From patchwork Wed Dec 13 06:03:02 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 847767
X-Patchwork-Delegate: jagannadh.teki@gmail.com
From: Jagan Teki
To: Maxime Ripard
Date: Wed, 13 Dec 2017 11:33:02 +0530
Message-Id: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
X-Mailer: git-send-email 2.7.4
Cc: u-boot@lists.denx.de, linux-sunxi@googlegroups.com
Subject: [U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature

From: Jagan Teki

Enable FIT_SIGNATURE for sunxi a64.

Signed-off-by: Jagan Teki
---
Changes for v3:
- Move imply outside block
Changes for v2:
- Use imply instead of select

 arch/arm/mach-sunxi/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-sunxi/Kconfig b/arch/arm/mach-sunxi/Kconfig index 1fededd..05e2d47 100644 --- a/arch/arm/mach-sunxi/Kconfig +++ b/arch/arm/mach-sunxi/Kconfig
@@ -179,6 +179,7 @@ config MACH_SUN50I select SUNXI_DRAM_DW_32BIT select FIT select SPL_LOAD_FIT + imply FIT_SIGNATURE config MACH_SUN50I_H5 bool "sun50i (Allwinner H5)"
From patchwork Wed Dec 13 06:03:03 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 847770
X-Patchwork-Delegate: jagannadh.teki@gmail.com
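Review bot: In the MACH_SUN50I block of patch 1/5, "imply FIT_SIGNATURE" is only a default that a board configuration can still switch off, and the commit message ("Enable FIT_SIGNATURE for sunxi a64") does not say so. State in the commit message that this is a default rather than a guarantee, so that a board relying on verified boot knows to set CONFIG_FIT_SIGNATURE=y explicitly. The hunk also adds no signature option for the SPL stage although "select SPL_LOAD_FIT" sits directly above the new line, so please state whether the SPL's own FIT load is meant to stay outside the verified chain. The neighbouring MACH_SUN50I_H5 entry gets no imply; if that is intentional, say why.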
From: Jagan Teki
To: Maxime Ripard
Date: Wed, 13 Dec 2017 11:33:03 +0530
Message-Id: <1513144986-13619-2-git-send-email-jagan@amarulasolutions.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
References: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
Cc: u-boot@lists.denx.de, linux-sunxi@googlegroups.com
Subject: [U-Boot] [PATCH v3 2/5] sunxi: arm64: Increase CONFIG_SYS_BOOTM_LEN to 32MB

From: Jagan Teki

The default value of CONFIG_SYS_BOOTM_LEN, 0x800000, causes error
when uncompressing Image.gz out of FIT image.

Uncompressing Kernel Image ... Error: inflate() returned -5
Image too large: increase CONFIG_SYS_BOOTM_LEN

and loading Image out of FIT image.

Loading Kernel Image ... Image too large: increase CONFIG_SYS_BOOTM_LEN
Must RESET board to recover

Signed-off-by: Jagan Teki
Acked-by: Maxime Ripard
---
Changes for v3:
- none
Changes for v2:
- Add in separate patch with proper commit message

 include/configs/sunxi-common.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/configs/sunxi-common.h b/include/configs/sunxi-common.h index 786155f..ee1cb39 100644 --- a/include/configs/sunxi-common.h +++ b/include/configs/sunxi-common.h
@@ -34,6 +34,7 @@ #ifdef CONFIG_ARM64 #define CONFIG_BUILD_TARGET "u-boot.itb" +#define CONFIG_SYS_BOOTM_LEN (32 << 20) #endif /* Serial & console */
From patchwork Wed Dec 13 06:03:04 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 847771
X-Patchwork-Delegate: jagannadh.teki@gmail.com
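Review bot: The new CONFIG_SYS_BOOTM_LEN define in the CONFIG_ARM64 block of patch 2/5 is a bare "(32 << 20)" with no comment; add one saying that this is the size limit bootm enforces on the loaded or uncompressed kernel (32 MiB) and why 32 MiB was picked, since the commit message only shows that 0x800000 is too small. Because the define sits inside "#ifdef CONFIG_ARM64", 32-bit sunxi boards keep the 0x800000 default, while the README added in patch 3/5 says the flow should also work on 32 bit SoCs; either lift the define out of the guard or mention the limit there. It is also worth confirming that an image of up to 32 MiB placed at the load address used in the documentation cannot reach the relocated device tree.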
From: Jagan Teki
To: Maxime Ripard
Date: Wed, 13 Dec 2017 11:33:04 +0530
Message-Id: <1513144986-13619-3-git-send-email-jagan@amarulasolutions.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
References: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
Cc: u-boot@lists.denx.de, linux-sunxi@googlegroups.com
Subject: [U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64

Add verified-boot documentation for sunxi a64 platform.

Signed-off-by: Jagan Teki
---
Changes for v3:
- Create separate document file
Changes for v2:
- New patch

 doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 doc/README.sunxi

diff --git a/doc/README.sunxi b/doc/README.sunxi new file mode 100644 index 0000000..ef4f735 --- /dev/null +++ b/doc/README.sunxi
@@ -0,0 +1,193 @@ +# +# Copyright (C) 2017 Amarula Solutions +# +# SPDX-License-Identifier: GPL-2.0+ +# + +U-Boot on SunXi +============== + +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. + + 1. Verified Boot + +1. Verified Boot +================ + +U-Boot supports an image verification method called "Verified Boot". +This is a brief tutorial to utilize this feature for the Sunxi A64 platform. +You will find details documents in the doc/uImage.FIT directory. + +Here, we take Orangepi Win board for example, but it should work for any +other boards including 32 bit SoCs. + +1. Generate RSA key to sign + + $ mkdir keys + $ openssl genpkey -algorithm RSA -out keys/dev.key \ + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt + +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary, +but need to match to the "key-name-hint" property described below. + +2. 
FIT Input + +---------------------------------------->8---------------------------------------- +/dts-v1/; +/ { + description = "FIT image with single Linux kernel, FDT blob"; + #address-cells = <1>; + + images { + kernel@0 { + description = "ARM64 Linux kernel"; + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz"); + type = "kernel"; + arch = "arm64"; + os = "linux"; + compression = "gzip"; + load = <0x50080000>; + entry = <0x50080000>; + hash@1 { + algo = "sha256"; + }; + }; + + fdt@0 { + description = "Orangepi Win/Win+ Devicetree blob"; + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb"); + type = "flat_dt"; + arch = "arm64"; + compression = "none"; + hash@1 { + algo = "sha256"; + }; + }; + }; + + configurations { + default = "conf@0"; + + conf@0 { + description = "Boot Linux kernel, FDT blob"; + kernel = "kernel@0"; + fdt = "fdt@0"; + signature@0 { + algo = "sha256,rsa2048"; + key-name-hint = "dev"; + sign-images = "kernel", "fdt"; + }; + }; + }; +}; +---------------------------------------->8---------------------------------------- + +You need to change the two '/incbin/' lines, depending on the location of +your kernel image and devicetree blob. The "load" and "entry" properties also +need to be adjusted if you want to change the physical placement of the kernel. + +The "key-name-hint" must specify the key name you have created in the step 1. + +The FIT file name is arbitrary. Let's say you saved it into "fit.its". + +3. Compile U-Boot with FIT and signature enabled + +To use the Verified Boot, you need to enable the following two options: + CONFIG_FIT + CONFIG_FIT_SIGNATURE + + $ make orangepi_win_defconfig + $ make CROSS_COMPILE=aarch64-linux-gnu- + +4. FIT Output + +After building U-Boot, you will see tools/mkimage. 
With this tool, you can +create an image tree blob as follows: + + $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage + +The -k option must specify the key directory you have created in step 1. + +A file "fitImage" will be created. This includes kernel, DTB, +hash data for each of the three, and signature data. + +The public key needed for the run-time verification is stored in "dts/dt.dtb". + +5. Compile Verified U-Boot + +Since the "dt.dtb" has been updated in step 4, you need to re-compile the +U-Boot. + + $ make CROSS_COMPILE=aarch64-linux-gnu- + +The re-compiled "u-boot.bin" is appended with DTB that contains the public key. + +6. Flash the image + +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your +board. + +7. Boot verified kernel + +Load the fitImage to memory and run the following from the U-Boot command line. + + > bootm + +Here, is the base address of the fitImage. + +If it is successful, you will see messages like follows: + +---------------------------------------->8---------------------------------------- +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage +16321738 bytes read in 1049 ms (14.8 MiB/s) +=> bootm $kernel_addr_r +## Loading kernel from FIT Image at 40080000 ... + Using 'conf@0' configuration + Verifying Hash Integrity ... OK + Trying 'kernel@0' kernel subimage + Description: ARM64 Linux kernel + Type: Kernel Image + Compression: gzip compressed + Data Start: 0x400800e4 + Data Size: 6884659 Bytes = 6.6 MiB + Architecture: AArch64 + OS: Linux + Load Address: 0x50080000 + Entry Point: 0x50080000 + Hash algo: sha256 + Hash value: 6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a + Verifying Hash Integrity ... sha256+ OK +## Loading fdt from FIT Image at 40080000 ... 
+ Using 'conf@0' configuration + Trying 'fdt@0' fdt subimage + Description: Orangepi Win/Win+ Devicetree blob + Type: Flat Device Tree + Compression: uncompressed + Data Start: 0x40710f24 + Data Size: 9032 Bytes = 8.8 KiB + Architecture: AArch64 + Hash algo: sha256 + Hash value: ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1 + Verifying Hash Integrity ... sha256+ OK + Booting using the fdt blob at 0x40710f24 + Uncompressing Kernel Image ... OK + Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK + +Starting kernel ... +---------------------------------------->8---------------------------------------- + +Please pay attention to the lines that start with "Verifying Hash Integrity". + +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check +passed. + +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed +for kernel and DTB. + +If they are not displayed, the Verified Boot is not working. + +-- +Jagan Teki +13 Dec 2017
From patchwork Wed Dec 13 06:03:05 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 847769
X-Patchwork-Delegate: jagannadh.teki@gmail.com
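Review bot: The sample boot log in step 7 of the new doc/README.sunxi (patch 3/5) never shows the "sha256,rsa2048:dev+ OK" line that the text right below it gives as proof of a passed signature check; the configuration line in the log reads only "Verifying Hash Integrity ... OK". By the document's own rule ("If they are not displayed, the Verified Boot is not working") the example shows an unverified boot, so replace it with a log captured from a signed image, or explain the difference. Step 4 also says the fitImage holds "hash data for each of the three" while the .its in step 2 defines only two images, kernel and fdt. The mkimage options -K, -r and -F are used without a word on what each does, and step 1 writes an unprotected private key to keys/dev.key under the build directory without advising that it be kept out of the tree and off the target.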
From: Jagan Teki
To: Maxime Ripard
Date: Wed, 13 Dec 2017 11:33:05 +0530
Message-Id: <1513144986-13619-4-git-send-email-jagan@amarulasolutions.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
References: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>
Cc: u-boot@lists.denx.de, linux-sunxi@googlegroups.com
Subject: [U-Boot] [PATCH v3 4/5] docs: README.sunxi: Move sunxi64 documentation

Move documentation of README.sunxi64 from board files
into docs/README.sunxi

Signed-off-by: Jagan Teki
---
Changes for v3:
- New patch

 board/sunxi/README.sunxi64 | 165 ------------------------------------------
 doc/README.sunxi | 173 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 170 insertions(+), 168 deletions(-)
 delete mode 100644 board/sunxi/README.sunxi64

diff --git a/board/sunxi/README.sunxi64 b/board/sunxi/README.sunxi64 deleted file mode 100644 index c492f74..0000000 --- a/board/sunxi/README.sunxi64 +++ /dev/null
@@ -1,165 +0,0 @@ -Allwinner 64-bit boards README -============================== - -Newer Allwinner SoCs feature ARMv8 cores (ARM Cortex-A53) with support for -both the 64-bit AArch64 mode and the ARMv7 compatible 32-bit AArch32 mode. -Examples are the Allwinner A64 (used for instance on the Pine64 board) or -the Allwinner H5 SoC (as used on the OrangePi PC 2). -These SoCs are wired to start in AArch32 mode on reset and execute 32-bit -code from the Boot ROM (BROM). As this has some implications on U-Boot, this -file describes how to make full use of the 64-bit capabilities. - -Quick Start / Overview -====================== -- Build the ARM Trusted Firmware binary (see "ARM Trusted Firmware (ATF)" below) -- Build U-Boot (see "SPL/U-Boot" below) -- Transfer to an uSD card (see "microSD card" below) -- Boot and enjoy! - -Building the firmware -===================== - -The Allwinner A64/H5 firmware consists of three parts: U-Boot's SPL, an -ARM Trusted Firmware (ATF) build and the U-Boot proper. -The SPL will load both ATF and U-Boot proper along with the right device -tree blob (.dtb) and will pass execution to ATF (in EL3), which in turn will -drop into the U-Boot proper (in EL2). -As the ATF binary will become part of the U-Boot image file, you will need -to build it first. - - ARM Trusted Firmware (ATF) ----------------------------- -Checkout the "allwinner" branch from the github repository [1] and build it: -$ export CROSS_COMPILE=aarch64-linux-gnu- -$ make PLAT=sun50iw1p1 DEBUG=1 bl31 -The resulting binary is build/sun50iw1p1/debug/bl31.bin. Either put the -location of this file into the BL31 environment variable or copy this to -the root of your U-Boot build directory (or create a symbolic link). -$ export BL31=/src/arm-trusted-firmware/build/sun50iw1p1/debug/bl31.bin - (adjust the actual path accordingly) - - SPL/U-Boot ------------- -Both U-Boot proper and the SPL are using the 64-bit mode. 
As the boot ROM -enters the SPL still in AArch32 secure SVC mode, there is some shim code to -enter AArch64 very early. The rest of the SPL runs in AArch64 EL3. -U-Boot proper runs in EL2 and can load any AArch64 code (using the "go" -command), EFI applications (with "bootefi") or arm64 Linux kernel images -(often named "Image"), using the "booti" command. - -$ make clean -$ export CROSS_COMPILE=aarch64-linux-gnu- -$ make pine64_plus_defconfig -$ make - -This will build the SPL in spl/sunxi-spl.bin and a FIT image called u-boot.itb, -which contains the rest of the firmware. - - -Boot process -============ -The on-die BROM code will try several methods to load and execute the firmware. -On a typical board like the Pine64 this will result in the following boot order: - -1) Reading 32KB from sector 16 (@8K) of the microSD card to SRAM A1. If the -BROM finds the magic "eGON" header in the first bytes, it will execute that -code. If not (no SD card at all or invalid magic), it will: -2) Try to read 32KB from sector 16 (@8K) of memory connected to the MMC2 -controller, typically an on-board eMMC chip. If there is no eMMC or it does -not contain a valid boot header, it will: -3) Initialize the SPI0 controller and try to access a NOR flash connected to -it (using the CS0 pin). If a flash chip is found, the BROM will load the -first 32KB (from offset 0) into SRAM A1. Now it checks for the magic eGON -header and checksum and will execute the code upon finding it. If not, it will: -4) Initialize the USB OTG controller and will wait for a host to connect to -it, speaking the Allwinner proprietary (but deciphered) "FEL" USB protocol. - - -To boot the Pine64 board, you can use U-Boot and any of the described methods. - -FEL boot (USB OTG) ------------------- -FEL is the name of the Allwinner defined USB boot protocol built in the -mask ROM of most Allwinner SoCs. It allows to bootstrap a board solely -by using the USB-OTG interface and a host port on another computer. 
-As the FEL mode is controlled by the boot ROM, it expects to be running in -AArch32. For now the AArch64 SPL cannot properly return into FEL mode, so the -feature is disabled in the configuration at the moment. - -microSD card ------------- -Transfer the SPL and the U-Boot FIT image directly to an uSD card: -# dd if=spl/sunxi-spl.bin of=/dev/sdx bs=8k seek=1 -# dd if=u-boot.itb of=/dev/sdx bs=8k seek=5 -# sync -(replace /dev/sdx with you SD card device file name, which could be -/dev/mmcblk[x] as well). - -Alternatively you can concatenate the SPL and the U-Boot FIT image into a -single file and transfer that instead: -$ cat spl/sunxi-spl.bin u-boot.itb > u-boot-sunxi-with-spl.bin -# dd if=u-boot-sunxi-with-spl.bin of=/dev/sdx bs=8k seek=1 - -You can partition the microSD card, but leave the first MB unallocated (most -partitioning tools will do this anyway). - -NOR flash ---------- -Some boards (like the SoPine, Pinebook or the OrangePi PC2) come with a -soldered SPI NOR flash chip. On other boards like the Pine64 such a chip -can be connected to the SPI0/CS0 pins on the PI-2 headers. -Create the SPL and FIT image like described above for the SD card. -Now connect either an "A to A" USB cable to the upper USB port on the Pine64 -or get an adaptor and use a regular A-microB cable connected to it. Other -boards often have a proper micro-B USB socket connected to the USB OTB port. -Remove a microSD card from the slot and power on the board. -On your host computer download and build the sunxi-tools package[2], then -use "sunxi-fel" to access the board: -$ ./sunxi-fel ver -v -p -This should give you an output starting with: AWUSBFEX soc=00001689(A64) ... -Now use the sunxi-fel tool to write to the NOR flash: -$ ./sunxi-fel spiflash-write 0 spl/sunxi-spl.bin -$ ./sunxi-fel spiflash-write 32768 u-boot.itb -Now boot the board without an SD card inserted and you should see the -U-Boot prompt on the serial console. 
- -(Legacy) boot0 method ---------------------- -boot0 is Allwiner's secondary program loader and it can be used as some kind -of SPL replacement to get U-Boot up and running from an microSD card. -For some time using boot0 was the only option to get the Pine64 booted. -With working DRAM init code in U-Boot's SPL this is no longer necessary, -but this method is described here for the sake of completeness. -Please note that this method works only with the boot0 files shipped with -A64 based boards, the H5 uses an incompatible layout which is not supported -by this method. - -The boot0 binary is a 32 KByte blob and contained in the official Pine64 images -distributed by Pine64 or Allwinner. It can be easily extracted from a micro -SD card or an image file: -# dd if=/dev/sd of=boot0.bin bs=8k skip=1 count=4 -where /dev/sd is the device name of the uSD card or the name of the image -file. Apparently Allwinner allows re-distribution of this proprietary code -"as-is". -This boot0 blob takes care of DRAM initialisation and loads the remaining -firmware parts, then switches the core into AArch64 mode. -The original boot0 code looks for U-Boot at a certain place on an uSD card -(at 19096 KB), also it expects a header with magic bytes and a checksum. -There is a tool called boot0img[3] which takes a boot0.bin image and a compiled -U-Boot binary (plus other binaries) and will populate that header accordingly. -To make space for the magic header, the pine64_plus_defconfig will make sure -there is sufficient space at the beginning of the U-Boot binary. -boot0img will also take care of putting the different binaries at the right -places on the uSD card and works around unused, but mandatory parts by using -trampoline code. See the output of "boot0img -h" for more information. -boot0img can also patch boot0 to avoid loading U-Boot from 19MB, instead -fetching it from just behind the boot0 binary (-B option). 
-$ ./boot0img -o firmware.img -B boot0.img -u u-boot-dtb.bin -e -s bl31.bin \ --a 0x44008 -d trampoline64:0x44000 -Then write this image to a microSD card, replacing /dev/sdx with the right -device file (see above): -$ dd if=firmware.img of=/dev/sdx bs=8k seek=1 - -[1] https://github.com/apritzel/arm-trusted-firmware.git -[2] git://github.com/linux-sunxi/sunxi-tools.git -[3] https://github.com/apritzel/pine64/ diff --git a/doc/README.sunxi b/doc/README.sunxi index ef4f735..48f82cb 100644 --- a/doc/README.sunxi +++ b/doc/README.sunxi 
@@ -9,9 +9,170 @@ U-Boot on SunXi Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. - 1. Verified Boot - -1. Verified Boot + 1. Allwinner 64-bit boards + 2. Verified Boot + +1. Allwinner 64-bit boards +========================== + +Newer Allwinner SoCs feature ARMv8 cores (ARM Cortex-A53) with support for +both the 64-bit AArch64 mode and the ARMv7 compatible 32-bit AArch32 mode. +Examples are the Allwinner A64 (used for instance on the Pine64 board) or +the Allwinner H5 SoC (as used on the OrangePi PC 2). +These SoCs are wired to start in AArch32 mode on reset and execute 32-bit +code from the Boot ROM (BROM). As this has some implications on U-Boot, this +file describes how to make full use of the 64-bit capabilities. + +Quick Start / Overview +====================== +- Build the ARM Trusted Firmware binary (see "ARM Trusted Firmware (ATF)" below) +- Build U-Boot (see "SPL/U-Boot" below) +- Transfer to an uSD card (see "microSD card" below) +- Boot and enjoy! + +Building the firmware +===================== + +The Allwinner A64/H5 firmware consists of three parts: U-Boot's SPL, an +ARM Trusted Firmware (ATF) build and the U-Boot proper. +The SPL will load both ATF and U-Boot proper along with the right device +tree blob (.dtb) and will pass execution to ATF (in EL3), which in turn will +drop into the U-Boot proper (in EL2). +As the ATF binary will become part of the U-Boot image file, you will need +to build it first. + + ARM Trusted Firmware (ATF) +---------------------------- +Checkout the "allwinner" branch from the github repository [1] and build it: +$ export CROSS_COMPILE=aarch64-linux-gnu- +$ make PLAT=sun50iw1p1 DEBUG=1 bl31 +The resulting binary is build/sun50iw1p1/debug/bl31.bin. Either put the +location of this file into the BL31 environment variable or copy this to +the root of your U-Boot build directory (or create a symbolic link). 
+$ export BL31=/src/arm-trusted-firmware/build/sun50iw1p1/debug/bl31.bin + (adjust the actual path accordingly) + +SPL/U-Boot +---------- +Both U-Boot proper and the SPL are using the 64-bit mode. As the boot ROM +enters the SPL still in AArch32 secure SVC mode, there is some shim code to +enter AArch64 very early. The rest of the SPL runs in AArch64 EL3. +U-Boot proper runs in EL2 and can load any AArch64 code (using the "go" +command), EFI applications (with "bootefi") or arm64 Linux kernel images +(often named "Image"), using the "booti" command. + +$ make clean +$ export CROSS_COMPILE=aarch64-linux-gnu- +$ make pine64_plus_defconfig +$ make + +This will build the SPL in spl/sunxi-spl.bin and a FIT image called u-boot.itb, +which contains the rest of the firmware. + +Boot process +============ +The on-die BROM code will try several methods to load and execute the firmware. +On a typical board like the Pine64 this will result in the following boot order: + +1) Reading 32KB from sector 16 (@8K) of the microSD card to SRAM A1. If the +BROM finds the magic "eGON" header in the first bytes, it will execute that +code. If not (no SD card at all or invalid magic), it will: +2) Try to read 32KB from sector 16 (@8K) of memory connected to the MMC2 +controller, typically an on-board eMMC chip. If there is no eMMC or it does +not contain a valid boot header, it will: +3) Initialize the SPI0 controller and try to access a NOR flash connected to +it (using the CS0 pin). If a flash chip is found, the BROM will load the +first 32KB (from offset 0) into SRAM A1. Now it checks for the magic eGON +header and checksum and will execute the code upon finding it. If not, it will: +4) Initialize the USB OTG controller and will wait for a host to connect to +it, speaking the Allwinner proprietary (but deciphered) "FEL" USB protocol. + +To boot the Pine64 board, you can use U-Boot and any of the described methods. 
+ +FEL boot (USB OTG) +------------------ +FEL is the name of the Allwinner defined USB boot protocol built in the +mask ROM of most Allwinner SoCs. It allows to bootstrap a board solely +by using the USB-OTG interface and a host port on another computer. +As the FEL mode is controlled by the boot ROM, it expects to be running in +AArch32. For now the AArch64 SPL cannot properly return into FEL mode, so the +feature is disabled in the configuration at the moment. + +microSD card +------------ +Transfer the SPL and the U-Boot FIT image directly to an uSD card: +# dd if=spl/sunxi-spl.bin of=/dev/sdx bs=8k seek=1 +# dd if=u-boot.itb of=/dev/sdx bs=8k seek=5 +# sync +(replace /dev/sdx with you SD card device file name, which could be +/dev/mmcblk[x] as well). + +Alternatively you can concatenate the SPL and the U-Boot FIT image into a +single file and transfer that instead: +$ cat spl/sunxi-spl.bin u-boot.itb > u-boot-sunxi-with-spl.bin +# dd if=u-boot-sunxi-with-spl.bin of=/dev/sdx bs=8k seek=1 + +You can partition the microSD card, but leave the first MB unallocated (most +partitioning tools will do this anyway). + +NOR flash +--------- +Some boards (like the SoPine, Pinebook or the OrangePi PC2) come with a +soldered SPI NOR flash chip. On other boards like the Pine64 such a chip +can be connected to the SPI0/CS0 pins on the PI-2 headers. +Create the SPL and FIT image like described above for the SD card. +Now connect either an "A to A" USB cable to the upper USB port on the Pine64 +or get an adaptor and use a regular A-microB cable connected to it. Other +boards often have a proper micro-B USB socket connected to the USB OTB port. +Remove a microSD card from the slot and power on the board. +On your host computer download and build the sunxi-tools package[2], then +use "sunxi-fel" to access the board: +$ ./sunxi-fel ver -v -p +This should give you an output starting with: AWUSBFEX soc=00001689(A64) ... 
+Now use the sunxi-fel tool to write to the NOR flash: +$ ./sunxi-fel spiflash-write 0 spl/sunxi-spl.bin +$ ./sunxi-fel spiflash-write 32768 u-boot.itb +Now boot the board without an SD card inserted and you should see the +U-Boot prompt on the serial console. + +(Legacy) boot0 method +--------------------- +boot0 is Allwiner's secondary program loader and it can be used as some kind +of SPL replacement to get U-Boot up and running from an microSD card. +For some time using boot0 was the only option to get the Pine64 booted. +With working DRAM init code in U-Boot's SPL this is no longer necessary, +but this method is described here for the sake of completeness. +Please note that this method works only with the boot0 files shipped with +A64 based boards, the H5 uses an incompatible layout which is not supported +by this method. + +The boot0 binary is a 32 KByte blob and contained in the official Pine64 images +distributed by Pine64 or Allwinner. It can be easily extracted from a micro +SD card or an image file: +# dd if=/dev/sd of=boot0.bin bs=8k skip=1 count=4 +where /dev/sd is the device name of the uSD card or the name of the image +file. Apparently Allwinner allows re-distribution of this proprietary code +"as-is". +This boot0 blob takes care of DRAM initialisation and loads the remaining +firmware parts, then switches the core into AArch64 mode. +The original boot0 code looks for U-Boot at a certain place on an uSD card +(at 19096 KB), also it expects a header with magic bytes and a checksum. +There is a tool called boot0img[3] which takes a boot0.bin image and a compiled +U-Boot binary (plus other binaries) and will populate that header accordingly. +To make space for the magic header, the pine64_plus_defconfig will make sure +there is sufficient space at the beginning of the U-Boot binary. +boot0img will also take care of putting the different binaries at the right +places on the uSD card and works around unused, but mandatory parts by using +trampoline code. 
See the output of "boot0img -h" for more information. +boot0img can also patch boot0 to avoid loading U-Boot from 19MB, instead +fetching it from just behind the boot0 binary (-B option). +$ ./boot0img -o firmware.img -B boot0.img -u u-boot-dtb.bin -e -s bl31.bin \ +-a 0x44008 -d trampoline64:0x44000 +Then write this image to a microSD card, replacing /dev/sdx with the right +device file (see above): +$ dd if=firmware.img of=/dev/sdx bs=8k seek=1 + +2. Verified Boot ================ U-Boot supports an image verification method called "Verified Boot". 
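Review bot: In the "ARM Trusted Firmware (ATF)" subsection of this hunk the only build shown is "make PLAT=sun50iw1p1 DEBUG=1 bl31", and the BL31 example points at the debug/ output, so anyone following the README ends up with a debug build of the EL3 firmware; please say whether a non-debug build is supported and which one is meant for real use. The new sub-headings "Quick Start / Overview", "Building the firmware" and "Boot process" are underlined with "=" like the numbered section "1. Allwinner 64-bit boards", so they read as top-level sections that the table of contents does not list; a lower-level underline would keep them under section 1. Since the text is being moved anyway, the typos could be fixed in the same pass: "Allwiner's", "replace /dev/sdx with you SD card" and "USB OTB port". The final "$ dd if=firmware.img of=/dev/sdx" uses the user prompt while the earlier dd lines use the "#" root prompt.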
@@ -188,6 +349,12 @@ for kernel and DTB. If they are not displayed, the Verified Boot is not working. +References +========== +[1] https://github.com/apritzel/arm-trusted-firmware.git +[2] git://github.com/linux-sunxi/sunxi-tools.git +[3] https://github.com/apritzel/pine64/ + -- Jagan Teki 13 Dec 2017 From patchwork Wed Dec 13 06:03:06 2017 X-Patchwork-Submitter: Jagan Teki X-Patchwork-Id: 847768 X-Patchwork-Delegate: jagannadh.teki@gmail.com
From: Jagan Teki To: Maxime Ripard Date: Wed, 13 Dec 2017 11:33:06 +0530 Message-Id: <1513144986-13619-5-git-send-email-jagan@amarulasolutions.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com> References: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com> Cc: u-boot@lists.denx.de, linux-sunxi@googlegroups.com Subject: [U-Boot] [PATCH v3 5/5] docs: README.sunxi: Move nand documentation Move documentation of README.nand from board files into docs/README.sunxi Signed-off-by: Jagan Teki --- Changes for v3: - New patch board/sunxi/README.nand | 54 -------------------------------------------- doc/README.sunxi | 60 +++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 58 insertions(+), 56 deletions(-) delete mode 100644 board/sunxi/README.nand diff --git a/board/sunxi/README.nand b/board/sunxi/README.nand deleted file mode 100644 index a5d4ff0..0000000 --- a/board/sunxi/README.nand +++ /dev/null
@@ -1,54 +0,0 @@ -Allwinner NAND flashing -======================= - -A lot of Allwinner devices, especially the older ones (pre-H3 era), -comes with a NAND. NANDs storages are a pretty weak choice when it -comes to the reliability, and it comes with a number of flaws like -read and write disturbs, data retention issues, bloks becoming -unusable, etc. - -In order to mitigate that, various strategies have been found to be -able to recover from those issues like ECC, hardware randomization, -and of course, redundancy for the critical parts. - -This is obviously something that we will take into account when -creating our images. However, the BROM will use a quite weird pattern -when accessing the NAND, and will access only at most 4kB per page, -which means that we also have to split that binary accross several -pages. - -In order to accomodate that, we create a tool that will generate an -SPL image that is ready to be programmed directly embedding the ECCs, -randomized, and with the necessary bits needed to reduce the number of -bitflips. The U-Boot build system, when configured for the NAND will -also generate the image sunxi-spl-with-ecc.bin that will have been -generated by that tool. - -In order to flash your U-Boot image onto a board, assuming that the -board is in FEL mode, you'll need the sunxi-tools that you can find at -this repository: https://github.com/linux-sunxi/sunxi-tools - -Then, you'll need to first load an SPL to initialise the RAM: -sunxi-fel spl spl/sunxi-spl.bin - -Load the binaries we'll flash into RAM: -sunxi-fel write 0x4a000000 u-boot-dtb.bin -sunxi-fel write 0x43000000 spl/sunxi-spl-with-ecc.bin - -And execute U-Boot -sunxi-fel exe 0x4a000000 - -On your board, you'll now have all the needed binaries into RAM, so -you only need to erase the NAND... 
- -nand erase.chip - -Then write the SPL and its backup: - -nand write.raw.noverify 0x43000000 0 40 -nand write.raw.noverify 0x43000000 0x400000 40 - -And finally write the U-Boot binary: -nand write 0x4a000000 0x800000 0xc0000 - -You can now reboot and enjoy your NAND. \ No newline at end of file diff --git a/doc/README.sunxi b/doc/README.sunxi index 48f82cb..c682606 100644 --- a/doc/README.sunxi +++ b/doc/README.sunxi @@ -10,7 +10,8 @@ U-Boot on SunXi Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. 1. Allwinner 64-bit boards - 2. Verified Boot + 2. Allwinner NAND flashing + 3. Verified Boot 1. Allwinner 64-bit boards ========================== 
@@ -172,7 +173,62 @@ Then write this image to a microSD card, replacing /dev/sdx with the right device file (see above): $ dd if=firmware.img of=/dev/sdx bs=8k seek=1 -2. Verified Boot +2. Allwinner NAND flashing +========================== + +A lot of Allwinner devices, especially the older ones (pre-H3 era), +comes with a NAND. NANDs storages are a pretty weak choice when it +comes to the reliability, and it comes with a number of flaws like +read and write disturbs, data retention issues, bloks becoming +unusable, etc. + +In order to mitigate that, various strategies have been found to be +able to recover from those issues like ECC, hardware randomization, +and of course, redundancy for the critical parts. + +This is obviously something that we will take into account when +creating our images. However, the BROM will use a quite weird pattern +when accessing the NAND, and will access only at most 4kB per page, +which means that we also have to split that binary accross several +pages. + +In order to accomodate that, we create a tool that will generate an +SPL image that is ready to be programmed directly embedding the ECCs, +randomized, and with the necessary bits needed to reduce the number of +bitflips. The U-Boot build system, when configured for the NAND will +also generate the image sunxi-spl-with-ecc.bin that will have been +generated by that tool. + +In order to flash your U-Boot image onto a board, assuming that the +board is in FEL mode, you'll need the sunxi-tools that you can find at +this repository: https://github.com/linux-sunxi/sunxi-tools + +Then, you'll need to first load an SPL to initialise the RAM: +sunxi-fel spl spl/sunxi-spl.bin + +Load the binaries we'll flash into RAM: +sunxi-fel write 0x4a000000 u-boot-dtb.bin +sunxi-fel write 0x43000000 spl/sunxi-spl-with-ecc.bin + +And execute U-Boot +sunxi-fel exe 0x4a000000 + +On your board, you'll now have all the needed binaries into RAM, so +you only need to erase the NAND... 
+ +nand erase.chip + +Then write the SPL and its backup: + +nand write.raw.noverify 0x43000000 0 40 +nand write.raw.noverify 0x43000000 0x400000 40 + +And finally write the U-Boot binary: +nand write 0x4a000000 0x800000 0xc0000 + +You can now reboot and enjoy your NAND. + +3. Verified Boot ================ U-Boot supports an image verification method called "Verified Boot".
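Review bot: The write steps in the new section "2. Allwinner NAND flashing" use fixed numbers with no explanation ("nand write.raw.noverify 0x43000000 0 40", the backup copy at 0x400000, and "nand write 0x4a000000 0x800000 0xc0000"), so a u-boot-dtb.bin larger than 0xc0000 bytes would be written only partially and the reader has no way to tell; please state what 40 and 0xc0000 stand for and how to derive them from the built files. The SPL is written with ".noverify" and nothing in the procedure reads it back, so a short note on how to check the result before rebooting would help. As the text is moved rather than rewritten, this is also a good moment to fix "bloks", "accross", "accomodate" and "comes with a NAND".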