[U-Boot] [PATCH 2/2] arm: mxs: Add support for generating signed BootStream

Marek Vasut marex at denx.de
Wed Mar 5 20:01:14 CET 2014 

This patch adds the groundwork for generating signed BootStream, which
can be used by the HAB library in i.MX28. We are adding a new target,
u-boot-signed.sb , since the process for generating regular non-signed
BootStream is much easier. Moreover, the signed bootstream depends on
external _proprietary_ _binary-only_ tool from Freescale called 'cst',
which is available only under NDA.

To make things even uglier, the CST or HAB mandates a kind-of circular
dependency. The problem is, unlike the regular IVT, which is generated
by mxsimage, the IVT for signed boot must be generated by hand here due
to special demands of the CST. The U-Boot binary (or SPL binary) and IVT
are then signed by the CST as a one block. But here is the problem. The
size of the entire image (U-Boot, IVT, CST blocks) must be appended at
the end of IVT. But the size of the entire image is not known until the
CST has finished signing the U-Boot and IVT. We solve this by expecting
the CST block to be always 3904B (which it is in case two files, U-Boot
and the hand-made IVT, are signed in the CST block).

Signed-off-by: Marek Vasut <marex at denx.de>
Cc: Stefano Babic <sbabic at denx.de>
---
 Makefile                                       |  2 +
 arch/arm/cpu/arm926ejs/mxs/Makefile            | 77 ++++++++++++++++++++++++++
 arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg | 10 ++++
 3 files changed, 89 insertions(+)
 create mode 100644 arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg

diff --git a/Makefile b/Makefile
index ecac292..01d4011 100644
--- a/Makefile
+++ b/Makefile
@@ -856,6 +856,8 @@ OBJCOPYFLAGS_u-boot.ais = -I binary -O binary --pad-to=$(CONFIG_SPL_MAX_SIZE)
 u-boot.ais: spl/u-boot-spl.ais u-boot.img FORCE
 	$(call if_changed,pad_cat)
 
+u-boot-signed.sb: u-boot.bin spl/u-boot-spl.bin
+	$(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs $(objtree)/u-boot-signed.sb
 u-boot.sb: u-boot.bin spl/u-boot-spl.bin
 	$(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs $(objtree)/u-boot.sb
 
diff --git a/arch/arm/cpu/arm926ejs/mxs/Makefile b/arch/arm/cpu/arm926ejs/mxs/Makefile
index 152546e..540e589 100644
--- a/arch/arm/cpu/arm926ejs/mxs/Makefile
+++ b/arch/arm/cpu/arm926ejs/mxs/Makefile
@@ -17,8 +17,85 @@ endif
 MKIMAGE_TARGET-$(CONFIG_MX23) = mx23
 MKIMAGE_TARGET-$(CONFIG_MX28) = mx28
 
+# Convert hexadecimal value to bytes
+define hex2bin
+$(shell echo -n "$1" | sed 's/0x//;s/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/;s/../\\\\x&/g')
+endef
+
+# Compute the post-IVT size field value for the U-Boot binary.
+# The value is the result of adding the following:
+#  -> The size of U-Boot binary aligned to 64B (u-boot.bin)
+#  -> The size of IVT block aligned to 64B (u-boot.ivt)
+#  -> The size of U-Boot signature (u-boot.sig), 3904 B
+#  -> The 64B hole in front of U-Boot binary for 'struct mxs_spl_data' passing
+define uboot_ivt_size
+$(shell expr `stat -c "%s" $1` + 64 + 3904 + 128 | xargs printf 0x%08x)
+endef
+
 $(OBJTREE)/mxsimage.cfg: $(SRCTREE)/$(CPUDIR)/$(SOC)/mxsimage.$(MKIMAGE_TARGET-y).cfg
 	sed "s at OBJTREE@$(OBJTREE)@g" $^ > $@
 
