[u-boot,v2019.04-aspeed-openbmc,v2,0/6] FIT verification

Message ID	20210127070054.81719-1-joel@jms.id.au
Headers	show Return-Path: <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: Joel Stanley <joel@jms.id.au> To: Andrew Jeffery <andrew@aj.id.au>, Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>, Ryan Chen <ryan_chen@aspeedtech.com>, openbmc@lists.ozlabs.org Subject: [PATCH u-boot v2019.04-aspeed-openbmc v2 0/6] FIT verification Date: Wed, 27 Jan 2021 17:30:48 +1030 Message-Id: <20210127070054.81719-1-joel@jms.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "openbmc" <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	FIT verification \| expand [u-boot,v2019.04-aspeed-openbmc,v2,0/6] FIT verification [u-boot,v2019.04-aspeed-openbmc,v2,1/6] ast2600: Modify SPL SRAM layout [u-boot,v2019.04-aspeed-openbmc,v2,2/6] config: ast2600: Enable FIT signature verification [u-boot,v2019.04-aspeed-openbmc,v2,3/6] ast2600: Allow selection of SPL boot devices [u-boot,v2019.04-aspeed-openbmc,v2,4/6] config: ast2600: Disable unused features [u-boot,v2019.04-aspeed-openbmc,v2,5/6] config: ast2600: Disable SPL ymodem support [u-boot,v2019.04-aspeed-openbmc,v2,6/6] config: ast2600: Reduce SPL image size

Message ID

20210127070054.81719-1-joel@jms.id.au

Headers

From: Joel Stanley <joel@jms.id.au>
To: Andrew Jeffery <andrew@aj.id.au>,
 Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>,
 Ryan Chen <ryan_chen@aspeedtech.com>, openbmc@lists.ozlabs.org
Subject: [PATCH u-boot v2019.04-aspeed-openbmc v2 0/6] FIT verification
Date: Wed, 27 Jan 2021 17:30:48 +1030
Message-Id: <20210127070054.81719-1-joel@jms.id.au>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "openbmc"
 <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

FIT verification | expand

Message

Joel Stanley Jan. 27, 2021, 7 a.m. UTC

As part of our effort to enable secure boot in openbmc, this turns on
FIT verification in the SPL and u-boot.

It adjusts the SRAM layout to accommodate the extra code size, moving
the heap to the non-parity checked 24KB of SRAM.

It also modifies the way the SPL is built, including disabling features.
This reduces the SPL size to 59716, meaning we could choose to leave
ymodem support in the build for now. Please voice your thoughts when
reviewing.

Joel Stanley (6):
  ast2600: Modify SPL SRAM layout
  config: ast2600: Enable FIT signature verification
  ast2600: Allow selection of SPL boot devices
  config: ast2600: Disable unused features
  config: ast2600: Disable SPL ymodem support
  config: ast2600: Reduce SPL image size

 arch/arm/mach-aspeed/ast2600/Kconfig       | 12 ++++++++++++
 arch/arm/mach-aspeed/ast2600/spl_boot.c    |  9 +++++++++
 configs/ast2600_openbmc_spl_emmc_defconfig | 13 +++++++++++--
 include/configs/evb_ast2600a1_spl.h        |  4 ++--
 4 files changed, 34 insertions(+), 4 deletions(-)

Comments

Andrew Jeffery Jan. 27, 2021, 11:40 p.m. UTC | #1

On Wed, 27 Jan 2021, at 17:30, Joel Stanley wrote:
> As part of our effort to enable secure boot in openbmc, this turns on
> FIT verification in the SPL and u-boot.
> 
> It adjusts the SRAM layout to accommodate the extra code size, moving
> the heap to the non-parity checked 24KB of SRAM.
> 
> It also modifies the way the SPL is built, including disabling features.
> This reduces the SPL size to 59716, meaning we could choose to leave
> ymodem support in the build for now. Please voice your thoughts when
> reviewing.

If we leave ymodem in, after signing we have 1536 bytes spare*.

I suggest we drop the patch disabling ymodem support so we don't have to build 
a separate SPL config if we want to recover.

Andrew

* Signing requires 512-byte alignment, and aligns the signed image size to a 
512-byte boundary. So: (64×1024)−((59716+3656+(512−1))&(~(512−1))+512)