From patchwork Fri May 3 01:05:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Vasut X-Patchwork-Id: 1930902 X-Patchwork-Delegate: festevam@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=HyErJQqC; dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=dfNh7Ggu; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VVt0P3WWcz20fb for ; Fri, 3 May 2024 11:05:57 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2483B88BB9; Fri, 3 May 2024 03:05:52 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698352; bh=kw52sS47d9n7tBHDa2WHAr8qVvjMHGYVrnssL16RLAI=; h=From:To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From; b=HyErJQqCJ/CVJVBn94rSyH96/poBXmdf9dXQCy/ydgZyX2XOGFnRXqDskwBUtXFGD 60/y7k/t4vLnLgvtYEnl/IbbpRcLHj5JUmHEGjk+0CsWAx+iBufNAuuwyaKSJdttG3 czOcg5eAV8gmptgnHOEGI01+WTGIiRCEpox1Kuw68ehaWMKXH6GPOMGlXZhYYDiYSg iRiWLC8CvaTMlj8mtWn3qkAmODZOJAn6b3KrM6ocXp1/L7E8Xqvm5tK5/iyqhK0A37 Wu+DiIvTGPqf9/6khnwypZoIFqmiejYd+tp5iZgEzSMb/aUyZDYfEYzX/TiEd0JInd DLGnZZ+z8ObuQ== Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marex@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id 9E8BE88BAF; Fri, 3 May 2024 03:05:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698351; bh=kw52sS47d9n7tBHDa2WHAr8qVvjMHGYVrnssL16RLAI=; h=From:To:Cc:Subject:Date:From; b=dfNh7Ggur20MV9GR/oJNq7Wf5Ext85LEqIUnW+KVYnVazfzpQIkiDIz6djQeiZfHq 2YXhlbKvj6rFodqSOWCiV1BIcLOa11TR3ikkTXV6msLSuwdtyN3M9pwv2ZSgfcBkuX tD2Agh+0PNT+3TRigGXaVmtCgkvUvuL3o7L2y3ZJ3RvgCTnbAbeVlH4E9Pk9lG4L++ BLRETK6+FXL4PQE5O6BiEqUx8C9TcgMgq0WERJXda6piJZHYg2sjLmU3yxrFOmXP9G G6/qvgEVDXwlE0zx5FfEHvIhT07cIUGHyxeiepenH4uK8/0xJni9vbkY11nyzY4+S4 m1yFihXmkY6CQ== From: Marek Vasut To: u-boot@lists.denx.de Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut , "NXP i.MX U-Boot Team" , Adam Ford , Alper Nebi Yasak , Andrejs Cainikovs , Angus Ainslie , Emanuele Ghidoli , Fabio Estevam , Francesco Dolcini , Marcel Ziswiler , Rasmus Villemoes , Simon Glass , Stefan Eichenberger , Stefano Babic , Tim Harvey , Tom Rini , kernel@puri.sm, u-boot@dh-electronics.com Subject: [PATCH v2 1/4] binman: Add nxp_imx8mcst etype for i.MX8M flash.bin signing Date: Fri, 3 May 2024 03:05:09 +0200 Message-ID: <20240503010518.263458-1-marex@denx.de> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Add new binman etype which allows signing both the SPL and fitImage sections of i.MX8M flash.bin using CST. There are multiple DT properties which govern the signing process, nxp,loader-address is the only mandatory one which sets the SPL signature start address without the imx8mimage header, this should be SPL text base. The key material can be configured using optional DT properties nxp,srk-table, nxp,csf-crt, nxp,img-crt, all of which default the key material names generated by CST tool scripts. The nxp,unlock property can be used to unlock CAAM access in SPL section. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: - Use configparser module for generating the configuration INI file - Use config template as an input, parse it, modify only keys of interest - Pull magic values into top level variables - Rename nxp,csf-key and nxp,img-key to nxp,csf-crt and nxp,img-crt - Return unmodified data if signing unrecognized (non-SPL/non-FIT) section --- tools/binman/btool/cst.py | 48 +++++++++ tools/binman/etype/nxp_imx8mcst.py | 163 +++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 tools/binman/btool/cst.py create mode 100644 tools/binman/etype/nxp_imx8mcst.py diff --git a/tools/binman/btool/cst.py b/tools/binman/btool/cst.py new file mode 100644 index 00000000000..30e78bdbbd9 --- /dev/null +++ b/tools/binman/btool/cst.py @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2024 Marek Vasut +# +"""Bintool implementation for cst""" + +import re + +from binman import bintool + +class Bintoolcst(bintool.Bintool): + """Image generation for U-Boot + + This bintool supports running `cst` with some basic parameters as + needed by binman. + """ + def __init__(self, name): + super().__init__(name, 'Sign NXP i.MX image') + + # pylint: disable=R0913 + def run(self, output_fname=None): + """Run cst + + Args: + output_fname: Output filename to write to + """ + args = [] + if output_fname: + args += ['-o', output_fname] + return self.run_cmd(*args) + + def fetch(self, method): + """Fetch handler for cst + + This installs cst using the apt utility. + + Args: + method (FETCH_...): Method to use + + Returns: + True if the file was fetched and now installed, None if a method + other than FETCH_BIN was requested + + Raises: + Valuerror: Fetching could not be completed + """ + if method != bintool.FETCH_BIN: + return None + return self.apt_install('imx-code-signing-tool') diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py new file mode 100644 index 00000000000..132127ad482 --- /dev/null +++ b/tools/binman/etype/nxp_imx8mcst.py @@ -0,0 +1,163 @@ +# SPDX-License-Identifier: GPL-2.0+ +# Copyright 2023-2024 Marek Vasut +# Written with much help from Simon Glass +# +# Entry-type module for generating the i.MX8M code signing tool +# input configuration file and invocation of cst on generated +# input configuration file and input data