit of information.
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcom
m
unity.nxp.com%2Fdocs%2FDOC-343178&data=02%7C01%7Cpeng.fan%4
0nxp.co
m%7C8626e7a1d20c44b8715408d6dcc4d866%7C686ea1d3bc2b4c6fa92cd9
9c5c30163
5%7C0%7C0%7C636939135344595378&sdata=vmIaO78XmuL1tQJufqf7
HCGdWHTCJ
bEpmGBio15j46U%3D&reserved=0
Shouldn't it suffice for the SPL to be in this custom format , while the rest of the binaries can be in fitImage ?
The issue is the SoC only support i.MX container format for secure boot(AHAB boot), if we not use secure boot, FIT image do work and could
work well.
We investigated using FIT for i.MX8 secure boot, but it does not make sense we did a FIT wrapper for container. Container itself is also an image format, it contains image load/entry/size and etc
information.
I add a kconfig entry in SPL code, it does not hurt others if the Kconfig entry
not chosen.
I do not know how other SoC vendor did FIT hardware secure boot, please share you have any information.
The SPL can be in the custom format, but then can load fitImage with the next stage(s), right ?
I am not able to follow you, could you share more details?
Wrap the SPL into this custom format and then have the SPL load/authenticate fitImage with the rest (U-Boot, Linux, DTB etc). Would that work ?
It not work. We already wrap SPL in i.MX container format, this patchset is to let SPL could load the 2nd container file which contains U-Boot/DTB/OP-TEE/ATF. If we let SPL load a fitimage which contains (U-Boot/DTB and etc), it could not pass secure boot authentication, because ROM not know fitimage, it only know i.MX container format.
For authentication, we always let ROM to authenticate including SPL authenticating U-Boot, so we need pass an image to ROM that ROM could recognize when SPL booting 2nd image.
Thanks, Peng.
-- Best regards, Marek Vasut