
[U-Boot,v6,00/25] Fix and extend i.MX HAB layer

Message ID 1515760819-15116-1-git-send-email-bryan.odonoghue@linaro.org

Message

Bryan O'Donoghue Jan. 12, 2018, 12:39 p.m. UTC
v6:
- Added patch 21/25 return zero on open (unlocked) board when
  calling authenticate_image() - Breno
  
- Added Tested-by: Breno Matheus Lima <brenomatheus@gmail.com>
  as indicated for remainder 24/25 patches

- Added Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
  as indicated for remainder 24/25 patches

v5:
- Drop dcache disable across HAB call.
  We can't replicate this error on the current codebase and the available
  images. We'll have to wait for the error to crop up again before pushing
  that patch any further.

v4:
- No change mixed extra patches @ v3 unnoticed with previous
  git-send

v3:
- Only call into ROM if headers are verified. - Bryan

- Print HAB event log if and only if a call was made to HAB
  and a meaningful status code has been obtained. - Breno

v2:
- Fix compilation warnings and errors in SPL highlighted by 
  Breno Matheus Lima

- Add CC: Breno Matheus Lima <brenomatheus@gmail.com> to all patches

v1:
This patchset updates the i.MX HAB layer in u-boot to fix a list of
identified issues and then to add and extend existing functionality.

The first block of patches 0001-0006 deal with fixing existing code,

- Fixes indentation
- Fixes the treatment of input parameters to hab_auth_image.

The second block of patches 0007-0013 are about tidying up the HAB code

- Remove reliance on hard-coding to specific offsets
- IVT header drives locating CSF
- Continue to support existing boards

Patches 0014 onwards extend out the HAB functionality.

- hab_rvt_check_target is a recommended check in the NXP documents to
  perform prior to hab_rvt_authenticate_image
- hab_rvt_failsafe is a useful function to set the board into BootROM
  USB recovery mode.



Bryan O'Donoghue (25):
  arm: imx: hab: Make authenticate_image return int
  arm: imx: hab: Fix authenticate_image result code
  arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
  arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
  arm: imx: hab: Move IVT_SIZE to hab.h
  arm: imx: hab: Move CSF_PAD_SIZE to hab.h
  arm: imx: hab: Fix authenticate_image input parameters
  arm: imx: hab: Add IVT header definitions
  arm: imx: hab: Add IVT header verification
  arm: imx: hab: Verify IVT self matches calculated address
  arm: imx: hab: Only call ROM once headers are verified
  arm: imx: hab: Print CSF based on IVT descriptor
  arm: imx: hab: Print additional IVT elements during debug
  arm: imx: hab: Define rvt_check_target()
  arm: imx: hab: Implement hab_rvt_check_target
  arm: imx: hab: Add a hab_rvt_check_target to image auth
  arm: imx: hab: Print HAB event log only after calling ROM
  arm: imx: hab: Make internal functions and data static
  arm: imx: hab: Prefix authenticate_image with imx_hab
  arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
  arm: imx: hab: Make authenticate_image() return zero on open boards
  arm: imx: hab: Make imx_hab_is_enabled global
  arm: imx: hab: Define rvt_failsafe()
  arm: imx: hab: Implement hab_rvt_failsafe
  arm: imx: hab: Add hab_failsafe console command

 arch/arm/include/asm/mach-imx/hab.h |  46 +++-
 arch/arm/mach-imx/hab.c             | 461 +++++++++++++++++++++---------------
 arch/arm/mach-imx/spl.c             |  38 ++-
 3 files changed, 354 insertions(+), 191 deletions(-)

Comments

Jagan Teki Feb. 8, 2018, 12:43 p.m. UTC | #1
On Fri, Jan 12, 2018 at 6:09 PM, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> wrote:
> v6:
> - Added patch 21/25 return zero on open (unlocked) board when
>   calling authenticate_image() - Breno
>
> - Added Tested-by: Breno Matheus Lima <brenomatheus@gmail.com>
>   as indicated for remainder 24/25 patches
>
> - Added Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
>   as indicated for remainder 24/25 patches
>
> v5:
> - Drop dcache disable across HAB call.
>   We can't replicate this error on the current codebase and the available
>   images. We'll have to wait for the error to crop up again before pushing
>   that patch any further.
>
> v4:
> - No change mixed extra patches @ v3 unnoticed with previous
>   git-send
>
> v3:
> - Only call into ROM if headers are verified. - Bryan
>
> - Print HAB event log if and only if a call was made to HAB
>   and a meaningful status code has been obtained. - Breno
>
> v2:
> - Fix compilation warnings and errors in SPL highlighted by
>   Breno Matheus Lima
>
> - Add CC: Breno Matheus Lima <brenomatheus@gmail.com> to all patches
>
> v1:
> This patchset updates the i.MX HAB layer in u-boot to fix a list of
> identified issues and then to add and extend existing functionality.
>
> The first block of patches 0001-0006 deal with fixing existing code,
>
> - Fixes indentation
> - Fixes the treatment of input parameters to hab_auth_image.
>
> The second block of patches 0007-0013 are about tidying up the HAB code
>
> - Remove reliance on hard-coding to specific offsets
> - IVT header drives locating CSF
> - Continue to support existing boards
>
> Patches 0014 onwards extend out the HAB functionality.
>
> - hab_rvt_check_target is a recommended check in the NXP documents to
>   perform prior to hab_rvt_authenticate_image
> - hab_rvt_failsafe is a useful function to set the board into BootROM
>   USB recovery mode.
>
>
>
> Bryan O'Donoghue (25):
>   arm: imx: hab: Make authenticate_image return int
>   arm: imx: hab: Fix authenticate_image result code
>   arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>   arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>   arm: imx: hab: Move IVT_SIZE to hab.h
>   arm: imx: hab: Move CSF_PAD_SIZE to hab.h
>   arm: imx: hab: Fix authenticate_image input parameters
>   arm: imx: hab: Add IVT header definitions
>   arm: imx: hab: Add IVT header verification
>   arm: imx: hab: Verify IVT self matches calculated address
>   arm: imx: hab: Only call ROM once headers are verified
>   arm: imx: hab: Print CSF based on IVT descriptor
>   arm: imx: hab: Print additional IVT elements during debug
>   arm: imx: hab: Define rvt_check_target()
>   arm: imx: hab: Implement hab_rvt_check_target
>   arm: imx: hab: Add a hab_rvt_check_target to image auth
>   arm: imx: hab: Print HAB event log only after calling ROM
>   arm: imx: hab: Make internal functions and data static
>   arm: imx: hab: Prefix authenticate_image with imx_hab
>   arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
>   arm: imx: hab: Make authenticate_image() return zero on open boards
>   arm: imx: hab: Make imx_hab_is_enabled global
>   arm: imx: hab: Define rvt_failsafe()
>   arm: imx: hab: Implement hab_rvt_failsafe
>   arm: imx: hab: Add hab_failsafe console command
>
>  arch/arm/include/asm/mach-imx/hab.h |  46 +++-
>  arch/arm/mach-imx/hab.c             | 461 +++++++++++++++++++++---------------
>  arch/arm/mach-imx/spl.c             |  38 ++-
>  3 files changed, 354 insertions(+), 191 deletions(-)

I tried Secure boot before[1] with SPL and U-Boot proper and it worked well.

I'm observing an authentication issue while loading U-Boot proper; U-Boot
proper now has features like SPL DM and SPL FIT etc.

U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
Trying to boot from MMC1
Expected Linux image is not found. Trying to start U-boot

Authenticate image from DDR location 0x17800000...
bad magic magic=0xb8 length=0x841b version=0x17
bad length magic=0xb8 length=0x841b version=0x17
bad version magic=0xb8 length=0x841b version=0x17
spl: ERROR:  image authentication unsuccessful
### ERROR ### Please RESET the board ###

Please let me know what I missed; I'm authenticating SPL and
u-boot-dtb.img now.

[1] https://openedev.amarulasolutions.com/display/ODUBOOT/SPL+HABv4

Bryan O'Donoghue Feb. 8, 2018, 2:39 p.m. UTC | #2
On 08/02/18 12:43, Jagan Teki wrote:
> On Fri, Jan 12, 2018 at 6:09 PM, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> wrote:
>> v6:
>> - Added patch 21/25 return zero on open (unlocked) board when
>>    calling authenticate_image() - Breno
>>
>> - Added Tested-by: Breno Matheus Lima <brenomatheus@gmail.com>
>>    as indicated for remainder 24/25 patches
>>
>> - Added Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
>>    as indicated for remainder 24/25 patches
>>
>> v5:
>> - Drop dcache disable across HAB call.
>>    We can't replicate this error on the current codebase and the available
>>    images. We'll have to wait for the error to crop up again before pushing
>>    that patch any further.
>>
>> v4:
>> - No change mixed extra patches @ v3 unnoticed with previous
>>    git-send
>>
>> v3:
>> - Only call into ROM if headers are verified. - Bryan
>>
>> - Print HAB event log if and only if a call was made to HAB
>>    and a meaningful status code has been obtained. - Breno
>>
>> v2:
>> - Fix compilation warnings and errors in SPL highlighted by
>>    Breno Matheus Lima
>>
>> - Add CC: Breno Matheus Lima <brenomatheus@gmail.com> to all patches
>>
>> v1:
>> This patchset updates the i.MX HAB layer in u-boot to fix a list of
>> identified issues and then to add and extend existing functionality.
>>
>> The first block of patches 0001-0006 deal with fixing existing code,
>>
>> - Fixes indentation
>> - Fixes the treatment of input parameters to hab_auth_image.
>>
>> The second block of patches 0007-0013 are about tidying up the HAB code
>>
>> - Remove reliance on hard-coding to specific offsets
>> - IVT header drives locating CSF
>> - Continue to support existing boards
>>
>> Patches 0014 onwards extend out the HAB functionality.
>>
>> - hab_rvt_check_target is a recommended check in the NXP documents to
>>    perform prior to hab_rvt_authenticate_image
>> - hab_rvt_failsafe is a useful function to set the board into BootROM
>>    USB recovery mode.
>>
>>
>>
>> Bryan O'Donoghue (25):
>>    arm: imx: hab: Make authenticate_image return int
>>    arm: imx: hab: Fix authenticate_image result code
>>    arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>>    arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>>    arm: imx: hab: Move IVT_SIZE to hab.h
>>    arm: imx: hab: Move CSF_PAD_SIZE to hab.h
>>    arm: imx: hab: Fix authenticate_image input parameters
>>    arm: imx: hab: Add IVT header definitions
>>    arm: imx: hab: Add IVT header verification
>>    arm: imx: hab: Verify IVT self matches calculated address
>>    arm: imx: hab: Only call ROM once headers are verified
>>    arm: imx: hab: Print CSF based on IVT descriptor
>>    arm: imx: hab: Print additional IVT elements during debug
>>    arm: imx: hab: Define rvt_check_target()
>>    arm: imx: hab: Implement hab_rvt_check_target
>>    arm: imx: hab: Add a hab_rvt_check_target to image auth
>>    arm: imx: hab: Print HAB event log only after calling ROM
>>    arm: imx: hab: Make internal functions and data static
>>    arm: imx: hab: Prefix authenticate_image with imx_hab
>>    arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
>>    arm: imx: hab: Make authenticate_image() return zero on open boards
>>    arm: imx: hab: Make imx_hab_is_enabled global
>>    arm: imx: hab: Define rvt_failsafe()
>>    arm: imx: hab: Implement hab_rvt_failsafe
>>    arm: imx: hab: Add hab_failsafe console command
>>
>>   arch/arm/include/asm/mach-imx/hab.h |  46 +++-
>>   arch/arm/mach-imx/hab.c             | 461 +++++++++++++++++++++---------------
>>   arch/arm/mach-imx/spl.c             |  38 ++-
>>   3 files changed, 354 insertions(+), 191 deletions(-)
> 
> I tried Secure boot before[1] with SPL and U-Boot proper and work well.
> 
> I'm observing authentication issue while loading U-Boot proper, U-Boot
> proper now have features like SPL DM and SPL FIT etc
> 
> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
> Trying to boot from MMC1
> Expected Linux image is not found. Trying to start U-boot
> 
> Authenticate image from DDR location 0x17800000...
> bad magic magic=0xb8 length=0x841b version=0x17
> bad length magic=0xb8 length=0x841b version=0x17
> bad version magic=0xb8 length=0x841b version=0x17
> spl: ERROR:  image authentication unsuccessful
> ### ERROR ### Please RESET the board ###
> 
> Please let me know where I missed, I'm authenticating SPL and
> u-boot-dtb.img now.

Can you send

1. The load address of the binary
2. The command you are using to authenticate the image?

Breno Matheus Lima Feb. 8, 2018, 3:05 p.m. UTC | #3
Hi Jagan,

2018-02-08 10:43 GMT-02:00 Jagan Teki <jagan@amarulasolutions.com>:
> On Fri, Jan 12, 2018 at 6:09 PM, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> wrote:
>> v6:
>> - Added patch 21/25 return zero on open (unlocked) board when
>>   calling authenticate_image() - Breno
>>
>> - Added Tested-by: Breno Matheus Lima <brenomatheus@gmail.com>
>>   as indicated for remainder 24/25 patches
>>
>> - Added Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
>>   as indicated for remainder 24/25 patches
>>
>> v5:
>> - Drop dcache disable across HAB call.
>>   We can't replicate this error on the current codebase and the available
>>   images. We'll have to wait for the error to crop up again before pushing
>>   that patch any further.
>>
>> v4:
>> - No change mixed extra patches @ v3 unnoticed with previous
>>   git-send
>>
>> v3:
>> - Only call into ROM if headers are verified. - Bryan
>>
>> - Print HAB event log if and only if a call was made to HAB
>>   and a meaningful status code has been obtained. - Breno
>>
>> v2:
>> - Fix compilation warnings and errors in SPL highlighted by
>>   Breno Matheus Lima
>>
>> - Add CC: Breno Matheus Lima <brenomatheus@gmail.com> to all patches
>>
>> v1:
>> This patchset updates the i.MX HAB layer in u-boot to fix a list of
>> identified issues and then to add and extend existing functionality.
>>
>> The first block of patches 0001-0006 deal with fixing existing code,
>>
>> - Fixes indentation
>> - Fixes the treatment of input parameters to hab_auth_image.
>>
>> The second block of patches 0007-0013 are about tidying up the HAB code
>>
>> - Remove reliance on hard-coding to specific offsets
>> - IVT header drives locating CSF
>> - Continue to support existing boards
>>
>> Patches 0014 onwards extend out the HAB functionality.
>>
>> - hab_rvt_check_target is a recommended check in the NXP documents to
>>   perform prior to hab_rvt_authenticate_image
>> - hab_rvt_failsafe is a useful function to set the board into BootROM
>>   USB recovery mode.
>>
>>
>>
>> Bryan O'Donoghue (25):
>>   arm: imx: hab: Make authenticate_image return int
>>   arm: imx: hab: Fix authenticate_image result code
>>   arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>>   arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>>   arm: imx: hab: Move IVT_SIZE to hab.h
>>   arm: imx: hab: Move CSF_PAD_SIZE to hab.h
>>   arm: imx: hab: Fix authenticate_image input parameters
>>   arm: imx: hab: Add IVT header definitions
>>   arm: imx: hab: Add IVT header verification
>>   arm: imx: hab: Verify IVT self matches calculated address
>>   arm: imx: hab: Only call ROM once headers are verified
>>   arm: imx: hab: Print CSF based on IVT descriptor
>>   arm: imx: hab: Print additional IVT elements during debug
>>   arm: imx: hab: Define rvt_check_target()
>>   arm: imx: hab: Implement hab_rvt_check_target
>>   arm: imx: hab: Add a hab_rvt_check_target to image auth
>>   arm: imx: hab: Print HAB event log only after calling ROM
>>   arm: imx: hab: Make internal functions and data static
>>   arm: imx: hab: Prefix authenticate_image with imx_hab
>>   arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
>>   arm: imx: hab: Make authenticate_image() return zero on open boards
>>   arm: imx: hab: Make imx_hab_is_enabled global
>>   arm: imx: hab: Define rvt_failsafe()
>>   arm: imx: hab: Implement hab_rvt_failsafe
>>   arm: imx: hab: Add hab_failsafe console command
>>
>>  arch/arm/include/asm/mach-imx/hab.h |  46 +++-
>>  arch/arm/mach-imx/hab.c             | 461 +++++++++++++++++++++---------------
>>  arch/arm/mach-imx/spl.c             |  38 ++-
>>  3 files changed, 354 insertions(+), 191 deletions(-)
>
> I tried Secure boot before[1] with SPL and U-Boot proper and work well.
>
> I'm observing authentication issue while loading U-Boot proper, U-Boot
> proper now have features like SPL DM and SPL FIT etc
>
> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
> Trying to boot from MMC1
> Expected Linux image is not found. Trying to start U-boot
>
> Authenticate image from DDR location 0x17800000...
> bad magic magic=0xb8 length=0x841b version=0x17
> bad length magic=0xb8 length=0x841b version=0x17
> bad version magic=0xb8 length=0x841b version=0x17
> spl: ERROR:  image authentication unsuccessful
> ### ERROR ### Please RESET the board ###
>
> Please let me know where I missed, I'm authenticating SPL and
> u-boot-dtb.img now.

Can you please check if the generated u-boot-dtb.img contains an IVT
table appended at the end of the image?

The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
but I have to use the u-boot-ivt.img binary instead. In my case
u-boot-dtb.img does not include an IVT table.

Best Regards,
Breno Lima

Bryan O'Donoghue Feb. 8, 2018, 4:17 p.m. UTC | #4
>>
>> I'm observing authentication issue while loading U-Boot proper, U-Boot
>> proper now have features like SPL DM and SPL FIT etc
>>
>> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
>> Trying to boot from MMC1
>> Expected Linux image is not found. Trying to start U-boot
>>
>> Authenticate image from DDR location 0x17800000...
>> bad magic magic=0xb8 length=0x841b version=0x17
>> bad length magic=0xb8 length=0x841b version=0x17
>> bad version magic=0xb8 length=0x841b version=0x17
>> spl: ERROR:  image authentication unsuccessful
>> ### ERROR ### Please RESET the board ###
>>
>> Please let me know where I missed, I'm authenticating SPL and
>> u-boot-dtb.img now.
> 
> Can you please check if the generated u-boot-dtb.img contains a IVT
> table appended in the end of the image?
> 
> The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
> but I have to use the u-boot-ivt.img binary instead. In my case
> u-boot-dtb.img does not includes a IVT table.
> 
> Best Regards,
> Breno Lima
> 

At a guess I'd say it's the fix we did for hab_auth_img - I guess Jagan
you have an out-of-tree implementation here?

If you have a command in your environment that looks like this

hab_auth_img 0x17800000 0x10000

that should now be

hab_auth_img 0x17800000 0x10000 0xF400

assuming the CSF footer is approx. 0xC00 bytes padded.

git show c5800b2

arm: imx: hab: Fix authenticate_image input parameters

1: Adding a new parameter to hab_auth_img
        - addr   : image hex address
        - length : total length of the image
        - offset : offset of IVT from addr

---
bod

Jagan Teki Feb. 9, 2018, 7:27 a.m. UTC | #5
On Thu, Feb 8, 2018 at 9:47 PM, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> wrote:
>
>>>
>>> I'm observing authentication issue while loading U-Boot proper, U-Boot
>>> proper now have features like SPL DM and SPL FIT etc
>>>
>>> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
>>> Trying to boot from MMC1
>>> Expected Linux image is not found. Trying to start U-boot
>>>
>>> Authenticate image from DDR location 0x17800000...
>>> bad magic magic=0xb8 length=0x841b version=0x17
>>> bad length magic=0xb8 length=0x841b version=0x17
>>> bad version magic=0xb8 length=0x841b version=0x17
>>> spl: ERROR:  image authentication unsuccessful
>>> ### ERROR ### Please RESET the board ###
>>>
>>> Please let me know where I missed, I'm authenticating SPL and
>>> u-boot-dtb.img now.
>>
>>
>> Can you please check if the generated u-boot-dtb.img contains a IVT
>> table appended in the end of the image?
>>
>> The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
>> but I have to use the u-boot-ivt.img binary instead. In my case
>> u-boot-dtb.img does not includes a IVT table.
>>
>> Best Regards,
>> Breno Lima
>>
>
> At a guess I'd say it's the fix we did for hab_auth_img - I guess Jagan you
> have an out-of-tree implementation here ?

Basically I'm trying to compare this with the implementation before; it
looks like the issue is that the IVT image signature is missing when
CONFIG_SPL_LOAD_FIT is defined. It's working without SPL_LOAD_FIT.

>
> If you have a command in your environment that looks like this
>
> hab_auth_img 0x17800000 0x10000
>
> that should now be
>
> hab_auth_img 0x17800000 0x10000 0xF400
>
> assuming the CSF footer is aprox 0xC00 bytes padded.
>
> git show c5800b2
>
> arm: imx: hab: Fix authenticate_image input parameters
>
> 1: Adding a new parameter to hab_auth_img
>        - addr   : image hex address
>        - length : total length of the image
>        - offset : offset of IVT from addr
>

I've created u-boot-ivt.image, as we did in previous releases[2], and
padded 0x2000 to the CSF to align with the size of CONFIG_CSF_SIZE.

Image Name:   U-Boot 2018.03-rc1-00182-gb81f7c
Created:      Fri Feb  9 11:00:05 2018
Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size:    360384 Bytes = 351.94 KiB = 0.34 MiB
Load Address: 17800000
Entry Point:  00000000
HAB Blocks:   0x177fffc0   0x0000   0x00056020

icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0x56020

Authenticate image from DDR location 0x177fffc0...
bad magic magic=0xd4 length=0x5000 version=0x41
bad length magic=0xd4 length=0x5000 version=0x41

[2] https://openedev.amarulasolutions.com/display/ODUBOOT/i.MX6+HABv4#i.MX6HABv4-SignedBoot-Usage

Bryan O'Donoghue Feb. 9, 2018, 10:01 a.m. UTC | #6
On 09/02/18 07:27, Jagan Teki wrote:
> On Thu, Feb 8, 2018 at 9:47 PM, Bryan O'Donoghue
> <bryan.odonoghue@linaro.org> wrote:
>>
>>>>
>>>> I'm observing authentication issue while loading U-Boot proper, U-Boot
>>>> proper now have features like SPL DM and SPL FIT etc
>>>>
>>>> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
>>>> Trying to boot from MMC1
>>>> Expected Linux image is not found. Trying to start U-boot
>>>>
>>>> Authenticate image from DDR location 0x17800000...
>>>> bad magic magic=0xb8 length=0x841b version=0x17
>>>> bad length magic=0xb8 length=0x841b version=0x17
>>>> bad version magic=0xb8 length=0x841b version=0x17
>>>> spl: ERROR:  image authentication unsuccessful
>>>> ### ERROR ### Please RESET the board ###
>>>>
>>>> Please let me know where I missed, I'm authenticating SPL and
>>>> u-boot-dtb.img now.
>>>
>>>
>>> Can you please check if the generated u-boot-dtb.img contains a IVT
>>> table appended in the end of the image?
>>>
>>> The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
>>> but I have to use the u-boot-ivt.img binary instead. In my case
>>> u-boot-dtb.img does not includes a IVT table.
>>>
>>> Best Regards,
>>> Breno Lima
>>>
>>
>> At a guess I'd say it's the fix we did for hab_auth_img - I guess Jagan you
>> have an out-of-tree implementation here ?
> 
> Basically I'm trying to compare this with implementation before, look
> like issue is IVT image signature is missing for when
> CONFIG_SPL_LOAD_FIT defined.  It's working without SPL_LOAD_FIT.
> 
>>
>> If you have a command in your environment that looks like this
>>
>> hab_auth_img 0x17800000 0x10000
>>
>> that should now be
>>
>> hab_auth_img 0x17800000 0x10000 0xF400
>>
>> assuming the CSF footer is aprox 0xC00 bytes padded.
>>
>> git show c5800b2
>>
>> arm: imx: hab: Fix authenticate_image input parameters
>>
>> 1: Adding a new parameter to hab_auth_img
>>         - addr   : image hex address
>>         - length : total length of the image
>>         - offset : offset of IVT from addr
>>
> 
> I've created u-boot-ivt.image which we did in previous releases[2] and
> padded 0x2000 to CSF to align the size of CONFIG_CSF_SIZE
> 
> Image Name:   U-Boot 2018.03-rc1-00182-gb81f7c
> Created:      Fri Feb  9 11:00:05 2018
> Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
> Data Size:    360384 Bytes = 351.94 KiB = 0.34 MiB
> Load Address: 17800000
> Entry Point:  00000000
> HAB Blocks:   0x177fffc0   0x0000   0x00056020
> 
> icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0x56020
> 
> Authenticate image from DDR location 0x177fffc0...
> bad magic magic=0xd4 length=0x5000 version=0x41
> bad length magic=0xd4 length=0x5000 version=0x41
> 
> [2] https://openedev.amarulasolutions.com/display/ODUBOOT/i.MX6+HABv4#i.MX6HABv4-SignedBoot-Usage
> 

Ah... is that diagram accurate?

You are prepending the IVT to your image header.

In which case your command should be

icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0

Incidentally you are pointed at the CSF there, not the IVT.

High Assurance Boot Version 4 Application Programming Interface 
Reference Manual section 6.2

tag = 0xD4 => CSF
tag = 0xD1 => IVT

---
bod
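
Added example (not part of the thread and not U-Boot's own code): a host-side C version of the IVT header check whose "bad magic / bad length / bad version" failures appear in the logs above, run against a constructed image laid out with the thread's addresses. The tags 0xD1 and 0xD4 are the ones quoted in the last reply; the 0x20 length, the 0x40/0x41 version bytes, the position of the self field and all helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HAB_TAG_IVT 0xD1 /* from the thread: tag 0xD1 => IVT */
#define HAB_TAG_CSF 0xD4 /* from the thread: tag 0xD4 => CSF */
#define IVT_LEN     0x20 /* assumption: a HABv4 IVT is 32 bytes */
#define IVT_V40     0x40 /* assumption: accepted version bytes */
#define IVT_V41     0x41

enum { BAD_MAGIC = 1, BAD_LENGTH = 2, BAD_VERSION = 4, BAD_SELF = 8, BAD_RANGE = 16 };

static uint32_t rd32(const uint8_t *p)
{
	return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Header bytes: tag, 16-bit big-endian length, version. */
unsigned ivt_header_errors(const uint8_t *h)
{
	unsigned err = 0;
	if (h[0] != HAB_TAG_IVT)
		err |= BAD_MAGIC;
	if (((h[1] << 8) | h[2]) != IVT_LEN)
		err |= BAD_LENGTH;
	if (h[3] != IVT_V40 && h[3] != IVT_V41)
		err |= BAD_VERSION;
	return err;
}

/* Hypothetical helper taking the same arguments as hab_auth_img <addr> <length> <offset>. */
unsigned check_ivt(const uint8_t *img, uint32_t addr, uint32_t length, uint32_t offset)
{
	unsigned err;
	if (length < IVT_LEN || offset > length - IVT_LEN)
		return BAD_RANGE;           /* the IVT must lie inside the image */
	err = ivt_header_errors(img + offset);
	if (err)
		return err;                 /* header is wrong: trust no other field */
	if (rd32(img + offset + 20) != addr + offset)
		err |= BAD_SELF;            /* IVT self pointer must match its address */
	return err;
}

#define LOAD    0x177fffc0u /* first HAB block address from the thread */
#define TOTAL   0x58020u    /* length passed to hab_auth_img in the thread */
#define CSF_OFF 0x56020u    /* offset that landed on the CSF in the thread */
static uint8_t image[TOTAL]; /* constructed sample, not a real signed image */

/* Build an image with the IVT prepended and a CSF header at CSF_OFF, then check it. */
unsigned run_case(uint32_t offset)
{
	static const uint8_t ivt_hdr[4] = { HAB_TAG_IVT, 0x00, 0x20, 0x41 };
	static const uint8_t csf_hdr[4] = { HAB_TAG_CSF, 0x00, 0x50, 0x41 }; /* constructed */
	memset(image, 0, sizeof(image));
	memcpy(image, ivt_hdr, 4);
	wr32(image + 20, LOAD);             /* self */
	wr32(image + 24, LOAD + CSF_OFF);   /* csf */
	memcpy(image + CSF_OFF, csf_hdr, 4);
	return check_ivt(image, LOAD, TOTAL, offset);
}

int main(void)
{
	printf("offset 0: 0x%x, offset 0x%x: 0x%x\n", run_case(0), CSF_OFF, run_case(CSF_OFF));
	return 0;
}
```

With the offset pointing at the CSF, only the magic and length checks fail because the version byte 0x41 is also an accepted IVT version, which matches the two-line failure in the last log.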