to be signed. +# + +import configparser +import struct + +from collections import OrderedDict + +from binman.entry import Entry +from binman.etype.mkimage import Entry_mkimage +from binman.etype.section import Entry_section +from binman import elf +from dtoc import fdt_util +from u_boot_pylib import tools + +MAGIC_NXP_IMX_IVT = 0x412000d1 +MAGIC_FITIMAGE = 0xedfe0dd0 + +csf_config_template = """ +[Header] + Version = 4.3 + Hash Algorithm = sha256 + Engine = CAAM + Engine Configuration = 0 + Certificate Format = X509 + Signature Format = CMS + +[Install SRK] + File = "SRK_1_2_3_4_table.bin" + Source index = 0 + +[Install CSFK] + File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate CSF] + +[Unlock] + Engine = CAAM + Features = MID + +[Install Key] + Verification index = 0 + Target Index = 2 + File = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem" + +[Authenticate Data] + Verification index = 2 + Blocks = 0x1234 0x78 0xabcd "data.bin" +""" + +class Entry_nxp_imx8mcst(Entry_mkimage): + """NXP i.MX8M CST .cfg file generator and cst invoker + + Properties / Entry arguments: + - nxp,loader-address - loader address (SPL text base) + """ + + def __init__(self, section, etype, node): + super().__init__(section, etype, node) + self.required_props = ['nxp,loader-address'] + + def ReadNode(self): + super().ReadNode() + self.loader_address = fdt_util.GetInt(self._node, 'nxp,loader-address') + self.srk_table = fdt_util.GetString(self._node, 'nxp,srk-table', 'SRK_1_2_3_4_table.bin') + self.csf_crt = fdt_util.GetString(self._node, 'nxp,csf-crt', 'CSF1_1_sha256_4096_65537_v3_usr_crt.pem') + self.img_crt = fdt_util.GetString(self._node, 'nxp,img-crt', 'IMG1_1_sha256_4096_65537_v3_usr_crt.pem') + self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock') + self.ReadEntries() + + def BuildSectionData(self, required): + data, input_fname, uniq = self.collect_contents_to_file( + self._entries.values(), 'input') + + # Parse the input data and figure out what it is that is being signed. + # - If it is mkimage'd imx8mimage, then extract to be signed data size + # from imx8mimage header, and calculate CSF blob offset right past + # the SPL from this information. + # - If it is fitImage, then pad the image to 4k, add generated IVT and + # sign the whole payload, then append CSF blob at the end right past + # the IVT. + signtype = struct.unpack(' X-Patchwork-Id: 1930903 X-Patchwork-Delegate: festevam@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=psseJpGO; dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=JuA1E3W3; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VVt0d63lMz20fb for ; Fri, 3 May 2024 11:06:09 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B3BD088BF5; Fri, 3 May 2024 03:05:53 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698353; bh=GwbxQc0OvB977LJm2JMw8iiGgoj200lT/DtN27KkjYA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=psseJpGOebRoY61c/C/ujjXXetk82WI6E1SAjbHwVOxh3uBt7TjJTHrOmnjjDoFqs Cg8pEmXVuWxKyCJygbjiNmnTozaZJPD82kWRAzmnmLi9gZ/95a7gXQjM+WGs67wK/U O8VXlVdqTrwVvjBstE4eNJ5EyWTAryvMFPP06GiHULC1Ip4cc515cOdJFlNSKr7B8m IaetsauHf5VImLf4vwWCxIRjnSAQaHOwi3Mddio1C3QNGIE/XQDmeiVJI6w4Tjoyby fUYo2zcC42SQqZCBlVRhfYns9/VxEH2IL/3elI6LaOWzXIWWARsWKEC2vxWxnop2Ug il6RUlR4gbunw== Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marex@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id 39CDA88282; Fri, 3 May 2024 03:05:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698351; bh=GwbxQc0OvB977LJm2JMw8iiGgoj200lT/DtN27KkjYA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JuA1E3W3kfxCkSN6njqSo4/HwQCrZ6O95ordiIBKSnVjGGQYkT8qDXzJ9u4eBntHl u+QzsXS9Ut9pnuN1CFg+P3z16QHwKoebXLYqESGUJVYN0TqNiLDYsnvRsJ/wErtGeZ t2MGWQ9LiiT4Sz/G2nV8ObE5TdnGadAQsTjZWcgSFKGaftXkYgdvGhhm1Xt75PaNC7 NUi8KjrNosSGJJ2+WJDcmza71Cr5jPebw5YHxI9OWDV9mBeI+oEqFTmBO0ZOVBPJRo iJVR+H/XIbCs2GGqqRAfH6B9CQ0t8LuffohwtdG3Ecd/zGZ5QS1ifU5qhAzpVlhDZD rolTL20h3fitQ== From: Marek Vasut To: u-boot@lists.denx.de Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut , "NXP i.MX U-Boot Team" , Adam Ford , Alper Nebi Yasak , Andrejs Cainikovs , Angus Ainslie , Emanuele Ghidoli , Fabio Estevam , Francesco Dolcini , Marcel Ziswiler , Rasmus Villemoes , Simon Glass , Stefan Eichenberger , Stefano Babic , Tim Harvey , Tom Rini , kernel@puri.sm, u-boot@dh-electronics.com Subject: [PATCH v2 2/4] ARM: dts: imx: Introduce SPL and FIT labels to i.MX8M DTs binman nodes Date: Fri, 3 May 2024 03:05:10 +0200 Message-ID: <20240503010518.263458-2-marex@denx.de> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503010518.263458-1-marex@denx.de> References: <20240503010518.263458-1-marex@denx.de> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Add binman_imx_spl and binman_imx_fit labels to nxp-imx8mimage {} and fit {} nodes respectively, so they can be referened in board DTs no matter how deep in the top level binman image description they are. Update current board DTs to use those labels. