[U-Boot] [PATCH v1 0/7] The patchset fixes some issue in the generation of the imx image
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
Stefano Babic (7): tools: imx_header should not include flash_offset tools: rename mximage_flash_offset to imximage_ivt_offset tools: dynamically allocate imx_header in imximage tools: add variable padding of data image in mkimage tools: add padding of data image file for imximage tools: add support for setting the CSF into imximage imx: add status reporting for HAB status
arch/arm/cpu/armv7/mx6/Makefile | 2 +- arch/arm/cpu/armv7/mx6/hab.c | 127 ++++++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 80 ++++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 +- doc/README.imximage | 18 +++- doc/README.mxc_hab | 48 +++++++++ tools/imximage.c | 168 +++++++++++++++++++++++++++--- tools/imximage.h | 20 +++- tools/mkimage.c | 24 ++++- tools/mkimage.h | 5 +- 10 files changed, 471 insertions(+), 29 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h create mode 100644 doc/README.mxc_hab
Doing a make distclean; make mx6qsabresd_config; make and hexdump -C u-boot.imx | less
... 00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 |................| ^^^^^^^^^^^ 00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å| ...
shows the flash_offset value being written into the final generated image, wich is not correct.
Instead create flash_offset as static variable such that the generated image is "clean".
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å|
Signed-off-by: Stefano Babic sbabic@denx.de
--- tools/imximage.c | 15 ++++++++------- tools/imximage.h | 1 - 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 5e8e470..013fa80 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -68,6 +68,7 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; +static uint32_t imximage_flash_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -343,9 +344,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imxhdr->flash_offset = get_table_entry_id(imximage_bootops, + imximage_flash_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imxhdr->flash_offset == -1) { + if (imximage_flash_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -354,7 +355,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imxhdr->flash_offset = get_cfg_value(token, name, lineno); + imximage_flash_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -455,7 +456,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imxhdr->flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -513,14 +514,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imxhdr->flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_flash_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imxhdr->flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset);
/* * ROM bug alert @@ -531,7 +532,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imxhdr->flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index 5c929e4..da1c4ff 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -163,7 +163,6 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; - uint32_t flash_offset; } __attribute__((aligned(4096)));
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr,
This better reflects the naming from the Reference Manual as well as fits better since "flash" is not really applicabe for SATA.
Signed-off-by: Stefano Babic sbabic@denx.de --- tools/imximage.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 013fa80..d87e94d 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -68,7 +68,8 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; -static uint32_t imximage_flash_offset; +/* Image Vector Table Offset */ +static uint32_t imximage_ivt_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -344,9 +345,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_flash_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imximage_flash_offset == -1) { + if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -355,7 +356,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imximage_flash_offset = get_cfg_value(token, name, lineno); + imximage_ivt_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -456,7 +457,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_ivt_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -514,14 +515,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imximage_flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_ivt_offset);
/* * ROM bug alert @@ -532,7 +533,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); }
int imximage_check_params(struct mkimage_params *params)
Change to dynamically allocate the imx_header to correctly allocate the IVT, Boot Data and DCD at correct locations depending on the boot media.
Also check that the Image Vector Table Offset + IVT + Boot Data + DCD <= Initial Load Region Size.
Previously struct imx_header was always 4096 bytes and was not dealing correctly with the Image Vector Table Offset.
Now, the memory allocation looks for e.g. SD boot like this
Storage u-boot.imx RAM Device
00000000 177ff000 <-------------- | 00000400 00000000 d1 00 20 40 IVT.header 177ff400 <------- | 00000404 00000004 00 00 80 17 IVT.entry 177ff404 ----------- | 00000408 00000008 00 00 00 00 IVT.reserved1 177ff408 | | | 0000040C 0000000C 2c f4 7f 17 IVT.dcd 177ff40C ------ | | | 00000410 00000010 20 f4 7f 17 IVT.boot 177ff410 ---- | | | | 00000414 00000014 00 f4 7f 17 IVT.self 177ff414 -------- | | 00000418 00000018 00 00 00 00 IVT.csf 177ff418 | | | | 0000041C 0000001C 00 00 00 00 IVT.reserved2 177ff41C | | | | 00000420 00000020 00 f0 7f 17 BootData.start 177ff420 <--- | | --- 00000424 00000024 00 60 03 00 BootData.length 177ff424 | | 00000428 00000028 00 00 00 00 BootData.plugin 177ff428 | | 0000042C 0000002C d2 03 30 40 DCD.header 177ff42C <----- | ... | 00001000 00000c00 13 00 00 ea U-Boot Start 17800000 <----------
While at it also remove the unused #define HEADER_OFFSET.
Signed-off-by: Stefano Babic sbabic@denx.de --- tools/imximage.c | 44 +++++++++++++++++++++++++++++++++++++------- tools/imximage.h | 16 +++++++++++++--- 2 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index d87e94d..984cb9b 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -47,7 +47,7 @@ static table_entry_t imximage_cmds[] = { * Supported Boot options for configuration file * this is needed to set the correct flash offset */ -static table_entry_t imximage_bootops[] = { +static table_entry_t imximage_boot_offset[] = { {FLASH_OFFSET_ONENAND, "onenand", "OneNAND Flash",}, {FLASH_OFFSET_NAND, "nand", "NAND Flash", }, {FLASH_OFFSET_NOR, "nor", "NOR Flash", }, @@ -58,6 +58,20 @@ static table_entry_t imximage_bootops[] = { };
/* + * Supported Boot options for configuration file + * this is needed to determine the initial load size + */ +static table_entry_t imximage_boot_loadsize[] = { + {FLASH_LOADSIZE_ONENAND, "onenand", "OneNAND Flash",}, + {FLASH_LOADSIZE_NAND, "nand", "NAND Flash", }, + {FLASH_LOADSIZE_NOR, "nor", "NOR Flash", }, + {FLASH_LOADSIZE_SATA, "sata", "SATA Disk", }, + {FLASH_LOADSIZE_SD, "sd", "SD Card", }, + {FLASH_LOADSIZE_SPI, "spi", "SPI Flash", }, + {-1, "", "Invalid", }, +}; + +/* * IMXIMAGE version definition for i.MX chips */ static table_entry_t imximage_versions[] = { @@ -70,6 +84,8 @@ static struct imx_header imximage_header; static uint32_t imximage_version; /* Image Vector Table Offset */ static uint32_t imximage_ivt_offset; +/* Initial Load Region Size */ +static uint32_t imximage_init_loadsize;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -211,7 +227,9 @@ static void set_imx_hdr_v1(struct imx_header *imxhdr, uint32_t dcd_len, /* Set magic number */ fhdr_v1->app_code_barker = APP_CODE_BARKER;
- hdr_base = entry_point - sizeof(struct imx_header); + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + /* hdr_base = entry_point - imximage_init_loadsize + flash_offset; */ + hdr_base = entry_point - 4096; fhdr_v1->app_dest_ptr = hdr_base - flash_offset; fhdr_v1->app_code_jump_vector = entry_point;
@@ -238,12 +256,13 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len,
fhdr_v2->entry = entry_point; fhdr_v2->reserved1 = fhdr_v2->reserved2 = 0; - fhdr_v2->self = hdr_base = entry_point - sizeof(struct imx_header); - + hdr_base = entry_point - imximage_init_loadsize + + flash_offset; + fhdr_v2->self = hdr_base; fhdr_v2->dcd_ptr = hdr_base + offsetof(imx_header_v2_t, dcd_table); fhdr_v2->boot_data_ptr = hdr_base + offsetof(imx_header_v2_t, boot_data); - hdr_v2->boot_data.start = hdr_base - flash_offset; + hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
/* Security feature are not supported */ fhdr_v2->csf = 0; @@ -345,13 +364,24 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_ivt_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_boot_offset, "imximage boot option", token); if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); } + + imximage_init_loadsize = + get_table_entry_id(imximage_boot_loadsize, + "imximage boot option", token); + + if (imximage_init_loadsize == -1) { + fprintf(stderr, + "Error: %s[%d] -Invalid boot device(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -533,7 +563,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index da1c4ff..b0305bf 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -29,14 +29,14 @@ #define APP_CODE_BARKER 0xB1 #define DCD_BARKER 0xB17219E9
-#define HEADER_OFFSET 0x400 - /* * NOTE: This file must be kept in sync with arch/arm/include/asm/\ * imx-common/imximage.cfg because tools/imximage.c can not * cross-include headers from arch/arm/ and vice-versa. */ #define CMD_DATA_STR "DATA" + +/* Initial Vector Table Offset */ #define FLASH_OFFSET_UNDEFINED 0xFFFFFFFF #define FLASH_OFFSET_STANDARD 0x400 #define FLASH_OFFSET_NAND FLASH_OFFSET_STANDARD @@ -46,6 +46,16 @@ #define FLASH_OFFSET_NOR 0x1000 #define FLASH_OFFSET_SATA FLASH_OFFSET_STANDARD
+/* Initial Load Region Size */ +#define FLASH_LOADSIZE_UNDEFINED 0xFFFFFFFF +#define FLASH_LOADSIZE_STANDARD 0x1000 +#define FLASH_LOADSIZE_NAND FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SD FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SPI FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_ONENAND 0x400 +#define FLASH_LOADSIZE_NOR 0x0 /* entire image */ +#define FLASH_LOADSIZE_SATA FLASH_LOADSIZE_STANDARD + #define IVT_HEADER_TAG 0xD1 #define IVT_VERSION 0x40 #define DCD_HEADER_TAG 0xD2 @@ -163,7 +173,7 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; -} __attribute__((aligned(4096))); +};
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr, char *name, int lineno,
Dear Stefano Babic,
Change to dynamically allocate the imx_header to correctly allocate the IVT, Boot Data and DCD at correct locations depending on the boot media.
Also check that the Image Vector Table Offset + IVT + Boot Data + DCD <= Initial Load Region Size.
Previously struct imx_header was always 4096 bytes and was not dealing correctly with the Image Vector Table Offset.
Now, the memory allocation looks for e.g. SD boot like this
Storage u-boot.imx RAM Device
00000000 177ff000 <--------------
00000400 00000000 d1 00 20 40 IVT.header 177ff400 <------- | 00000404 00000004 00 00 80 17 IVT.entry 177ff404 ----------- | 00000408 00000008 00 00 00 00 IVT.reserved1 177ff408 | | | 0000040C 0000000C 2c f4 7f 17 IVT.dcd 177ff40C ------ | | | 00000410 00000010 20 f4 7f 17 IVT.boot 177ff410 ---- | | | | 00000414 00000014 00 f4 7f 17 IVT.self 177ff414 -------- | | 00000418 00000018 00 00 00 00 IVT.csf 177ff418 | | | | 0000041C 0000001C 00 00 00 00 IVT.reserved2 177ff41C | | | | 00000420 00000020 00 f0 7f 17 BootData.start 177ff420 <--- | | --- 00000424 00000024 00 60 03 00 BootData.length 177ff424 | | 00000428 00000028 00 00 00 00 BootData.plugin 177ff428 | | 0000042C 0000002C d2 03 30 40 DCD.header 177ff42C <----- | ... | 00001000 00000c00 13 00 00 ea U-Boot Start 17800000 <----------
While at it also remove the unused #define HEADER_OFFSET.
Signed-off-by: Stefano Babic sbabic@denx.de
tools/imximage.c | 44 +++++++++++++++++++++++++++++++++++++------- tools/imximage.h | 16 +++++++++++++--- 2 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index d87e94d..984cb9b 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -47,7 +47,7 @@ static table_entry_t imximage_cmds[] = {
- Supported Boot options for configuration file
- this is needed to set the correct flash offset
*/ -static table_entry_t imximage_bootops[] = { +static table_entry_t imximage_boot_offset[] = { {FLASH_OFFSET_ONENAND, "onenand", "OneNAND Flash",}, {FLASH_OFFSET_NAND, "nand", "NAND Flash", }, {FLASH_OFFSET_NOR, "nor", "NOR Flash", }, @@ -58,6 +58,20 @@ static table_entry_t imximage_bootops[] = { };
/*
- Supported Boot options for configuration file
- this is needed to determine the initial load size
- */
+static table_entry_t imximage_boot_loadsize[] = {
- {FLASH_LOADSIZE_ONENAND, "onenand", "OneNAND Flash",},
- {FLASH_LOADSIZE_NAND, "nand", "NAND Flash", },
- {FLASH_LOADSIZE_NOR, "nor", "NOR Flash", },
- {FLASH_LOADSIZE_SATA, "sata", "SATA Disk", },
- {FLASH_LOADSIZE_SD, "sd", "SD Card", },
- {FLASH_LOADSIZE_SPI, "spi", "SPI Flash", },
- {-1, "", "Invalid", },
+};
+/*
- IMXIMAGE version definition for i.MX chips
*/ static table_entry_t imximage_versions[] = { @@ -70,6 +84,8 @@ static struct imx_header imximage_header; static uint32_t imximage_version; /* Image Vector Table Offset */ static uint32_t imximage_ivt_offset; +/* Initial Load Region Size */ +static uint32_t imximage_init_loadsize;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -211,7 +227,9 @@ static void set_imx_hdr_v1(struct imx_header *imxhdr, uint32_t dcd_len, /* Set magic number */ fhdr_v1->app_code_barker = APP_CODE_BARKER;
- hdr_base = entry_point - sizeof(struct imx_header);
- /* TODO: check i.MX image V1 handling, for now use 'old' style */
- /* hdr_base = entry_point - imximage_init_loadsize + flash_offset; */
The above line should probably be removed.
[...]
@@ -163,7 +173,7 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; -} __attribute__((aligned(4096))); +};
What about the alignment, is it preserved?
Best regards, Marek Vasut
Use previously unused return value of function vrec_header to return a padding size to generic mkimage. This padding size is used in copy_files to pad with zeros after copying the data image.
