[U-Boot] [PATCH 1/5] imx: hab: Keep CAAM clock enabled after authenticating additional images
From: Breno Lima breno.lima@nxp.com
Currently it is not possible to run CMD_DEK on i.MX SPL targets:
=> dek_blob 0x12000000 0x12001000 128
The system hangs after running dek_blob because the CAAM clock is being disabled by the HAB code. There is no need to disable CAAM clock after authenticating additional boot images, thus keep CAAM clock enabled to address this issue.
Signed-off-by: Breno Lima breno.lima@nxp.com --- arch/arm/mach-imx/hab.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index 5f19777..1e6b31d 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -507,13 +507,13 @@ int imx_hab_authenticate_image(uint32_t ddr_start, uint32_t image_size,
/* Verify IVT header bugging out on error */ if (verify_ivt_header(ivt_hdr)) - goto hab_caam_clock_disable; + goto hab_authentication_exit;
/* Verify IVT body */ if (ivt->self != ivt_addr) { printf("ivt->self 0x%08x pointer is 0x%08x\n", ivt->self, ivt_addr); - goto hab_caam_clock_disable; + goto hab_authentication_exit; }
start = ddr_start; @@ -591,8 +591,7 @@ hab_exit_failure_print_status: get_hab_status(); #endif
-hab_caam_clock_disable: - hab_caam_clock_enable(0); +hab_authentication_exit:
if (load_addr != 0) result = 0;
From: Utkarsh Gupta utkarsh.gupta@nxp.com
DCD commands should only be present in the initial boot image loaded by the SoC ROM. DCD should not be present in images that will be verified by software using HAB RVT authentication APIs. Newer versions of HAB will generate an error if a DCD pointer is present in an image being authenticated by calling the HAB RVT API. Older versions of HAB will process and run DCD if it is present, and this could lead to an incorrect authentication boot flow.
It is highly recommended this check is in place to ensure additional HAB verified images do not include a DCD table.
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com --- arch/arm/mach-imx/hab.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index 1e6b31d..ba6b31d 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -516,6 +516,12 @@ int imx_hab_authenticate_image(uint32_t ddr_start, uint32_t image_size, goto hab_authentication_exit; }
+ /* Verify if IVT DCD pointer is NULL */ + if (ivt->dcd) { + puts("Error: DCD pointer must be NULL\n"); + goto hab_authentication_exit; + } + start = ddr_start; bytes = image_size;
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Utkarsh Gupta utkarsh.gupta@nxp.com
DCD commands should only be present in the initial boot image loaded by the SoC ROM. DCD should not be present in images that will be verified by software using HAB RVT authentication APIs. Newer versions of HAB will generate an error if a DCD pointer is present in an image being authenticated by calling the HAB RVT API. Older versions of HAB will process and run DCD if it is present, and this could lead to an incorrect authentication boot flow.
It is highly recommended this check is in place to ensure additional HAB verified images do not include a DCD table.
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
From: Utkarsh Gupta utkarsh.gupta@nxp.com
For proper authentication the HAB code must check if the CSF is valid. Users must call the csf_is_valid() function to parse the CSF prior to authenticating any additional images. The function will return a failure if any of the following invalid conditions are met:
- CSF pointer is NULL - CSF Header does not exist - CSF does not lie within the image bounds - CSF command length zero
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com --- arch/arm/include/asm/mach-imx/hab.h | 8 ++++ arch/arm/mach-imx/hab.c | 81 +++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+)
diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h index a0cb19d..bb73203 100644 --- a/arch/arm/include/asm/mach-imx/hab.h +++ b/arch/arm/include/asm/mach-imx/hab.h @@ -38,6 +38,12 @@ struct ivt { uint32_t reserved2; /* Reserved should be zero */ };
+struct __packed hab_hdr { + u8 tag; /* Tag field */ + u8 len[2]; /* Length field in bytes (big-endian) */ + u8 par; /* Parameters field */ +}; + /* -------- start of HAB API updates ------------*/ /* The following are taken from HAB4 SIS */
@@ -182,6 +188,8 @@ typedef void hapi_clock_init_t(void); #define HAB_CID_ROM 0 /**< ROM Caller ID */ #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
+#define HAB_CMD_HDR 0xD4 /* CSF Header */ + #define IVT_SIZE 0x20 #define CSF_PAD_SIZE 0x2000
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index ba6b31d..7f66965 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -453,6 +453,83 @@ U_BOOT_CMD(
#endif /* !defined(CONFIG_SPL_BUILD) */
