[PATCH v2] imx: spl: fix imx8m secure boot
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards. Problem was that FIT header and so IVT header too, was loaded to memallocated address. So the ivt header address coded in IVT itself does not fit with the real position.
Signed-off-by: Heiko Schocher hs@denx.de
--- replaces Series: https://lists.denx.de/pipermail/u-boot/2021-August/457308.html
@Tim: could you please test this version on your hardware?
azure build: https://dev.azure.com/hs0298/hs/_build/results?buildId=72&view=results
Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
Changes in v2: - use code from NXP commit 719d665 as Ye Li suggested.
arch/arm/mach-imx/spl.c | 14 ++++++++++++++ common/spl/spl_fit.c | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c index 36033d611c..59c6c3752d 100644 --- a/arch/arm/mach-imx/spl.c +++ b/arch/arm/mach-imx/spl.c @@ -334,6 +334,20 @@ void board_spl_fit_post_load(const void *fit) } #endif
+void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{ + int align_len = ARCH_DMA_MINALIGN - 1; + + /* Some devices like SDP, NOR, NAND, SPI are using bl_len =1, so their fit address + * is different with SD/MMC, this cause mismatch with signed address. Thus, adjust + * the bl_len to align with SD/MMC. + */ + if (bl_len < 512) + bl_len = 512; + + return (void *)((CONFIG_SYS_TEXT_BASE - fit_size - bl_len - + align_len) & ~align_len); +} #endif
#if defined(CONFIG_MX6) && defined(CONFIG_SPL_OS_BOOT) diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index f41abca0cc..a4337d3c88 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -538,6 +538,11 @@ static void *spl_get_fit_load_buffer(size_t size) return buf; }
+__weak void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{ + return spl_get_fit_load_buffer(sectors * bl_len); +} + /* * Weak default function to allow customizing SPL fit loading for load-only * use cases by allowing to skip the parsing/processing of the FIT contents @@ -631,7 +636,7 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx, * For FIT with external data, data is not loaded in this step. */ sectors = get_aligned_image_size(info, size, 0); - buf = spl_get_fit_load_buffer(sectors * info->bl_len); + buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len);
count = info->read(info, sector, sectors, buf); ctx->fit = buf;
On Mon, Aug 16, 2021 at 11:17 PM Heiko Schocher hs@denx.de wrote:
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards. Problem was that FIT header and so IVT header too, was loaded to memallocated address. So the ivt header address coded in IVT itself does not fit with the real position.
Signed-off-by: Heiko Schocher hs@denx.de
replaces Series: https://lists.denx.de/pipermail/u-boot/2021-August/457308.html
@Tim: could you please test this version on your hardware?
azure build: https://dev.azure.com/hs0298/hs/_build/results?buildId=72&view=results
Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
Changes in v2:
- use code from NXP commit 719d665 as Ye Li suggested.
arch/arm/mach-imx/spl.c | 14 ++++++++++++++ common/spl/spl_fit.c | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c index 36033d611c..59c6c3752d 100644 --- a/arch/arm/mach-imx/spl.c +++ b/arch/arm/mach-imx/spl.c @@ -334,6 +334,20 @@ void board_spl_fit_post_load(const void *fit) } #endif
+void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{
int align_len = ARCH_DMA_MINALIGN - 1;/* Some devices like SDP, NOR, NAND, SPI are using bl_len =1, so their fit address* is different with SD/MMC, this cause mismatch with signed address. Thus, adjust* the bl_len to align with SD/MMC.*/if (bl_len < 512)bl_len = 512;return (void *)((CONFIG_SYS_TEXT_BASE - fit_size - bl_len -align_len) & ~align_len);+} #endif
#if defined(CONFIG_MX6) && defined(CONFIG_SPL_OS_BOOT) diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index f41abca0cc..a4337d3c88 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -538,6 +538,11 @@ static void *spl_get_fit_load_buffer(size_t size) return buf; }
+__weak void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{
return spl_get_fit_load_buffer(sectors * bl_len);+}
/*
- Weak default function to allow customizing SPL fit loading for load-only
- use cases by allowing to skip the parsing/processing of the FIT contents
@@ -631,7 +636,7 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx, * For FIT with external data, data is not loaded in this step. */ sectors = get_aligned_image_size(info, size, 0);
buf = spl_get_fit_load_buffer(sectors * info->bl_len);
buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len); count = info->read(info, sector, sectors, buf); ctx->fit = buf;-- 2.31.1
Heiko,
Thanks - works great on imx8mm-venice boards with eMMC with both CONFIG_IMX_HAB=y and not.
Tested-by: Tim Harvey tharvey@gateworks.com
I am still interested in using binman to generate signed images but have not had time to look into and probably won't for another couple of weeks at the earliest.