Signed-off-by: Stefano Babic sbabic@denx.de --- tools/mkimage.c | 24 +++++++++++++++++++++--- tools/mkimage.h | 5 ++++- 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/tools/mkimage.c b/tools/mkimage.c index d312844..d2f24e4 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -150,6 +150,7 @@ main (int argc, char **argv) char *ptr; int retval = 0; struct image_type_params *tparams = NULL; + int pad_len = 0;
/* Init Freescale PBL Boot image generation/list support */ init_pbl_image_type(); @@ -404,7 +405,7 @@ NXTARG: ; * allocate memory for the header itself. */ if (tparams->vrec_header) - tparams->vrec_header(¶ms, tparams); + pad_len = tparams->vrec_header(¶ms, tparams); else memset(tparams->hdr, 0, tparams->header_size);
@@ -476,7 +477,7 @@ NXTARG: ; /* PBL has special Image format, implements its' own */ pbl_load_uboot(ifd, ¶ms); } else { - copy_file (ifd, params.datafile, 0); + copy_file(ifd, params.datafile, pad_len); } }
@@ -550,10 +551,19 @@ copy_file (int ifd, const char *datafile, int pad) unsigned char *ptr; int tail; int zero = 0; + uint8_t zeros[4096]; int offset = 0; int size; struct image_type_params *tparams = mkimage_get_type (params.type);
+ if (pad >= sizeof(zeros)) { + fprintf(stderr, "%s: Can't pad to %d\n", + params.cmdname, pad); + exit(EXIT_FAILURE); + } + + memset(zeros, 0, sizeof(zeros)); + if (params.vflag) { fprintf (stderr, "Adding Image %s\n", datafile); } @@ -611,7 +621,8 @@ copy_file (int ifd, const char *datafile, int pad) exit (EXIT_FAILURE); }
- if (pad && ((tail = size % 4) != 0)) { + tail = size % 4; + if ((pad == 1) && (tail != 0)) {
if (write(ifd, (char *)&zero, 4-tail) != 4-tail) { fprintf (stderr, "%s: Write error on %s: %s\n", @@ -619,6 +630,13 @@ copy_file (int ifd, const char *datafile, int pad) strerror(errno)); exit (EXIT_FAILURE); } + } else if (pad > 1) { + if (write(ifd, (char *)&zeros, pad) != pad) { + fprintf(stderr, "%s: Write error on %s: %s\n", + params.cmdname, params.imagefile, + strerror(errno)); + exit(EXIT_FAILURE); + } }
(void) munmap((void *)ptr, sbuf.st_size); diff --git a/tools/mkimage.h b/tools/mkimage.h index 1d9984e..5b63ebf 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -145,7 +145,10 @@ struct image_type_params { /* * This callback function will be executed for variable size record * It is expected to build this header in memory and return its length - * and a pointer to it + * and a pointer to it by using image_type_params.header_size and + * image_type_params.hdr. The return value shall indicate if an + * additional padding should be used when copying the data image + * by returning the padding length. */ int (*vrec_header) (struct mkimage_params *, struct image_type_params *);
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de --- tools/imximage.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 2 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 984cb9b..85cc619 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -588,18 +588,96 @@ int imximage_check_params(struct mkimage_params *params) (params->xflag) || !(strlen(params->imagename)); }
+static int imximage_generate(struct mkimage_params *params, + struct image_type_params *tparams) +{ + struct imx_header *imxhdr; + size_t alloc_len; + int dfd; + struct stat sbuf; + char *datafile = params->datafile; + uint32_t pad_len; + + memset(&imximage_header, 0, sizeof(imximage_header)); + + /* + * In order to not change the old imx cfg file + * by adding VERSION command into it, here need + * set up function ptr group to V1 by default. + */ + imximage_version = IMXIMAGE_V1; + /* Be able to detect if the cfg file has no BOOT_FROM tag */ + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; + set_hdr_func(imxhdr); + + /* Parse dcd configuration file */ + parse_cfg_file(&imximage_header, params->imagename); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + alloc_len = 4096; + else + alloc_len = imximage_init_loadsize - imximage_ivt_offset; + + if (alloc_len < sizeof(struct imx_header)) { + fprintf(stderr, "%s: header error\n", + params->cmdname); + exit(EXIT_FAILURE); + } + + imxhdr = malloc(alloc_len); + + if (!imxhdr) { + fprintf(stderr, "%s: malloc return failure: %s\n", + params->cmdname, strerror(errno)); + exit(EXIT_FAILURE); + } + + memset(imxhdr, 0, alloc_len); + + tparams->header_size = alloc_len; + tparams->hdr = imxhdr; + + /* determine data image file length */ + dfd = open(datafile, O_RDONLY|O_BINARY); + if (dfd < 0) { + fprintf(stderr, "%s: Can't open %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + if (fstat(dfd, &sbuf) < 0) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + pad_len = ROUND(sbuf.st_size, 4096) - sbuf.st_size; + + close(dfd); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + return 0; + else + return pad_len; +} + + /* * imximage parameters */ static struct image_type_params imximage_params = { .name = "Freescale i.MX Boot Image support", - .header_size = sizeof(struct imx_header), - .hdr = (void *)&imximage_header, + .header_size = 0, + .hdr = NULL, .check_image_type = imximage_check_image_types, .verify_header = imximage_verify_header, .print_header = imximage_print_header, .set_header = imximage_set_header, .check_params = imximage_check_params, + .vrec_header = imximage_generate, };
void init_imx_image_type(void)
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g.
CSF 0x2000
in the imximage.cfg file.
This will set the CSF pointer accordingly just after the padded data image area. The boot_data.length is adjusted with the value from the imximage.cfg config file.
The resulting u-boot.imx can be signed with the FSL HAB tooling. The generated CSF block needs to be appended to the u-boot.imx.
Signed-off-by: Stefano Babic sbabic@denx.de --- doc/README.imximage | 18 +++++++++++++++--- doc/README.mxc_hab | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/imximage.c | 30 +++++++++++++++++++++++++++++- tools/imximage.h | 3 ++- 4 files changed, 94 insertions(+), 5 deletions(-) create mode 100644 doc/README.mxc_hab
diff --git a/doc/README.imximage b/doc/README.imximage index 802eb90..c10684f 100644 --- a/doc/README.imximage +++ b/doc/README.imximage @@ -15,9 +15,6 @@ Booting from NOR flash does not require to use this image type. For more details refer Chapter 2 - System Boot and section 2.14 (flash header description) of the processor's manual.
-This implementation does not use at the moment the secure boot feature -of the processor. The image is generated disabling all security fields. - Command syntax: -------------- ./tools/mkimage -l <mx u-boot_file> @@ -86,6 +83,21 @@ Configuration command line syntax: Example: BOOT_FROM spi
+ CSF value + + Total size of CSF (Command Sequence File) + used for Secure Boot/ High Assurance Boot + (HAB). + + Using this command will populate the IVT + (Initial Vector Table) CSF pointer and adjust + the length fields only. The CSF itself needs + to be generated with Freescale tools and + 'manually' appended to the u-boot.imx file. + + Example: + CSF 0x2000 + DATA type address value
type: word=4, halfword=2, byte=1 diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab new file mode 100644 index 0000000..97f8b7d --- /dev/null +++ b/doc/README.mxc_hab @@ -0,0 +1,48 @@ +High Assurance Boot (HAB) for i.MX6 CPUs + +To authenticate U-Boot only by the CPU there is no code required in +U-Boot itself. However, the U-Boot image to be programmed into the +boot media needs to be properly constructed, i.e. it must contain a +proper Command Sequence File (CSF). + +The Initial Vector Table contains a pointer to the CSF. Please see +doc/README.imximage for how to prepare u-boot.imx. + +The CSF itself is being generated by Freescale HAB tools. + +mkimage will output additional information about "HAB Blocks" +which can be used in the Freescale tooling to authenticate U-Boot +(entries in the CSF file). + +Image Type: Freescale IMX Boot Image +Image Ver: 2 (i.MX53/6 compatible) +Data Size: 327680 Bytes = 320.00 kB = 0.31 MB +Load Address: 177ff420 +Entry Point: 17800000 +HAB Blocks: 177ff400 00000000 0004dc00 + ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ + | | | + | | -------- (1) + | | + | ------------------- (2) + | + --------------------------- (3) + +(1) Size of area in file u-boot.imx to sign + This area should include the IVT, the Boot Data the DCD + and U-Boot itself. +(2) Start of area in u-boot.imx to sign +(3) Start of area in RAM to authenticate + +CONFIG_SECURE_BOOT currently enables only an additional command +'hab_status' in U-Boot to retrieve the HAB status and events. This +can be useful while developing and testing HAB. + +Commands to generate a signed U-Boot using Freescale HAB tools: +cst --o U-Boot_CSF.bin < U-Boot.CSF +objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ + U-Boot_CSF.bin U-Boot_CSF_pad.bin +cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx + +NOTE: U-Boot_CSF.bin needs to be padded to the value specified in +the imximage.cfg file. diff --git a/tools/imximage.c b/tools/imximage.c index 85cc619..3c4d0c1 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -39,6 +39,7 @@ static table_entry_t imximage_cmds[] = { {CMD_BOOT_FROM, "BOOT_FROM", "boot command", }, {CMD_BOOT_OFFSET, "BOOT_OFFSET", "Boot offset", }, {CMD_DATA, "DATA", "Reg Write Data", }, + {CMD_CSF, "CSF", "Command Sequence File", }, {CMD_IMAGE_VERSION, "IMAGE_VERSION", "image version", }, {-1, "", "", }, }; @@ -86,12 +87,14 @@ static uint32_t imximage_version; static uint32_t imximage_ivt_offset; /* Initial Load Region Size */ static uint32_t imximage_init_loadsize; +static uint32_t imximage_csf_size;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; static set_imx_hdr_t set_imx_hdr; static uint32_t max_dcd_entries; static uint32_t *header_size_ptr; +static uint32_t *csf_ptr;
static uint32_t get_cfg_value(char *token, char *name, int linenr) { @@ -264,9 +267,10 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len, + offsetof(imx_header_v2_t, boot_data); hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
- /* Security feature are not supported */ fhdr_v2->csf = 0; + header_size_ptr = &hdr_v2->boot_data.size; + csf_ptr = &fhdr_v2->csf; }
static void set_hdr_func(struct imx_header *imxhdr) @@ -343,6 +347,12 @@ static void print_hdr_v2(struct imx_header *imx_hdr) genimg_print_size(hdr_v2->boot_data.size); printf("Load Address: %08x\n", (uint32_t)fhdr_v2->boot_data_ptr); printf("Entry Point: %08x\n", (uint32_t)fhdr_v2->entry); + if (fhdr_v2->csf) { + printf("HAB Blocks: %08x %08x %08x\n", + (uint32_t)fhdr_v2->self, 0, + hdr_v2->boot_data.size - imximage_ivt_offset - + imximage_csf_size); + } }
static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, @@ -396,6 +406,17 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; + case CMD_CSF: + if (imximage_version != 2) { + fprintf(stderr, "Error: %s[%d] - " + "CSF only supported for IMAGE_VERSION 2(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } + imximage_csf_size = get_cfg_value(token, name, lineno); + if (unlikely(cmd_ver_first != 1)) + cmd_ver_first = 0; + break; } }
@@ -546,6 +567,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ @@ -564,6 +586,12 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * The remaining fraction of a block bytes would not be loaded! */ *header_size_ptr = ROUND(sbuf->st_size, 4096); + + if (csf_ptr && imximage_csf_size) { + *csf_ptr = params->ep - imximage_init_loadsize + + *header_size_ptr; + *header_size_ptr += imximage_csf_size; + } }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index b0305bf..4bba299 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -68,7 +68,8 @@ enum imximage_cmd { CMD_IMAGE_VERSION, CMD_BOOT_FROM, CMD_BOOT_OFFSET, - CMD_DATA + CMD_DATA, + CMD_CSF, };
enum imximage_fld_types {
Dear Stefano Babic,
In message 1373548001-19728-7-git-send-email-sbabic@denx.de you wrote:
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g.
This patch throws a checkpatch error that needs to be fixed:
WARNING: quoted string split across lines #265: FILE: tools/imximage.c:412: + fprintf(stderr, "Error: %s[%d] - " + "CSF only supported for IMAGE_VERSION 2(%s)\n",
Best regards,
Wolfgang Denk
Hi Wolfgang,
On 11/07/2013 20:14, Wolfgang Denk wrote:
Dear Stefano Babic,
In message 1373548001-19728-7-git-send-email-sbabic@denx.de you wrote:
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g.
This patch throws a checkpatch error that needs to be fixed:
WARNING: quoted string split across lines #265: FILE: tools/imximage.c:412:
fprintf(stderr, "Error: %s[%d] - ""CSF only supported for IMAGE_VERSION 2(%s)\n",
Fixed in V2.
Best regards, Stefano Babic
Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs.
