[U-Boot] [PATCH v4 00/18] warp7: Enable automated OPTEE/HAB boot flow
Bryan O'Donoghue
bryan.odonoghue at linaro.org
Tue Apr 24 17:46:29 UTC 2018
This tree here is pullable
http://git.linaro.org/landing-teams/working/mbl/u-boot.git/log/?h=linaro-mbl%2bbod-nouart
v4:
- Add Tested-by and Reviewed-by from Fabio and Breno as indicated.
Thanks very much guys for taking the time to do that :)
- Adds patch tools/imximage: Fix fruity lack of 0x prefix in DCD Blocks
Previously sent this patch.
Reviewed-by Fabio added for completeness.
v3:
- Reword commit message of patch #16 - Breno
- This patchset now relies on five in-flight patch-sets the first four of
which should be applied first
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
Already has a Reviewed-by from Fabio
2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
Has a Reviewed-by: from Breno
3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs
4. Pierre-Jean's generic load patches
[U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
in CONFIG_EXTRA_ENV_SETTINGS
[U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC
5. [PATCH] bootm: Align cache flush begin address
This last patch can be applied in any order
v2:
- Ensure warp7_defconfig boots existing yocto with this change plus the
automated HAB layer being added here following on from "[PATCH v3 0/2]
WaRP7 unify secure and non-secure defconfigs"
- Fix reference to partition #1 versus partition #2 in select uuidpart
patch
- Rebase on top of Pierre-Jean Texier generic load patches
- Drop my patch which did the same thing as Pierre-Jean's patch via
${loadcmd}
- Update example boot.scr from v1 to reflect use of generic 'load' command
- This patchset now relies on four in-flight patch-sets which all have the
relevant Reviewed-by tags from the board Maintainer Fabio.
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
Already has a Reviewed-by from Fabio
2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
Has a Reviewed-by: from Breno
3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs
4. Pierre-Jean's generic load patches
[U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
in CONFIG_EXTRA_ENV_SETTINGS
[U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC
v1:
This series enables an automated HAB verified secure boot which chain-loads
via OPTEE see `git show 5cf3251..c225e7c` for details.
This set depends on three in-flight patchsets
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
Already has a Reviewed-by from Fabio
2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
Has a Reviewed-by: from Breno
3. [PATCH] configs: warp7: Fix CAAM on boot with tip-of-tree
I'm trying not to make this cover email too long. So - once this set is
applied it is possible to boot from the BootROM using HAB to verify
- u-boot
- boot.scr
- Kernel
- DTB
Chainload via OPTEE and boot up to Linux. If there is a HAB failure at any
stage of the process we force-drop down to the USB HID failover mode, from
which we can send up a recovery image to unblock.
I've run the WaRP7 default u-boot and this new version on NXP's reference
yocto image and verified that that yocto image boots with both versions of
the WaRP7 -> warp7_defconfig and warp7_secure_defconfig.
http://freescale.github.io/#download -> BoardsWaRPboard community - WaRP -
Wearable Reference PlatformFSL Community BSP 2.3fsl-image-multimediawayland
In addition the modifications targeting warp7_secure_defconfig mean it is
possible to chain-load via OPTEE using scripted HAB to verify images prior
to exiting the u-boot domain.
Here is an example of the scripting we are doing which shows further reuse
of shell functions introduced in previous patches.
#### Example secure-boot boot.scr.imx-signed ####
# This section is responsbile for loading a signed Linux kernel
setenv image_signed zImage.imx-signed
if test ${hab_enabled} -eq 1; then
setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}
load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${image_signed}
run warp7_auth_or_fail
else
run loadimage;
fi
# This section is responsbile for loading a signed FDT image
setenv fdt_file_signed imx7s-warp.dtb.imx-signed
if test ${hab_enabled} -eq 1; then
setexpr hab_ivt_addr ${fdt_addr} - ${ivt_offset}
load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${fdt_file_signed}
run warp7_auth_or_fail
else
run loadfdt;
fi
# Boot from rootfs1 by default
setenv mmcpart 3
# But if the rootfs2 file exists in partition 2, boot from rootfs2
ext4size mmc 0:2 rootfs2 && setenv mmcpart 5
# This section is responsbile for loading a signed OPTEE image
setenv optee_file /lib/firmware/uTee.optee
setenv optee_file_signed /lib/firmware/uTee.optee.imx-signed
setenv loadoptee "load mmc ${mmcdev}:${mmcpart} ${optee_addr}
${optee_file}"
if test ${hab_enabled} -eq 1; then
setexpr hab_ivt_addr ${optee_addr} - ${ivt_offset}
load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${optee_file_signed}
run warp7_auth_or_fail
else
run loadoptee;
fi
# Set UUID mmcpart will be used to pass root id to kernel
setenv rootpart ${mmcpart}
run finduuid;
run mmcargs;
# Now boot
echo Booting secure Linux/OPTEE OS from mmc ...;
bootm ${optee_addr} - ${fdt_addr};
# Failsafe if something goes wrong
hab_failsafe
Bryan O'Donoghue (18):
tools/imximage: Fix fruity lack of 0x prefix in DCD Blocks
imximage: Specify default IVT offset in IMX image
warp7: hab: Add a CSF location definition
warp7: hab: Set environment variable indicating HAB enable
warp7: defconfig: Enable OPTEE for WaRP7
warp7: Allocate specific region of memory to OPTEE
warp7: Print out the OPTEE DRAM region
warp7: Specify CONFIG_OPTEE_LOAD_ADDR
warp7: defconfig: Enable CONFIG_SECURE_BOOT
warp7: defconfig: Enable CONFIG_BOOTM_TEE
warp7: Make CONFIG_SYS_FDT_ADDR a define
warp7: Add Kconfig WARP7_ROOT_PART
warp7: select uuid partition based on rootpart
warp7: Define the name of a signed boot-script file
warp7: add warp7_auth_or_fail
warp7: hab: Set environment variable indicating IVT offset
warp7: defconfig: Enable CMD_SETEXPR
warp7: Add support for automated secure boot.scr verification
board/warp7/Kconfig | 14 ++++++++++++++
board/warp7/imximage.cfg | 4 ++++
board/warp7/warp7.c | 23 +++++++++++++++++++++++
configs/warp7_defconfig | 6 +++++-
include/configs/warp7.h | 22 ++++++++++++++++++++--
include/imximage.h | 3 +++
tools/imximage.c | 2 +-
7 files changed, 70 insertions(+), 4 deletions(-)
--
2.17.0
More information about the U-Boot
mailing list