[U-Boot] [PATCH v2 0/11] Minor improvements to secure boot and enable on beaglebone

Belisko Marek marek.belisko at gmail.com
Mon Apr 28 08:30:19 CEST 2014


Hi Simon,

On Wed, Apr 16, 2014 at 4:41 PM, Simon Glass <sjg at chromium.org> wrote:
> This series fixes a few problems that have come up since the secure boot
> series was merged:
>
> - A recent commit broke the assumption that u-boot.bin ends at a known
> address (thus making things appended to U-Boot inaccessible from the code).
> This is fixed for Beaglebone and also a new test is added to the Makefile
> to ensure that it does not break again. All boards have been tested.
>
> - A way is needed to provide an externally-built device tree binary for
> U-Boot. This allows signing to happen outside the U-Boot build system.
>
> - The .img files generated by an OMAP build need to include the FDT if one
> is appended.
>
> - Adding signatures to an FDT can cause the FDT to run out of space. The
> fix is to regenerate the FDT from scratch with different dtc parameters, so
> pretty painful. Instead, we automatically expand the FDT.
>
> The last two commits enable secure boot on Beaglebone (this will have no
> effect unless signed images are used). This could be moved to a separate
> configuration if required, or these patches could even be ignored:
I've tested this patch series and I found some issues. When I use a dtb
built from the latest 3.15-rc3 kernel
I got these errors during signing:
Couldn't create signature node: FDT_ERR_NOSPACE
Failed to add verification data for 'signature@1' signature node in 'conf@1' image node

which was fixed by these 2 small patches:
- this one doesn't overwrite the return value, because the upper layer then
stops with a no-space error and doesn't allocate more space
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -405,7 +405,7 @@ int rsa_add_verify_data(struct image_sign_info
*info, void *keydest)
                if (parent < 0) {
                        fprintf(stderr, "Couldn't create signature node: %s\n",
                                fdt_strerror(parent));
-                       return -EINVAL;
+                       return parent;
                }
        }
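
Review bot: In the parent < 0 branch, returning parent makes rsa_add_verify_data() hand a libfdt error code to its caller at a point where it previously returned an errno value (-EINVAL), so the caller now has to know this path reports libfdt codes. Consider translating here instead (return -ENOSPC when parent is -FDT_ERR_NOSPACE, -EINVAL otherwise) and stating the return convention in the function comment; the check in tools/image-host.c would then compare against -ENOSPC. The fprintf() also still fires for the no-space case, which the upper layer is expected to recover from by allocating more space.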

--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -612,7 +612,7 @@ static int fit_config_process_sig(const char
*keydir, void *keydest,
                if (ret) {
                        printf("Failed to add verification data for
'%s' signature node in '%s' image node\n",
                               node_name, conf_name);
-                       return ret == FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
+                       return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
                }
        }
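
Review bot: The printf() above the return still reports "Failed to add verification data" when ret is -FDT_ERR_NOSPACE, so the failure message appears even in the case that is mapped to -ENOSPC and is meant to be recovered from; print it only on the -EIO path. Every other libfdt code is collapsed into -EIO here, so adding fdt_strerror(ret) to the message would keep the actual cause visible.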

With these small changes I can create a signed FIT image. Another problem
appears during booting. I'm using a simple uEnv.txt
to get the FIT image into RAM and boot (setenv loadaddr '0x8050000'; run
loadimage; bootm). Booting the kernel fails with a data abort:

Importing environment from mmc ...
Running uenvcmd ...
reading /uImage
4322274 bytes read in 585 ms (7 MiB/s)
## Loading kernel from FIT Image at 80500000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x805000e4
     Data Size:    4289584 Bytes = 4.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80008000
     Entry Point:  0x80008000
     Hash algo:    sha1
     Hash value:   74d429a5c48d72ce3f569ba7eaa072c8c1eaab20
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 80500000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x80917608
     Data Size:    29802 Bytes = 29.1 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   e86cfd55c3e869c6b3014c758825b2a1ade3991e
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x80917608
   Loading Kernel Image ... OK
   Using Device Tree in place at 80917608, end 80921a71

Starting kernel ...

data abort
pc : [<81a80020>]          lr : [<80008008>]
sp : 8e71b528  ip : 0000000c     fp : 00000400
r10: 8f7a3d60  r9 : 8e723f28     r8 : 00000000
r7 : 00000000  r6 : 00000ffc     r5 : 0ffc0004  r4 : 000000f7
r3 : fc7391ff  r2 : 80917608     r1 : 00000e05  r0 : 80917608
Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32
Resetting CPU ...

I wasn't able yet to track down what is causing this issue, but it
happened when jumping to the kernel
image (kernel_entry(0, machid, r2);). Any ideas what to check? Thanks
in advance.

>
>    am33xx/omap: Enable FIT support
>    am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
> This series has been run through buildman:
>
> /tools/buildman/buildman -b talk2 -s
> Summary of 12 commits for 1210 boards (32 threads, 1 job per thread)
> 01: Prepare v2014.04
>   blackfin: +   bf609-ezkit
>       m68k: +   M54455EVB_a66 M5329AFEE M5249EVB M5208EVBE eb_cpu5282
>  M54451EVB astro_mcf5373l M54418TWR_serial_rmii M54455EVB_intel M5475FFE
>  M5282EVB M54455EVB_i66 M5475GFE M5253DEMO M54455EVB_stm33 M5485BFE M5485DFE
>  TASREG M5329BFEE M52277EVB M5475EFE M5475CFE cobra5272 M5485AFE M53017EVB
>  M5485HFE M5235EVB M5253EVBE M54418TWR_nand_mii M54418TWR_nand_rmii_lowfreq
>  M5475BFE M54418TWR_nand_rmii M5475DFE M5275EVB M52277EVB_stmicro
>  eb_cpu5282_internal M54451EVB_stmicro M5485GFE M5373EVB M5485EFE M5485FFE
>  M54418TWR M5235EVB_Flash32 M54418TWR_serial_mii M5485CFE M54455EVB M5475AFE
>  M5272C3
>    powerpc: +   SIMPC8313_SP P1023RDS_NAND MPC8569MDS_NAND P2020RDB_NAND
>  MPC8536DS_NAND P1020RDB_NAND MPC8315ERDB_NAND P1011RDB_NAND SIMPC8313_LP
>  MPC8572DS_NAND P2010RDB_NAND
>      sparc: +   grsim grsim_leon2 gr_cpci_ax2000 gr_xc3s_1500 gr_ep2s60
>         sh: +   rsk7269 rsk7264 rsk7203
>      nios2: +   nios2-generic PK1C20
> microblaze: +   microblaze-generic
>   openrisc: +   openrisc-generic
>        arm: +   tricorder tricorder_flash
> 02: Check that u-boot.bin size looks correct
>        arm: +   am335x_evm_uart5 am335x_evm_uart4 am335x_evm_uart1
>  am335x_evm_uart3 am335x_boneblack am335x_evm_usbspl am335x_evm_nor
>  cm_t335 am335x_evm_norboot am335x_evm_spiboot am335x_evm am335x_evm_uart2
>  mx31ads
> 03: ti: am335x: Fix the U-Boot binary output
>        arm:    am335x_evm_uart5 am335x_evm_uart4 am335x_evm_uart1
>  am335x_evm_uart3 am335x_boneblack am335x_evm_usbspl am335x_evm_nor
>  am335x_evm_norboot am335x_evm_spiboot am335x_evm am335x_evm_uart2
> 04: am33xx/omap: Allow cache enable for all Sitara/OMAP
> 05: hash: Export functions to find and show hash
> 06: fdt: Add DEV_TREE_BIN option to specify a device tree binary file
> 07: fdt: Update functions which write to an FDT to return -ENOSPC
> 08: mkimage: Automatically make space in FDT when full
> 09: arm: ti: Increase malloc size to 16MB for armv7 boards
> 10: am33xx/omap: Enable CONFIG_OF_CONTROL
> 11: am33xx/omap: Enable FIT support
> 12: am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
> The breakage in 02 is because I add the check before fixing the problem, in
> order to verify what is affected. The order can be changed when applying if
> required.
>
> Changes in v2:
> - Add new patch to check u-boot.bin size against symbol table
> - Add new patch to ensure the hash section is inside the image for am335x
> - Update to cover all omap devices
> - Adjust for kbuild changes
> - Fix line over 80cols
> - Move device tree files into arch/arm/dts
>
> Simon Glass (11):
>   Check that u-boot.bin size looks correct
>   ti: am335x: Fix the U-Boot binary output
>   am33xx/omap: Allow cache enable for all Sitara/OMAP
>   hash: Export functions to find and show hash
>   fdt: Add DEV_TREE_BIN option to specify a device tree binary file
>   fdt: Update functions which write to an FDT to return -ENOSPC
>   mkimage: Automatically make space in FDT when full
>   arm: ti: Increase malloc size to 16MB for armv7 boards
>   am33xx/omap: Enable CONFIG_OF_CONTROL
>   am33xx/omap: Enable FIT support
>   am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
>  Makefile                                       |  16 +-
>  arch/arm/cpu/armv7/am33xx/board.c              |   8 -
>  arch/arm/cpu/armv7/omap-common/Makefile        |   4 +
>  arch/arm/cpu/armv7/omap-common/hwinit-common.c |  42 --
>  arch/arm/cpu/armv7/omap-common/omap-cache.c    |  56 +++
>  arch/arm/cpu/armv7/omap3/board.c               |   8 -
>  arch/arm/dts/Makefile                          |   1 +
>  arch/arm/dts/am335x-bone-common.dtsi           | 262 ++++++++++
>  arch/arm/dts/am335x-boneblack.dts              |  17 +
>  arch/arm/dts/am33xx.dtsi                       | 649 +++++++++++++++++++++++++
>  arch/arm/dts/dt-bindings/gpio/gpio.h           |  15 +
>  arch/arm/dts/dt-bindings/pinctrl/am33xx.h      |  42 ++
>  arch/arm/dts/dt-bindings/pinctrl/omap.h        |  55 +++
>  arch/arm/dts/tps65217.dtsi                     |  56 +++
>  board/ti/am335x/u-boot.lds                     |   3 +-
>  common/hash.c                                  |  13 +-
>  common/image-fit.c                             |   4 +-
>  doc/README.fdt-control                         |  16 +-
>  dts/Makefile                                   |   4 +
>  include/configs/am335x_evm.h                   |   9 +
>  include/configs/ti_armv7_common.h              |   2 +-
>  include/hash.h                                 |  22 +
>  include/rsa.h                                  |   3 +-
>  lib/rsa/rsa-sign.c                             |  28 +-
>  tools/fit_image.c                              | 165 +++++--
>  tools/image-host.c                             |  26 +-
>  26 files changed, 1381 insertions(+), 145 deletions(-)
>  create mode 100644 arch/arm/cpu/armv7/omap-common/omap-cache.c
>  create mode 100644 arch/arm/dts/am335x-bone-common.dtsi
>  create mode 100644 arch/arm/dts/am335x-boneblack.dts
>  create mode 100644 arch/arm/dts/am33xx.dtsi
>  create mode 100644 arch/arm/dts/dt-bindings/gpio/gpio.h
>  create mode 100644 arch/arm/dts/dt-bindings/pinctrl/am33xx.h
>  create mode 100644 arch/arm/dts/dt-bindings/pinctrl/omap.h
>  create mode 100644 arch/arm/dts/tps65217.dtsi
>
> --
> 1.9.1.423.g4596e3a
>



-- 
as simple and primitive as possible
-------------------------------------------------
Marek Belisko - OPEN-NANDRA
Freelance Developer

Ruska Nova Ves 219 | Presov, 08005 Slovak Republic
Tel: +421 915 052 184
skype: marekwhite
twitter: #opennandra
web: http://open-nandra.com
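
The sign mismatch addressed by the tools/image-host.c hunk above, shown as an added example (not code from this message or from U-Boot): libfdt reports errors as negative FDT_ERR_* values, so a comparison against the positive constant never matches and the caller's grow-and-retry path is never taken. The blob model, function names and the 1024-byte growth step are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in: libfdt returns errors as negative FDT_ERR_* codes. */
#define FDT_ERR_NOSPACE 3
struct blob { int used, size; };	/* hypothetical model of an FDT buffer */

/* Lower layer: fails with a negative libfdt code when the blob is full. */
static int add_sig_node(struct blob *b, int need)
{
	if (b->used + need > b->size)
		return -FDT_ERR_NOSPACE;
	b->used += need;
	return 0;
}

/* Check before the fix: the positive constant never equals a negative code. */
static int map_err_old(int ret)
{
	return ret == FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
}

/* Check after the fix: matches the negative code the lower layer returns. */
static int map_err_new(int ret)
{
	return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
}

/* Upper layer: grow the blob and retry, but only when it sees -ENOSPC. */
static int sign_with_retry(struct blob *b, int need, int (*map_err)(int))
{
	for (int tries = 0; tries < 8; tries++) {
		int ret = add_sig_node(b, need);
		if (!ret)
			return 0;
		ret = map_err(ret);
		if (ret != -ENOSPC)
			return ret;	/* treated as fatal, blob is not grown */
		b->size += 1024;	/* constructed growth step */
	}
	return -ENOSPC;
}

int main(void)
{
	struct blob a = { 900, 1024 }, b = { 900, 1024 };
	printf("old check: %d (size %d)\n", sign_with_retry(&a, 512, map_err_old), a.size);
	printf("new check: %d (size %d)\n", sign_with_retry(&b, 512, map_err_new), b.size);
	return 0;
}
```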