This is taken from
git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h
Signed-off-by: Stefano Babic sbabic@denx.de --- arch/arm/cpu/armv7/mx6/Makefile | 2 +- arch/arm/cpu/armv7/mx6/hab.c | 127 ++++++++++++++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 80 +++++++++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 +- 4 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h
diff --git a/arch/arm/cpu/armv7/mx6/Makefile b/arch/arm/cpu/armv7/mx6/Makefile index 4f9ca68..7c18f43 100644 --- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -27,7 +27,7 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
-COBJS = soc.o clock.o +COBJS = soc.o clock.o hab.o
SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c) OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS)) diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c new file mode 100644 index 0000000..c3c273f --- /dev/null +++ b/arch/arm/cpu/armv7/mx6/hab.c @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2010-2013 Freescale Semiconductor, Inc. + * + * See file CREDITS for list of people who contributed to this + * project. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, + * MA 02111-1307 USA + */ + +#include <common.h> +#include <asm/io.h> +#if defined(CONFIG_SECURE_BOOT) +#include <asm/arch/hab.h> + +#ifdef CONFIG_SECURE_BOOT +/* -------- start of HAB API updates ------------*/ +#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) +#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS) +#define hab_rvt_authenticate_image \ + ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE) +#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY) +#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT) +#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT + + +bool is_hab_enabled(void) +{ + struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR; + struct fuse_bank *bank = &ocotp->bank[0]; + struct fuse_bank0_regs *fuse = + (struct fuse_bank0_regs *)bank->fuse_regs; + uint32_t reg = readl(&fuse->cfg5); + + return (reg & 0x2) == 0x2; +} + + +void display_event(uint8_t *event_data, size_t bytes) +{ + uint32_t i; + + if ((event_data) && (bytes > 0)) { + for (i = 0; i < bytes; i++) { + if (i == 0) + printf("\t0x%02x", event_data[i]); + else if ((i % 8) == 0) + printf("\n\t0x%02x", event_data[i]); + else + printf(" 0x%02x", event_data[i]); + } + } +} + +int get_hab_status(void) +{ + uint32_t index = 0; /* Loop index */ + uint8_t event_data[128]; /* Event data buffer */ + size_t bytes = sizeof(event_data); /* Event size in bytes */ + hab_config_t config = 0; + hab_state_t state = 0; + + if (is_hab_enabled()) + printf("\nSecure boot enabled\n"); + else + printf("\nSecure boot disabled\n"); + + /* Check HAB status */ + if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + + /* Display HAB Error events */ + while (hab_rvt_report_event(HAB_FAILURE, index, event_data, + &bytes) == HAB_SUCCESS) { + printf("\n"); + printf("--------- HAB Event %d -----------------\n", + index + 1); + printf("event data:\n"); + display_event(event_data, bytes); + printf("\n"); + bytes = sizeof(event_data); + index++; + } + } + /* Display message if no HAB events are found */ + else { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + printf("No HAB Events Found!\n\n"); + } + return 0; +} + +int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) +{ + if ((argc != 1)) { + cmd_usage(cmdtp); + return 1; + } + + get_hab_status(); + + return 0; +} + +U_BOOT_CMD( + hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, + "display HAB status", + "" +); + +#endif + +#endif diff --git a/arch/arm/include/asm/arch-mx6/hab.h b/arch/arm/include/asm/arch-mx6/hab.h new file mode 100644 index 0000000..927c280 --- /dev/null +++ b/arch/arm/include/asm/arch-mx6/hab.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Auto Generate file, please don't edit it + * + */ + +#ifndef __SECURE_MX6Q_H__ +#define __SECURE_MX6Q_H__ + +#include <linux/types.h> + +/* -------- start of HAB API updates ------------*/ +/* The following are taken from HAB4 SIS */ + +/* Status definitions */ +enum hab_status { + HAB_STS_ANY = 0x00, + HAB_FAILURE = 0x33, + HAB_WARNING = 0x69, + HAB_SUCCESS = 0xf0 +} hab_status_t; + +/* Security Configuration definitions */ +enum hab_config { + HAB_CFG_RETURN = 0x33, /**< Field Return IC */ + HAB_CFG_OPEN = 0xf0, /**< Non-secure IC */ + HAB_CFG_CLOSED = 0xcc /**< Secure IC */ +} hab_config_t; + +/* State definitions */ +enum hab_state { + HAB_STATE_INITIAL = 0x33, /**< Initialising state (transitory) */ + HAB_STATE_CHECK = 0x55, /**< Check state (non-secure) */ + HAB_STATE_NONSECURE = 0x66, /**< Non-secure state */ + HAB_STATE_TRUSTED = 0x99, /**< Trusted state */ + HAB_STATE_SECURE = 0xaa, /**< Secure state */ + HAB_STATE_FAIL_SOFT = 0xcc, /**< Soft fail state */ + HAB_STATE_FAIL_HARD = 0xff, /**< Hard fail state (terminal) */ + HAB_STATE_NONE = 0xf0, /**< No security state machine */ + HAB_STATE_MAX +} hab_state_t; + +/*Function prototype description*/ +typedef hab_status_t hab_rvt_report_event_t(hab_status_t, uint32_t, + uint8_t* , size_t*); +typedef hab_status_t hab_rvt_report_status_t(hab_config_t *, hab_state_t *); +typedef hab_status_t hab_loader_callback_f_t(void**, size_t*, const void*); +typedef hab_status_t hab_rvt_entry_t(void); +typedef hab_status_t hab_rvt_exit_t(void); +typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t, + void **, size_t *, hab_loader_callback_f_t); +typedef void hapi_clock_init_t(void); + +#define HAB_RVT_REPORT_EVENT (*(uint32_t *)0x000000B4) +#define HAB_RVT_REPORT_STATUS (*(uint32_t *)0x000000B8) +#define HAB_RVT_AUTHENTICATE_IMAGE (*(uint32_t *)0x000000A4) +#define HAB_RVT_ENTRY (*(uint32_t *)0x00000098) +#define HAB_RVT_EXIT (*(uint32_t *)0x0000009C) +#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D) + +#define HAB_CID_ROM 0 /**< ROM Caller ID */ +#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/ +/* ----------- end of HAB API updates ------------*/ + +#endif diff --git a/arch/arm/include/asm/arch-mx6/imx-regs.h b/arch/arm/include/asm/arch-mx6/imx-regs.h index 03abb2a..4a2bba9 100644 --- a/arch/arm/include/asm/arch-mx6/imx-regs.h +++ b/arch/arm/include/asm/arch-mx6/imx-regs.h @@ -468,7 +468,13 @@ struct fuse_bank0_regs { u32 uid_low; u32 rsvd1[3]; u32 uid_high; - u32 rsvd2[0x17]; + u32 rsvd2[3]; + u32 rsvd3[4]; + u32 rsvd4[4]; + u32 rsvd5[4]; + u32 cfg5; + u32 rsvd6[3]; + u32 rsvd7[4]; };
struct fuse_bank4_regs {
Hi Stefano,
On Thu, Jul 11, 2013 at 10:06 AM, Stefano Babic sbabic@denx.de wrote:
--- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -27,7 +27,7 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
Whole series looks good.
Only a minor comment:
-COBJS = soc.o clock.o +COBJS = soc.o clock.o hab.o
What about:
COBJS-y += soc.o clock.o COBJS-$(CONFIG_SECURE_BOOT) += hab.o
SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c) OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS)) diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c new file mode 100644 index 0000000..c3c273f --- /dev/null +++ b/arch/arm/cpu/armv7/mx6/hab.c @@ -0,0 +1,127 @@ +/*
- Copyright (C) 2010-2013 Freescale Semiconductor, Inc.
- See file CREDITS for list of people who contributed to this
- project.
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2 of
- the License, or (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston,
- MA 02111-1307 USA
- */
+#include <common.h> +#include <asm/io.h> +#if defined(CONFIG_SECURE_BOOT)
,and then you remove this 'if defined' ?
Hi Fabio,
On 11/07/2013 19:17, Fabio Estevam wrote:
Hi Stefano,
On Thu, Jul 11, 2013 at 10:06 AM, Stefano Babic sbabic@denx.de wrote:
--- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -27,7 +27,7 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
Whole series looks good.
Only a minor comment:
-COBJS = soc.o clock.o +COBJS = soc.o clock.o hab.o
What about:
COBJS-y += soc.o clock.o COBJS-$(CONFIG_SECURE_BOOT) += hab.o
Correct, fix in V2.
,and then you remove this 'if defined' ?
Agree.
Best regards, Stefano
Dear Stefano Babic,
Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs.
This is taken from
git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h
Signed-off-by: Stefano Babic sbabic@denx.de
arch/arm/cpu/armv7/mx6/Makefile | 2 +- arch/arm/cpu/armv7/mx6/hab.c | 127 ++++++++++++++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 80 +++++++++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 +- 4 files changed, 215 insertions(+), 2 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h
diff --git a/arch/arm/cpu/armv7/mx6/Makefile b/arch/arm/cpu/armv7/mx6/Makefile index 4f9ca68..7c18f43 100644 --- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -27,7 +27,7 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
-COBJS = soc.o clock.o +COBJS = soc.o clock.o hab.o
SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c) OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS)) diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c new file mode 100644 index 0000000..c3c273f --- /dev/null +++ b/arch/arm/cpu/armv7/mx6/hab.c @@ -0,0 +1,127 @@ +/*
- Copyright (C) 2010-2013 Freescale Semiconductor, Inc.
- See file CREDITS for list of people who contributed to this
- project.
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2 of
- the License, or (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston,
- MA 02111-1307 USA
- */
+#include <common.h> +#include <asm/io.h> +#if defined(CONFIG_SECURE_BOOT) +#include <asm/arch/hab.h>
+#ifdef CONFIG_SECURE_BOOT +/* -------- start of HAB API updates ------------*/ +#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) +#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS) +#define hab_rvt_authenticate_image \
- ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE)
+#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY) +#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT) +#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT
+bool is_hab_enabled(void) +{
- struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR;
- struct fuse_bank *bank = &ocotp->bank[0];
- struct fuse_bank0_regs *fuse =
(struct fuse_bank0_regs *)bank->fuse_regs;- uint32_t reg = readl(&fuse->cfg5);
- return (reg & 0x2) == 0x2;
+}
+void display_event(uint8_t *event_data, size_t bytes) +{
- uint32_t i;
- if ((event_data) && (bytes > 0)) {
if (!<cond>) return;
<The loop goes here>
for (i = 0; i < bytes; i++) {if (i == 0)printf("\t0x%02x", event_data[i]);else if ((i % 8) == 0)printf("\n\t0x%02x", event_data[i]);elseprintf(" 0x%02x", event_data[i]);}- }
+}
+int get_hab_status(void) +{
- uint32_t index = 0; /* Loop index */
- uint8_t event_data[128]; /* Event data buffer */
- size_t bytes = sizeof(event_data); /* Event size in bytes */
- hab_config_t config = 0;
- hab_state_t state = 0;
- if (is_hab_enabled())
printf("\nSecure boot enabled\n");- else
printf("\nSecure boot disabled\n");
Use puts() instead of printf() with no args.
Otherwise very nice ;-)
Best regards, Marek Vasut
Hi Marek,
On 11/07/2013 20:31, Marek Vasut wrote:
+void display_event(uint8_t *event_data, size_t bytes) +{
- uint32_t i;
- if ((event_data) && (bytes > 0)) {
if (!<cond>) return;
<The loop goes here>
Fix in V2, thanks.
- if (is_hab_enabled())
printf("\nSecure boot enabled\n");- else
printf("\nSecure boot disabled\n");Use puts() instead of printf() with no args.
Right, and I will fix also other similar cases in this file.
Regards, Stefano
On Thu, Jul 11, 2013 at 10:06 AM, Stefano Babic sbabic@denx.de wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I didn't yet test or reviewed the patchset (will do) but I must to say a big Thank you :-) Awesome!
-- Otavio Salvador O.S. Systems http://www.ossystems.com.br http://projetos.ossystems.com.br Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
On 07/11/2013 11:11 AM, Otavio Salvador wrote:
On Thu, Jul 11, 2013 at 10:06 AM, Stefano Babic sbabic@denx.de wrote:
<snip>
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I didn't yet test or reviewed the patchset (will do) but I must to say a big Thank you :-) Awesome!
+1
Thanks Stefano,
On 07/11/2013 06:06 AM, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I compile-tested the series against all of our boards (boundary/boundary/* and board/freescale/mx6qsabrelite).
Run-time tests (without signing) against nitrogen6s (solo) and nitrogen6q (quad). Both ran without a hitch.
Now we need to get configured for signing and burn some fuses!
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
Changes in v2: - drop dead code (Marek Vasut) - Fix errors when SECURE_BOOT is selected due to enum - simplify display_event code (Marek Vasut) - compile hab code only if SECURE_BOOT is set (Fabio Estevam) - update licence with SPDX line according to new rules.
Stefano Babic (7): tools: imx_header should not include flash_offset tools: rename mximage_flash_offset to imximage_ivt_offset tools: dynamically allocate imx_header in imximage tools: add variable padding of data image in mkimage tools: add padding of data image file for imximage tools: add support for setting the CSF into imximage imx: add status reporting for HAB status
arch/arm/cpu/armv7/mx6/Makefile | 7 +- arch/arm/cpu/armv7/mx6/hab.c | 104 ++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 67 ++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 +- doc/README.imximage | 18 +++- doc/README.mxc_hab | 48 +++++++++ tools/imximage.c | 174 +++++++++++++++++++++++++++--- tools/imximage.h | 20 +++- tools/mkimage.c | 24 ++++- tools/mkimage.h | 5 +- 10 files changed, 444 insertions(+), 31 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h create mode 100644 doc/README.mxc_hab
Doing a make distclean; make mx6qsabresd_config; make and hexdump -C u-boot.imx | less
... 00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 |................| ^^^^^^^^^^^ 00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å| ...
shows the flash_offset value being written into the final generated image, wich is not correct.
Instead create flash_offset as static variable such that the generated image is "clean".
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å|
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v2: None
tools/imximage.c | 15 ++++++++------- tools/imximage.h | 1 - 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index c8a9ad5..a347b9b 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -52,6 +52,7 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; +static uint32_t imximage_flash_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -327,9 +328,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imxhdr->flash_offset = get_table_entry_id(imximage_bootops, + imximage_flash_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imxhdr->flash_offset == -1) { + if (imximage_flash_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -338,7 +339,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imxhdr->flash_offset = get_cfg_value(token, name, lineno); + imximage_flash_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -439,7 +440,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imxhdr->flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -497,14 +498,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imxhdr->flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_flash_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imxhdr->flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset);
/* * ROM bug alert @@ -515,7 +516,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imxhdr->flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index 214187b..ec629a5 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -147,7 +147,6 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; - uint32_t flash_offset; } __attribute__((aligned(4096)));
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr,
This better reflects the naming from the Reference Manual as well as fits better since "flash" is not really applicabe for SATA.
Signed-off-by: Stefano Babic sbabic@denx.de --- Changes in v2: None
tools/imximage.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index a347b9b..494446e 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -52,7 +52,8 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; -static uint32_t imximage_flash_offset; +/* Image Vector Table Offset */ +static uint32_t imximage_ivt_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -328,9 +329,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_flash_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imximage_flash_offset == -1) { + if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -339,7 +340,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imximage_flash_offset = get_cfg_value(token, name, lineno); + imximage_ivt_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -440,7 +441,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_ivt_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -498,14 +499,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imximage_flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_ivt_offset);
/* * ROM bug alert @@ -516,7 +517,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); }
int imximage_check_params(struct mkimage_params *params)
Change to dynamically allocate the imx_header to correctly allocate the IVT, Boot Data and DCD at correct locations depending on the boot media.
Also check that the Image Vector Table Offset + IVT + Boot Data + DCD <= Initial Load Region Size.
Previously struct imx_header was always 4096 bytes and was not dealing correctly with the Image Vector Table Offset.
Now, the memory allocation looks for e.g. SD boot like this
Storage u-boot.imx RAM Device
00000000 177ff000 <-------------- | 00000400 00000000 d1 00 20 40 IVT.header 177ff400 <------- | 00000404 00000004 00 00 80 17 IVT.entry 177ff404 ----------- | 00000408 00000008 00 00 00 00 IVT.reserved1 177ff408 | | | 0000040C 0000000C 2c f4 7f 17 IVT.dcd 177ff40C ------ | | | 00000410 00000010 20 f4 7f 17 IVT.boot 177ff410 ---- | | | | 00000414 00000014 00 f4 7f 17 IVT.self 177ff414 -------- | | 00000418 00000018 00 00 00 00 IVT.csf 177ff418 | | | | 0000041C 0000001C 00 00 00 00 IVT.reserved2 177ff41C | | | | 00000420 00000020 00 f0 7f 17 BootData.start 177ff420 <--- | | --- 00000424 00000024 00 60 03 00 BootData.length 177ff424 | | 00000428 00000028 00 00 00 00 BootData.plugin 177ff428 | | 0000042C 0000002C d2 03 30 40 DCD.header 177ff42C <----- | ... | 00001000 00000c00 13 00 00 ea U-Boot Start 17800000 <----------
While at it also remove the unused #define HEADER_OFFSET.