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: New patch --- arch/arm/dts/imx8mm-u-boot.dtsi | 4 +- .../dts/imx8mm-verdin-wifi-dev-u-boot.dtsi | 8 +- arch/arm/dts/imx8mn-u-boot.dtsi | 4 +- arch/arm/dts/imx8mp-dhcom-u-boot.dtsi | 124 +++++++++--------- arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi | 26 ++-- arch/arm/dts/imx8mp-u-boot.dtsi | 4 +- arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi | 10 +- arch/arm/dts/imx8mq-u-boot.dtsi | 4 +- 8 files changed, 84 insertions(+), 100 deletions(-) diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index 6ab8f66256e..b9b1193823a 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi @@ -54,7 +54,7 @@ }; #endif - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; @@ -98,7 +98,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi index 90183aff8bc..183de46f66a 100644 --- a/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-verdin-wifi-dev-u-boot.dtsi @@ -35,12 +35,8 @@ bootph-pre-ram; }; -&binman { - section { - fit { - offset = <0x5fc00>; - }; - }; +&binman_imx_fit { + offset = <0x5fc00>; }; &gpio1 { diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index ba9967dbe4a..c9fb33cfb73 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi @@ -103,7 +103,7 @@ }; #endif - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -169,7 +169,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi index cb37e28f28f..c065fb82994 100644 --- a/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-dhcom-u-boot.dtsi @@ -135,73 +135,69 @@ bootph-pre-ram; }; -&binman { - section { - fit { - images { - fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { - description = "imx8mp-dhcom-som-overlay-eth1xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { - description = "imx8mp-dhcom-som-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { - description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-som-overlay-rev100 { - description = "imx8mp-dhcom-som-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; - }; - }; - - fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { - description = "imx8mp-dhcom-pdk3-overlay-rev100"; - type = "flat_dt"; - compression = "none"; - - blob-ext { - filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; - }; - }; +&binman_imx_fit { + images { + fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast { + description = "imx8mp-dhcom-som-overlay-eth1xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth1xfast.dtbo"; }; + }; + + fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast { + description = "imx8mp-dhcom-som-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-eth2xfast.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast { + description = "imx8mp-dhcom-pdk-overlay-eth2xfast"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk-overlay-eth2xfast.dtbo"; + }; + }; - configurations { - default = "@config-DEFAULT-SEQ"; - - @config-SEQ { - fdt = "fdt-1", - "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", - "fdt-dto-imx8mp-dhcom-som-overlay-rev100", - "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; - }; + fdt-dto-imx8mp-dhcom-som-overlay-rev100 { + description = "imx8mp-dhcom-som-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-som-overlay-rev100.dtbo"; + }; + }; + + fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100 { + description = "imx8mp-dhcom-pdk3-overlay-rev100"; + type = "flat_dt"; + compression = "none"; + + blob-ext { + filename = "imx8mp-dhcom-pdk3-overlay-rev100.dtbo"; }; }; }; + + configurations { + default = "@config-DEFAULT-SEQ"; + + @config-SEQ { + fdt = "fdt-1", + "fdt-dto-imx8mp-dhcom-som-overlay-eth1xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-pdk-overlay-eth2xfast", + "fdt-dto-imx8mp-dhcom-som-overlay-rev100", + "fdt-dto-imx8mp-dhcom-pdk3-overlay-rev100"; + }; + }; }; diff --git a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi index aff5dcf615d..21eff6d6ad4 100644 --- a/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-rsb3720-a1-u-boot.dtsi @@ -135,21 +135,17 @@ assigned-clock-parents = <&clk IMX8MP_SYS_PLL1_400M>; }; -&binman { - section { - fit { - images { - fip { - description = "Trusted Firmware FIP"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x40310000>; - - fip_blob: blob-ext{ - filename = "fip.bin"; - }; - }; +&binman_imx_fit { + images { + fip { + description = "Trusted Firmware FIP"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x40310000>; + + fip_blob: blob-ext{ + filename = "fip.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index c4c1a177102..8b5ac3faf1c 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi @@ -86,7 +86,7 @@ section { pad-byte = <0x00>; - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <2>; @@ -129,7 +129,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; diff --git a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi index 1a4568dac65..98da015a444 100644 --- a/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-librem5-r4-u-boot.dtsi @@ -10,14 +10,10 @@ bootph-pre-ram; }; -&binman { +&binman_imx_spl { section { - nxp-imx8mimage { - section { - signed-hdmi-imx8m { - filename = "signed_dp_imx8m.bin"; - }; - }; + signed-hdmi-imx8m { + filename = "signed_dp_imx8m.bin"; }; }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 48dbe94f0c4..72da674d245 