+# HAB signature is i.MX28 only
+$(OBJTREE)/mxsimage-signed.cfg: $(SRCTREE)/$(CPUDIR)/$(SOC)/mxsimage-signed.cfg
+	sed "s at OBJTREE@$(OBJTREE)@g" $^ > $@
+
+$(OBJTREE)/spl/u-boot-spl.ivt: $(OBJTREE)/spl/u-boot-spl.bin
+	# Align U-Boot SPL binary to 64B
+	dd if=$^ of=$@ ibs=64 conv=sync 2>/dev/null
+	mv $@ $^
+	# Assemble IVT, append size field and align it to 64B.
+	(echo -ne "$(call hex2bin,0x402000d1)" ;		\
+	 echo -ne "$(call hex2bin,$(CONFIG_SPL_TEXT_BASE))" ;	\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x00008000)" ; 		\
+	 echo -ne "$(call hex2bin,0x00008040)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,$(call uboot_ivt_size,$^))"	\
+	) | dd of=$@ ibs=64 count=1 conv=sync 2>/dev/null
+
+$(OBJTREE)/u-boot.ivt: $(OBJTREE)/u-boot.bin
+	# Align U-Boot binary to 64B
+	dd if=$^ of=$@ ibs=64 conv=sync 2>/dev/null
+	mv $@ $^
+	# Assemble IVT, append size field and align it to 64B.
+	(echo -ne "$(call hex2bin,0x402000d1)" ;		\
+	 echo -ne "$(call hex2bin,$(CONFIG_SYS_TEXT_BASE))" ;	\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,0x40001000)" ; 		\
+	 echo -ne "$(call hex2bin,0x40001040)" ;		\
+	 echo -ne "$(call hex2bin,0x00000000)" ;		\
+	 echo -ne "$(call hex2bin,$(call uboot_ivt_size,$^))"	\
+	) | dd of=$@ ibs=64 count=1 conv=sync 2>/dev/null
+
+$(OBJTREE)/spl/u-boot-spl.csf: $(OBJTREE)/spl/u-boot-spl.ivt $(OBJTREE)/spl/u-boot-spl.bin $(TOPDIR)/board/$(VENDOR)/$(BOARD)/sign/u-boot-spl.csf
+	# Assemble the CSF file
+	sed "s at TOPDIR@$(TOPDIR)@g;s at VENDOR@$(VENDOR)@g;s at BOARD@$(BOARD)@g" \
+		$(word 3,$^) > $@
+	sed -i "/^##Blocks.*/ d" $@
+	echo "  Blocks = $(CONFIG_SPL_TEXT_BASE) 0x0 "			\
+		"`stat -c '%s' $(word 2,$^)` \"$(word 2,$^)\" , \\"	\
+		>> $@
+	echo "           0x8000 0x0 0x40 \"$(word 1,$^)\"" >> $@
+
+$(OBJTREE)/u-boot.csf: $(OBJTREE)/u-boot.ivt $(OBJTREE)/u-boot.bin $(TOPDIR)/board/$(VENDOR)/$(BOARD)/sign/u-boot.csf
+	# Assemble the CSF file
+	sed "s at TOPDIR@$(TOPDIR)@g;s at VENDOR@$(VENDOR)@g;s at BOARD@$(BOARD)@g" \
+		$(word 3,$^) > $@
+	sed -i "/^##Blocks.*/ d" $@
+	echo "  Blocks = $(CONFIG_SYS_TEXT_BASE) 0x0 "			\
+		"`stat -c '%s' $(word 2,$^)` \"$(word 2,$^)\" , \\"	\
+		>> $@
+	echo "           0x40001000 0x0 0x40 \"$(word 1,$^)\"" >> $@
+
+%.sig: %.csf
+	cst -o $@ < $^
+
+$(OBJTREE)/u-boot-signed.sb: $(OBJTREE)/u-boot.ivt $(OBJTREE)/u-boot.sig $(OBJTREE)/spl/u-boot-spl.ivt $(OBJTREE)/spl/u-boot-spl.sig $(OBJTREE)/mxsimage-signed.cfg
+	$(OBJTREE)/tools/mkimage -n $(OBJTREE)/mxsimage-signed.cfg -T mxsimage $@
+
 $(OBJTREE)/u-boot.sb: $(OBJTREE)/u-boot.bin $(OBJTREE)/spl/u-boot-spl.bin $(OBJTREE)/mxsimage.cfg
 	$(OBJTREE)/tools/mkimage -n $(OBJTREE)/mxsimage.cfg -T mxsimage $@
diff --git a/arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg b/arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg
new file mode 100644
index 0000000..903b6b2
--- /dev/null
+++ b/arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg
@@ -0,0 +1,10 @@
+SECTION 0x0 BOOTABLE
+ TAG LAST
+ LOAD     0x1000     OBJTREE/spl/u-boot-spl.bin
+ LOAD     0x8000     OBJTREE/spl/u-boot-spl.ivt
+ LOAD     0x8040     OBJTREE/spl/u-boot-spl.sig
+ CALL HAB 0x8000     0x0
+ LOAD     0x40002000 OBJTREE/u-boot.bin
+ LOAD     0x40001000 OBJTREE/u-boot.ivt
+ LOAD     0x40001040 OBJTREE/u-boot.sig
+ CALL HAB 0x40001000 0x0
-- 
1.8.5.2

More information about the U-Boot mailing list