Best regards,
Tim
Hello Tim,
On 18.08.21 23:02, Tim Harvey wrote:
On Mon, Aug 16, 2021 at 11:17 PM Heiko Schocher hs@denx.de wrote:
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards. Problem was that FIT header and so IVT header too, was loaded to memallocated address. So the ivt header address coded in IVT itself does not fit with the real position.
Signed-off-by: Heiko Schocher hs@denx.de
replaces Series: https://lists.denx.de/pipermail/u-boot/2021-August/457308.html
@Tim: could you please test this version on your hardware?
azure build: https://dev.azure.com/hs0298/hs/_build/results?buildId=72&view=results
Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
Changes in v2:
- use code from NXP commit 719d665 as Ye Li suggested.
arch/arm/mach-imx/spl.c | 14 ++++++++++++++ common/spl/spl_fit.c | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c index 36033d611c..59c6c3752d 100644 --- a/arch/arm/mach-imx/spl.c +++ b/arch/arm/mach-imx/spl.c @@ -334,6 +334,20 @@ void board_spl_fit_post_load(const void *fit) } #endif
+void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{
int align_len = ARCH_DMA_MINALIGN - 1;/* Some devices like SDP, NOR, NAND, SPI are using bl_len =1, so their fit address* is different with SD/MMC, this cause mismatch with signed address. Thus, adjust* the bl_len to align with SD/MMC.*/if (bl_len < 512)bl_len = 512;return (void *)((CONFIG_SYS_TEXT_BASE - fit_size - bl_len -align_len) & ~align_len);+} #endif
#if defined(CONFIG_MX6) && defined(CONFIG_SPL_OS_BOOT) diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c index f41abca0cc..a4337d3c88 100644 --- a/common/spl/spl_fit.c +++ b/common/spl/spl_fit.c @@ -538,6 +538,11 @@ static void *spl_get_fit_load_buffer(size_t size) return buf; }
+__weak void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len) +{
return spl_get_fit_load_buffer(sectors * bl_len);+}
/*
- Weak default function to allow customizing SPL fit loading for load-only
- use cases by allowing to skip the parsing/processing of the FIT contents
@@ -631,7 +636,7 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx, * For FIT with external data, data is not loaded in this step. */ sectors = get_aligned_image_size(info, size, 0);
buf = spl_get_fit_load_buffer(sectors * info->bl_len);
buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len); count = info->read(info, sector, sectors, buf); ctx->fit = buf;-- 2.31.1
Heiko,
Thanks - works great on imx8mm-venice boards with eMMC with both CONFIG_IMX_HAB=y and not.
Tested-by: Tim Harvey tharvey@gateworks.com
Thanks for testing!
I am still interested in using binman to generate signed images but have not had time to look into and probably won't for another couple of weeks at the earliest.
Me too, but may I do not find time in the near future, but if you have some patches, I can test them!
bye, Heiko
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu") which fixes secure boot on imx8m based boards. Problem was that FIT header and so IVT header too, was loaded to memallocated address. So the ivt header address coded in IVT itself does not fit with the real position. Signed-off-by: Heiko Schocher hs@denx.de Tested-by: Tim Harvey tharvey@gateworks.com
Applied to u-boot-imx, master, thanks !
Best regards, Stefano Babic
On 17/08/2021 08.17, Heiko Schocher wrote:
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards.
[...]
Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
Hm, the subject of that patch mentions booting through uuu, and here you mention imx8mp. I'm quite interested in that combination, as it doesn't seem that the imx8mp_evk in mainline U-Boot (signed or not) can be booted via uuu. Does serial download work on phycore-imx8mp?
As I mentioned in https://lore.kernel.org/u-boot/0996154d-774c-607f-8b5c-9cc0d268ecaa@prevas.d... , I've bisected the start of it working in the NXP fork to a specific commit, but I can't figure out what part of that is really responsible (and if it's just that that commit enables some CONFIG_* symbols for imx8mp_evk, the real meat is likely in earlier commits adding the code that thus gets enabled).
Any ideas?
Rasmus
Hello Rasmus,
On 01.11.21 08:52, Rasmus Villemoes wrote:
On 17/08/2021 08.17, Heiko Schocher wrote:
cherry-picked from NXP code: 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards.
[...]
Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
Hm, the subject of that patch mentions booting through uuu, and here you mention imx8mp. I'm quite interested in that combination, as it doesn't seem that the imx8mp_evk in mainline U-Boot (signed or not) can be booted via uuu. Does serial download work on phycore-imx8mp?
Yes, attached current log (with 2021.07 u-boot)
As I mentioned in https://lore.kernel.org/u-boot/0996154d-774c-607f-8b5c-9cc0d268ecaa@prevas.d... , I've bisected the start of it working in the NXP fork to a specific commit, but I can't figure out what part of that is really responsible (and if it's just that that commit enables some CONFIG_* symbols for imx8mp_evk, the real meat is likely in earlier commits adding the code that thus gets enabled).
