From patchwork Wed Sep 25 08:11:17 2019
X-Patchwork-Submitter: Peng Fan
X-Patchwork-Id: 1167038
X-Patchwork-Delegate: sbabic@denx.de
From: Peng Fan
To: "sbabic@denx.de", "festevam@gmail.com"
Date: Wed, 25 Sep 2019 08:11:17 +0000
Message-ID: <20190925082756.18015-2-peng.fan@nxp.com>
References: <20190925082756.18015-1-peng.fan@nxp.com>
In-Reply-To: <20190925082756.18015-1-peng.fan@nxp.com>
x-mailer: git-send-email 2.16.4
Cc: "u-boot@lists.denx.de", dl-uboot-imx
Subject: [U-Boot] [PATCH 2/3] imx8qm: mek: add secure boot script

Add secure boot script, use ahab to verify image

Signed-off-by: Peng Fan
---
 include/configs/imx8qm_mek.h | 64 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/include/configs/imx8qm_mek.h b/include/configs/imx8qm_mek.h
index 6f615a7220..2e89c5a0cb 100644
--- a/include/configs/imx8qm_mek.h
+++ b/include/configs/imx8qm_mek.h @@ -56,8 +56,15 @@ #define CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG +#ifdef CONFIG_AHAB_BOOT +#define AHAB_ENV "sec_boot=yes\0" +#else +#define AHAB_ENV "sec_boot=no\0" +#endif + /* Initial environment variables */ #define CONFIG_EXTRA_ENV_SETTINGS \ + AHAB_ENV \ "script=boot.scr\0" \ "image=Image\0" \ "panel=NULL\0" \ @@ -78,16 +85,27 @@ "source\0" \ "loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \ "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \ + "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \ + "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \ + "auth_os=auth_cntr ${cntr_addr}\0" \ "mmcboot=echo Booting from mmc ...; " \ "run mmcargs; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if run loadfdt; then " \ - "booti ${loadaddr} - ${fdt_addr}; " \ + "if test ${sec_boot} = yes; then " \ + "if run auth_os; then " \ + "run boot_os; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "echo wait for boot; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if run loadfdt; then " \ + "run boot_os; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "echo wait for boot; " \ + "fi;" \ "fi;\0" \ "netargs=setenv bootargs console=${console} " \ "root=/dev/nfs " \ 
@@ -99,15 +117,24 @@ "else " \ "setenv get_cmd tftp; " \ "fi; " \ - "${get_cmd} ${loadaddr} ${image}; " \ - "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ - "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ - "booti ${loadaddr} - ${fdt_addr}; " \ + "if test ${sec_boot} = yes; then " \ + "${get_cmd} ${cntr_addr} ${cntr_file}; " \ + "if run auth_os; then " \ + "run boot_os; " \ "else " \ - "echo WARN: Cannot load the DT; " \ + "echo ERR: failed to authenticate; " \ "fi; " \ "else " \ - "booti; " \ + "${get_cmd} ${loadaddr} ${image}; " \ + "if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \ + "if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \ + "booti ${loadaddr} - ${fdt_addr}; " \ + "else " \ + "echo WARN: Cannot load the DT; " \ + "fi; " \ + "else " \ + "booti; " \ + "fi;" \ "fi;\0" #define CONFIG_BOOTCOMMAND \ @@ -115,10 +142,17 @@ "if run loadbootscript; then " \ "run bootscript; " \ "else " \ - "if run loadimage; then " \ - "run mmcboot; " \ - "else run netboot; " \ - "fi; " \ + "if test ${sec_boot} = yes; then " \ + "if run loadcntr; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "else " \ + "if run loadimage; then " \ + "run mmcboot; " \ + "else run netboot; " \ + "fi; " \ + "fi; " \ "fi; " \ "else booti ${loadaddr} - ${fdt_addr}; fi"
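Review bot: in the first hunk (@@ -56,8 +56,15 @@) `sec_boot` is exported as an ordinary environment variable (`AHAB_ENV "sec_boot=yes\0"`) and every later `if test ${sec_boot} = yes` decides on its runtime value, so the compile-time choice made by CONFIG_AHAB_BOOT can be overridden by a saved or edited environment and a secure build can end up on the unauthenticated `booti` branches. Consider selecting the authenticated `mmcboot`/`netboot`/bootcmd variants under `#ifdef CONFIG_AHAB_BOOT` rather than testing the variable at boot time, or state in the commit message that `sec_boot` is intended to be operator-switchable. Also, `${cntr_addr}` and `${cntr_file}` are used by `loadcntr` and by `netboot` but are not given defaults anywhere in this patch; if another patch in the series provides them, say so in the commit message, otherwise add them next to `AHAB_ENV`.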
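Review bot: in the `mmcboot` hunk (@@ -78,16 +85,27 @@) the secure branch runs `auth_os` and then `boot_os`, but `boot_os` boots from `${loadaddr}` and `${fdt_addr}` and nothing on that path loads either address (`loadimage` and `loadfdt` are only run on the non-secure path). This only works if `auth_cntr` itself unpacks the kernel and DT from `${cntr_addr}` to those addresses; please state that in the commit message, otherwise `boot_os` boots whatever happened to be at `${loadaddr}`. On failure the branch only does `echo ERR: failed to authenticate`, so `run mmcboot` still returns success to bootcmd; ending the branch with a non-zero status (`false`) or a `reset` makes the failure visible to the caller instead of silently falling through to the prompt.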
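Review bot: in the `netboot` hunk (@@ -99,15 +117,24 @@) the secure branch issues `${get_cmd} ${cntr_addr} ${cntr_file}; ` without checking its result, so a failed transfer goes straight into `auth_os` on whatever is in memory at `${cntr_addr}`; wrap it as `if ${get_cmd} ${cntr_addr} ${cntr_file}; then ... fi`, the same way `loadcntr` is checked in bootcmd, and print an error otherwise. For consistency with the `mmcboot` hunk, the non-secure branch could use `run boot_os` instead of repeating `booti ${loadaddr} - ${fdt_addr}`.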
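Review bot: in the bootcmd hunk (@@ -115,10 +142,17 @@) the trailing context line `else booti ${loadaddr} - ${fdt_addr}; fi` is left unchanged and does not consult `${sec_boot}`, so when the outer condition fails a secure build still boots `${loadaddr}` without ever calling `auth_cntr`; that fallback needs the same `sec_boot` guard, or should be dropped for AHAB builds. The two new branches differ only in `loadcntr` versus `loadimage`; choosing the loader once and sharing the `run mmcboot` / `else run netboot` logic would avoid the duplicated nesting.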