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v2: - drop dead code (Marek Vasut)
tools/imximage.c | 43 ++++++++++++++++++++++++++++++++++++------- tools/imximage.h | 16 +++++++++++++--- 2 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 494446e..2b4909e 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -31,7 +31,7 @@ static table_entry_t imximage_cmds[] = { * Supported Boot options for configuration file * this is needed to set the correct flash offset */ -static table_entry_t imximage_bootops[] = { +static table_entry_t imximage_boot_offset[] = { {FLASH_OFFSET_ONENAND, "onenand", "OneNAND Flash",}, {FLASH_OFFSET_NAND, "nand", "NAND Flash", }, {FLASH_OFFSET_NOR, "nor", "NOR Flash", }, @@ -42,6 +42,20 @@ static table_entry_t imximage_bootops[] = { };
/* + * Supported Boot options for configuration file + * this is needed to determine the initial load size + */ +static table_entry_t imximage_boot_loadsize[] = { + {FLASH_LOADSIZE_ONENAND, "onenand", "OneNAND Flash",}, + {FLASH_LOADSIZE_NAND, "nand", "NAND Flash", }, + {FLASH_LOADSIZE_NOR, "nor", "NOR Flash", }, + {FLASH_LOADSIZE_SATA, "sata", "SATA Disk", }, + {FLASH_LOADSIZE_SD, "sd", "SD Card", }, + {FLASH_LOADSIZE_SPI, "spi", "SPI Flash", }, + {-1, "", "Invalid", }, +}; + +/* * IMXIMAGE version definition for i.MX chips */ static table_entry_t imximage_versions[] = { @@ -54,6 +68,8 @@ static struct imx_header imximage_header; static uint32_t imximage_version; /* Image Vector Table Offset */ static uint32_t imximage_ivt_offset; +/* Initial Load Region Size */ +static uint32_t imximage_init_loadsize;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -195,7 +211,8 @@ static void set_imx_hdr_v1(struct imx_header *imxhdr, uint32_t dcd_len, /* Set magic number */ fhdr_v1->app_code_barker = APP_CODE_BARKER;
- hdr_base = entry_point - sizeof(struct imx_header); + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + hdr_base = entry_point - 4096; fhdr_v1->app_dest_ptr = hdr_base - flash_offset; fhdr_v1->app_code_jump_vector = entry_point;
@@ -222,12 +239,13 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len,
fhdr_v2->entry = entry_point; fhdr_v2->reserved1 = fhdr_v2->reserved2 = 0; - fhdr_v2->self = hdr_base = entry_point - sizeof(struct imx_header); - + hdr_base = entry_point - imximage_init_loadsize + + flash_offset; + fhdr_v2->self = hdr_base; fhdr_v2->dcd_ptr = hdr_base + offsetof(imx_header_v2_t, dcd_table); fhdr_v2->boot_data_ptr = hdr_base + offsetof(imx_header_v2_t, boot_data); - hdr_v2->boot_data.start = hdr_base - flash_offset; + hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
/* Security feature are not supported */ fhdr_v2->csf = 0; @@ -329,13 +347,24 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_ivt_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_boot_offset, "imximage boot option", token); if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); } + + imximage_init_loadsize = + get_table_entry_id(imximage_boot_loadsize, + "imximage boot option", token); + + if (imximage_init_loadsize == -1) { + fprintf(stderr, + "Error: %s[%d] -Invalid boot device(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -517,7 +546,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index ec629a5..bb04a43 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -13,14 +13,14 @@ #define APP_CODE_BARKER 0xB1 #define DCD_BARKER 0xB17219E9
-#define HEADER_OFFSET 0x400 - /* * NOTE: This file must be kept in sync with arch/arm/include/asm/\ * imx-common/imximage.cfg because tools/imximage.c can not * cross-include headers from arch/arm/ and vice-versa. */ #define CMD_DATA_STR "DATA" + +/* Initial Vector Table Offset */ #define FLASH_OFFSET_UNDEFINED 0xFFFFFFFF #define FLASH_OFFSET_STANDARD 0x400 #define FLASH_OFFSET_NAND FLASH_OFFSET_STANDARD @@ -30,6 +30,16 @@ #define FLASH_OFFSET_NOR 0x1000 #define FLASH_OFFSET_SATA FLASH_OFFSET_STANDARD
+/* Initial Load Region Size */ +#define FLASH_LOADSIZE_UNDEFINED 0xFFFFFFFF +#define FLASH_LOADSIZE_STANDARD 0x1000 +#define FLASH_LOADSIZE_NAND FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SD FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SPI FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_ONENAND 0x400 +#define FLASH_LOADSIZE_NOR 0x0 /* entire image */ +#define FLASH_LOADSIZE_SATA FLASH_LOADSIZE_STANDARD + #define IVT_HEADER_TAG 0xD1 #define IVT_VERSION 0x40 #define DCD_HEADER_TAG 0xD2 @@ -147,7 +157,7 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; -} __attribute__((aligned(4096))); +};
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr, char *name, int lineno,
Use previously unused return value of function vrec_header to return a padding size to generic mkimage. This padding size is used in copy_files to pad with zeros after copying the data image.
Signed-off-by: Stefano Babic sbabic@denx.de --- Changes in v2: None
tools/mkimage.c | 24 +++++++++++++++++++++--- tools/mkimage.h | 5 ++++- 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/tools/mkimage.c b/tools/mkimage.c index b700b9e..58d25fa 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -137,6 +137,7 @@ main (int argc, char **argv) char *ptr; int retval = 0; struct image_type_params *tparams = NULL; + int pad_len = 0;
/* Init Freescale PBL Boot image generation/list support */ init_pbl_image_type(); @@ -391,7 +392,7 @@ NXTARG: ; * allocate memory for the header itself. */ if (tparams->vrec_header) - tparams->vrec_header(¶ms, tparams); + pad_len = tparams->vrec_header(¶ms, tparams); else memset(tparams->hdr, 0, tparams->header_size);
@@ -463,7 +464,7 @@ NXTARG: ; /* PBL has special Image format, implements its' own */ pbl_load_uboot(ifd, ¶ms); } else { - copy_file (ifd, params.datafile, 0); + copy_file(ifd, params.datafile, pad_len); } }
@@ -537,10 +538,19 @@ copy_file (int ifd, const char *datafile, int pad) unsigned char *ptr; int tail; int zero = 0; + uint8_t zeros[4096]; int offset = 0; int size; struct image_type_params *tparams = mkimage_get_type (params.type);
+ if (pad >= sizeof(zeros)) { + fprintf(stderr, "%s: Can't pad to %d\n", + params.cmdname, pad); + exit(EXIT_FAILURE); + } + + memset(zeros, 0, sizeof(zeros)); + if (params.vflag) { fprintf (stderr, "Adding Image %s\n", datafile); } @@ -598,7 +608,8 @@ copy_file (int ifd, const char *datafile, int pad) exit (EXIT_FAILURE); }
- if (pad && ((tail = size % 4) != 0)) { + tail = size % 4; + if ((pad == 1) && (tail != 0)) {
if (write(ifd, (char *)&zero, 4-tail) != 4-tail) { fprintf (stderr, "%s: Write error on %s: %s\n", @@ -606,6 +617,13 @@ copy_file (int ifd, const char *datafile, int pad) strerror(errno)); exit (EXIT_FAILURE); } + } else if (pad > 1) { + if (write(ifd, (char *)&zeros, pad) != pad) { + fprintf(stderr, "%s: Write error on %s: %s\n", + params.cmdname, params.imagefile, + strerror(errno)); + exit(EXIT_FAILURE); + } }
(void) munmap((void *)ptr, sbuf.st_size); diff --git a/tools/mkimage.h b/tools/mkimage.h index 950e190..ecb3032 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -132,7 +132,10 @@ struct image_type_params { /* * This callback function will be executed for variable size record * It is expected to build this header in memory and return its length - * and a pointer to it + * and a pointer to it by using image_type_params.header_size and + * image_type_params.hdr. The return value shall indicate if an + * additional padding should be used when copying the data image + * by returning the padding length. */ int (*vrec_header) (struct mkimage_params *, struct image_type_params *);
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de --- Changes in v2: None
tools/imximage.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 2 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 2b4909e..5981625 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -571,18 +571,96 @@ int imximage_check_params(struct mkimage_params *params) (params->xflag) || !(strlen(params->imagename)); }
+static int imximage_generate(struct mkimage_params *params, + struct image_type_params *tparams) +{ + struct imx_header *imxhdr; + size_t alloc_len; + int dfd; + struct stat sbuf; + char *datafile = params->datafile; + uint32_t pad_len; + + memset(&imximage_header, 0, sizeof(imximage_header)); + + /* + * In order to not change the old imx cfg file + * by adding VERSION command into it, here need + * set up function ptr group to V1 by default. + */ + imximage_version = IMXIMAGE_V1; + /* Be able to detect if the cfg file has no BOOT_FROM tag */ + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; + set_hdr_func(imxhdr); + + /* Parse dcd configuration file */ + parse_cfg_file(&imximage_header, params->imagename); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + alloc_len = 4096; + else + alloc_len = imximage_init_loadsize - imximage_ivt_offset; + + if (alloc_len < sizeof(struct imx_header)) { + fprintf(stderr, "%s: header error\n", + params->cmdname); + exit(EXIT_FAILURE); + } + + imxhdr = malloc(alloc_len); + + if (!imxhdr) { + fprintf(stderr, "%s: malloc return failure: %s\n", + params->cmdname, strerror(errno)); + exit(EXIT_FAILURE); + } + + memset(imxhdr, 0, alloc_len); + + tparams->header_size = alloc_len; + tparams->hdr = imxhdr; + + /* determine data image file length */ + dfd = open(datafile, O_RDONLY|O_BINARY); + if (dfd < 0) { + fprintf(stderr, "%s: Can't open %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + if (fstat(dfd, &sbuf) < 0) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + pad_len = ROUND(sbuf.st_size, 4096) - sbuf.st_size; + + close(dfd); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + return 0; + else + return pad_len; +} + + /* * imximage parameters */ static struct image_type_params imximage_params = { .name = "Freescale i.MX Boot Image support", - .header_size = sizeof(struct imx_header), - .hdr = (void *)&imximage_header, + .header_size = 0, + .hdr = NULL, .check_image_type = imximage_check_image_types, .verify_header = imximage_verify_header, .print_header = imximage_print_header, .set_header = imximage_set_header, .check_params = imximage_check_params, + .vrec_header = imximage_generate, };
void init_imx_image_type(void)
Dear Stefano Babic,
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de
[...]
- if (!imxhdr) {
fprintf(stderr, "%s: malloc return failure: %s\n",params->cmdname, strerror(errno));exit(EXIT_FAILURE);- }
- memset(imxhdr, 0, alloc_len);
- tparams->header_size = alloc_len;
- tparams->hdr = imxhdr;
- /* determine data image file length */
Why dont you just call stat(2) here instead of the open+fstat+close combo?
- dfd = open(datafile, O_RDONLY|O_BINARY);
- if (dfd < 0) {
fprintf(stderr, "%s: Can't open %s: %s\n",params->cmdname, datafile, strerror(errno));exit(EXIT_FAILURE);- }
- if (fstat(dfd, &sbuf) < 0) {
fprintf(stderr, "%s: Can't stat %s: %s\n",params->cmdname, datafile, strerror(errno));exit(EXIT_FAILURE);- }
- pad_len = ROUND(sbuf.st_size, 4096) - sbuf.st_size;
- close(dfd);
- /* TODO: check i.MX image V1 handling, for now use 'old' style */
[...]
Best regards, Marek Vasut
Hi Marek,
On 13/08/2013 07:10, Marek Vasut wrote:
Dear Stefano Babic,
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de
[...]
- if (!imxhdr) {
fprintf(stderr, "%s: malloc return failure: %s\n",params->cmdname, strerror(errno));exit(EXIT_FAILURE);- }
- memset(imxhdr, 0, alloc_len);
- tparams->header_size = alloc_len;
- tparams->hdr = imxhdr;
- /* determine data image file length */
Why dont you just call stat(2) here instead of the open+fstat+close combo?
Thanks, replaced in V3.
Best regards, Stefano Babic
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g.
CSF 0x2000
in the imximage.cfg file.
This will set the CSF pointer accordingly just after the padded data image area. The boot_data.length is adjusted with the value from the imximage.cfg config file.
The resulting u-boot.imx can be signed with the FSL HAB tooling. The generated CSF block needs to be appended to the u-boot.imx.
Signed-off-by: Stefano Babic sbabic@denx.de
Series-changes : 2 - checkpatch warning - do not output HAB values when csf values are not defined by cfg --- Changes in v2: None
doc/README.imximage | 18 +++++++++++++++--- doc/README.mxc_hab | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/imximage.c | 41 ++++++++++++++++++++++++++++++++++++++--- tools/imximage.h | 3 ++- 4 files changed, 103 insertions(+), 7 deletions(-) create mode 100644 doc/README.mxc_hab
diff --git a/doc/README.imximage b/doc/README.imximage index 802eb90..c10684f 100644 --- a/doc/README.imximage +++ b/doc/README.imximage @@ -15,9 +15,6 @@ Booting from NOR flash does not require to use this image type. For more details refer Chapter 2 - System Boot and section 2.14 (flash header description) of the processor's manual.
