[U-Boot] [PATCH 0/3] Add i.MX HAB encryption support
Hi all,
This patch is actually a follow-up of the one from Peng Fan: https://patchwork.ozlabs.org/patch/616568/
As he mentioned at the time, the current i.MX source code doesn't allow to build a U-Boot that supports encryption features (dek commands). The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks which is mandatory for the Freescale/NXP job ring code to build.
At the time of the original patch, Tom/Stefano said that a configuration would need to leverage those options and some of the config should be moved to Kconfig. The goal of this series is to enable it with the nitrogen6x platform configuration.
As a first version, this series only adds the CONFIG_SECURE_BOOT to the imx-common Kconfig so it can be enabled using menuconfig.
If this is not sufficient, the nitrogen6*_defconfig could be duplicated into nitrogen6*_hab_defconfig but it sounds like a lot of copy just to enable HAB features. No need to say that we would prefer keeping our default defconfig without the HAB feature enabled.
Then I think the variables could actually be moved from nitrogen6x.h to mx6_common.h and mx7_common.h. Maybe need to split it in 2 since CONFIG_CSF_SIZE is sufficient to achieve binary signature. The other options are only required if you want to encrypt the binary (which requires the use of dek_blob command.
Let me know your thoughts.
Regards, Gary
Gary Bisson (2): arm: imx-common: add SECURE_BOOT option to Kconfig nitrogen6x: add secure boot support
Peng Fan (1): arm: imx-common: introduce back usec2ticks
arch/arm/imx-common/Kconfig | 9 +++++++++ arch/arm/imx-common/timer.c | 16 ++++++++++++++++ board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/nitrogen6x.h | 9 +++++++++ 9 files changed, 52 insertions(+)
So the option can easily be selected through menuconfig.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- arch/arm/imx-common/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig index 1b7da5a..5ee230e 100644 --- a/arch/arm/imx-common/Kconfig +++ b/arch/arm/imx-common/Kconfig @@ -17,3 +17,12 @@ config IMX_BOOTAUX depends on ARCH_MX7 || ARCH_MX6 help bootaux [addr] to boot auxiliary core. + +config SECURE_BOOT + bool "Support i.MX HAB features" + depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 + help + This option enables the support for secure boot (HAB) which + includes adding a CSF section to the final imx image and + some security-related commands such as 'hab_status'. + See doc/README.mxc_hab for more details.
Nicely done Gary!
On 08/23/2016 02:55 PM, Gary Bisson wrote:
So the option can easily be selected through menuconfig.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
arch/arm/imx-common/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig index 1b7da5a..5ee230e 100644 --- a/arch/arm/imx-common/Kconfig +++ b/arch/arm/imx-common/Kconfig @@ -17,3 +17,12 @@ config IMX_BOOTAUX depends on ARCH_MX7 || ARCH_MX6 help bootaux [addr] to boot auxiliary core.
+config SECURE_BOOT
- bool "Support i.MX HAB features"
- depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
- help
This option enables the support for secure boot (HAB) whichincludes adding a CSF section to the final imx image and
^^^ This doesn't add a CSF section.
Perhaps this should say "can enable a conditional section of an i.MX configuration (.cfg) file when producing an imx image".
some security-related commands such as 'hab_status'.See doc/README.mxc_hab for more details.
You should probably include a note in README.mxc_hab about use in .cfg files.
Hi Eric, all,
On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
Nicely done Gary!
On 08/23/2016 02:55 PM, Gary Bisson wrote:
So the option can easily be selected through menuconfig.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
arch/arm/imx-common/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig index 1b7da5a..5ee230e 100644 --- a/arch/arm/imx-common/Kconfig +++ b/arch/arm/imx-common/Kconfig @@ -17,3 +17,12 @@ config IMX_BOOTAUX depends on ARCH_MX7 || ARCH_MX6 help bootaux [addr] to boot auxiliary core.
