diff options
| author | Marek Vasut <marex@denx.de> | 2023-05-28 23:00:30 +0200 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2023-06-24 13:47:02 -0400 |
| commit | 6039e0edc8540bd2abee780549b260bdaf089168 (patch) | |
| tree | 4e179f7c6962564dd11fba3d6bb551603b368457 /doc | |
| parent | 6a412faea3dd0cb07c5fb19b9c01ab0bc73e3950 (diff) | |
| download | u-boot-6039e0edc8540bd2abee780549b260bdaf089168.zip u-boot-6039e0edc8540bd2abee780549b260bdaf089168.tar.gz u-boot-6039e0edc8540bd2abee780549b260bdaf089168.tar.bz2 | |
imx: hab: Simplify the mechanism
The current mechanism is unnecessarily complex. Simplify the whole mechanism
such that the entire fitImage is signed, IVT is placed at the end, followed
by CSF, and this entire bundle is also authenticated. This makes the signing
scripting far simpler.
Signed-off-by: Marek Vasut <marex@denx.de>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/imx/habv4/csf_examples/mx8m/csf.sh | 28 | ||||
| -rw-r--r-- | doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 10 | ||||
| -rw-r--r-- | doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 74 |
3 files changed, 22 insertions, 90 deletions
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh index 7a9a05e..5b383fa 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh @@ -37,29 +37,11 @@ dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc # 3) Sign u-boot.itb -# fitImage tree -fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) ) +# fitImage +fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ($(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# U-Boot -uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load)) -uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} ))) -uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size)) -sed -i "/0xuuuu/ s@.*@ $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# ATF -atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load)) -atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} ))) -atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size)) -sed -i "/0xaaaa/ s@.*@ $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# DTB -dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} ))) -dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} ))) -dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size)) -sed -i "/0xdddd/ s@.*@ $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp +fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) +sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp # IVT ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") @@ -68,7 +50,7 @@ csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | se ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) csf_block_offset=$((${ivt_block_offset} + 0x20)) -echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin +echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc # Generate CSF blob diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt index cd1d407..bbb82f6 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt @@ -26,11 +26,5 @@ [Authenticate Data] Verification index = 2 # FIXME: - # Line 1 -- fitImage tree - # Line 2 -- U-Boot u-boot-nodtb.bin blob - # Line 3 -- ATF BL31 blob - # Line 4 -- DT blob - Blocks = 0x401fcdc0 0x57c00 0xffff "flash.bin", \ - 0x40200000 0x62c00 0xuuuu "flash.bin", \ - 0x920000 0x00000 0xaaaa "flash.bin", \ - 0x40200000 0x00000 0xdddd "flash.bin" + # Line 1 -- fitImage + Blocks = 0x401fcdc0 0x57c00 0xffff "flash.bin" diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index 3e3d384..e79726b 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -79,18 +79,16 @@ code within it: The diagram below illustrate a signed U-Boot binary, DT blob and external ATF BL31 blob combined to form fitImage part of flash.bin container layout. -The *load_address is derived from CONFIG_TEXT_BASE such that the U-Boot -binary *start is placed exactly at CONFIG_SPL_TEXT_BASE in DRAM, however the -SPL moves the fitImage tree further to location: - *load_address = CONFIG_SPL_TEXT_BASE - CONFIG_FIT_EXTERNAL_OFFSET (=12kiB) - - 512 Byte sector - sizeof(mkimage header) +The *load_address is CONFIG_SPL_LOAD_FIT_ADDRESS, the fitImage is loaded +including all of its embedded data, authenticated using IVT+CSF concatenated +at the end of the fitImage at offset aligned to 4 kiB. The fitImage with +external data is not supported. ------- +-----------------------------+ <-- *load_address ^ | | | | fitImage tree | - | | with external data at | - | | offset 12 kiB from tree | - | | (cca. 1 kiB) | + | | with embedded data | + | | (cca. 1 MiB) | Signed | | | .----- Tree | +-----------------------------+ | Data | | Padding to next 4k aligned | @@ -101,34 +99,9 @@ SPL moves the fitImage tree further to location: | ------- +-----------------------------+ <-- *csf | | Command Sequence File (CSF) | | | for all signed entries in | - >--------------->| the fitImage, tree and data | - | | (cca 6-7 kiB) | - | +-----------------------------+ - | | Padding to 12 kiB offset | - | | from *load_address | - | ------- +-----------------------------+ <-- *start - | ^ | | - | Signed | | | - |---- Payload | | U-Boot external data blob | - | Data | | | - | v | | - | ------- +-----------------------------+ - | | Padding to 4 Bytes | - | ------- +-----------------------------+ - | ^ | | - | Signed | | | - |---- Payload | | ATF external data blob | - | Data | | | - | v | | - | ------- +-----------------------------+ - | | Padding to 4 Bytes | - | ------- +-----------------------------+ - | ^ | | - | Signed | | | - '---- Payload | | DTB external data blob | - Data | | | - v | | - ------- +-----------------------------+ + '---------------->| the fitImage, tree and data | + | (cca 6-7 kiB) | + +-----------------------------+ The diagram below illustrate a combined flash.bin container layout: @@ -202,29 +175,11 @@ dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc CSF "Blocks" line for csf_fit.txt can be generated as follows: ``` -# fitImage tree -fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) ) +# fitImage +fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( $(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# U-Boot -uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load)) -uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} ))) -uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size)) -sed -i "/0xuuuu/ s@.*@ $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# ATF -atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load)) -atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} ))) -atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size)) -sed -i "/0xaaaa/ s@.*@ $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# DTB -dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} ))) -dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} ))) -dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size)) -sed -i "/0xdddd/ s@.*@ $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp +fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) +sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp ``` The fitImage part of flash.bin requires separate IVT. Generate the IVT and @@ -237,8 +192,9 @@ csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | se ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) csf_block_offset=$((${ivt_block_offset} + 0x20)) -echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin +echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc +``` To generate CSF signature for the fitImage part of flash.bin container, use CST: ``` |