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi @@ -38,7 +38,7 @@ section { pad-byte = <0x00>; - nxp-imx8mimage { + binman_imx_spl: nxp-imx8mimage { filename = "u-boot-spl-mkimage.bin"; nxp,boot-from = "sd"; nxp,rom-version = <1>; @@ -87,7 +87,7 @@ }; }; - fit { + binman_imx_fit: fit { description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB fit,external-offset = ; From patchwork Fri May 3 01:05:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Vasut X-Patchwork-Id: 1930904 X-Patchwork-Delegate: festevam@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=lQuQ4U9T; dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=lM6VRURr; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VVt0q2Qv6z20fb for ; Fri, 3 May 2024 11:06:19 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2E84588BFF; Fri, 3 May 2024 03:05:54 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698354; bh=iq6q7a1Ce6eef7Hbmo0YXysNFlCqRgEKmHXJzw/9xoc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=lQuQ4U9TU9EnsoFtuUKhhWO3vMw9u+EXNGZDNUMPIQJibW6dbejnjNYgnmWYVE+Pg oqeiYOyi2GL0Na9cVtHXC6WMg6CGXbAN+XHOEAMR8sglg8ho77CPp/2ZBF4XwbzqqY HnFSfq3hVQmzGWqCJd5vi5SSGYwciBYgULIwxVU2KFDNG9OUwLpCZIlSLHJmZRv8qi rtzjdtuWZH8m1JmJgqgrOYg9LLGqp8uZYvoft2vEg+/g70HNs7QaMWHq4FF3cNGhHd QUvH29bh4yLnZ5PKyE/TyGIcgidIJGVuuUCAy42YZEElX0dkKMr8UeFG0pb2SUVSwX JFvpQoZ2kJksA== Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marex@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id 086C888AB5; Fri, 3 May 2024 03:05:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698352; bh=iq6q7a1Ce6eef7Hbmo0YXysNFlCqRgEKmHXJzw/9xoc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lM6VRURrpJN0Ebzpr8Egg+H/VmR9QJS+6lm8xTLUv6fS9LKbsc69EHJeBny7Ok1H3 jk/XzGS//QxXcqTUiozTP6i1i76b9CMJFDKu5wSPnsyV0nmUNlgOV5Mh+nm7rMpsxU 5CJsokZoZ2/+dFw4MEUgnt+w+4S/FiBxRLZd1AoRDYNMXiQD/hvRk+LyU2SVu1c7Ib KwtqR5Wp5gNO6vl2hjmMoXpi665f6krlvtvmjZZBbJjmtZLDi//L1q1PRMD6ZPAlbh SPbqVnOB6Ap8Uk8jvcsbECXuXya/1ewuABNaDvTpSjhsdRaVkqgGbw36XbR3BTSnyX eDDB3x1tqvGUg== From: Marek Vasut To: u-boot@lists.denx.de Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut , "NXP i.MX U-Boot Team" , Adam Ford , Alper Nebi Yasak , Andrejs Cainikovs , Angus Ainslie , Emanuele Ghidoli , Fabio Estevam , Francesco Dolcini , Marcel Ziswiler , Rasmus Villemoes , Simon Glass , Stefan Eichenberger , Stefano Babic , Tim Harvey , Tom Rini , kernel@puri.sm, u-boot@dh-electronics.com Subject: [PATCH v2 3/4] ARM: dts: imx: Wrap i.MX8M binman SPL and FIT nodes in CST node if IMX_HAB enabled Date: Fri, 3 May 2024 03:05:11 +0200 Message-ID: <20240503010518.263458-3-marex@denx.de> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503010518.263458-1-marex@denx.de> References: <20240503010518.263458-1-marex@denx.de> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean In case CONFIG_IMX_HAB is enabled, extend the binman image description for all of i.MX8M{Q,M,N,P} with CST wrapper node. This way, if CONFIG_IMX_HAB is enabled, binman will be automatically used to sign SPL and fitImage. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: New patch --- arch/arm/dts/imx8mm-u-boot.dtsi | 195 ++++++++++++++++------------- arch/arm/dts/imx8mn-u-boot.dtsi | 209 ++++++++++++++++++-------------- arch/arm/dts/imx8mp-u-boot.dtsi | 172 ++++++++++++++------------ arch/arm/dts/imx8mq-u-boot.dtsi | 182 ++++++++++++++------------- 4 files changed, 424 insertions(+), 334 deletions(-) diff --git a/arch/arm/dts/imx8mm-u-boot.dtsi b/arch/arm/dts/imx8mm-u-boot.dtsi index b9b1193823a..c02e11def5f 100644 --- a/arch/arm/dts/imx8mm-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-u-boot.dtsi @@ -54,126 +54,151 @@ }; #endif - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ + + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x58C00>; #else offset = <0x57c00>; #endif - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; + args; /* Needed by mkimage etype superclass */ +#endif - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x58C00>; +#else + offset = <0x57c00>; +#endif + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = ; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - }; #ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x920000>; - load = <0x920000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x920000>; + load = <0x920000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif - binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; - }; + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + }; - @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - }; - configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ"; - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mn-u-boot.dtsi b/arch/arm/dts/imx8mn-u-boot.dtsi index c9fb33cfb73..732191f5205 100644 --- a/arch/arm/dts/imx8mn-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-u-boot.dtsi @@ -103,147 +103,172 @@ }; #endif - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ + + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; - ddr-1d-imem-fw { + ddr-1d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_imem.bin"; + filename = "lpddr4_pmu_train_1d_imem.bin"; #elif CONFIG_IMX8M_DDR4 - filename = "ddr4_imem_1d_201810.bin"; + filename = "ddr4_imem_1d_201810.bin"; #else - filename = "ddr3_imem_1d.bin"; + filename = "ddr3_imem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; - ddr-1d-dmem-fw { + ddr-1d-dmem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_1d_dmem.bin"; + filename = "lpddr4_pmu_train_1d_dmem.bin"; #elif CONFIG_IMX8M_DDR4 - filename = "ddr4_dmem_1d_201810.bin"; + filename = "ddr4_dmem_1d_201810.bin"; #else - filename = "ddr3_dmem_1d.bin"; + filename = "ddr3_dmem_1d.