+config SECURE_BOOT
- bool "Support i.MX HAB features"
- depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
- help
This option enables the support for secure boot (HAB) whichincludes adding a CSF section to the final imx image and^^^This doesn't add a CSF section.
Perhaps this should say "can enable a conditional section of an i.MX configuration (.cfg) file when producing an imx image".
Well now that you pointed out this sentence, I realize that it doesn't even "add" the section per say, it just declares it in the IVT header. It is then up to you to create and concatenate the CSF binary to the u-boot.imx image.
For those not familiar with HAB: https://boundarydevices.com/high-assurance-boot-hab-dummies/
Maybe in V2 I should keep it simple and just point to the README: This option enables the support for secure boot (HAB). See doc/README.mxc_hab for more details.
some security-related commands such as 'hab_status'.See doc/README.mxc_hab for more details.You should probably include a note in README.mxc_hab about use in .cfg files.
Yes that is a good point, will do in V2.
Regards, Gary
Hi Gary,
On 08/24/2016 03:12 AM, Gary Bisson wrote:
Hi Eric, all,
On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
Nicely done Gary!
On 08/23/2016 02:55 PM, Gary Bisson wrote:
So the option can easily be selected through menuconfig.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
arch/arm/imx-common/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig index 1b7da5a..5ee230e 100644 --- a/arch/arm/imx-common/Kconfig +++ b/arch/arm/imx-common/Kconfig @@ -17,3 +17,12 @@ config IMX_BOOTAUX depends on ARCH_MX7 || ARCH_MX6 help bootaux [addr] to boot auxiliary core.
+config SECURE_BOOT
- bool "Support i.MX HAB features"
- depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
- help
This option enables the support for secure boot (HAB) whichincludes adding a CSF section to the final imx image and^^^This doesn't add a CSF section.
Perhaps this should say "can enable a conditional section of an i.MX configuration (.cfg) file when producing an imx image".
Well now that you pointed out this sentence, I realize that it doesn't even "add" the section per say, it just declares it in the IVT header. It is then up to you to create and concatenate the CSF binary to the u-boot.imx image.
For those not familiar with HAB: https://boundarydevices.com/high-assurance-boot-hab-dummies/
Nice!
Maybe in V2 I should keep it simple and just point to the README:
This option enables the support for secure boot (HAB). See doc/README.mxc_hab for more details.
Perfect.
I think most folks only glance at the help while in menuconfig and README.mxc_hab is a better place for background.
some security-related commands such as 'hab_status'.See doc/README.mxc_hab for more details.You should probably include a note in README.mxc_hab about use in .cfg files.
Yes that is a good point, will do in V2.
Regards, Gary
From: Peng Fan van.freenix@gmail.com
This commit "2bb014820c49a63902103bac710bc86b5772e843" do some clean up to use the code in lib/time.c. But usec2ticks is still being used by security related job ring code. Bring back the function to avoid build break when CONFIG_FSL_CAAM is defined. The computation logic has been changed, using 64-bit variable to ease the process, making it work on older (MX5) platforms.
Signed-off-by: Peng Fan van.freenix@gmail.com Signed-off-by: Troy Kisky troy.kisky@boundarydevices.com Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- arch/arm/imx-common/timer.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c index a01590c..a04c7ae 100644 --- a/arch/arm/imx-common/timer.c +++ b/arch/arm/imx-common/timer.c @@ -119,3 +119,19 @@ ulong get_tbclk(void) { return gpt_get_clk(); } + +/* + * This function is intended for SHORT delays only. + * It will overflow at around 10 seconds @ 400MHz, + * or 20 seconds @ 200MHz. + */ +unsigned long usec2ticks(unsigned long _usec) +{ + unsigned long long usec = _usec; + + usec *= get_tbclk(); + usec += 999999; + do_div(usec, 1000000); + + return usec; +}
Hi Gary and Peng,
On 08/23/2016 02:55 PM, Gary Bisson wrote:
From: Peng Fan van.freenix@gmail.com
This commit "2bb014820c49a63902103bac710bc86b5772e843" do some clean up to use the code in lib/time.c. But usec2ticks is still being used by security related job ring code. Bring back the function to avoid build break when CONFIG_FSL_CAAM is defined. The computation logic has been changed, using 64-bit variable to ease the process, making it work on older (MX5) platforms.
