[U-Boot] [PATCH v2] imx: mx6: Add support for MX6 plugin images

[Stefano Babic]

Hi Bill,

On 05/11/2014 17:06, Bill Pringlemeir wrote:

> 
> This seems true that the SPL is another way to implement the 'plug-in'
> features as they relate to DCD.

Right.

> I think a portion not taken care of by SPL is 2nd and subsequent image
> verification.

Not for subsequent images, if the second image is U-Boot. U-Boot
supports secure boot via FIT images. Kernel and, generally, other images
can be authenticated. This is done without HAB.

If we are talking about SPL, that is true. SPL does not *yet* support to
authenticate the u-boot image.

>  The HAB ROM loader will use the 'plug-in' to initialize
> and load to alternate media.  However, when control returns, I think
> that the 2nd image is authenticated.  In order to do the same in the
> SPL, you need to restrict the IRAM locations used and make calls to the
> ROM code or implement some other 2nd image authentication.

commit 36c1ca4d46ef11ac7b3c0afb5c42dadb4e8773f3 is supposed to do what
you are looking for. The authenticate_image() function is called to
verify an image via HAB.

> For non-secure boots, the SPL seems equivalent.  With secondary image
> verification in the SPL, then I think it would be equivalent to the
> 'plug-in'.  The SPL would be supported in all HAB versions.  I don't
> know if the 'plug-in' is supported with earlier iMx series like the
> iMx2/3x series using HABv3.

It is not, as far as I know, and even not in MX51.

>  So an SPL with image verification seems
> superior, even for the iMx series by itself.

Yes, fully agree.

Best regards,
Stefano Babic

-- 
=====================================================================
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================