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; #if defined(CONFIG_IMX8M_LPDDR4) || defined(CONFIG_IMX8M_DDR4) - ddr-2d-imem-fw { + ddr-2d-imem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_imem.bin"; + filename = "lpddr4_pmu_train_2d_imem.bin"; #else - filename = "ddr4_imem_2d_201810.bin"; + filename = "ddr4_imem_2d_201810.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-dmem-fw { + ddr-2d-dmem-fw { #ifdef CONFIG_IMX8M_LPDDR4 - filename = "lpddr4_pmu_train_2d_dmem.bin"; + filename = "lpddr4_pmu_train_2d_dmem.bin"; #else - filename = "ddr4_dmem_2d_201810.bin"; + filename = "ddr4_dmem_2d_201810.bin"; #endif - type = "blob-ext"; - align-end = <4>; - }; + type = "blob-ext"; + align-end = <4>; + }; #endif + }; }; + +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; #ifdef CONFIG_FSPI_CONF_HEADER offset = <0x59000>; #else offset = <0x58000>; #endif + args; /* Needed by mkimage etype superclass */ +#endif - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; +#ifdef CONFIG_FSPI_CONF_HEADER + offset = <0x59000>; +#else + offset = <0x58000>; +#endif - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = ; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - }; #ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x960000>; - load = <0x960000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x960000>; + load = <0x960000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif - binman_fip: fip { - arch = "arm64"; - compression = "none"; - description = "Trusted Firmware FIP"; - load = <0x40310000>; - type = "firmware"; - }; + binman_fip: fip { + arch = "arm64"; + compression = "none"; + description = "Trusted Firmware FIP"; + load = <0x40310000>; + type = "firmware"; + }; - @fdt-SEQ { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + @fdt-SEQ { + compression = "none"; + description = "NAME"; + type = "flat_dt"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - }; - configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ"; - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi index 8b5ac3faf1c..f2655a4d0c8 100644 --- a/arch/arm/dts/imx8mp-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-u-boot.dtsi @@ -86,110 +86,130 @@ section { pad-byte = <0x00>; - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <2>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - align-size = <4>; - align = <4>; - - u-boot-spl { - align-end = <4>; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <2>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ + + section { + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + align-size = <4>; + align = <4>; + + u-boot-spl { + align-end = <4>; + }; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem_202006.bin"; - type = "blob-ext"; - align-end = <4>; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; - type = "blob-ext"; - align-end = <4>; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem_202006.bin"; + type = "blob-ext"; + align-end = <4>; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; -#ifndef CONFIG_IMX_HAB - fit,external-offset = ; -#endif - fit,fdt-list = "of-list"; - #address-cells = <1>; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; offset = <0x58000>; + args; /* Needed by mkimage etype superclass */ +#endif - images { - uboot { - description = "U-Boot (64-bit)"; - type = "standalone"; - arch = "arm64"; - compression = "none"; - load = ; - - uboot_blob: blob-ext { - filename = "u-boot-nodtb.bin"; + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; +#ifndef CONFIG_IMX_HAB + fit,external-offset = ; +#endif + fit,fdt-list = "of-list"; + #address-cells = <1>; + offset = <0x58000>; + + images { + uboot { + description = "U-Boot (64-bit)"; + type = "standalone"; + arch = "arm64"; + compression = "none"; + load = ; + + uboot_blob: blob-ext { + filename = "u-boot-nodtb.bin"; + }; }; - }; #ifndef CONFIG_ARMV8_PSCI - atf { - description = "ARM Trusted Firmware"; - type = "firmware"; - arch = "arm64"; - compression = "none"; - load = <0x970000>; - entry = <0x970000>; - - atf_blob: atf-blob { - filename = "bl31.bin"; - type = "atf-bl31"; + atf { + description = "ARM Trusted Firmware"; + type = "firmware"; + arch = "arm64"; + compression = "none"; + load = <0x970000>; + entry = <0x970000>; + + atf_blob: atf-blob { + filename = "bl31.bin"; + type = "atf-bl31"; + }; }; - }; #endif - @fdt-SEQ { - description = "NAME"; - type = "flat_dt"; - compression = "none"; + @fdt-SEQ { + description = "NAME"; + type = "flat_dt"; + compression = "none"; - blob-ext { - filename = "u-boot.dtb"; + blob-ext { + filename = "u-boot.dtb"; + }; }; }; - }; - configurations { - default = "@config-DEFAULT-SEQ"; + configurations { + default = "@config-DEFAULT-SEQ"; - @config-SEQ { - description = "NAME"; - fdt = "fdt-SEQ"; - firmware = "uboot"; + @config-SEQ { + description = "NAME"; + fdt = "fdt-SEQ"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; diff --git a/arch/arm/dts/imx8mq-u-boot.dtsi b/arch/arm/dts/imx8mq-u-boot.dtsi index 72da674d245..e1cd6f8996d 100644 --- a/arch/arm/dts/imx8mq-u-boot.dtsi +++ b/arch/arm/dts/imx8mq-u-boot.dtsi @@ -38,116 +38,136 @@ section { pad-byte = <0x00>; - binman_imx_spl: nxp-imx8mimage { - filename = "u-boot-spl-mkimage.bin"; - nxp,boot-from = "sd"; - nxp,rom-version = <1>; +#ifdef CONFIG_IMX_HAB + nxp-imx8mcst@0 { + filename = "u-boot-spl-mkimage.signed.bin"; nxp,loader-address = ; + nxp,unlock; args; /* Needed by mkimage etype superclass */ +#endif - section { - align = <4>; - align-size = <4>; - filename = "u-boot-spl-ddr.bin"; - pad-byte = <0xff>; - - u-boot-spl { - align-end = <4>; - filename = "u-boot-spl.bin"; - }; + binman_imx_spl: nxp-imx8mimage { + filename = "u-boot-spl-mkimage.bin"; + nxp,boot-from = "sd"; + nxp,rom-version = <1>; + nxp,loader-address = ; + args; /* Needed by mkimage etype superclass */ + + section { + align = <4>; + align-size = <4>; + filename = "u-boot-spl-ddr.bin"; + pad-byte = <0xff>; + + u-boot-spl { + align-end = <4>; + filename = "u-boot-spl.bin"; + }; - ddr-1d-imem-fw { - filename = "lpddr4_pmu_train_1d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-imem-fw { + filename = "lpddr4_pmu_train_1d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-1d-dmem-fw { - filename = "lpddr4_pmu_train_1d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-1d-dmem-fw { + filename = "lpddr4_pmu_train_1d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-imem-fw { - filename = "lpddr4_pmu_train_2d_imem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-imem-fw { + filename = "lpddr4_pmu_train_2d_imem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - ddr-2d-dmem-fw { - filename = "lpddr4_pmu_train_2d_dmem.bin"; - align-end = <4>; - type = "blob-ext"; - }; + ddr-2d-dmem-fw { + filename = "lpddr4_pmu_train_2d_dmem.bin"; + align-end = <4>; + type = "blob-ext"; + }; - signed-hdmi-imx8m { - filename = "signed_hdmi_imx8m.bin"; - type = "blob-ext"; + signed-hdmi-imx8m { + filename = "signed_hdmi_imx8m.bin"; + type = "blob-ext"; + }; }; }; +#ifdef CONFIG_IMX_HAB }; - binman_imx_fit: fit { - description = "Configuration to load ATF before U-Boot"; + nxp-imx8mcst@1 { + filename = "u-boot-fit.signed.bin"; + nxp,loader-address = ; + offset = <0x58000>; + args; /* Needed by mkimage etype superclass */ +#endif + + binman_imx_fit: fit { + description = "Configuration to load ATF before U-Boot"; #ifndef CONFIG_IMX_HAB - fit,external-offset = ; + fit,external-offset = ; #endif - #address-cells = <1>; - - images { - uboot { - arch = "arm64"; - compression = "none"; - description = "U-Boot (64-bit)"; - load = ; - type = "standalone"; - - uboot-blob { - filename = "u-boot-nodtb.bin"; - type = "blob-ext"; + #address-cells = <1>; + + images { + uboot { + arch = "arm64"; + compression = "none"; + description = "U-Boot (64-bit)"; + load = ; + type = "standalone"; + + uboot-blob { + filename = "u-boot-nodtb.bin"; + type = "blob-ext"; + }; }; - }; #ifndef CONFIG_ARMV8_PSCI - atf { - arch = "arm64"; - compression = "none"; - description = "ARM Trusted Firmware"; - entry = <0x910000>; - load = <0x910000>; - type = "firmware"; - - atf-blob { - filename = "bl31.bin"; - type = "blob-ext"; + atf { + arch = "arm64"; + compression = "none"; + description = "ARM Trusted Firmware"; + entry = <0x910000>; + load = <0x910000>; + type = "firmware"; + + atf-blob { + filename = "bl31.bin"; + type = "blob-ext"; + }; }; - }; #endif - fdt { - compression = "none"; - description = "NAME"; - type = "flat_dt"; + fdt { + compression = "none"; + description = "NAME"; + type = "flat_dt"; - uboot-fdt-blob { - filename = "u-boot.dtb"; - type = "blob-ext"; + uboot-fdt-blob { + filename = "u-boot.dtb"; + type = "blob-ext"; + }; }; }; - }; - configurations { - default = "conf"; + configurations { + default = "conf"; - conf { - description = "NAME"; - fdt = "fdt"; - firmware = "uboot"; + conf { + description = "NAME"; + fdt = "fdt"; + firmware = "uboot"; #ifndef CONFIG_ARMV8_PSCI - loadables = "atf"; + loadables = "atf"; #endif + }; }; }; +#ifdef CONFIG_IMX_HAB }; +#endif }; }; From patchwork Fri May 3 01:05:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Vasut X-Patchwork-Id: 1930905 X-Patchwork-Delegate: festevam@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=Sdw2qSar; dkim=pass (2048-bit key) header.d=denx.de header.i=@denx.de header.a=rsa-sha256 header.s=phobos-20191101 header.b=tpYzLi6q; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VVt1840jzz20fb for ; Fri, 3 May 2024 11:06:36 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9FA7388C0B; Fri, 3 May 2024 03:05:54 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698354; bh=egQOYOLYYzUYSJfUxtkYptFIaHrKaajb3zr1MWXO/F8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=Sdw2qSarLh7igxvETG9zJ2bdCfTDQd1xvGkQ7b1H68X1QWMpYUEcqaaxa0hOeSSnk