Signed-off-by: Peng Fan van.freenix@gmail.com Signed-off-by: Troy Kisky troy.kisky@boundarydevices.com Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
arch/arm/imx-common/timer.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c index a01590c..a04c7ae 100644 --- a/arch/arm/imx-common/timer.c +++ b/arch/arm/imx-common/timer.c @@ -119,3 +119,19 @@ ulong get_tbclk(void) { return gpt_get_clk(); }
+/*
- This function is intended for SHORT delays only.
- It will overflow at around 10 seconds @ 400MHz,
- or 20 seconds @ 200MHz.
- */
+unsigned long usec2ticks(unsigned long _usec) +{
- unsigned long long usec = _usec;
- usec *= get_tbclk();
- usec += 999999;
- do_div(usec, 1000000);
- return usec;
+}
What about the version in imx-common/syscounter.c?
It seems that only one should be needed.
Hi Eric, all,
On Tue, Aug 23, 2016 at 05:30:36PM -0700, Eric Nelson wrote:
Hi Gary and Peng,
On 08/23/2016 02:55 PM, Gary Bisson wrote:
From: Peng Fan van.freenix@gmail.com
This commit "2bb014820c49a63902103bac710bc86b5772e843" do some clean up to use the code in lib/time.c. But usec2ticks is still being used by security related job ring code. Bring back the function to avoid build break when CONFIG_FSL_CAAM is defined. The computation logic has been changed, using 64-bit variable to ease the process, making it work on older (MX5) platforms.
Signed-off-by: Peng Fan van.freenix@gmail.com Signed-off-by: Troy Kisky troy.kisky@boundarydevices.com Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
arch/arm/imx-common/timer.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c index a01590c..a04c7ae 100644 --- a/arch/arm/imx-common/timer.c +++ b/arch/arm/imx-common/timer.c @@ -119,3 +119,19 @@ ulong get_tbclk(void) { return gpt_get_clk(); }
+/*
- This function is intended for SHORT delays only.
- It will overflow at around 10 seconds @ 400MHz,
- or 20 seconds @ 200MHz.
- */
+unsigned long usec2ticks(unsigned long _usec) +{
- unsigned long long usec = _usec;
- usec *= get_tbclk();
- usec += 999999;
- do_div(usec, 1000000);
- return usec;
+}
What about the version in imx-common/syscounter.c?
It seems that only one should be needed.
Well syscounter.c is only built for mx7 platforms whereas timer.c only applies to mx6|mx5 (see Makefile).
Regards, Gary
Selecting the proper options to enable the build of the HAB tools.
Also adding a CSF section to the imx final image so it can contain the signature information.
Note, this support is disabled by default, one will have to select the SECURE_BOOT configuration through menuconfig to enable it.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/nitrogen6x.h | 9 +++++++++ 7 files changed, 27 insertions(+)
diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg index 1cdccad..5c3e961 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg index 516d67e..fe19ed0 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg index b6642e6..60e1885 100644 --- a/board/boundary/nitrogen6x/nitrogen6q.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg index fe6dfc1..7a3ee94 100644 --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg index ca30cd6..2540b7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg index b1489fb..946af7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h index b651eb3..3281e42 100644 --- a/include/configs/nitrogen6x.h +++ b/include/configs/nitrogen6x.h @@ -35,6 +35,15 @@ #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0) #endif
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif + /* I2C Configs */ #define CONFIG_SYS_I2C #define CONFIG_SYS_I2C_MXC
Hi Gary,
On 08/23/2016 02:55 PM, Gary Bisson wrote:
Selecting the proper options to enable the build of the HAB tools.