Any ideas?
Puh... hard to say... I use imx-atf 2.5, there changed the loadaddress:
--- a/arch/arm/dts/imx8mp-phyboard-pollux-rdk-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-phyboard-pollux-rdk-u-boot.dtsi @@ -246,8 +246,8 @@ type = "firmware"; arch = "arm64"; compression = "none"; - load = <0x960000>; - entry = <0x960000>; + load = <0x970000>; + entry = <0x970000>;
I try to find time to look into my state, may I have some patches on top of 2021.07 ...
bye, Heiko
[1] loading SPL/U-Boot with uuu tool $ tbot @argsxxx-local-noethinit-uuu interactive_uboot tbot starting ... ├─Flags: │ 'local', 'noethinit', 'uuuloader', 'do_power' ├─Boardname: xxx ├─Calling interactive_uboot ... │ ├─[lab6] kermit /home/pi/kermrc_imx8mp │ ├─POWERON (xxx) │ ├─[lab6] sispmctl -D 01:01:4f:d4:b1 -o 2 │ │ ## Accessing Gembird #0 USB device 004 │ │ ## Switched outlet 2 on │ ├─[lab6] sudo ls /home/pi/source/mfgtools/uuu/uuu │ │ ## /home/pi/source/mfgtools/uuu/uuu │ ├─[lab6] sudo /home/pi/source/mfgtools/uuu/uuu /srv/tftpboot/xxx/20210825-ml/imx-boot.signed │ │ ## uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.107-16-g19e2890 │ │ ## │ │ ## Success 1 Failure 0
│ │ ##
│ │ ##
│ │ ## 1:1134 2/ 2 [Done ] SDPS: done
│ │ ## │ │ ## │ ├─UBOOT (xxx-uboot) │ │ <> 18 │ │ <> OpenSSL versions prior to 1.0.0 must be the same. │ │ <> Set LD_LIBRARY_PATH for OpenSSL 1.0.2j 26 Sep 2016. │ │ <> Or rebuild C-Kermit from source on this computer to make versions agree. │ │ <> C-Kermit makefile target: linux+krb5+openssl │ │ <> Or if that is what you did then try to find out why │ │ <> the program loader (image activator) is choosing a │ │ <> different OpenSSL library than the one specified in the build. │ │ <> │ │ <> All SSL/TLS features disabled. │ │ <> │ │ <> Connecting to /dev/serial/by-id/usb-Prolific_Technology_Inc._USB-Serial_Controller-if00-port0, speed 115200 │ │ <> Escape character: Ctrl-\ (ASCII 28, FS): enabled │ │ <> Type the escape character followed by C to get back, │ │ <> or followed by ? to see other options. │ │ <> ---------------------------------------------------- │ │ <> │ │ <> U-Boot SPL 2021.07 (Nov 03 2021 - 05:37:46 +0000) │ │ <> Normal Boot │ │ <> WDT: Not starting │ │ <> Find FIT header 0x&48025000, size 872 │ │ <> hab fuse not enabled │ │ <> │ │ <> Authenticate image from DDR location 0x401fcdc0... │ │ <> Download 803692, total fit 804716 │ │ <> hab fuse not enabled │ │ <> │ │ <> Authenticate image from DDR location 0x401fcdc0... │ │ <> ERROR: mmap_add_region_check() failed. error -1 │ │ <> NOTICE: BL31: v2.5(release):v2.5-90-g111debd22 │ │ <> NOTICE: BL31: Built : 04:17:49, Jun 22 2021 │ │ <> │ │ <> │ │ <> U-Boot 2021.07 (Nov 03 2021 - 05:37:46 +0000) │ │ <> │ │ <> CPU: Freescale i.MX8MP[8] rev1.1 at 1200 MHz │ │ <> Reset cause: POR │ │ <> Model: PHYTEC phyBOARD-Pollux i.MX8MP │ │ <> DRAM: 2 GiB │ │ <> WDT: Started with servicing (60s timeout) │ │ <> MMC: FSL_SDHC: 1, FSL_SDHC: 2 │ │ <> Loading Environment from nowhere... OK │ │ <> Loading Environment from SPIFlash... clk qspi_root_clk already disabled │ │ <> clk qspi_root_clk already disabled │ │ <> SF: Detected mt25qu512a with page size 256 Bytes, erase size 64 KiB, total 64 MiB │ │ <> OK │ │ <> In: serial@30890000 │ │ <> Out: serial@30890000 │ │ <> Err: serial@30890000 │ │ <> POR: reset bootcount │ │ <> Net: No ethernet found. │ │ <> Hit any key to stop autoboot: 0 │ │ <> DEVEL: autoboot failed, go to cmdline │ │ <> u-boot=>
participants (4)
-
Heiko Schocher -
Rasmus Villemoes -
sbabic@denx.de -
Tim Harvey