dMbUEEZ1/aOVdsD42QlTrkVJ6qB9oDjtEh5Wp0a+9+T7MRMKHUd1b2tweH2VZKivo1 Sf7khBjJUW08Ma01wcjh0cotVKHh2FGsRYZ+u8Jd4QwdydKLr8HnA6D9P+OFjtYF+O 7GtbsfDlC3iCiND9HsR2b9JFxKFLfnOMlqJrqLALsHvnswtTR4Q0erxbh2yTp4K2XO PT3kaLTvVH6mMZv3nLElxxFHg/ld6hrFYfWI5vL5aTEDDYgZhRJb02+SJDjNmh2FOo ZeI+nHW1T2Nkw== Received: from tr.lan (ip-86-49-120-218.bb.vodafone.cz [86.49.120.218]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: marex@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id D8CD888BE3; Fri, 3 May 2024 03:05:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1714698353; bh=egQOYOLYYzUYSJfUxtkYptFIaHrKaajb3zr1MWXO/F8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tpYzLi6q0me1EQlrX2Flgz8YK0hBgs433gsBnZTSmSNpJpw1+a4ssHjmG6w8ISrCm Yw4PsbW7m+2m970i+B0ZrEk0JNUIbr9/jEjpmfIqbd//NmGOYkLnnDKeCI+h5+LrqO pYJbtgjBb9n7ZO+3fs8JA7LD8QKnX9zTjgBbj3Jud/dOG+Qi2t10bV21E/AktCvCMf xbkSenz1NUebNKzbpEkBhU1ou2m7Mfp1HYDy/ThfZKow6QU+Mg4/S5npzWDlcb9G0J V3UIzf4hwmPT5cHB9lSd4vWS3Gn3c3Hwrsp+mAtTiG67/UrbpiCWhiE5Dcop3d9OrF 5XJpWGjgJbL5g== From: Marek Vasut To: u-boot@lists.denx.de Cc: anton.gres@ifm.com, ch@denx.de, Marek Vasut , "NXP i.MX U-Boot Team" , Adam Ford , Alper Nebi Yasak , Andrejs Cainikovs , Angus Ainslie , Emanuele Ghidoli , Fabio Estevam , Francesco Dolcini , Marcel Ziswiler , Rasmus Villemoes , Simon Glass , Stefan Eichenberger , Stefano Babic , Tim Harvey , Tom Rini , kernel@puri.sm, u-boot@dh-electronics.com Subject: [PATCH v2 4/4] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing Date: Fri, 3 May 2024 03:05:12 +0200 Message-ID: <20240503010518.263458-4-marex@denx.de> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240503010518.263458-1-marex@denx.de> References: <20240503010518.263458-1-marex@denx.de> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Update documentation and use nxp_imx8mcst binman etype for signing of flash.bin instead of previous horrible shell scripting. Signed-off-by: Marek Vasut --- Cc: "NXP i.MX U-Boot Team" Cc: Adam Ford Cc: Alper Nebi Yasak Cc: Andrejs Cainikovs Cc: Angus Ainslie Cc: Emanuele Ghidoli Cc: Fabio Estevam Cc: Francesco Dolcini Cc: Marcel Ziswiler Cc: Rasmus Villemoes Cc: Simon Glass Cc: Stefan Eichenberger Cc: Stefano Babic Cc: Tim Harvey Cc: Tom Rini Cc: kernel@puri.sm Cc: u-boot@dh-electronics.com Cc: u-boot@lists.denx.de --- V2: Document the automatic signing in case CONFIG_IMX_HAB is enabled --- doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ---------------- doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ------ doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ------ doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 100 +++--------------- 4 files changed, 14 insertions(+), 241 deletions(-) delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh deleted file mode 100644 index cd3b2614a2f..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/sh - -# 0) Generate keys -# -# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus) -# -# cd /path/to/cst-3.3.1/keys/ -# ./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y -# cd /path/to/cst-3.3.1/crts/ -# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1 - -# 1) Build U-Boot (e.g. for i.MX8MM) -# -# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin . -# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* . -# make -j imx8mm_board_defconfig -# make -j`nproc` flash.bin - -# 2) Sign SPL and DRAM blobs - -cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp -cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp - -# update File Paths from env vars -if ! [ -r $CSF_KEY ]; then - echo "Error: \$CSF_KEY not found" - exit 1 -fi -if ! [ -r $IMG_KEY ]; then - echo "Error: \$IMG_KEY not found" - exit 1 -fi -if ! [ -r $SRK_TABLE ]; then - echo "Error: \$SRK_TABLE not found" - exit 1 -fi -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp -sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp -sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp -sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp - -# update SPL Blocks -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp - -# Generate CSF blob -cst -i csf_spl.tmp -o csf_spl.bin - -# Patch CSF blob into flash.bin -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc - -# 3) Sign u-boot.itb - -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp - -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc - -# Generate CSF blob -cst -i csf_fit.tmp -o csf_fit.bin - -# When loading flash.bin via USB, we must ensure that the file being -# served is as large as the target expects (see -# board_spl_fit_size_align()), otherwise the target will hang in -# rom_api_download_image() waiting for the remaining bytes. -# -# Note that in order for dd to actually extend the file, one must not -# pass conv=notrunc here. With a non-zero seek= argument, dd is -# documented to preserve the contents of the file seeked past; in -# particular, dd does not open the file with O_TRUNC. -CSF_SIZE=$(sed -n "/CONFIG_CSF_SIZE=/ s@.*=@@p" .config) -dd if=/dev/null of=csf_fit.bin bs=1 seek=$((CSF_SIZE - 0x20)) count=0 - -# Patch CSF blob into flash.bin -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt deleted file mode 100644 index 97f3eea573b..