-This implementation does not use at the moment the secure boot feature -of the processor. The image is generated disabling all security fields. - Command syntax: -------------- ./tools/mkimage -l <mx u-boot_file> @@ -86,6 +83,21 @@ Configuration command line syntax: Example: BOOT_FROM spi
+ CSF value + + Total size of CSF (Command Sequence File) + used for Secure Boot/ High Assurance Boot + (HAB). + + Using this command will populate the IVT + (Initial Vector Table) CSF pointer and adjust + the length fields only. The CSF itself needs + to be generated with Freescale tools and + 'manually' appended to the u-boot.imx file. + + Example: + CSF 0x2000 + DATA type address value
type: word=4, halfword=2, byte=1 diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab new file mode 100644 index 0000000..97f8b7d --- /dev/null +++ b/doc/README.mxc_hab @@ -0,0 +1,48 @@ +High Assurance Boot (HAB) for i.MX6 CPUs + +To authenticate U-Boot only by the CPU there is no code required in +U-Boot itself. However, the U-Boot image to be programmed into the +boot media needs to be properly constructed, i.e. it must contain a +proper Command Sequence File (CSF). + +The Initial Vector Table contains a pointer to the CSF. Please see +doc/README.imximage for how to prepare u-boot.imx. + +The CSF itself is being generated by Freescale HAB tools. + +mkimage will output additional information about "HAB Blocks" +which can be used in the Freescale tooling to authenticate U-Boot +(entries in the CSF file). + +Image Type: Freescale IMX Boot Image +Image Ver: 2 (i.MX53/6 compatible) +Data Size: 327680 Bytes = 320.00 kB = 0.31 MB +Load Address: 177ff420 +Entry Point: 17800000 +HAB Blocks: 177ff400 00000000 0004dc00 + ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ + | | | + | | -------- (1) + | | + | ------------------- (2) + | + --------------------------- (3) + +(1) Size of area in file u-boot.imx to sign + This area should include the IVT, the Boot Data the DCD + and U-Boot itself. +(2) Start of area in u-boot.imx to sign +(3) Start of area in RAM to authenticate + +CONFIG_SECURE_BOOT currently enables only an additional command +'hab_status' in U-Boot to retrieve the HAB status and events. This +can be useful while developing and testing HAB. + +Commands to generate a signed U-Boot using Freescale HAB tools: +cst --o U-Boot_CSF.bin < U-Boot.CSF +objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ + U-Boot_CSF.bin U-Boot_CSF_pad.bin +cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx + +NOTE: U-Boot_CSF.bin needs to be padded to the value specified in +the imximage.cfg file. diff --git a/tools/imximage.c b/tools/imximage.c index 5981625..50fe22c 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -16,6 +16,8 @@ #include <image.h> #include "imximage.h"
+#define UNDEFINED 0xFFFFFFFF + /* * Supported commands for configuration file */ @@ -23,6 +25,7 @@ static table_entry_t imximage_cmds[] = { {CMD_BOOT_FROM, "BOOT_FROM", "boot command", }, {CMD_BOOT_OFFSET, "BOOT_OFFSET", "Boot offset", }, {CMD_DATA, "DATA", "Reg Write Data", }, + {CMD_CSF, "CSF", "Command Sequence File", }, {CMD_IMAGE_VERSION, "IMAGE_VERSION", "image version", }, {-1, "", "", }, }; @@ -66,8 +69,13 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; -/* Image Vector Table Offset */ -static uint32_t imximage_ivt_offset; +/* + * Image Vector Table Offset + * Initialized to a wrong not 4-bytes aligned address to + * check if it is was set by the cfg file. + */ +static uint32_t imximage_ivt_offset = UNDEFINED; +static uint32_t imximage_csf_size = UNDEFINED; /* Initial Load Region Size */ static uint32_t imximage_init_loadsize;
@@ -76,6 +84,7 @@ static set_dcd_rst_t set_dcd_rst; static set_imx_hdr_t set_imx_hdr; static uint32_t max_dcd_entries; static uint32_t *header_size_ptr; +static uint32_t *csf_ptr;
static uint32_t get_cfg_value(char *token, char *name, int linenr) { @@ -247,9 +256,10 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len, + offsetof(imx_header_v2_t, boot_data); hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
- /* Security feature are not supported */ fhdr_v2->csf = 0; + header_size_ptr = &hdr_v2->boot_data.size; + csf_ptr = &fhdr_v2->csf; }
static void set_hdr_func(struct imx_header *imxhdr) @@ -326,6 +336,13 @@ static void print_hdr_v2(struct imx_header *imx_hdr) genimg_print_size(hdr_v2->boot_data.size); printf("Load Address: %08x\n", (uint32_t)fhdr_v2->boot_data_ptr); printf("Entry Point: %08x\n", (uint32_t)fhdr_v2->entry); + if (fhdr_v2->csf && (imximage_ivt_offset != UNDEFINED) && + (imximage_csf_size != UNDEFINED)) { + printf("HAB Blocks: %08x %08x %08x\n", + (uint32_t)fhdr_v2->self, 0, + hdr_v2->boot_data.size - imximage_ivt_offset - + imximage_csf_size); + } }
static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, @@ -379,6 +396,17 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; + case CMD_CSF: + if (imximage_version != 2) { + fprintf(stderr, + "Error: %s[%d] - CSF only supported for VERSION 2(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } + imximage_csf_size = get_cfg_value(token, name, lineno); + if (unlikely(cmd_ver_first != 1)) + cmd_ver_first = 0; + break; } }
@@ -529,6 +557,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ @@ -547,6 +576,12 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * The remaining fraction of a block bytes would not be loaded! */ *header_size_ptr = ROUND(sbuf->st_size, 4096); + + if (csf_ptr && imximage_csf_size) { + *csf_ptr = params->ep - imximage_init_loadsize + + *header_size_ptr; + *header_size_ptr += imximage_csf_size; + } }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index bb04a43..efe6a88 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -52,7 +52,8 @@ enum imximage_cmd { CMD_IMAGE_VERSION, CMD_BOOT_FROM, CMD_BOOT_OFFSET, - CMD_DATA + CMD_DATA, + CMD_CSF, };
enum imximage_fld_types {
Am 12.08.13 16:39, schrieb Stefano Babic:
BOOT_FROM spi
- CSF value
Total size of CSF (Command Sequence File)used for Secure Boot/ High Assurance Boot(HAB).Using this command will populate the IVT(Initial Vector Table) CSF pointer and adjust
^^^^^^^^^^^^^^^^^^^^
Isn't that "Image Vector Table"?
Regards, Bernhard
Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs.
This is taken from
git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v2: - Fix errors when SECURE_BOOT is selected due to enum - simplify display_event code (Marek Vasut) - compile hab code only if SECURE_BOOT is set (Fabio Estevam) - update licence with SPDX line according to new rules.
arch/arm/cpu/armv7/mx6/Makefile | 7 +- arch/arm/cpu/armv7/mx6/hab.c | 104 ++++++++++++++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 67 +++++++++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 ++- 4 files changed, 182 insertions(+), 4 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h
diff --git a/arch/arm/cpu/armv7/mx6/Makefile b/arch/arm/cpu/armv7/mx6/Makefile index c5e9858..6d73617 100644 --- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -11,10 +11,11 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
-COBJS = soc.o clock.o +COBJS-y = soc.o clock.o +COBJS-$(CONFIG_SECURE_BOOT) += hab.o
-SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c) -OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS)) +SRCS := $(SOBJS:.o=.S) $(COBJS-y:.o=.c) +OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS-y))
all: $(obj).depend $(LIB)
diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c new file mode 100644 index 0000000..5187775 --- /dev/null +++ b/arch/arm/cpu/armv7/mx6/hab.c @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2010-2013 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include <common.h> +#include <asm/io.h> +#include <asm/arch/hab.h> + +/* -------- start of HAB API updates ------------*/ +#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) +#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS) +#define hab_rvt_authenticate_image \ + ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE) +#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY) +#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT) +#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT + +bool is_hab_enabled(void) +{ + struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR; + struct fuse_bank *bank = &ocotp->bank[0]; + struct fuse_bank0_regs *fuse = + (struct fuse_bank0_regs *)bank->fuse_regs; + uint32_t reg = readl(&fuse->cfg5); + + return (reg & 0x2) == 0x2; +} + +void display_event(uint8_t *event_data, size_t bytes) +{ + uint32_t i; + + if (!(event_data && bytes > 0)) + return; + + for (i = 0; i < bytes; i++) { + if (i == 0) + printf("\t0x%02x", event_data[i]); + else if ((i % 8) == 0) + printf("\n\t0x%02x", event_data[i]); + else + printf(" 0x%02x", event_data[i]); + } +} + +int get_hab_status(void) +{ + uint32_t index = 0; /* Loop index */ + uint8_t event_data[128]; /* Event data buffer */ + size_t bytes = sizeof(event_data); /* Event size in bytes */ + enum hab_config config = 0; + enum hab_state state = 0; + + if (is_hab_enabled()) + puts("\nSecure boot enabled\n"); + else + puts("\nSecure boot disabled\n"); + + /* Check HAB status */ + if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + + /* Display HAB Error events */ + while (hab_rvt_report_event(HAB_FAILURE, index, event_data, + &bytes) == HAB_SUCCESS) { + puts("\n"); + printf("--------- HAB Event %d -----------------\n", + index + 1); + puts("event data:\n"); + display_event(event_data, bytes); + puts("\n"); + bytes = sizeof(event_data); + index++; + } + } + /* Display message if no HAB events are found */ + else { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + puts("No HAB Events Found!\n\n"); + } + return 0; +} + +int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) +{ + if ((argc != 1)) { + cmd_usage(cmdtp); + return 1; + } + + get_hab_status(); + + return 0; +} + +U_BOOT_CMD( + hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, + "display HAB status", + "" + ); diff --git a/arch/arm/include/asm/arch-mx6/hab.h b/arch/arm/include/asm/arch-mx6/hab.h new file mode 100644 index 0000000..d724f20 --- /dev/null +++ b/arch/arm/include/asm/arch-mx6/hab.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved. + * + * SPDX-License-Identifier: GPL-2.0+ + * +*/ + +#ifndef __SECURE_MX6Q_H__ +#define __SECURE_MX6Q_H__ + +#include <linux/types.h> + +/* -------- start of HAB API updates ------------*/ +/* The following are taken from HAB4 SIS */ + +/* Status definitions */ +enum hab_status { + HAB_STS_ANY = 0x00, + HAB_FAILURE = 0x33, + HAB_WARNING = 0x69, + HAB_SUCCESS = 0xf0 +}; + +/* Security Configuration definitions */ +enum hab_config { + HAB_CFG_RETURN = 0x33, /**< Field Return IC */ + HAB_CFG_OPEN = 0xf0, /**< Non-secure IC */ + HAB_CFG_CLOSED = 0xcc /**< Secure IC */ +}; + +/* State definitions */ +enum hab_state { + HAB_STATE_INITIAL = 0x33, /**< Initialising state (transitory) */ + HAB_STATE_CHECK = 0x55, /**< Check state (non-secure) */ + HAB_STATE_NONSECURE = 0x66, /**< Non-secure state */ + HAB_STATE_TRUSTED = 0x99, /**< Trusted state */ + HAB_STATE_SECURE = 0xaa, /**< Secure state */ + HAB_STATE_FAIL_SOFT = 0xcc, /**< Soft fail state */ + HAB_STATE_FAIL_HARD = 0xff, /**< Hard fail state (terminal) */ + HAB_STATE_NONE = 0xf0, /**< No security state machine */ + HAB_STATE_MAX +}; + +/*Function prototype description*/ +typedef enum hab_status hab_rvt_report_event_t(enum hab_status, uint32_t, + uint8_t* , size_t*); +typedef enum hab_status hab_rvt_report_status_t(enum hab_config *, + enum hab_state *); +typedef enum hab_status hab_loader_callback_f_t(void**, size_t*, const void*); +typedef enum hab_status hab_rvt_entry_t(void); +typedef enum hab_status hab_rvt_exit_t(void); +typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t, + void **, size_t *, hab_loader_callback_f_t); +typedef void hapi_clock_init_t(void); + +#define HAB_RVT_REPORT_EVENT (*(uint32_t *)0x000000B4) +#define HAB_RVT_REPORT_STATUS (*(uint32_t *)0x000000B8) +#define HAB_RVT_AUTHENTICATE_IMAGE (*(uint32_t *)0x000000A4) +#define HAB_RVT_ENTRY (*(uint32_t *)0x00000098) +#define HAB_RVT_EXIT (*(uint32_t *)0x0000009C) +#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D) + +#define HAB_CID_ROM 0 /**< ROM Caller ID */ +#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/ +/* ----------- end of HAB API updates ------------*/ + +#endif diff --git a/arch/arm/include/asm/arch-mx6/imx-regs.h b/arch/arm/include/asm/arch-mx6/imx-regs.h index 5d6bccb..621919f 100644 --- a/arch/arm/include/asm/arch-mx6/imx-regs.h +++ b/arch/arm/include/asm/arch-mx6/imx-regs.h @@ -456,7 +456,13 @@ struct fuse_bank0_regs { u32 uid_low; u32 rsvd1[3]; u32 uid_high; - u32 rsvd2[0x17]; + u32 rsvd2[3]; + u32 rsvd3[4]; + u32 rsvd4[4]; + u32 rsvd5[4]; + u32 cfg5; + u32 rsvd6[3]; + u32 rsvd7[4]; };
struct fuse_bank4_regs {
Hi,
Am 12.08.13 16:39, schrieb Stefano Babic:
+bool is_hab_enabled(void) +{
- struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR;
- struct fuse_bank *bank = &ocotp->bank[0];
- struct fuse_bank0_regs *fuse =
(struct fuse_bank0_regs *)bank->fuse_regs;- uint32_t reg = readl(&fuse->cfg5);
- return (reg & 0x2) == 0x2;
+}
With the exception of that function and the required structure definitions, the whole code also works with i.MX53 (tested with LOCO board), too. Also AN4581 [1] that describes HAB doesn't differentiate between i.MX53 and i.MX6 in that case as they both use HAB v4.
I think you have more experience how to organize the code (I added a few symlinks and modified only the Makefile, but I guess that symlink are not the best solution).
Regards, Bernhard
[1] http://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
On Mon, Aug 12, 2013 at 11:39 AM, Stefano Babic sbabic@denx.de wrote: ...
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
...
Couldn't a brief 'how-to' to be added to the README and also the pointers to the documents where this is documented?
Hio Otavio,
On 12/08/2013 17:23, Otavio Salvador wrote:
On Mon, Aug 12, 2013 at 11:39 AM, Stefano Babic sbabic@denx.de wrote: ...
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
...
Couldn't a brief 'how-to' to be added to the README
I do not thnk so, because it will be a duplication of documentation already provided by the manufacturer.
and also the pointers to the documents where this is documented?
Maybe I should point out in which document this stuff is covered. Freescale can move the link (I find a link for each processor on the Freescale's website). Something like "can be found in the "High Assurance Boot Version Application Priogramming Interface Reference Manual" as part of the Freescale Code Signing Tool, available on the manufacturer's website ?"
Best regards, Stefano Babic
On Mon, Aug 19, 2013 at 8:30 AM, Stefano Babic sbabic@denx.de wrote:
Hio Otavio,
On 12/08/2013 17:23, Otavio Salvador wrote:
On Mon, Aug 12, 2013 at 11:39 AM, Stefano Babic sbabic@denx.de wrote: ...
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
...
Couldn't a brief 'how-to' to be added to the README
I do not thnk so, because it will be a duplication of documentation already provided by the manufacturer.
Yes; ok.
and also the pointers to the documents where this is documented?
Maybe I should point out in which document this stuff is covered. Freescale can move the link (I find a link for each processor on the Freescale's website). Something like "can be found in the "High Assurance Boot Version Application Priogramming Interface Reference Manual" as part of the Freescale Code Signing Tool, available on the manufacturer's website ?"
Yes; this would help people to find it.
On Mon, Aug 12, 2013 at 04:39:27PM +0200, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
Where does Marek's patch fall in here exactly? Should he be based on top of yours, yours on his? It should all go via u-boot-imx, so you'll have to do the merging anyhow :) And on that note, things seem as sane as they're likley going to be, with the caveat of what you've already said you'll v3.
Hi Tom,
On 19/08/2013 18:19, Tom Rini wrote:
On Mon, Aug 12, 2013 at 04:39:27PM +0200, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
Where does Marek's patch fall in here exactly?
Marek's patch is intended to add support for mxs based processor (mx23 / mx28) and it is quite parallel to mine and I think Marek will replace Freescale's own tool elftosb.
Should he be based on top of yours, yours on his? It should all go via u-boot-imx, so you'll have to do the merging anyhow :)
I agree - I will do the merge with Marek's patch ;-). If there are some conflicts (I have not yet tried), I will solve them directly with Marek.
Best regards, Stefano
On Mon, Aug 19, 2013 at 06:44:03PM +0200, Stefano Babic wrote:
Hi Tom,
On 19/08/2013 18:19, Tom Rini wrote:
On Mon, Aug 12, 2013 at 04:39:27PM +0200, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
Where does Marek's patch fall in here exactly?
