[U-Boot] [PATCH v2 0/11] Minor improvements to secure boot and enable on beaglebone
Belisko Marek
marek.belisko at gmail.com
Mon Apr 28 08:30:19 CEST 2014
Hi Simon,
On Wed, Apr 16, 2014 at 4:41 PM, Simon Glass <sjg at chromium.org> wrote:
> This series fixes a few problems that have come up since the secure boot
> series was merged:
>
> - A recent commit broken the assumption that u-boot.bin ends at a known
> address (thus making things appended to U-Boot inaccessible from the code).
> This is fixed for Beaglebone and also a new test is added to the Makefile
> to ensure that it does not break again. All boards have been tested.
>
> - A way is needed to provide an externally-build device tree binary for
> U-Boot. This allows signing to happen outside the U-Boot build system.
>
> - The .img files generated by an OMAP build need to include the FDT if one
> is appended.
>
> - Adding signatures to an FDT can cause the FDT to run out of space. The
> fix is to regenerate the FDT from scratch with different dtc parameters, so
> pretty painful. Instead, we automatically expand the FDT.
>
> The last two commits enable secure boot on Beaglebone (this will have no
> effect unless signed images are used). This could be moved to a separate
> configuration if required, or these patches could even be ignored:
I've tested this patch series and I found some issues. When I use dtb
build from latest 3.15-rc3 kernel
I got during signing this errors:
Couldn't create signature node: FDT_ERR_NOSPACE
Failed to add verification data for 'signature at 1' signature node in
'conf at 1' image node
which was fixed by those 2 small patches:
- this one doesn't overwrite return value because upper layer then
stop with no space error and doesn't allocate more space
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -405,7 +405,7 @@ int rsa_add_verify_data(struct image_sign_info
*info, void *keydest)
if (parent < 0) {
fprintf(stderr, "Couldn't create signature node: %s\n",
fdt_strerror(parent));
- return -EINVAL;
+ return parent;
}
}
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -612,7 +612,7 @@ static int fit_config_process_sig(const char
*keydir, void *keydest,
if (ret) {
printf("Failed to add verification data for
'%s' signature node in '%s' image node\n",
node_name, conf_name);
- return ret == FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
+ return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
}
}
With this small changes I can create signed fit image. Other problem
appear during booting. I'm using simple uEnv.txt
to get fit image to ram and boot (setenv loadaddr '0x8050000'; run
loadimage; bootm). Booting of kernel fails with data abort:
Importing environment from mmc ...
Running uenvcmd ...
reading /uImage
4322274 bytes read in 585 ms (7 MiB/s)
## Loading kernel from FIT Image at 80500000 ...
Using 'conf at 1' configuration
Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
Trying 'kernel at 1' kernel subimage
Description: Linux kernel
Type: Kernel Image
Compression: uncompressed
Data Start: 0x805000e4
Data Size: 4289584 Bytes = 4.1 MiB
Architecture: ARM
OS: Linux
Load Address: 0x80008000
Entry Point: 0x80008000
Hash algo: sha1
Hash value: 74d429a5c48d72ce3f569ba7eaa072c8c1eaab20
Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 80500000 ...
Using 'conf at 1' configuration
Trying 'fdt at 1' fdt subimage
Description: Flattened Device Tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x80917608
Data Size: 29802 Bytes = 29.1 KiB
Architecture: ARM
Hash algo: sha1
Hash value: e86cfd55c3e869c6b3014c758825b2a1ade3991e
Verifying Hash Integrity ... sha1+ OK
Booting using the fdt blob at 0x80917608
Loading Kernel Image ... OK
Using Device Tree in place at 80917608, end 80921a71
Starting kernel ...
data abort
pc : [<81a80020>] lr : [<80008008>]
sp : 8e71b528 ip : 0000000c fp : 00000400
r10: 8f7a3d60 r9 : 8e723f28 r8 : 00000000
r7 : 00000000 r6 : 00000ffc r5 : 0ffc0004 r4 : 000000f7
r3 : fc7391ff r2 : 80917608 r1 : 00000e05 r0 : 80917608
Flags: Nzcv IRQs off FIQs on Mode SVC_32
Resetting CPU ...
I wasn't able yet track down what is causing this issue but it
happened when jumping to kernel
image (kernel_entry(0, machid, r2);). Any ideas what to check? Thanks
in advance.
