[U-Boot] [PATCH 2/2] arm: mxs: Add support for generating signed BootStream

Marek Vasut marex at denx.de
Fri Apr 4 13:54:17 CEST 2014


On Friday, April 04, 2014 at 11:52:09 AM, Stefano Babic wrote:
> Hi Marek,
> 
> On 03/04/2014 19:12, Marek Vasut wrote:
> > This patch adds the groundwork for generating signed BootStream, which
> > can be used by the HAB library in i.MX28. We are adding a new target,
> > u-boot-signed.sb , since the process for generating regular non-signed
> > BootStream is much easier. Moreover, the signed bootstream depends on
> > external _proprietary_ _binary-only_ tool from Freescale called 'cst',
> > which is available only under NDA.
> > 
> > To make things even uglier, the CST or HAB mandates a kind-of circular
> > dependency. The problem is, unlike the regular IVT, which is generated
> > by mxsimage, the IVT for signed boot must be generated by hand here due
> > to special demands of the CST. The U-Boot binary (or SPL binary) and IVT
> > are then signed by the CST as one block. But here is the problem. The
> > size of the entire image (U-Boot, IVT, CST blocks) must be appended at
> > the end of IVT. But the size of the entire image is not known until the
> > CST has finished signing the U-Boot and IVT. We solve this by expecting
> > the CST block to be always 3904B (which it is in case two files, U-Boot
> > and the hand-made IVT, are signed in the CST block).
> > 
> > Signed-off-by: Marek Vasut <marex at denx.de>
> > Cc: Stefano Babic <sbabic at denx.de>
> > ---
> > 
> >  Makefile                                       |  2 +
> >  arch/arm/cpu/arm926ejs/mxs/Makefile            | 60 ++++++++++++++++++++++++++
> >  arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg | 10 +++++
> >  3 files changed, 72 insertions(+)
> >  create mode 100644 arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg
> > 
> > NOTE: Stefano, I had to tweak this to play well with kbuild.
> 
> ok - only to track what we have already discussed via IIRC.
> 
> The patch was already accepted, but it conflicts with current
> u-boot-arm. I revert it on u-boot-imx, and Marek rebased it.
> 
> Marek, I could not apply it directly after merging u-boot-arm - maybe
> because we set on different commit id. Never mind, I merge it again and
> it looks ok.
> 
> I have pushed a -test branch on u-boot-imx after merging u-boot-arm and
> your patches. It looks ok, and if you do not complain, I will send it to
> Albert for inclusion in u-boot-arm.

All good, thank you!

Best regards,
Marek Vasut