Also adding a CSF section to the imx final image so it can contain the signature information.
Note, this support is disabled by default, one will have to select the SECURE_BOOT configuration through menuconfig to enable it.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/nitrogen6x.h | 9 +++++++++ 7 files changed, 27 insertions(+)
diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg index 1cdccad..5c3e961 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg index 516d67e..fe19ed0 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg index b6642e6..60e1885 100644 --- a/board/boundary/nitrogen6x/nitrogen6q.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg index fe6dfc1..7a3ee94 100644 --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg index ca30cd6..2540b7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg index b1489fb..946af7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h index b651eb3..3281e42 100644 --- a/include/configs/nitrogen6x.h +++ b/include/configs/nitrogen6x.h @@ -35,6 +35,15 @@ #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0) #endif
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif
I agree with the comment in your cover letter, that this belongs in a common place.
Hi Eric, all,
On Tue, Aug 23, 2016 at 05:35:14PM -0700, Eric Nelson wrote:
Hi Gary,
On 08/23/2016 02:55 PM, Gary Bisson wrote:
Selecting the proper options to enable the build of the HAB tools.
Also adding a CSF section to the imx final image so it can contain the signature information.
Note, this support is disabled by default, one will have to select the SECURE_BOOT configuration through menuconfig to enable it.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com
board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/nitrogen6x.h | 9 +++++++++ 7 files changed, 27 insertions(+)
diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg index 1cdccad..5c3e961 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg index 516d67e..fe19ed0 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg index b6642e6..60e1885 100644 --- a/board/boundary/nitrogen6x/nitrogen6q.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg index fe6dfc1..7a3ee94 100644 --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg index ca30cd6..2540b7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg index b1489fb..946af7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h index b651eb3..3281e42 100644 --- a/include/configs/nitrogen6x.h +++ b/include/configs/nitrogen6x.h @@ -35,6 +35,15 @@ #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0) #endif
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif
I agree with the comment in your cover letter, that this belongs in a common place.
Does Fabio agree with that? Also, should we differenciate the options needed for signature only (SECURE_BOOT and CSF_SIZE) to the other that are only useful when encryption is needed.
Regards, Gary
Hi Gary,
On Wed, Aug 24, 2016 at 7:17 AM, Gary Bisson gary.bisson@boundarydevices.com wrote:
I agree with the comment in your cover letter, that this belongs in a common place.
Does Fabio agree with that? Also, should we differenciate the options
What about placing the options below:
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif
,into include/configs/mx6_common.h ?
Thanks
Hi all,
This patch is actually a follow-up of the one from Peng Fan: https://patchwork.ozlabs.org/patch/616568/
As he mentioned at the time, the current i.MX source code doesn't allow to build a U-Boot that supports encryption features (dek commands). The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks which is mandatory for the Freescale/NXP job ring code to build.
At the time of the original patch, Tom/Stefano said that a configuration would need to leverage those options and some of the config should be moved to Kconfig. The goal of this series is to enable it in the common mx6/7 configuration files.
The series also adds the missing CSF declaration in nitrogen6* cfg files.
Changes v1->v2: - Simplified the help comment of the SECURE_BOOT config option - Moved SECURE_BOOT options to mx6/7_common.h
Let me know your thoughts.
