[U-Boot] [PATCH v3 2/2] imx: hab: Provide hab_auth_img_or_fail command

Sun Apr 15 10:17:14 UTC 2018


On 26/03/2018 16:36, Bryan O'Donoghue wrote:
> This patch adds hab_auth_img_or_fail() a command line function that
> encapsulates a common usage of authenticate and failover, namely if
> authenticate image fails, then drop to BootROM USB recovery mode.
> 
> For secure-boot systems, this type of locked down behavior is important to
> ensure no unsigned images can be run.
> 
> It's possible to script this logic but, when done over and over again the
> environment starts get very complex and repetitive, reducing that script
> repetition down to a command line function makes sense.
> 
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue at linaro.org>
> Cc: Utkarsh Gupta <utkarsh.gupta at nxp.com>
> Cc: Breno Lima <breno.lima at nxp.com>
> Cc: Fabio Estevam <fabio.estevam at nxp.com>
> ---
>  arch/arm/mach-imx/hab.c | 35 +++++++++++++++++++++++++++++++++++
>  1 file changed, 35 insertions(+)
> 
> diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
> index c730c8f..9ca7bad 100644
> --- a/arch/arm/mach-imx/hab.c
> +++ b/arch/arm/mach-imx/hab.c
> @@ -341,6 +341,31 @@ static int do_hab_failsafe(cmd_tbl_t *cmdtp, int flag, int argc,
>  	return 0;
>  }
>  
> +static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag,
> +					     int argc, char * const argv[])
> +{
> +	int ret = CMD_RET_FAILURE;
> +
> +	if (argc != 4) {
> +		ret = CMD_RET_USAGE;
> +		goto error;
> +	}
> +
> +	if (!imx_hab_is_enabled()) {
> +		printf("error: secure boot disabled\n");
> +		goto error;
> +	}
> +
> +	if (do_authenticate_image(NULL, flag, argc, argv) != CMD_RET_SUCCESS) {
> +		fprintf(stderr, "authentication fail -> %s %s %s %s\n",
> +			argv[0], argv[1], argv[2], argv[3]);
> +		do_hab_failsafe(0, 0, 1, NULL);
> +	};
> +	ret = CMD_RET_SUCCESS;
> +error:
> +	return ret;
> +}
> +
>  U_BOOT_CMD(
>  		hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
>  		"display HAB status",
> @@ -362,6 +387,16 @@ U_BOOT_CMD(
>  		""
>  	  );
>  
> +U_BOOT_CMD(
> +		hab_auth_img_or_fail, 4, 0,
> +		do_authenticate_image_or_failover,
> +		"authenticate image via HAB on failure drop to USB BootROM mode",
> +		"addr length ivt_offset\n"
> +		"addr - image hex address\n"
> +		"length - image hex length\n"
> +		"ivt_offset - hex offset of IVT in the image"
> +	  );
> +
>  #endif /* !defined(CONFIG_SPL_BUILD) */
>  
>  /* Get CSF Header length */
> 
Applied to u-boot-imx, thanks !

Best regards,
Stefano Babic

-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================