Marek's patch is intended to add support for mxs based processor (mx23 / mx28) and it is quite parallel to mine and I think Marek will replace Freescale's own tool elftosb.
But, for clarity, there's not a whole bunch of common code that could be used here, and these i.MXes are different from those i.MXes?
Dear Tom Rini,
On Mon, Aug 19, 2013 at 06:44:03PM +0200, Stefano Babic wrote:
Hi Tom,
On 19/08/2013 18:19, Tom Rini wrote:
On Mon, Aug 12, 2013 at 04:39:27PM +0200, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
Where does Marek's patch fall in here exactly?
Marek's patch is intended to add support for mxs based processor (mx23 / mx28) and it is quite parallel to mine and I think Marek will replace Freescale's own tool elftosb.
But, for clarity, there's not a whole bunch of common code that could be used here, and these i.MXes are different from those i.MXes?
MX23/28 and the rest of IMX use the same "HAB" thing, but due to differences in their bootrom (MXS is sigmatel design, IMX is freescale), it's done differently on both MXS and IMX. Thus we need two implementations :-( IIRC there is HABv3 on IMX and HABv4 on MXS, no ?
Best regards, Marek Vasut
On Mon, Aug 19, 2013 at 09:45:55PM +0200, Marek Vasut wrote:
Dear Tom Rini,
On Mon, Aug 19, 2013 at 06:44:03PM +0200, Stefano Babic wrote:
Hi Tom,
On 19/08/2013 18:19, Tom Rini wrote:
On Mon, Aug 12, 2013 at 04:39:27PM +0200, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
Where does Marek's patch fall in here exactly?
Marek's patch is intended to add support for mxs based processor (mx23 / mx28) and it is quite parallel to mine and I think Marek will replace Freescale's own tool elftosb.
But, for clarity, there's not a whole bunch of common code that could be used here, and these i.MXes are different from those i.MXes?
MX23/28 and the rest of IMX use the same "HAB" thing, but due to differences in their bootrom (MXS is sigmatel design, IMX is freescale), it's done differently on both MXS and IMX. Thus we need two implementations :-( IIRC there is HABv3 on IMX and HABv4 on MXS, no ?
OK, thanks.
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
Changes in v3: - uses stat instead of open / fstat / close (Marek Vasut) - add info in the README where to find description of signing process in the Freescale Website (Otavio Salvador)
Changes in v2: - drop dead code (Marek Vasut) - checkpatch warning - do not output HAB values when csf values are not defined by cfg - Fix errors when SECURE_BOOT is selected due to enum - simplify display_event code (Marek Vasut) - compile hab code only if SECURE_BOOT is set (Fabio Estevam) - update licence with SPDX line according to new rules.
Stefano Babic (7): tools: imx_header should not include flash_offset tools: rename mximage_flash_offset to imximage_ivt_offset tools: dynamically allocate imx_header in imximage tools: add variable padding of data image in mkimage tools: add padding of data image file for imximage tools: add support for setting the CSF into imximage imx: add status reporting for HAB status
arch/arm/cpu/armv7/mx6/Makefile | 7 +- arch/arm/cpu/armv7/mx6/hab.c | 104 +++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 67 ++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 +- doc/README.imximage | 30 +++++- doc/README.mxc_hab | 48 +++++++++ tools/imximage.c | 166 +++++++++++++++++++++++++++--- tools/imximage.h | 20 +++- tools/mkimage.c | 24 ++++- tools/mkimage.h | 5 +- 10 files changed, 448 insertions(+), 31 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h create mode 100644 doc/README.mxc_hab
Doing a make distclean; make mx6qsabresd_config; make and hexdump -C u-boot.imx | less
... 00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 |................| ^^^^^^^^^^^ 00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å| ...
shows the flash_offset value being written into the final generated image, wich is not correct.
Instead create flash_offset as static variable such that the generated image is "clean".
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00001000 13 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 |...ê.ð.å.ð.å.ð.å|
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v3: None Changes in v2: None
tools/imximage.c | 15 ++++++++------- tools/imximage.h | 1 - 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index c8a9ad5..a347b9b 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -52,6 +52,7 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; +static uint32_t imximage_flash_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -327,9 +328,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imxhdr->flash_offset = get_table_entry_id(imximage_bootops, + imximage_flash_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imxhdr->flash_offset == -1) { + if (imximage_flash_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -338,7 +339,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imxhdr->flash_offset = get_cfg_value(token, name, lineno); + imximage_flash_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -439,7 +440,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imxhdr->flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -497,14 +498,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imxhdr->flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_flash_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imxhdr->flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset);
/* * ROM bug alert @@ -515,7 +516,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imxhdr->flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index 214187b..ec629a5 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -147,7 +147,6 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; - uint32_t flash_offset; } __attribute__((aligned(4096)));
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr,
This better reflects the naming from the Reference Manual as well as fits better since "flash" is not really applicabe for SATA.
Signed-off-by: Stefano Babic sbabic@denx.de --- Changes in v3: None Changes in v2: None
tools/imximage.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index a347b9b..494446e 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -52,7 +52,8 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; -static uint32_t imximage_flash_offset; +/* Image Vector Table Offset */ +static uint32_t imximage_ivt_offset;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -328,9 +329,9 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_flash_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_bootops, "imximage boot option", token); - if (imximage_flash_offset == -1) { + if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); @@ -339,7 +340,7 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, cmd_ver_first = 0; break; case CMD_BOOT_OFFSET: - imximage_flash_offset = get_cfg_value(token, name, lineno); + imximage_ivt_offset = get_cfg_value(token, name, lineno); if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -440,7 +441,7 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) fclose(fd);
/* Exit if there is no BOOT_FROM field specifying the flash_offset */ - if (imximage_flash_offset == FLASH_OFFSET_UNDEFINED) { + if (imximage_ivt_offset == FLASH_OFFSET_UNDEFINED) { fprintf(stderr, "Error: No BOOT_FROM tag in %s\n", name); exit(EXIT_FAILURE); } @@ -498,14 +499,14 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, */ imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ - imximage_flash_offset = FLASH_OFFSET_UNDEFINED; + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ dcd_len = parse_cfg_file(imxhdr, params->imagename);
/* Set the imx header */ - (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_flash_offset); + (*set_imx_hdr)(imxhdr, dcd_len, params->ep, imximage_ivt_offset);
/* * ROM bug alert @@ -516,7 +517,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_flash_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); }
int imximage_check_params(struct mkimage_params *params)
Change to dynamically allocate the imx_header to correctly allocate the IVT, Boot Data and DCD at correct locations depending on the boot media.
Also check that the Image Vector Table Offset + IVT + Boot Data + DCD <= Initial Load Region Size.
Previously struct imx_header was always 4096 bytes and was not dealing correctly with the Image Vector Table Offset.
Now, the memory allocation looks for e.g. SD boot like this
Storage u-boot.imx RAM Device
00000000 177ff000 <-------------- | 00000400 00000000 d1 00 20 40 IVT.header 177ff400 <------- | 00000404 00000004 00 00 80 17 IVT.entry 177ff404 ----------- | 00000408 00000008 00 00 00 00 IVT.reserved1 177ff408 | | | 0000040C 0000000C 2c f4 7f 17 IVT.dcd 177ff40C ------ | | | 00000410 00000010 20 f4 7f 17 IVT.boot 177ff410 ---- | | | | 00000414 00000014 00 f4 7f 17 IVT.self 177ff414 -------- | | 00000418 00000018 00 00 00 00 IVT.csf 177ff418 | | | | 0000041C 0000001C 00 00 00 00 IVT.reserved2 177ff41C | | | | 00000420 00000020 00 f0 7f 17 BootData.start 177ff420 <--- | | --- 00000424 00000024 00 60 03 00 BootData.length 177ff424 | | 00000428 00000028 00 00 00 00 BootData.plugin 177ff428 | | 0000042C 0000002C d2 03 30 40 DCD.header 177ff42C <----- | ... | 00001000 00000c00 13 00 00 ea U-Boot Start 17800000 <----------
While at it also remove the unused #define HEADER_OFFSET.
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v3: None Changes in v2: - drop dead code (Marek Vasut)
tools/imximage.c | 43 ++++++++++++++++++++++++++++++++++++------- tools/imximage.h | 16 +++++++++++++--- 2 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 494446e..2b4909e 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -31,7 +31,7 @@ static table_entry_t imximage_cmds[] = { * Supported Boot options for configuration file * this is needed to set the correct flash offset */ -static table_entry_t imximage_bootops[] = { +static table_entry_t imximage_boot_offset[] = { {FLASH_OFFSET_ONENAND, "onenand", "OneNAND Flash",}, {FLASH_OFFSET_NAND, "nand", "NAND Flash", }, {FLASH_OFFSET_NOR, "nor", "NOR Flash", }, @@ -42,6 +42,20 @@ static table_entry_t imximage_bootops[] = { };
/* + * Supported Boot options for configuration file + * this is needed to determine the initial load size + */ +static table_entry_t imximage_boot_loadsize[] = { + {FLASH_LOADSIZE_ONENAND, "onenand", "OneNAND Flash",}, + {FLASH_LOADSIZE_NAND, "nand", "NAND Flash", }, + {FLASH_LOADSIZE_NOR, "nor", "NOR Flash", }, + {FLASH_LOADSIZE_SATA, "sata", "SATA Disk", }, + {FLASH_LOADSIZE_SD, "sd", "SD Card", }, + {FLASH_LOADSIZE_SPI, "spi", "SPI Flash", }, + {-1, "", "Invalid", }, +}; + +/* * IMXIMAGE version definition for i.MX chips */ static table_entry_t imximage_versions[] = { @@ -54,6 +68,8 @@ static struct imx_header imximage_header; static uint32_t imximage_version; /* Image Vector Table Offset */ static uint32_t imximage_ivt_offset; +/* Initial Load Region Size */ +static uint32_t imximage_init_loadsize;
static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; @@ -195,7 +211,8 @@ static void set_imx_hdr_v1(struct imx_header *imxhdr, uint32_t dcd_len, /* Set magic number */ fhdr_v1->app_code_barker = APP_CODE_BARKER;
- hdr_base = entry_point - sizeof(struct imx_header); + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + hdr_base = entry_point - 4096; fhdr_v1->app_dest_ptr = hdr_base - flash_offset; fhdr_v1->app_code_jump_vector = entry_point;
@@ -222,12 +239,13 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len,
fhdr_v2->entry = entry_point; fhdr_v2->reserved1 = fhdr_v2->reserved2 = 0; - fhdr_v2->self = hdr_base = entry_point - sizeof(struct imx_header); - + hdr_base = entry_point - imximage_init_loadsize + + flash_offset; + fhdr_v2->self = hdr_base; fhdr_v2->dcd_ptr = hdr_base + offsetof(imx_header_v2_t, dcd_table); fhdr_v2->boot_data_ptr = hdr_base + offsetof(imx_header_v2_t, boot_data); - hdr_v2->boot_data.start = hdr_base - flash_offset; + hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
/* Security feature are not supported */ fhdr_v2->csf = 0; @@ -329,13 +347,24 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, set_hdr_func(imxhdr); break; case CMD_BOOT_FROM: - imximage_ivt_offset = get_table_entry_id(imximage_bootops, + imximage_ivt_offset = get_table_entry_id(imximage_boot_offset, "imximage boot option", token); if (imximage_ivt_offset == -1) { fprintf(stderr, "Error: %s[%d] -Invalid boot device" "(%s)\n", name, lineno, token); exit(EXIT_FAILURE); } + + imximage_init_loadsize = + get_table_entry_id(imximage_boot_loadsize, + "imximage boot option", token); + + if (imximage_init_loadsize == -1) { + fprintf(stderr, + "Error: %s[%d] -Invalid boot device(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -517,7 +546,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * * The remaining fraction of a block bytes would not be loaded! */ - *header_size_ptr = ROUND(sbuf->st_size + imximage_ivt_offset, 4096); + *header_size_ptr = ROUND(sbuf->st_size, 4096); }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index ec629a5..bb04a43 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -13,14 +13,14 @@ #define APP_CODE_BARKER 0xB1 #define DCD_BARKER 0xB17219E9
-#define HEADER_OFFSET 0x400 - /* * NOTE: This file must be kept in sync with arch/arm/include/asm/\ * imx-common/imximage.cfg because tools/imximage.c can not * cross-include headers from arch/arm/ and vice-versa. */ #define CMD_DATA_STR "DATA" + +/* Initial Vector Table Offset */ #define FLASH_OFFSET_UNDEFINED 0xFFFFFFFF #define FLASH_OFFSET_STANDARD 0x400 #define FLASH_OFFSET_NAND FLASH_OFFSET_STANDARD @@ -30,6 +30,16 @@ #define FLASH_OFFSET_NOR 0x1000 #define FLASH_OFFSET_SATA FLASH_OFFSET_STANDARD
+/* Initial Load Region Size */ +#define FLASH_LOADSIZE_UNDEFINED 0xFFFFFFFF +#define FLASH_LOADSIZE_STANDARD 0x1000 +#define FLASH_LOADSIZE_NAND FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SD FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_SPI FLASH_LOADSIZE_STANDARD +#define FLASH_LOADSIZE_ONENAND 0x400 +#define FLASH_LOADSIZE_NOR 0x0 /* entire image */ +#define FLASH_LOADSIZE_SATA FLASH_LOADSIZE_STANDARD + #define IVT_HEADER_TAG 0xD1 #define IVT_VERSION 0x40 #define DCD_HEADER_TAG 0xD2 @@ -147,7 +157,7 @@ struct imx_header { imx_header_v1_t hdr_v1; imx_header_v2_t hdr_v2; } header; -} __attribute__((aligned(4096))); +};
typedef void (*set_dcd_val_t)(struct imx_header *imxhdr, char *name, int lineno,
Use previously unused return value of function vrec_header to return a padding size to generic mkimage. This padding size is used in copy_files to pad with zeros after copying the data image.