Regards, Gary
Gary Bisson (4): arm: imx-common: add SECURE_BOOT option to Kconfig mx6_common: add secure boot support mx7_common: add secure boot support nitrogen6x: add secure boot support
Peng Fan (1): arm: imx-common: introduce back usec2ticks
arch/arm/imx-common/Kconfig | 7 +++++++ arch/arm/imx-common/timer.c | 16 ++++++++++++++++ board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/colibri_imx7.h | 4 ---- include/configs/mx6_common.h | 9 +++++++++ include/configs/mx7_common.h | 9 +++++++++ include/configs/mx7dsabresd.h | 4 ---- 12 files changed, 59 insertions(+), 8 deletions(-)
So the option can easily be selected through menuconfig.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- arch/arm/imx-common/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig index 1b7da5a..1a09a2c 100644 --- a/arch/arm/imx-common/Kconfig +++ b/arch/arm/imx-common/Kconfig @@ -17,3 +17,10 @@ config IMX_BOOTAUX depends on ARCH_MX7 || ARCH_MX6 help bootaux [addr] to boot auxiliary core. + +config SECURE_BOOT + bool "Support i.MX HAB features" + depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 + help + This option enables the support for secure boot (HAB). + See doc/README.mxc_hab for more details.
From: Peng Fan van.freenix@gmail.com
This commit "2bb014820c49a63902103bac710bc86b5772e843" do some clean up to use the code in lib/time.c. But usec2ticks is still being used by security related job ring code. Bring back the function to avoid build break when CONFIG_FSL_CAAM is defined. The computation logic has been changed, using 64-bit variable to ease the process, making it work on older (MX5) platforms.
Signed-off-by: Peng Fan van.freenix@gmail.com Signed-off-by: Troy Kisky troy.kisky@boundarydevices.com Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- arch/arm/imx-common/timer.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c index a01590c..a04c7ae 100644 --- a/arch/arm/imx-common/timer.c +++ b/arch/arm/imx-common/timer.c @@ -119,3 +119,19 @@ ulong get_tbclk(void) { return gpt_get_clk(); } + +/* + * This function is intended for SHORT delays only. + * It will overflow at around 10 seconds @ 400MHz, + * or 20 seconds @ 200MHz. + */ +unsigned long usec2ticks(unsigned long _usec) +{ + unsigned long long usec = _usec; + + usec *= get_tbclk(); + usec += 999999; + do_div(usec, 1000000); + + return usec; +}
Selecting the proper options to enable the build of the HAB tools.
Note, this support is disabled by default, one will have to select the SECURE_BOOT configuration through menuconfig to enable it.
See doc/README.mxc_hab for more details.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- include/configs/mx6_common.h | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/include/configs/mx6_common.h b/include/configs/mx6_common.h index fb49322..02afe8a 100644 --- a/include/configs/mx6_common.h +++ b/include/configs/mx6_common.h @@ -93,4 +93,13 @@ #define CONFIG_CMD_FUSE #define CONFIG_MXC_OCOTP
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif + #endif
Selecting the proper options to enable the build of the HAB tools.
Note, this support is disabled by default, one will have to select the SECURE_BOOT configuration through menuconfig to enable it.
See doc/README.mxc_hab for more details.
Also remove duplicate options from board config headers.