>
> am33xx/omap: Enable FIT support
> am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
> This series has been run through buildman:
>
> /tools/buildman/buildman -b talk2 -s
> Summary of 12 commits for 1210 boards (32 threads, 1 job per thread)
> 01: Prepare v2014.04
> blackfin: + bf609-ezkit
> m68k: + M54455EVB_a66 M5329AFEE M5249EVB M5208EVBE eb_cpu5282
> M54451EVB astro_mcf5373l M54418TWR_serial_rmii M54455EVB_intel M5475FFE
> M5282EVB M54455EVB_i66 M5475GFE M5253DEMO M54455EVB_stm33 M5485BFE M5485DFE
> TASREG M5329BFEE M52277EVB M5475EFE M5475CFE cobra5272 M5485AFE M53017EVB
> M5485HFE M5235EVB M5253EVBE M54418TWR_nand_mii M54418TWR_nand_rmii_lowfreq
> M5475BFE M54418TWR_nand_rmii M5475DFE M5275EVB M52277EVB_stmicro
> eb_cpu5282_internal M54451EVB_stmicro M5485GFE M5373EVB M5485EFE M5485FFE
> M54418TWR M5235EVB_Flash32 M54418TWR_serial_mii M5485CFE M54455EVB M5475AFE
> M5272C3
> powerpc: + SIMPC8313_SP P1023RDS_NAND MPC8569MDS_NAND P2020RDB_NAND
> MPC8536DS_NAND P1020RDB_NAND MPC8315ERDB_NAND P1011RDB_NAND SIMPC8313_LP
> MPC8572DS_NAND P2010RDB_NAND
> sparc: + grsim grsim_leon2 gr_cpci_ax2000 gr_xc3s_1500 gr_ep2s60
> sh: + rsk7269 rsk7264 rsk7203
> nios2: + nios2-generic PK1C20
> microblaze: + microblaze-generic
> openrisc: + openrisc-generic
> arm: + tricorder tricorder_flash
> 02: Check that u-boot.bin size looks correct
> arm: + am335x_evm_uart5 am335x_evm_uart4 am335x_evm_uart1
> am335x_evm_uart3 am335x_boneblack am335x_evm_usbspl am335x_evm_nor
> cm_t335 am335x_evm_norboot am335x_evm_spiboot am335x_evm am335x_evm_uart2
> mx31ads
> 03: ti: am335x: Fix the U-Boot binary output
> arm: am335x_evm_uart5 am335x_evm_uart4 am335x_evm_uart1
> am335x_evm_uart3 am335x_boneblack am335x_evm_usbspl am335x_evm_nor
> am335x_evm_norboot am335x_evm_spiboot am335x_evm am335x_evm_uart2
> 04: am33xx/omap: Allow cache enable for all Sitara/OMAP
> 05: hash: Export functions to find and show hash
> 06: fdt: Add DEV_TREE_BIN option to specify a device tree binary file
> 07: fdt: Update functions which write to an FDT to return -ENOSPC
> 08: mkimage: Automatically make space in FDT when full
> 09: arm: ti: Increase malloc size to 16MB for armv7 boards
> 10: am33xx/omap: Enable CONFIG_OF_CONTROL
> 11: am33xx/omap: Enable FIT support
> 12: am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
> The breakage in 02 is because I add the check before fixing the problem, in
> order to verify what is affected. The order can be changed when applying if
> required.
>
> Changes in v2:
> - Add new patch to check u-boot.bin size against symbol table
> - Add new patch to ensure the hash section is inside the image for am335x
> - Update to cover all omap devices
> - Adjust for kbuild changes
> - Fix line over 80cols
> - Move device tree files into arch/arm/dts
>
> Simon Glass (11):
> Check that u-boot.bin size looks correct
> ti: am335x: Fix the U-Boot binary output
> am33xx/omap: Allow cache enable for all Sitara/OMAP
> hash: Export functions to find and show hash
> fdt: Add DEV_TREE_BIN option to specify a device tree binary file
> fdt: Update functions which write to an FDT to return -ENOSPC
> mkimage: Automatically make space in FDT when full
> arm: ti: Increase malloc size to 16MB for armv7 boards
> am33xx/omap: Enable CONFIG_OF_CONTROL
> am33xx/omap: Enable FIT support
> am33xx/omap: Enable secure boot with CONFIG_FIT_SIGNATURE
>
> Makefile | 16 +-
> arch/arm/cpu/armv7/am33xx/board.c | 8 -
> arch/arm/cpu/armv7/omap-common/Makefile | 4 +
> arch/arm/cpu/armv7/omap-common/hwinit-common.c | 42 --
> arch/arm/cpu/armv7/omap-common/omap-cache.c | 56 +++
> arch/arm/cpu/armv7/omap3/board.c | 8 -
> arch/arm/dts/Makefile | 1 +
> arch/arm/dts/am335x-bone-common.dtsi | 262 ++++++++++
> arch/arm/dts/am335x-boneblack.dts | 17 +
> arch/arm/dts/am33xx.dtsi | 649 +++++++++++++++++++++++++
> arch/arm/dts/dt-bindings/gpio/gpio.h | 15 +
> arch/arm/dts/dt-bindings/pinctrl/am33xx.h | 42 ++
> arch/arm/dts/dt-bindings/pinctrl/omap.h | 55 +++
> arch/arm/dts/tps65217.dtsi | 56 +++
> board/ti/am335x/u-boot.lds | 3 +-
> common/hash.c | 13 +-
> common/image-fit.c | 4 +-
> doc/README.fdt-control | 16 +-
> dts/Makefile | 4 +
> include/configs/am335x_evm.h | 9 +
> include/configs/ti_armv7_common.h | 2 +-
> include/hash.h | 22 +
> include/rsa.h | 3 +-
> lib/rsa/rsa-sign.c | 28 +-
> tools/fit_image.c | 165 +++++--
> tools/image-host.c | 26 +-
> 26 files changed, 1381 insertions(+), 145 deletions(-)
> create mode 100644 arch/arm/cpu/armv7/omap-common/omap-cache.c
> create mode 100644 arch/arm/dts/am335x-bone-common.dtsi
> create mode 100644 arch/arm/dts/am335x-boneblack.dts
> create mode 100644 arch/arm/dts/am33xx.dtsi
> create mode 100644 arch/arm/dts/dt-bindings/gpio/gpio.h
> create mode 100644 arch/arm/dts/dt-bindings/pinctrl/am33xx.h
> create mode 100644 arch/arm/dts/dt-bindings/pinctrl/omap.h
> create mode 100644 arch/arm/dts/tps65217.dtsi
>
> --
> 1.9.1.423.g4596e3a
>
--
as simple and primitive as possible
-------------------------------------------------
Marek Belisko - OPEN-NANDRA
Freelance Developer
Ruska Nova Ves 219 | Presov, 08005 Slovak Republic
Tel: +421 915 052 184
skype: marekwhite
twitter: #opennandra
web: http://open-nandra.com
More information about the U-Boot
mailing list