+/* Get CSF Header length */ +static int get_hab_hdr_len(struct hab_hdr *hdr) +{ + return (size_t)((hdr->len[0] << 8) + (hdr->len[1])); +} + +/* Check whether addr lies between start and + * end and is within the length of the image + */ +static int chk_bounds(u8 *addr, size_t bytes, u8 *start, u8 *end) +{ + size_t csf_size = (size_t)((end + 1) - addr); + + return (addr && (addr >= start) && (addr <= end) && + (csf_size >= bytes)); +} + +/* Get Length of each command in CSF */ +static int get_csf_cmd_hdr_len(u8 *csf_hdr) +{ + if (*csf_hdr == HAB_CMD_HDR) + return sizeof(struct hab_hdr); + + return get_hab_hdr_len((struct hab_hdr *)csf_hdr); +} + +/* Check if CSF is valid */ +static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes) +{ + u8 *start = (u8 *)start_addr; + u8 *csf_hdr; + u8 *end; + + size_t csf_hdr_len; + size_t cmd_hdr_len; + size_t offset = 0; + + if (bytes != 0) + end = start + bytes - 1; + else + end = start; + + /* Verify if CSF pointer content is zero */ + if (!ivt->csf) { + puts("Error: CSF pointer is NULL\n"); + return false; + } + + csf_hdr = (u8 *)ivt->csf; + + /* Verify if CSF Header exist */ + if (*csf_hdr != HAB_CMD_HDR) { + puts("Error: CSF header command not found\n"); + return false; + } + + csf_hdr_len = get_hab_hdr_len((struct hab_hdr *)csf_hdr); + + /* Check if the CSF lies within the image bounds */ + if (!chk_bounds(csf_hdr, csf_hdr_len, start, end)) { + puts("Error: CSF lies outside the image bounds\n"); + return false; + } + + do { + cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]); + if (!cmd_hdr_len) { + puts("Error: Invalid command length\n"); + return false; + } + offset += cmd_hdr_len; + + } while (offset < csf_hdr_len); + + return true; +} + bool imx_hab_is_enabled(void) { struct imx_sec_config_fuse_t *fuse = @@ -525,6 +602,10 @@ int imx_hab_authenticate_image(uint32_t ddr_start, uint32_t image_size, start = ddr_start; bytes = image_size;
+ /* Verify CSF */ + if (!csf_is_valid(ivt, start, bytes)) + goto hab_authentication_exit; + if (hab_rvt_entry() != HAB_SUCCESS) { puts("hab entry function fail\n"); goto hab_exit_failure_print_status;
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Utkarsh Gupta utkarsh.gupta@nxp.com
For proper authentication the HAB code must check if the CSF is valid. Users must call the csf_is_valid() function to parse the CSF prior to authenticating any additional images. The function will return a failure if any of the following invalid conditions are met:
- CSF pointer is NULL
- CSF Header does not exist
- CSF does not lie within the image bounds
- CSF command length zero
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
From: Utkarsh Gupta utkarsh.gupta@nxp.com
Write, Check and Set MID commands have been deprecated from the Code Signing Tool (CST) v2.3.3 and will not be implemented in newer versions of HAB, hence the following features are no longer available:
- Write Data - Clear Mask - Set Mask - Check All Clear - Check All Set - Check Any Clear - Check Any Set - Set MID
The inappropriate use of Write Data command may lead to an incorrect authentication boot flow. Since no specific application has been identified that requires the use of any of these features, it is highly recommended to add this check.
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com --- arch/arm/include/asm/mach-imx/hab.h | 4 ++++ arch/arm/mach-imx/hab.c | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+)
diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h index bb73203..93475a6 100644 --- a/arch/arm/include/asm/mach-imx/hab.h +++ b/arch/arm/include/asm/mach-imx/hab.h @@ -189,6 +189,10 @@ typedef void hapi_clock_init_t(void); #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
#define HAB_CMD_HDR 0xD4 /* CSF Header */ +#define HAB_CMD_WRT_DAT 0xCC /* Write Data command tag */ +#define HAB_CMD_CHK_DAT 0xCF /* Check Data command tag */ +#define HAB_CMD_SET 0xB1 /* Set command tag */ +#define HAB_PAR_MID 0x01 /* MID parameter value */
#define IVT_SIZE 0x20 #define CSF_PAD_SIZE 0x2000 diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index 7f66965..79e8bf6 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -518,6 +518,26 @@ static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes) }
do { + struct hab_hdr *cmd; + + cmd = (struct hab_hdr *)&csf_hdr[offset]; + + switch (cmd->tag) { + case (HAB_CMD_WRT_DAT): + puts("Error: Deprecated write command found\n"); + return false; + case (HAB_CMD_CHK_DAT): + puts("Error: Deprecated check command found\n"); + return false; + case (HAB_CMD_SET): + if (cmd->par == HAB_PAR_MID) { + puts("Error: Deprecated Set MID command found\n"); + return false; + } + default: + break; + } + cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]); if (!cmd_hdr_len) { puts("Error: Invalid command length\n");
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Utkarsh Gupta utkarsh.gupta@nxp.com
Write, Check and Set MID commands have been deprecated from the Code Signing Tool (CST) v2.3.3 and will not be implemented in newer versions of HAB, hence the following features are no longer available:
- Write Data
- Clear Mask
- Set Mask
- Check All Clear
- Check All Set
- Check Any Clear
- Check Any Set
- Set MID
The inappropriate use of Write Data command may lead to an incorrect authentication boot flow. Since no specific application has been identified that requires the use of any of these features, it is highly recommended to add this check.