Cc: Stefan Agner stefan.agner@toradex.com Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- include/configs/colibri_imx7.h | 4 ---- include/configs/mx7_common.h | 9 +++++++++ include/configs/mx7dsabresd.h | 4 ---- 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/include/configs/colibri_imx7.h b/include/configs/colibri_imx7.h index 9da219c..486f2a4 100644 --- a/include/configs/colibri_imx7.h +++ b/include/configs/colibri_imx7.h @@ -29,10 +29,6 @@ /* Size of malloc() pool */ #define CONFIG_SYS_MALLOC_LEN (32 * SZ_1M)
-/* Uncomment to enable secure boot support */ -/* #define CONFIG_SECURE_BOOT */ -#define CONFIG_CSF_SIZE 0x4000 - #define CONFIG_CMD_BMODE
/* Network */ diff --git a/include/configs/mx7_common.h b/include/configs/mx7_common.h index 7295fa6..c339e24 100644 --- a/include/configs/mx7_common.h +++ b/include/configs/mx7_common.h @@ -76,4 +76,13 @@ #define CONFIG_ARMV7_PSCI_NR_CPUS 2 #define CONFIG_ARMV7_SECURE_BASE 0x00900000
+/* Secure boot (HAB) support */ +#ifdef CONFIG_SECURE_BOOT +#define CONFIG_CSF_SIZE 0x2000 +#define CONFIG_SYS_FSL_SEC_COMPAT 4 +#define CONFIG_FSL_CAAM +#define CONFIG_CMD_DEKBLOB +#define CONFIG_SYS_FSL_SEC_LE +#endif + #endif diff --git a/include/configs/mx7dsabresd.h b/include/configs/mx7dsabresd.h index 822d81f..f2d5dea 100644 --- a/include/configs/mx7dsabresd.h +++ b/include/configs/mx7dsabresd.h @@ -24,10 +24,6 @@
#define CONFIG_DISPLAY_BOARDINFO
-/* Uncomment to enable secure boot support */ -/* #define CONFIG_SECURE_BOOT */ -#define CONFIG_CSF_SIZE 0x4000 - /* Network */ #define CONFIG_FEC_MXC #define CONFIG_MII
Declaring a CSF section makes the imximage tool increase the size of data to be loaded by the BootROM and also adds a pointer to that CSF section in the IVT header to the BootROM can check the signature.
Signed-off-by: Gary Bisson gary.bisson@boundarydevices.com --- board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ 6 files changed, 18 insertions(+)
diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg index 1cdccad..5c3e961 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg index 516d67e..fe19ed0 100644 --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg index b6642e6..60e1885 100644 --- a/board/boundary/nitrogen6x/nitrogen6q.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg index fe6dfc1..7a3ee94 100644 --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg index ca30cd6..2540b7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h" diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg index b1489fb..946af7b 100644 --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg @@ -20,6 +20,9 @@ BOOT_FROM spi
#define __ASSEMBLY__ #include <config.h> +#ifdef CONFIG_SECURE_BOOT +CSF CONFIG_CSF_SIZE +#endif #include "asm/arch/mx6-ddr.h" #include "asm/arch/iomux.h" #include "asm/arch/crm_regs.h"
Hi Gary,
On 25/08/2016 19:03, Gary Bisson wrote:
Hi all,
This patch is actually a follow-up of the one from Peng Fan: https://patchwork.ozlabs.org/patch/616568/
As he mentioned at the time, the current i.MX source code doesn't allow to build a U-Boot that supports encryption features (dek commands). The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks which is mandatory for the Freescale/NXP job ring code to build.
At the time of the original patch, Tom/Stefano said that a configuration would need to leverage those options and some of the config should be moved to Kconfig. The goal of this series is to enable it in the common mx6/7 configuration files.
The series also adds the missing CSF declaration in nitrogen6* cfg files.
Changes v1->v2:
- Simplified the help comment of the SECURE_BOOT config option
- Moved SECURE_BOOT options to mx6/7_common.h
Let me know your thoughts.
Regards, Gary
Gary Bisson (4): arm: imx-common: add SECURE_BOOT option to Kconfig mx6_common: add secure boot support mx7_common: add secure boot support nitrogen6x: add secure boot support
Peng Fan (1): arm: imx-common: introduce back usec2ticks
arch/arm/imx-common/Kconfig | 7 +++++++ arch/arm/imx-common/timer.c | 16 ++++++++++++++++ board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ include/configs/colibri_imx7.h | 4 ---- include/configs/mx6_common.h | 9 +++++++++ include/configs/mx7_common.h | 9 +++++++++ include/configs/mx7dsabresd.h | 4 ---- 12 files changed, 59 insertions(+), 8 deletions(-)
Applied to u-boot-imx, thanks - sorry for delay !
Best regards, Stefano Babic
participants (4)
-
Eric Nelson -
Fabio Estevam -
Gary Bisson -
Stefano Babic