[U-Boot] [PATCH v2 0/3] imx: hab: Add helper functions for scripted HAB auth

V2:
- Dropped first patch; setexpr does the same job - Lothar Waßmann
- IVT_PAD_SIZE -> BOOTROM_IVT_HDR_OFFSET. The objective is to define the default offset of the IVT header in the BootROM version of the IMX image, not, as it was confusingly named, IVT_PAD_SIZE - this is not a padding size! - Breno Matheus Lima
- image_failover CMD_RET_USAGE on invalid parameters - Breno Matheus Lima
- image_failover added printf("error: secure boot disabled\n"); - Breno
- Added BOOTROM_IVT_HDR_OFFSET to imximage.h instead of to hab.h. This define pertains to the image layout. - bod
V1: Greetings.
This set adds some helper functions as a precursor to an upcoming set of changes to a BSP adding scripted HAB authentication.
Calculating a HAB IVT address based on a base address and a +/- offset is a trivial but useful function for HAB. It means you can have a load address for a HAB image inside of your environment and specify the IVT offset relative to that address. All you need to do then is to call the function to obtain the correct IVT address to pass into hab_auth_img.
Two relatively minor changes then - one encasing the hab.h in ifndef __ASSEMBLY__ which is required if you want to include hab.h in a board.h.
Specifying the IVT padding size is again properly done as a define as opposed to a magic number in code.
The final patch then is wrapping up two common use-cases in the upcoming BSP - hab_auth_image ? continue-to-boot : drop-to-bootrom USB mode.
In other words if you fail to authenticate an image on the secure-boot path the appropriate next step is typically to drop into USB recovery mode.
In USB recovery mode you need to provide a signed image on a secure-boot (closed in the parlance) board. So hab_auth_img_or_fail() encapsulates that behaviour in one place - again allowing for scripting to reuse instead of replicate functionality over and over again.
These helper functions could all be buried in the board port, but they are made available here in the hope they will be of use to others.
Bryan O'Donoghue (3):
  imximage: Encase majority of header in __ASSEMBLY__ declaration
  imximage: Specify default IVT offset in IMX image
  imx: hab: Provide hab_auth_img_or_fail command

 arch/arm/mach-imx/hab.c | 35 +++++++++++++++++++++++++++++++++++
 include/imximage.h      |  5 +++++
 2 files changed, 40 insertions(+)
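As an added example that is not part of this series or of U-Boot itself, the address arithmetic the cover letter describes (load address plus a +/- IVT offset, which setexpr does in a boot script) carried through in Python, together with the structural checks a defender can apply to the IVT at that address before handing it to hab_auth_img. It assumes the HAB4 IVT layout as documented for i.MX6/i.MX7 (tag 0xD1, big-endian length 0x20, version 0x40 or 0x41, then seven little-endian words: entry, reserved1, dcd, boot_data, self, csf, reserved2); the image buffer, the 0x12000000 load address and the 0xC00 offset are constructed for the example. The self == load_addr + ivt_offset rule is HAB's own requirement; the reserved-word and CSF-bounds checks are extra sanity checks added here.

```python
import struct

# HAB4 IVT layout (assumed from the i.MX reference manuals): a 4-byte header
# (tag 0xD1, 16-bit big-endian length 0x20, version 0x40 or 0x41) followed by
# seven little-endian 32-bit words.
IVT_TAG = 0xD1
IVT_LEN = 0x20
IVT_VERSIONS = (0x40, 0x41)


def ivt_addr(base, offset):
    """Absolute IVT address from a load address and a +/- offset, the
    arithmetic 'setexpr' does in a U-Boot script.  Both arguments may be
    ints or hex strings as found in the environment ("0x12000000", "-0x400")."""
    base = int(base, 16) if isinstance(base, str) else base
    offset = int(offset, 16) if isinstance(offset, str) else offset
    addr = base + offset
    if addr < 0 or addr > 0xFFFFFFFF:
        raise ValueError("IVT address out of 32-bit range")
    return addr


def build_ivt(load_addr, ivt_offset, entry, csf_addr=0, dcd_addr=0, version=0x40):
    """Constructed IVT for the sample image: self is its own absolute address,
    boot_data directly follows the IVT, csf/dcd are 0 when absent."""
    self_addr = load_addr + ivt_offset
    body = struct.pack("<7I", entry, 0, dcd_addr, self_addr + IVT_LEN,
                       self_addr, csf_addr, 0)
    return bytes([IVT_TAG]) + struct.pack(">H", IVT_LEN) + bytes([version]) + body


def make_sample_image(load_addr, ivt_offset, size):
    """Constructed image: zero-filled buffer with an IVT at ivt_offset and a
    placeholder CSF area in the last 0x400 bytes, as a signed image would have."""
    img = bytearray(size)
    csf_addr = load_addr + size - 0x400
    img[ivt_offset:ivt_offset + IVT_LEN] = build_ivt(
        load_addr, ivt_offset, entry=load_addr + ivt_offset + 0x100,
        csf_addr=csf_addr)
    return bytes(img)


def parse_ivt(image, load_addr, ivt_offset):
    """Parse the IVT at image[ivt_offset:] and check it is consistent with the
    address it will be authenticated at: valid header, reserved words zero,
    self == load_addr + ivt_offset, csf (if set) inside the image.
    Raises ValueError on any mismatch; returns the fields otherwise."""
    if ivt_offset < 0 or ivt_offset + IVT_LEN > len(image):
        raise ValueError("IVT offset outside image")
    hdr = image[ivt_offset:ivt_offset + IVT_LEN]
    tag, version = hdr[0], hdr[3]
    (length,) = struct.unpack(">H", hdr[1:3])
    if tag != IVT_TAG or length != IVT_LEN or version not in IVT_VERSIONS:
        raise ValueError("bad IVT header %02x/%04x/%02x" % (tag, length, version))
    entry, res1, dcd, boot_data, self_addr, csf, res2 = struct.unpack("<7I", hdr[4:])
    if res1 or res2:
        raise ValueError("IVT reserved words must be zero")
    expected = ivt_addr(load_addr, ivt_offset)
    if self_addr != expected:
        # A mismatch means the image was loaded at a different address or the
        # offset passed to hab_auth_img is wrong; HAB will reject it either way.
        raise ValueError("IVT self 0x%08x != 0x%08x" % (self_addr, expected))
    if csf and not (load_addr <= csf < load_addr + len(image)):
        raise ValueError("CSF pointer outside image")
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data,
            "self": self_addr, "csf": csf, "version": version}


def ivt_looks_valid(image, load_addr, ivt_offset):
    """Boolean form of parse_ivt, for a go/no-go decision before hab_auth_img."""
    try:
        parse_ivt(image, load_addr, ivt_offset)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    load, off = 0x12000000, 0xC00        # constructed load address and IVT offset
    img = make_sample_image(load, off, 0x20000)
    print(parse_ivt(img, load, off))
    print(ivt_looks_valid(img, load, off + 4))   # wrong offset: no IVT tag there
```

The check a practitioner gains from this is the self-pointer test: a script that computes `${loadaddr} + ${ivt_offset}` with setexpr and passes it on can be wrong in either term, and both show up as a self mismatch long before HAB reports a generic authentication failure.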

Subsequent patches will want to include imximage.h but in doing so include it on an assembly compile path causing a range of compile errors. Fix the errors pre-emptively by encasing the majority of the declarations in imximage.h inside an ifdef __ASSEMBLY__ block.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Utkarsh Gupta utkarsh.gupta@nxp.com
Cc: Breno Lima breno.lima@nxp.com
Cc: Fabio Estevam fabio.estevam@nxp.com
---
 include/imximage.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/include/imximage.h b/include/imximage.h index de1ea8f..553b852 100644 --- a/include/imximage.h +++ b/include/imximage.h @@ -56,6 +56,7 @@ #define DCD_CHECK_BITS_SET_PARAM 0x14 #define DCD_CHECK_BITS_CLR_PARAM 0x04
+#ifndef __ASSEMBLY__ enum imximage_cmd { CMD_INVALID, CMD_IMAGE_VERSION, @@ -197,4 +198,5 @@ typedef void (*set_dcd_rst_t)(struct imx_header *imxhdr, typedef void (*set_imx_hdr_t)(struct imx_header *imxhdr, uint32_t dcd_len, uint32_t entry_point, uint32_t flash_offset);
+#endif /* __ASSEMBLY__ */ #endif /* _IMXIMAGE_H_ */
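Review bot: in the @@ -197 hunk the closing comment `#endif /* __ASSEMBLY__ */` reads as if it closes an `#ifdef`, while the guard opened in the @@ -56 hunk is `#ifndef __ASSEMBLY__`; suggest `#endif /* !__ASSEMBLY__ */` so the two ends of the guard match, and the commit message's "ifdef __ASSEMBLY__" should be brought in line with the ifndef the code actually uses.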

This patch adds BOOTROM_IVT_HDR_OFFSET at 0xC00. The BootROM expects to find the IVT header at a particular offset in an i.MX image.
Defining the expected offset of the IVT header in the first-stage BootROM image format is of use to later-stage authentication routines where those routines continue to follow the first-stage authentication layout.
This patch defines the first stage offset, with an upcoming set of BSP patches making use of that offset subsequently.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Utkarsh Gupta utkarsh.gupta@nxp.com
Cc: Breno Lima breno.lima@nxp.com
Cc: Fabio Estevam fabio.estevam@nxp.com
---
 include/imximage.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/include/imximage.h b/include/imximage.h index 553b852..800fd63 100644 --- a/include/imximage.h +++ b/include/imximage.h @@ -14,6 +14,9 @@ #define APP_CODE_BARKER 0xB1 #define DCD_BARKER 0xB17219E9
+/* Specify the offset of the IVT in the IMX header as expected by BootROM */ +#define BOOTROM_IVT_HDR_OFFSET 0xC00 + /* * NOTE: This file must be kept in sync with arch/arm/include/asm/\ * mach-imx/imximage.cfg because tools/imximage.c can not
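Review bot: nothing in this hunk, or elsewhere in the series, uses BOOTROM_IVT_HDR_OFFSET, and the commit message defers the user to a later BSP series; the define should travel with its first user so the value can be reviewed against the image layout that consumes it. The comment "as expected by BootROM" also does not say which image layout the 0xC00 belongs to; since the cover letter says this replaces the misnamed IVT_PAD_SIZE, stating that layout in the comment would avoid the same confusion recurring.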

On Mon, Mar 26, 2018 at 11:11 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
+/* Specify the offset of the IVT in the IMX header as expected by BootROM */ +#define BOOTROM_IVT_HDR_OFFSET 0xC00
You introduce this new define, but there is no user for it.

On 26/03/18 15:15, Fabio Estevam wrote:
On Mon, Mar 26, 2018 at 11:11 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
+/* Specify the offset of the IVT in the IMX header as expected by BootROM */ +#define BOOTROM_IVT_HDR_OFFSET 0xC00
You introduce this new define, but there is no user for it.
Ah not _yet_
There's a bunch of code in a BSP mod I plan to bomb the list with that makes use of this.

On Mon, Mar 26, 2018 at 11:30 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
Ah not _yet_
There's a bunch of code in a BSP mod I plan to bomb the list with that makes use of this.
In this case, please make this patch part of the series where we actually see its usage, thanks.

On 26/03/18 15:31, Fabio Estevam wrote:
On Mon, Mar 26, 2018 at 11:30 AM, Bryan O'Donoghue bryan.odonoghue@linaro.org wrote:
Ah not _yet_
There's a bunch of code in a BSP mod I plan to bomb the list with that makes use of this.
In this case, please make this patch part of the series where we actually see its usage, thanks.
sure OK

This patch adds hab_auth_img_or_fail(), a command line function that encapsulates a common usage of authenticate and failover, namely if authenticate image fails, then drop to BootROM USB recovery mode.
For secure-boot systems, this type of locked down behavior is important to ensure no unsigned images can be run.
It's possible to script this logic but, when done over and over again, the environment starts to get very complex and repetitive; reducing that script repetition down to a command line function makes sense.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Utkarsh Gupta utkarsh.gupta@nxp.com
Cc: Breno Lima breno.lima@nxp.com
Cc: Fabio Estevam fabio.estevam@nxp.com
---
 arch/arm/mach-imx/hab.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index c730c8f..9ca7bad 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -341,6 +341,31 @@ static int do_hab_failsafe(cmd_tbl_t *cmdtp, int flag, int argc, return 0; }
+static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag, + int argc, char * const argv[]) +{ + int ret = CMD_RET_FAILURE; + + if (argc != 4) { + ret = CMD_RET_USAGE; + goto error; + } + + if (!imx_hab_is_enabled()) { + printf("error: secure boot disabled\n"); + goto error; + } + + if (do_authenticate_image(NULL, flag, argc, argv) != CMD_RET_SUCCESS) { + fprintf(stderr, "authentication fail -> %s %s %s %s\n", + argv[0], argv[1], argv[2], argv[3]); + do_hab_failsafe(0, 0, 1, NULL); + }; + ret = CMD_RET_SUCCESS; +error: + return ret; +} + U_BOOT_CMD( hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, "display HAB status", @@ -362,6 +387,16 @@ U_BOOT_CMD( "" );
+U_BOOT_CMD( + hab_auth_img_or_fail, 4, 0, + do_authenticate_image_or_failover, + "authenticate image via HAB on failure drop to USB BootROM mode", + "addr length ivt_offset\n" + "addr - image hex address\n" + "length - image hex length\n" + "ivt_offset - hex offset of IVT in the image" + ); + #endif /* !defined(CONFIG_SPL_BUILD) */
/* Get CSF Header length */
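Review bot: in the @@ -341 hunk, after an authentication failure `do_hab_failsafe(0, 0, 1, NULL);` is called and control then falls through to `ret = CMD_RET_SUCCESS;`, so if the failsafe call returns for any reason the command reports success for an image that did not authenticate, and a script written as `hab_auth_img_or_fail ... && bootm` would go on to boot it. Suggest `goto error;` (leaving ret at CMD_RET_FAILURE) immediately after the failsafe call so a returned failsafe is still a failed command, and drop the stray `;` after the closing brace of that if block. Passing NULL as cmdtp to do_authenticate_image() also deserves a one-line comment stating that the callee does not use it.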
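Review bot: in the @@ -362 hunk the one-line help "authenticate image via HAB on failure drop to USB BootROM mode" needs a separator between its two clauses, e.g. "authenticate image via HAB; on failure drop to USB BootROM mode", and the usage text should note that the command only returns to the prompt when authentication succeeds, since that is what distinguishes it from hab_auth_img for someone reading `help`.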

Hi Bryan,
2018-03-26 11:11 GMT-03:00 Bryan O'Donoghue bryan.odonoghue@linaro.org:
This patch adds hab_auth_img_or_fail(), a command line function that encapsulates a common usage of authenticate and failover, namely if authenticate image fails, then drop to BootROM USB recovery mode.
For secure-boot systems, this type of locked down behavior is important to ensure no unsigned images can be run.
It's possible to script this logic but, when done over and over again, the environment starts to get very complex and repetitive; reducing that script repetition down to a command line function makes sense.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Utkarsh Gupta utkarsh.gupta@nxp.com
Cc: Breno Lima breno.lima@nxp.com
Cc: Fabio Estevam fabio.estevam@nxp.com
Tested-by: Breno Lima breno.lima@nxp.com
Thanks, Breno

Hi All,
2018-03-27 19:44 GMT-03:00 Breno Matheus Lima brenomatheus@gmail.com:
Hi Bryan,
2018-03-26 11:11 GMT-03:00 Bryan O'Donoghue bryan.odonoghue@linaro.org:
This patch adds hab_auth_img_or_fail(), a command line function that encapsulates a common usage of authenticate and failover, namely if authenticate image fails, then drop to BootROM USB recovery mode.
For secure-boot systems, this type of locked down behavior is important to ensure no unsigned images can be run.
It's possible to script this logic but, when done over and over again, the environment starts to get very complex and repetitive; reducing that script repetition down to a command line function makes sense.
Signed-off-by: Bryan O'Donoghue bryan.odonoghue@linaro.org
Cc: Utkarsh Gupta utkarsh.gupta@nxp.com
Cc: Breno Lima breno.lima@nxp.com
Cc: Fabio Estevam fabio.estevam@nxp.com
Tested-by: Breno Lima breno.lima@nxp.com
Thanks, Breno
Sorry, I have commented on the wrong series; my intention was to comment on the V3 series. I will resend the Tested-by.
Thanks, Breno Matheus Lima
participants (3)
- Breno Matheus Lima
- Bryan O'Donoghue
- Fabio Estevam