Signed-off-by: Utkarsh Gupta utkarsh.gupta@nxp.com Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
From: Breno Lima breno.lima@nxp.com
Currently the following devices are using a different definition for ROM Vector Table addresses:
- i.MX6DQP = All rev - i.MX6DQ >= rev 1.5 - i.MX6SDL >= rev 1.2
There is no need to create a new RVT macros since the only update were the RVT base address. Remove HAB_RVT_*_NEW macros and define a new RVT base address.
More details about RVT base address can be found on processors Reference Manual and in the following documents:
EB803: i.MX 6Dual/6Quad Applications Processor Silicon Revision 1.2 to 1.3 Comparison
EB804: i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1 to 1.2/1.3 Comparison
Signed-off-by: Breno Lima breno.lima@nxp.com --- arch/arm/include/asm/mach-imx/hab.h | 15 ++--- arch/arm/mach-imx/hab.c | 106 +++--------------------------------- 2 files changed, 17 insertions(+), 104 deletions(-)
diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h index 93475a6..561de9c 100644 --- a/arch/arm/include/asm/mach-imx/hab.h +++ b/arch/arm/include/asm/mach-imx/hab.h @@ -168,7 +168,14 @@ typedef void hapi_clock_init_t(void); #ifdef CONFIG_ROM_UNIFIED_SECTIONS #define HAB_RVT_BASE 0x00000100 #else -#define HAB_RVT_BASE 0x00000094 +#define HAB_RVT_BASE_NEW 0x00000098 +#define HAB_RVT_BASE_OLD 0x00000094 +#define HAB_RVT_BASE ((is_mx6dqp()) ? \ + HAB_RVT_BASE_NEW : \ + (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ + HAB_RVT_BASE_NEW : \ + (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ + HAB_RVT_BASE_NEW : HAB_RVT_BASE_OLD) #endif
#define HAB_RVT_ENTRY (*(uint32_t *)(HAB_RVT_BASE + 0x04)) @@ -179,12 +186,6 @@ typedef void hapi_clock_init_t(void); #define HAB_RVT_REPORT_STATUS (*(uint32_t *)(HAB_RVT_BASE + 0x24)) #define HAB_RVT_FAILSAFE (*(uint32_t *)(HAB_RVT_BASE + 0x28))
-#define HAB_RVT_REPORT_EVENT_NEW (*(uint32_t *)0x000000B8) -#define HAB_RVT_REPORT_STATUS_NEW (*(uint32_t *)0x000000BC) -#define HAB_RVT_AUTHENTICATE_IMAGE_NEW (*(uint32_t *)0x000000A8) -#define HAB_RVT_ENTRY_NEW (*(uint32_t *)0x0000009C) -#define HAB_RVT_EXIT_NEW (*(uint32_t *)0x000000A0) - #define HAB_CID_ROM 0 /**< ROM Caller ID */ #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index 79e8bf6..c3fc699 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -13,96 +13,6 @@ #include <asm/arch/sys_proto.h> #include <asm/mach-imx/hab.h>
-/* -------- start of HAB API updates ------------*/ - -#define hab_rvt_report_event_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) : \ - ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) \ -) - -#define hab_rvt_report_status_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS_NEW) :\ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS_NEW) :\ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS_NEW) :\ - ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS) \ -) - -#define hab_rvt_authenticate_image_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE_NEW) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE_NEW) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE_NEW) : \ - ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE) \ -) - -#define hab_rvt_entry_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_entry_t *)HAB_RVT_ENTRY_NEW) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_entry_t *)HAB_RVT_ENTRY_NEW) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_entry_t *)HAB_RVT_ENTRY_NEW) : \ - ((hab_rvt_entry_t *)HAB_RVT_ENTRY) \ -) - -#define hab_rvt_exit_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_exit_t *)HAB_RVT_EXIT_NEW) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_exit_t *)HAB_RVT_EXIT_NEW) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_exit_t *)HAB_RVT_EXIT_NEW) : \ - ((hab_rvt_exit_t *)HAB_RVT_EXIT) \ -) - -static inline void hab_rvt_failsafe_new(void) -{ -} - -#define hab_rvt_failsafe_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_failsafe_t *)hab_rvt_failsafe_new) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_failsafe_t *)hab_rvt_failsafe_new) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_failsafe_t *)hab_rvt_failsafe_new) : \ - ((hab_rvt_failsafe_t *)HAB_RVT_FAILSAFE) \ -) - -static inline enum hab_status hab_rvt_check_target_new(enum hab_target target, - const void *start, - size_t bytes) -{ - return HAB_SUCCESS; -} - -#define hab_rvt_check_target_p \ -( \ - (is_mx6dqp()) ? \ - ((hab_rvt_check_target_t *)hab_rvt_check_target_new) : \ - (is_mx6dq() && (soc_rev() >= CHIP_REV_1_5)) ? \ - ((hab_rvt_check_target_t *)hab_rvt_check_target_new) : \ - (is_mx6sdl() && (soc_rev() >= CHIP_REV_1_2)) ? \ - ((hab_rvt_check_target_t *)hab_rvt_check_target_new) : \ - ((hab_rvt_check_target_t *)HAB_RVT_CHECK_TARGET) \ -) - #define ALIGN_SIZE 0x1000 #define MX6DQ_PU_IROM_MMU_EN_VAR 0x009024a8 #define MX6DLS_PU_IROM_MMU_EN_VAR 0x00901dd0 @@ -344,8 +254,9 @@ static int get_hab_status(void) hab_rvt_report_event_t *hab_rvt_report_event; hab_rvt_report_status_t *hab_rvt_report_status;
- hab_rvt_report_event = hab_rvt_report_event_p; - hab_rvt_report_status = hab_rvt_report_status_p; + hab_rvt_report_event = (hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT; + hab_rvt_report_status = + (hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS;
if (imx_hab_is_enabled()) puts("\nSecure boot enabled\n"); @@ -424,7 +335,7 @@ static int do_hab_failsafe(cmd_tbl_t *cmdtp, int flag, int argc, return 1; }
- hab_rvt_failsafe = hab_rvt_failsafe_p; + hab_rvt_failsafe = (hab_rvt_failsafe_t *)HAB_RVT_FAILSAFE; hab_rvt_failsafe();
return 0; @@ -582,10 +493,11 @@ int imx_hab_authenticate_image(uint32_t ddr_start, uint32_t image_size, struct ivt_header *ivt_hdr; enum hab_status status;
- hab_rvt_authenticate_image = hab_rvt_authenticate_image_p; - hab_rvt_entry = hab_rvt_entry_p; - hab_rvt_exit = hab_rvt_exit_p; - hab_rvt_check_target = hab_rvt_check_target_p; + hab_rvt_authenticate_image = + (hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE; + hab_rvt_entry = (hab_rvt_entry_t *)HAB_RVT_ENTRY; + hab_rvt_exit = (hab_rvt_exit_t *)HAB_RVT_EXIT; + hab_rvt_check_target = (hab_rvt_check_target_t *)HAB_RVT_CHECK_TARGET;
if (!imx_hab_is_enabled()) { puts("hab fuse not enabled\n");
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Breno Lima breno.lima@nxp.com
Currently the following devices are using a different definition for ROM Vector Table addresses:
- i.MX6DQP = All rev
- i.MX6DQ >= rev 1.5
- i.MX6SDL >= rev 1.2
There is no need to create a new RVT macros since the only update were the RVT base address. Remove HAB_RVT_*_NEW macros and define a new RVT base address.
More details about RVT base address can be found on processors Reference Manual and in the following documents:
EB803: i.MX 6Dual/6Quad Applications Processor Silicon Revision 1.2 to 1.3 Comparison
EB804: i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1 to 1.2/1.3 Comparison
Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Breno Lima breno.lima@nxp.com
Currently it is not possible to run CMD_DEK on i.MX SPL targets:
=> dek_blob 0x12000000 0x12001000 128
The system hangs after running dek_blob because the CAAM clock is being disabled by the HAB code. There is no need to disable CAAM clock after authenticating additional boot images, thus keep CAAM clock enabled to address this issue.
Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
On 20/02/2018 11:44, Fabio Estevam wrote:
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima brenomatheus@gmail.com wrote:
From: Breno Lima breno.lima@nxp.com
Currently it is not possible to run CMD_DEK on i.MX SPL targets:
=> dek_blob 0x12000000 0x12001000 128
The system hangs after running dek_blob because the CAAM clock is being disabled by the HAB code. There is no need to disable CAAM clock after authenticating additional boot images, thus keep CAAM clock enabled to address this issue.
Signed-off-by: Breno Lima breno.lima@nxp.com
Reviewed-by: Fabio Estevam fabio.estevam@nxp.com
Series contains fixes, I pick it up for the release.
Best regards, Stefano Babic
participants (3)
-
Breno Lima -
Fabio Estevam -
Stefano Babic