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ /dev/null @@ -1,30 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: - # Line 1 -- fitImage - Blocks = CONFIG_SPL_LOAD_FIT_ADDRESS 0x57c00 0xffff "flash.bin" diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt deleted file mode 100644 index 88fa420a5fa..00000000000 --- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt +++ /dev/null @@ -1,33 +0,0 @@ -[Header] - Version = 4.3 - Hash Algorithm = sha256 - Engine = CAAM - Engine Configuration = 0 - Certificate Format = X509 - Signature Format = CMS - -[Install SRK] - # SRK_TABLE is full path to SRK_1_2_3_4_table.bin - File = "$SRK_TABLE" - Source index = 0 - -[Install CSFK] - # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$CSF_KEY" - -[Authenticate CSF] - -[Unlock] - Engine = CAAM - Features = MID - -[Install Key] - Verification index = 0 - Target Index = 2 - # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem - File = "$IMG_KEY" - -[Authenticate Data] - Verification index = 2 - # FIXME: Adjust start (first column) and size (third column) here - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index e16e5410bd9..ce1de659d8c 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -121,6 +121,9 @@ build configuration: - Defconfig: CONFIG_IMX_HAB=y + CONFIG_FSL_CAAM=y + CONFIG_ARCH_MISC_INIT=y + CONFIG_SPL_CRYPTO=y - Kconfig: @@ -131,92 +134,17 @@ build configuration: The CSF contains all the commands that the HAB executes during the secure boot. These commands instruct the HAB code on which memory areas of the image -to authenticate, which keys to install, use and etc. - -CSF examples are available under doc/imx/habv4/csf_examples/ directory. - -CSF "Blocks" line for csf_spl.txt can be generated as follows: - -``` -spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) ) -spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin)) -sed -i "/Blocks = / s@.*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.txt -``` - -The resulting line looks as follows: -``` - Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin" -``` - -The columns mean: - - CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM - - 0x0 -- Start address of signed data, in "flash.bin" - - 0x306f0 -- Length of signed data, in "flash.bin" - - Filename -- "flash.bin" - -To generate signature for the SPL part of flash.bin container, use CST: -``` -cst -i csf_spl.tmp -o csf_spl.bin -``` - -The newly generated CST blob has to be patched into existing flash.bin -container. Conveniently, flash.bin IVT contains physical address of the -CSF blob. Remember, the SPL part of flash.bin container is loaded by the -BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in -the fitImage can be calculated and inserted into the flash.bin in the -correct location as follows: -``` -# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40 -spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@") -spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40)) -dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc -``` - -CSF "Blocks" line for csf_fit.txt can be generated as follows: -``` -# fitImage -fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) -fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp -``` - -The fitImage part of flash.bin requires separate IVT. Generate the IVT and -patch it into the correct aligned location of flash.bin as follows: -``` -# IVT -ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") -ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) -csf_block_offset=$((${ivt_block_offset} + 0x20)) - -echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin -dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc -``` - -To generate CSF signature for the fitImage part of flash.bin container, use CST: -``` -cst -i csf_fit.tmp -o csf_fit.bin -``` - -Finally, patch the CSF signature into the fitImage right past the IVT: -``` -dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc -``` - -The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh -and can be used as follows to modify flash.bin to be signed -(adjust paths as needed): -``` -export CST_DIR=/usr/src/cst-3.3.1/ -export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem -export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem -export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin -export PATH=$CST_DIR/linux64/bin:$PATH -/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh -``` +to authenticate, which keys to install, use and etc. The CSF is generated +using the CST Code Signing Tool based on input configuration file. This tool +input configuration file is generated using binman, and the tool is invoked +from binman as well. + +The SPL and fitImage sections of the generated image are signed separately. +The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst +etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi +in case CONFIG_IMX_HAB Kconfig symbol is enabled. + +Build of flash.bin target then produces a signed flash.bin automatically. 1.4 Closing the device -----------------------