Signed-off-by: Stefano Babic sbabic@denx.de --- Changes in v3: None Changes in v2: None
tools/mkimage.c | 24 +++++++++++++++++++++--- tools/mkimage.h | 5 ++++- 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/tools/mkimage.c b/tools/mkimage.c index b700b9e..58d25fa 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -137,6 +137,7 @@ main (int argc, char **argv) char *ptr; int retval = 0; struct image_type_params *tparams = NULL; + int pad_len = 0;
/* Init Freescale PBL Boot image generation/list support */ init_pbl_image_type(); @@ -391,7 +392,7 @@ NXTARG: ; * allocate memory for the header itself. */ if (tparams->vrec_header) - tparams->vrec_header(¶ms, tparams); + pad_len = tparams->vrec_header(¶ms, tparams); else memset(tparams->hdr, 0, tparams->header_size);
@@ -463,7 +464,7 @@ NXTARG: ; /* PBL has special Image format, implements its' own */ pbl_load_uboot(ifd, ¶ms); } else { - copy_file (ifd, params.datafile, 0); + copy_file(ifd, params.datafile, pad_len); } }
@@ -537,10 +538,19 @@ copy_file (int ifd, const char *datafile, int pad) unsigned char *ptr; int tail; int zero = 0; + uint8_t zeros[4096]; int offset = 0; int size; struct image_type_params *tparams = mkimage_get_type (params.type);
+ if (pad >= sizeof(zeros)) { + fprintf(stderr, "%s: Can't pad to %d\n", + params.cmdname, pad); + exit(EXIT_FAILURE); + } + + memset(zeros, 0, sizeof(zeros)); + if (params.vflag) { fprintf (stderr, "Adding Image %s\n", datafile); } @@ -598,7 +608,8 @@ copy_file (int ifd, const char *datafile, int pad) exit (EXIT_FAILURE); }
- if (pad && ((tail = size % 4) != 0)) { + tail = size % 4; + if ((pad == 1) && (tail != 0)) {
if (write(ifd, (char *)&zero, 4-tail) != 4-tail) { fprintf (stderr, "%s: Write error on %s: %s\n", @@ -606,6 +617,13 @@ copy_file (int ifd, const char *datafile, int pad) strerror(errno)); exit (EXIT_FAILURE); } + } else if (pad > 1) { + if (write(ifd, (char *)&zeros, pad) != pad) { + fprintf(stderr, "%s: Write error on %s: %s\n", + params.cmdname, params.imagefile, + strerror(errno)); + exit(EXIT_FAILURE); + } }
(void) munmap((void *)ptr, sbuf.st_size); diff --git a/tools/mkimage.h b/tools/mkimage.h index 950e190..ecb3032 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -132,7 +132,10 @@ struct image_type_params { /* * This callback function will be executed for variable size record * It is expected to build this header in memory and return its length - * and a pointer to it + * and a pointer to it by using image_type_params.header_size and + * image_type_params.hdr. The return value shall indicate if an + * additional padding should be used when copying the data image + * by returning the padding length. */ int (*vrec_header) (struct mkimage_params *, struct image_type_params *);
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v3: - uses stat instead of open / fstat / close (Marek Vasut)
Changes in v2: None
tools/imximage.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 2 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 2b4909e..7281292 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -571,18 +571,88 @@ int imximage_check_params(struct mkimage_params *params) (params->xflag) || !(strlen(params->imagename)); }
+static int imximage_generate(struct mkimage_params *params, + struct image_type_params *tparams) +{ + struct imx_header *imxhdr; + size_t alloc_len; + int dfd; + struct stat sbuf; + char *datafile = params->datafile; + uint32_t pad_len; + + memset(&imximage_header, 0, sizeof(imximage_header)); + + /* + * In order to not change the old imx cfg file + * by adding VERSION command into it, here need + * set up function ptr group to V1 by default. + */ + imximage_version = IMXIMAGE_V1; + /* Be able to detect if the cfg file has no BOOT_FROM tag */ + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; + set_hdr_func(imxhdr); + + /* Parse dcd configuration file */ + parse_cfg_file(&imximage_header, params->imagename); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + alloc_len = 4096; + else + alloc_len = imximage_init_loadsize - imximage_ivt_offset; + + if (alloc_len < sizeof(struct imx_header)) { + fprintf(stderr, "%s: header error\n", + params->cmdname); + exit(EXIT_FAILURE); + } + + imxhdr = malloc(alloc_len); + + if (!imxhdr) { + fprintf(stderr, "%s: malloc return failure: %s\n", + params->cmdname, strerror(errno)); + exit(EXIT_FAILURE); + } + + memset(imxhdr, 0, alloc_len); + + tparams->header_size = alloc_len; + tparams->hdr = imxhdr; + + /* determine data image file length */ + + if (stat(datafile, &sbuf) < 0) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + pad_len = ROUND(sbuf.st_size, 4096) - sbuf.st_size; + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + return 0; + else + return pad_len; +} + + /* * imximage parameters */ static struct image_type_params imximage_params = { .name = "Freescale i.MX Boot Image support", - .header_size = sizeof(struct imx_header), - .hdr = (void *)&imximage_header, + .header_size = 0, + .hdr = NULL, .check_image_type = imximage_check_image_types, .verify_header = imximage_verify_header, .print_header = imximage_print_header, .set_header = imximage_set_header, .check_params = imximage_check_params, + .vrec_header = imximage_generate, };
void init_imx_image_type(void)
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v4: - fix crash when imximage_init_loadsize is not set Found during regression tests with boards ima3-mx53 and m53evk (Stefano Babic)
Changes in v3: - uses stat instead of open / fstat / close (Marek Vasut)
Changes in v2: None
tools/imximage.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 85 insertions(+), 3 deletions(-)
diff --git a/tools/imximage.c b/tools/imximage.c index 2b4909e..26460bf 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -365,6 +365,13 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, name, lineno, token); exit(EXIT_FAILURE); } + + /* + * The SOC loads from the storage starting at address 0 + * then ensures that the load size contains the offset + */ + if (imximage_init_loadsize < imximage_ivt_offset) + imximage_init_loadsize = imximage_ivt_offset; if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; @@ -439,7 +446,8 @@ static uint32_t parse_cfg_file(struct imx_header *imxhdr, char *name) exit(EXIT_FAILURE); }
- /* Very simple parsing, line starting with # are comments + /* + * Very simple parsing, line starting with # are comments * and are dropped */ while ((getline(&line, &len, fd)) > 0) { @@ -571,18 +579,92 @@ int imximage_check_params(struct mkimage_params *params) (params->xflag) || !(strlen(params->imagename)); }
+static int imximage_generate(struct mkimage_params *params, + struct image_type_params *tparams) +{ + struct imx_header *imxhdr; + size_t alloc_len; + struct stat sbuf; + char *datafile = params->datafile; + uint32_t pad_len; + + memset(&imximage_header, 0, sizeof(imximage_header)); + + /* + * In order to not change the old imx cfg file + * by adding VERSION command into it, here need + * set up function ptr group to V1 by default. + */ + imximage_version = IMXIMAGE_V1; + /* Be able to detect if the cfg file has no BOOT_FROM tag */ + imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; + set_hdr_func(imxhdr); + + /* Parse dcd configuration file */ + parse_cfg_file(&imximage_header, params->imagename); + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) { + alloc_len = 4096; + } else { + if (imximage_init_loadsize < imximage_ivt_offset + + sizeof(imx_header_v2_t)) + imximage_init_loadsize = imximage_ivt_offset + + sizeof(imx_header_v2_t); + alloc_len = imximage_init_loadsize - imximage_ivt_offset; + } + + if (alloc_len < sizeof(struct imx_header)) { + fprintf(stderr, "%s: header error\n", + params->cmdname); + exit(EXIT_FAILURE); + } + + imxhdr = malloc(alloc_len); + + if (!imxhdr) { + fprintf(stderr, "%s: malloc return failure: %s\n", + params->cmdname, strerror(errno)); + exit(EXIT_FAILURE); + } + + memset(imxhdr, 0, alloc_len); + + tparams->header_size = alloc_len; + tparams->hdr = imxhdr; + + /* determine data image file length */ + + if (stat(datafile, &sbuf) < 0) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + params->cmdname, datafile, strerror(errno)); + exit(EXIT_FAILURE); + } + + pad_len = ROUND(sbuf.st_size, 4096) - sbuf.st_size; + + /* TODO: check i.MX image V1 handling, for now use 'old' style */ + if (imximage_version == IMXIMAGE_V1) + return 0; + else + return pad_len; +} + + /* * imximage parameters */ static struct image_type_params imximage_params = { .name = "Freescale i.MX Boot Image support", - .header_size = sizeof(struct imx_header), - .hdr = (void *)&imximage_header, + .header_size = 0, + .hdr = NULL, .check_image_type = imximage_check_image_types, .verify_header = imximage_verify_header, .print_header = imximage_print_header, .set_header = imximage_set_header, .check_params = imximage_check_params, + .vrec_header = imximage_generate, };
void init_imx_image_type(void)
On 08/27/2013 08:17 AM, Stefano Babic wrote:
Implement function vrec_header to be able to pad the final data image file according the what has been calculated for boot_data.length.
Signed-off-by: Stefano Babic sbabic@denx.de
Changes in v4:
- fix crash when imximage_init_loadsize is not set
Found during regression tests with boards ima3-mx53 and m53evk (Stefano Babic)
Changes in v3:
- uses stat instead of open / fstat / close (Marek Vasut)
Changes in v2: None
tools/imximage.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 85 insertions(+), 3 deletions(-)
<snip>
+static int imximage_generate(struct mkimage_params *params,
- struct image_type_params *tparams)
+{
- struct imx_header *imxhdr;
- size_t alloc_len;
- struct stat sbuf;
- char *datafile = params->datafile;
- uint32_t pad_len;
- memset(&imximage_header, 0, sizeof(imximage_header));
- /*
* In order to not change the old imx cfg file* by adding VERSION command into it, here need* set up function ptr group to V1 by default.*/- imximage_version = IMXIMAGE_V1;
- /* Be able to detect if the cfg file has no BOOT_FROM tag */
- imximage_ivt_offset = FLASH_OFFSET_UNDEFINED;
- imximage_csf_size = 0;
- set_hdr_func(imxhdr);
Doesn't this line has compiling warning for you?
imximage.c: In function ‘imximage_generate’: imximage.c:634: warning: ‘imxhdr’ is used uninitialized in this function
York
Hi York,
On 11/09/2013 00:14, York Sun wrote:
+static int imximage_generate(struct mkimage_params *params,
- struct image_type_params *tparams)
+{
- struct imx_header *imxhdr;
- size_t alloc_len;
- struct stat sbuf;
- char *datafile = params->datafile;
- uint32_t pad_len;
- memset(&imximage_header, 0, sizeof(imximage_header));
- /*
* In order to not change the old imx cfg file* by adding VERSION command into it, here need* set up function ptr group to V1 by default.*/- imximage_version = IMXIMAGE_V1;
- /* Be able to detect if the cfg file has no BOOT_FROM tag */
- imximage_ivt_offset = FLASH_OFFSET_UNDEFINED;
- imximage_csf_size = 0;
- set_hdr_func(imxhdr);
Doesn't this line has compiling warning for you?
imximage.c: In function ‘imximage_generate’: imximage.c:634: warning: ‘imxhdr’ is used uninitialized in this function
I see the issue, but I hadn't warnings, gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5). Which gcc version do you have ?
Anyway, set_hdr_func() does not use parameters anymore. It can be converted to set_hdr_func(void) and we get rid of warnings.
Stefano
On 09/11/2013 12:13 AM, Stefano Babic wrote:
Hi York,
On 11/09/2013 00:14, York Sun wrote:
+static int imximage_generate(struct mkimage_params *params,
- struct image_type_params *tparams)
+{
- struct imx_header *imxhdr;
- size_t alloc_len;
- struct stat sbuf;
- char *datafile = params->datafile;
- uint32_t pad_len;
- memset(&imximage_header, 0, sizeof(imximage_header));
- /*
* In order to not change the old imx cfg file* by adding VERSION command into it, here need* set up function ptr group to V1 by default.*/- imximage_version = IMXIMAGE_V1;
- /* Be able to detect if the cfg file has no BOOT_FROM tag */
- imximage_ivt_offset = FLASH_OFFSET_UNDEFINED;
- imximage_csf_size = 0;
- set_hdr_func(imxhdr);
Doesn't this line has compiling warning for you?
imximage.c: In function ‘imximage_generate’: imximage.c:634: warning: ‘imxhdr’ is used uninitialized in this function
I see the issue, but I hadn't warnings, gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5). Which gcc version do you have ?
Anyway, set_hdr_func() does not use parameters anymore. It can be converted to set_hdr_func(void) and we get rid of warnings.
I have gcc version 4.6.2 and 4.7.2.
York
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g.
CSF 0x2000
in the imximage.cfg file.
This will set the CSF pointer accordingly just after the padded data image area. The boot_data.length is adjusted with the value from the imximage.cfg config file.
The resulting u-boot.imx can be signed with the FSL HAB tooling. The generated CSF block needs to be appended to the u-boot.imx.
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v3: - add info in the README where to find description of signing process in the Freescale Website (Otavio Salvador)
Changes in v2: - checkpatch warning - do not output HAB values when csf values are not defined by cfg
doc/README.imximage | 30 +++++++++++++++++++++++++++--- doc/README.mxc_hab | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/imximage.c | 41 ++++++++++++++++++++++++++++++++++++++--- tools/imximage.h | 3 ++- 4 files changed, 115 insertions(+), 7 deletions(-) create mode 100644 doc/README.mxc_hab
diff --git a/doc/README.imximage b/doc/README.imximage index 802eb90..dcda200 100644 --- a/doc/README.imximage +++ b/doc/README.imximage @@ -15,9 +15,6 @@ Booting from NOR flash does not require to use this image type. For more details refer Chapter 2 - System Boot and section 2.14 (flash header description) of the processor's manual.
