[U-Boot] [PATCH v4 00/18] warp7: Enable automated OPTEE/HAB boot flow

Bryan O'Donoghue bryan.odonoghue at linaro.org
Tue Apr 24 17:46:29 UTC 2018 

This tree here is pullable

http://git.linaro.org/landing-teams/working/mbl/u-boot.git/log/?h=linaro-mbl%2bbod-nouart

v4:

- Add Tested-by and Reviewed-by from Fabio and Breno as indicated.
  Thanks very much guys for taking the time to do that :)

- Adds patch tools/imximage: Fix fruity lack of 0x prefix in DCD Blocks
  Previously sent this patch.
  Reviewed-by Fabio added for completeness.

v3:
- Reword commit message of patch #16 - Breno

- This patchset now relies on five in-flight patch-sets the first four of
  which should be applied first
 
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs

4. Pierre-Jean's generic load patches

   [U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
   in CONFIG_EXTRA_ENV_SETTINGS

   [U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC

5. [PATCH] bootm: Align cache flush begin address
   This last patch can be applied in any order

v2:
- Ensure warp7_defconfig boots existing yocto with this change plus the
  automated HAB layer being added here following on from "[PATCH v3 0/2]
  WaRP7 unify secure and non-secure defconfigs"

- Fix reference to partition #1 versus partition #2 in select uuidpart
  patch

- Rebase on top of Pierre-Jean Texier generic load patches

- Drop my patch which did the same thing as Pierre-Jean's patch via
  ${loadcmd}

- Update example boot.scr from v1 to reflect use of generic 'load' command

- This patchset now relies on four in-flight patch-sets which all have the
  relevant Reviewed-by tags from the board Maintainer Fabio.
 
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs

4. Pierre-Jean's generic load patches

   [U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
   in CONFIG_EXTRA_ENV_SETTINGS

   [U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC
 
v1:
This series enables an automated HAB verified secure boot which chain-loads
via OPTEE see `git show 5cf3251..c225e7c` for details.

This set depends on three in-flight patchsets

1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH] configs: warp7: Fix CAAM on boot with tip-of-tree

I'm trying not to make this cover email too long. So - once this set is
applied it is possible to boot from the BootROM using HAB to verify

- u-boot
- boot.scr
- Kernel
- DTB

Chainload via OPTEE and boot up to Linux. If there is a HAB failure at any
stage of the process we force-drop down to the USB HID failover mode, from
which we can send up a recovery image to unblock.

I've run the WaRP7 default u-boot and this new version on NXP's reference
yocto image and verified that that yocto image boots with both versions of
the WaRP7 -> warp7_defconfig and warp7_secure_defconfig.

http://freescale.github.io/#download -> BoardsWaRPboard community - WaRP -
Wearable Reference PlatformFSL Community BSP 2.3fsl-image-multimediawayland

In addition the modifications targeting warp7_secure_defconfig mean it is
possible to chain-load via OPTEE using scripted HAB to verify images prior
to exiting the u-boot domain.

Here is an example of the scripting we are doing which shows further reuse
of shell functions introduced in previous patches.

#### Example secure-boot boot.scr.imx-signed ####

# This section is responsbile for loading a signed Linux kernel
setenv image_signed zImage.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${image_signed}
	run warp7_auth_or_fail
else
	run loadimage;
fi

# This section is responsbile for loading a signed FDT image
setenv fdt_file_signed imx7s-warp.dtb.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${fdt_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${fdt_file_signed}
	run warp7_auth_or_fail
else
	run loadfdt;
fi

# Boot from rootfs1 by default
setenv mmcpart 3

# But if the rootfs2 file exists in partition 2, boot from rootfs2
ext4size mmc 0:2 rootfs2 && setenv mmcpart 5

# This section is responsbile for loading a signed OPTEE image
setenv optee_file /lib/firmware/uTee.optee
setenv optee_file_signed /lib/firmware/uTee.optee.imx-signed
setenv loadoptee "load mmc ${mmcdev}:${mmcpart} ${optee_addr}
${optee_file}"
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${optee_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${optee_file_signed}
	run warp7_auth_or_fail
else
	run loadoptee;
fi

# Set UUID mmcpart will be used to pass root id to kernel
setenv rootpart ${mmcpart}
run finduuid;
run mmcargs;

# Now boot
echo Booting secure Linux/OPTEE OS from mmc ...;
bootm ${optee_addr} - ${fdt_addr};

# Failsafe if something goes wrong
hab_failsafe


Bryan O'Donoghue (18):
  tools/imximage: Fix fruity lack of 0x prefix in DCD Blocks
  imximage: Specify default IVT offset in IMX image
  warp7: hab: Add a CSF location definition
  warp7: hab: Set environment variable indicating HAB enable
  warp7: defconfig: Enable OPTEE for WaRP7
  warp7: Allocate specific region of memory to OPTEE
  warp7: Print out the OPTEE DRAM region
  warp7: Specify CONFIG_OPTEE_LOAD_ADDR
  warp7: defconfig: Enable CONFIG_SECURE_BOOT
  warp7: defconfig: Enable CONFIG_BOOTM_TEE
  warp7: Make CONFIG_SYS_FDT_ADDR a define
  warp7: Add Kconfig WARP7_ROOT_PART
  warp7: select uuid partition based on rootpart
  warp7: Define the name of a signed boot-script file
  warp7: add warp7_auth_or_fail
  warp7: hab: Set environment variable indicating IVT offset
  warp7: defconfig: Enable CMD_SETEXPR
  warp7: Add support for automated secure boot.scr verification

 board/warp7/Kconfig      | 14 ++++++++++++++
 board/warp7/imximage.cfg |  4 ++++
 board/warp7/warp7.c      | 23 +++++++++++++++++++++++
 configs/warp7_defconfig  |  6 +++++-
 include/configs/warp7.h  | 22 ++++++++++++++++++++--
 include/imximage.h       |  3 +++
 tools/imximage.c         |  2 +-
 7 files changed, 70 insertions(+), 4 deletions(-)

-- 
2.17.0

More information about the U-Boot mailing list