-This implementation does not use at the moment the secure boot feature -of the processor. The image is generated disabling all security fields. - Command syntax: -------------- ./tools/mkimage -l <mx u-boot_file> @@ -86,6 +83,33 @@ Configuration command line syntax: Example: BOOT_FROM spi
+ CSF value + + Total size of CSF (Command Sequence File) + used for Secure Boot/ High Assurance Boot + (HAB). + + Using this command will populate the IVT + (Initial Vector Table) CSF pointer and adjust + the length fields only. The CSF itself needs + to be generated with Freescale tools and + 'manually' appended to the u-boot.imx file. + + The CSF is then simply concatenated + to the u-boot image, making a signed bootloader, + that the processor can verify + if the fuses for the keys are burned. + + Further infos how to configure the SOC to verify + the bootloader can be found in the "High + Assurance Boot Version Application Programming + Interface Reference Manual" as part of the + Freescale Code Signing Tool, available on the + manufacturer's website. + + Example: + CSF 0x2000 + DATA type address value
type: word=4, halfword=2, byte=1 diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab new file mode 100644 index 0000000..97f8b7d --- /dev/null +++ b/doc/README.mxc_hab @@ -0,0 +1,48 @@ +High Assurance Boot (HAB) for i.MX6 CPUs + +To authenticate U-Boot only by the CPU there is no code required in +U-Boot itself. However, the U-Boot image to be programmed into the +boot media needs to be properly constructed, i.e. it must contain a +proper Command Sequence File (CSF). + +The Initial Vector Table contains a pointer to the CSF. Please see +doc/README.imximage for how to prepare u-boot.imx. + +The CSF itself is being generated by Freescale HAB tools. + +mkimage will output additional information about "HAB Blocks" +which can be used in the Freescale tooling to authenticate U-Boot +(entries in the CSF file). + +Image Type: Freescale IMX Boot Image +Image Ver: 2 (i.MX53/6 compatible) +Data Size: 327680 Bytes = 320.00 kB = 0.31 MB +Load Address: 177ff420 +Entry Point: 17800000 +HAB Blocks: 177ff400 00000000 0004dc00 + ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ + | | | + | | -------- (1) + | | + | ------------------- (2) + | + --------------------------- (3) + +(1) Size of area in file u-boot.imx to sign + This area should include the IVT, the Boot Data the DCD + and U-Boot itself. +(2) Start of area in u-boot.imx to sign +(3) Start of area in RAM to authenticate + +CONFIG_SECURE_BOOT currently enables only an additional command +'hab_status' in U-Boot to retrieve the HAB status and events. This +can be useful while developing and testing HAB. + +Commands to generate a signed U-Boot using Freescale HAB tools: +cst --o U-Boot_CSF.bin < U-Boot.CSF +objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ + U-Boot_CSF.bin U-Boot_CSF_pad.bin +cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx + +NOTE: U-Boot_CSF.bin needs to be padded to the value specified in +the imximage.cfg file. diff --git a/tools/imximage.c b/tools/imximage.c index 7281292..2c4c84e 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -16,6 +16,8 @@ #include <image.h> #include "imximage.h"
+#define UNDEFINED 0xFFFFFFFF + /* * Supported commands for configuration file */ @@ -23,6 +25,7 @@ static table_entry_t imximage_cmds[] = { {CMD_BOOT_FROM, "BOOT_FROM", "boot command", }, {CMD_BOOT_OFFSET, "BOOT_OFFSET", "Boot offset", }, {CMD_DATA, "DATA", "Reg Write Data", }, + {CMD_CSF, "CSF", "Command Sequence File", }, {CMD_IMAGE_VERSION, "IMAGE_VERSION", "image version", }, {-1, "", "", }, }; @@ -66,8 +69,13 @@ static table_entry_t imximage_versions[] = {
static struct imx_header imximage_header; static uint32_t imximage_version; -/* Image Vector Table Offset */ -static uint32_t imximage_ivt_offset; +/* + * Image Vector Table Offset + * Initialized to a wrong not 4-bytes aligned address to + * check if it is was set by the cfg file. + */ +static uint32_t imximage_ivt_offset = UNDEFINED; +static uint32_t imximage_csf_size = UNDEFINED; /* Initial Load Region Size */ static uint32_t imximage_init_loadsize;
@@ -76,6 +84,7 @@ static set_dcd_rst_t set_dcd_rst; static set_imx_hdr_t set_imx_hdr; static uint32_t max_dcd_entries; static uint32_t *header_size_ptr; +static uint32_t *csf_ptr;
static uint32_t get_cfg_value(char *token, char *name, int linenr) { @@ -247,9 +256,10 @@ static void set_imx_hdr_v2(struct imx_header *imxhdr, uint32_t dcd_len, + offsetof(imx_header_v2_t, boot_data); hdr_v2->boot_data.start = entry_point - imximage_init_loadsize;
- /* Security feature are not supported */ fhdr_v2->csf = 0; + header_size_ptr = &hdr_v2->boot_data.size; + csf_ptr = &fhdr_v2->csf; }
static void set_hdr_func(struct imx_header *imxhdr) @@ -326,6 +336,13 @@ static void print_hdr_v2(struct imx_header *imx_hdr) genimg_print_size(hdr_v2->boot_data.size); printf("Load Address: %08x\n", (uint32_t)fhdr_v2->boot_data_ptr); printf("Entry Point: %08x\n", (uint32_t)fhdr_v2->entry); + if (fhdr_v2->csf && (imximage_ivt_offset != UNDEFINED) && + (imximage_csf_size != UNDEFINED)) { + printf("HAB Blocks: %08x %08x %08x\n", + (uint32_t)fhdr_v2->self, 0, + hdr_v2->boot_data.size - imximage_ivt_offset - + imximage_csf_size); + } }
static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, @@ -379,6 +396,17 @@ static void parse_cfg_cmd(struct imx_header *imxhdr, int32_t cmd, char *token, if (unlikely(cmd_ver_first != 1)) cmd_ver_first = 0; break; + case CMD_CSF: + if (imximage_version != 2) { + fprintf(stderr, + "Error: %s[%d] - CSF only supported for VERSION 2(%s)\n", + name, lineno, token); + exit(EXIT_FAILURE); + } + imximage_csf_size = get_cfg_value(token, name, lineno); + if (unlikely(cmd_ver_first != 1)) + cmd_ver_first = 0; + break; } }
@@ -529,6 +557,7 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, imximage_version = IMXIMAGE_V1; /* Be able to detect if the cfg file has no BOOT_FROM tag */ imximage_ivt_offset = FLASH_OFFSET_UNDEFINED; + imximage_csf_size = 0; set_hdr_func(imxhdr);
/* Parse dcd configuration file */ @@ -547,6 +576,12 @@ static void imximage_set_header(void *ptr, struct stat *sbuf, int ifd, * The remaining fraction of a block bytes would not be loaded! */ *header_size_ptr = ROUND(sbuf->st_size, 4096); + + if (csf_ptr && imximage_csf_size) { + *csf_ptr = params->ep - imximage_init_loadsize + + *header_size_ptr; + *header_size_ptr += imximage_csf_size; + } }
int imximage_check_params(struct mkimage_params *params) diff --git a/tools/imximage.h b/tools/imximage.h index bb04a43..efe6a88 100644 --- a/tools/imximage.h +++ b/tools/imximage.h @@ -52,7 +52,8 @@ enum imximage_cmd { CMD_IMAGE_VERSION, CMD_BOOT_FROM, CMD_BOOT_OFFSET, - CMD_DATA + CMD_DATA, + CMD_CSF, };
enum imximage_fld_types {
Add functions to report the HAB (High Assurance Boot) status of e.g. i.MX6 CPUs.
This is taken from
git://git.freescale.com/imx/uboot-imx.git branch imx_v2009.08_3.0.35_4.0.0 cpu/arm_cortexa8/mx6/generic.c include/asm-arm/arch-mx6/mx6_secure.h
Signed-off-by: Stefano Babic sbabic@denx.de
--- Changes in v3: None Changes in v2: - Fix errors when SECURE_BOOT is selected due to enum - simplify display_event code (Marek Vasut) - compile hab code only if SECURE_BOOT is set (Fabio Estevam) - update licence with SPDX line according to new rules.
arch/arm/cpu/armv7/mx6/Makefile | 7 +- arch/arm/cpu/armv7/mx6/hab.c | 104 ++++++++++++++++++++++++++++++ arch/arm/include/asm/arch-mx6/hab.h | 67 +++++++++++++++++++ arch/arm/include/asm/arch-mx6/imx-regs.h | 8 ++- 4 files changed, 182 insertions(+), 4 deletions(-) create mode 100644 arch/arm/cpu/armv7/mx6/hab.c create mode 100644 arch/arm/include/asm/arch-mx6/hab.h
diff --git a/arch/arm/cpu/armv7/mx6/Makefile b/arch/arm/cpu/armv7/mx6/Makefile index c5e9858..6d73617 100644 --- a/arch/arm/cpu/armv7/mx6/Makefile +++ b/arch/arm/cpu/armv7/mx6/Makefile @@ -11,10 +11,11 @@ include $(TOPDIR)/config.mk
LIB = $(obj)lib$(SOC).o
-COBJS = soc.o clock.o +COBJS-y = soc.o clock.o +COBJS-$(CONFIG_SECURE_BOOT) += hab.o
-SRCS := $(SOBJS:.o=.S) $(COBJS:.o=.c) -OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS)) +SRCS := $(SOBJS:.o=.S) $(COBJS-y:.o=.c) +OBJS := $(addprefix $(obj),$(SOBJS) $(COBJS-y))
all: $(obj).depend $(LIB)
diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c new file mode 100644 index 0000000..5187775 --- /dev/null +++ b/arch/arm/cpu/armv7/mx6/hab.c @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2010-2013 Freescale Semiconductor, Inc. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include <common.h> +#include <asm/io.h> +#include <asm/arch/hab.h> + +/* -------- start of HAB API updates ------------*/ +#define hab_rvt_report_event ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) +#define hab_rvt_report_status ((hab_rvt_report_status_t *)HAB_RVT_REPORT_STATUS) +#define hab_rvt_authenticate_image \ + ((hab_rvt_authenticate_image_t *)HAB_RVT_AUTHENTICATE_IMAGE) +#define hab_rvt_entry ((hab_rvt_entry_t *)HAB_RVT_ENTRY) +#define hab_rvt_exit ((hab_rvt_exit_t *)HAB_RVT_EXIT) +#define hab_rvt_clock_init HAB_RVT_CLOCK_INIT + +bool is_hab_enabled(void) +{ + struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR; + struct fuse_bank *bank = &ocotp->bank[0]; + struct fuse_bank0_regs *fuse = + (struct fuse_bank0_regs *)bank->fuse_regs; + uint32_t reg = readl(&fuse->cfg5); + + return (reg & 0x2) == 0x2; +} + +void display_event(uint8_t *event_data, size_t bytes) +{ + uint32_t i; + + if (!(event_data && bytes > 0)) + return; + + for (i = 0; i < bytes; i++) { + if (i == 0) + printf("\t0x%02x", event_data[i]); + else if ((i % 8) == 0) + printf("\n\t0x%02x", event_data[i]); + else + printf(" 0x%02x", event_data[i]); + } +} + +int get_hab_status(void) +{ + uint32_t index = 0; /* Loop index */ + uint8_t event_data[128]; /* Event data buffer */ + size_t bytes = sizeof(event_data); /* Event size in bytes */ + enum hab_config config = 0; + enum hab_state state = 0; + + if (is_hab_enabled()) + puts("\nSecure boot enabled\n"); + else + puts("\nSecure boot disabled\n"); + + /* Check HAB status */ + if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS) { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + + /* Display HAB Error events */ + while (hab_rvt_report_event(HAB_FAILURE, index, event_data, + &bytes) == HAB_SUCCESS) { + puts("\n"); + printf("--------- HAB Event %d -----------------\n", + index + 1); + puts("event data:\n"); + display_event(event_data, bytes); + puts("\n"); + bytes = sizeof(event_data); + index++; + } + } + /* Display message if no HAB events are found */ + else { + printf("\nHAB Configuration: 0x%02x, HAB State: 0x%02x\n", + config, state); + puts("No HAB Events Found!\n\n"); + } + return 0; +} + +int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) +{ + if ((argc != 1)) { + cmd_usage(cmdtp); + return 1; + } + + get_hab_status(); + + return 0; +} + +U_BOOT_CMD( + hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status, + "display HAB status", + "" + ); diff --git a/arch/arm/include/asm/arch-mx6/hab.h b/arch/arm/include/asm/arch-mx6/hab.h new file mode 100644 index 0000000..d724f20 --- /dev/null +++ b/arch/arm/include/asm/arch-mx6/hab.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2012 Freescale Semiconductor, Inc. All Rights Reserved. + * + * SPDX-License-Identifier: GPL-2.0+ + * +*/ + +#ifndef __SECURE_MX6Q_H__ +#define __SECURE_MX6Q_H__ + +#include <linux/types.h> + +/* -------- start of HAB API updates ------------*/ +/* The following are taken from HAB4 SIS */ + +/* Status definitions */ +enum hab_status { + HAB_STS_ANY = 0x00, + HAB_FAILURE = 0x33, + HAB_WARNING = 0x69, + HAB_SUCCESS = 0xf0 +}; + +/* Security Configuration definitions */ +enum hab_config { + HAB_CFG_RETURN = 0x33, /**< Field Return IC */ + HAB_CFG_OPEN = 0xf0, /**< Non-secure IC */ + HAB_CFG_CLOSED = 0xcc /**< Secure IC */ +}; + +/* State definitions */ +enum hab_state { + HAB_STATE_INITIAL = 0x33, /**< Initialising state (transitory) */ + HAB_STATE_CHECK = 0x55, /**< Check state (non-secure) */ + HAB_STATE_NONSECURE = 0x66, /**< Non-secure state */ + HAB_STATE_TRUSTED = 0x99, /**< Trusted state */ + HAB_STATE_SECURE = 0xaa, /**< Secure state */ + HAB_STATE_FAIL_SOFT = 0xcc, /**< Soft fail state */ + HAB_STATE_FAIL_HARD = 0xff, /**< Hard fail state (terminal) */ + HAB_STATE_NONE = 0xf0, /**< No security state machine */ + HAB_STATE_MAX +}; + +/*Function prototype description*/ +typedef enum hab_status hab_rvt_report_event_t(enum hab_status, uint32_t, + uint8_t* , size_t*); +typedef enum hab_status hab_rvt_report_status_t(enum hab_config *, + enum hab_state *); +typedef enum hab_status hab_loader_callback_f_t(void**, size_t*, const void*); +typedef enum hab_status hab_rvt_entry_t(void); +typedef enum hab_status hab_rvt_exit_t(void); +typedef void *hab_rvt_authenticate_image_t(uint8_t, ptrdiff_t, + void **, size_t *, hab_loader_callback_f_t); +typedef void hapi_clock_init_t(void); + +#define HAB_RVT_REPORT_EVENT (*(uint32_t *)0x000000B4) +#define HAB_RVT_REPORT_STATUS (*(uint32_t *)0x000000B8) +#define HAB_RVT_AUTHENTICATE_IMAGE (*(uint32_t *)0x000000A4) +#define HAB_RVT_ENTRY (*(uint32_t *)0x00000098) +#define HAB_RVT_EXIT (*(uint32_t *)0x0000009C) +#define HAB_RVT_CLOCK_INIT ((hapi_clock_init_t *)0x0000024D) + +#define HAB_CID_ROM 0 /**< ROM Caller ID */ +#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/ +/* ----------- end of HAB API updates ------------*/ + +#endif diff --git a/arch/arm/include/asm/arch-mx6/imx-regs.h b/arch/arm/include/asm/arch-mx6/imx-regs.h index 5d6bccb..621919f 100644 --- a/arch/arm/include/asm/arch-mx6/imx-regs.h +++ b/arch/arm/include/asm/arch-mx6/imx-regs.h @@ -456,7 +456,13 @@ struct fuse_bank0_regs { u32 uid_low; u32 rsvd1[3]; u32 uid_high; - u32 rsvd2[0x17]; + u32 rsvd2[3]; + u32 rsvd3[4]; + u32 rsvd4[4]; + u32 rsvd5[4]; + u32 cfg5; + u32 rsvd6[3]; + u32 rsvd7[4]; };
struct fuse_bank4_regs {
participants (9)
-
Bernhard Walle -
Eric Nelson -
Fabio Estevam -
Marek Vasut -
Otavio Salvador -
Stefano Babic -
Tom Rini -
Wolfgang Denk -
York Sun