[U-Boot] [PATCH v6 00/25] Fix and extend i.MX HAB layer

Jagan Teki jagan at amarulasolutions.com
Thu Feb 8 12:43:33 UTC 2018 

On Fri, Jan 12, 2018 at 6:09 PM, Bryan O'Donoghue
<bryan.odonoghue at linaro.org> wrote:
> v6:
> - Added patch 21/25 return zero on open (unlocked) board when
>   calling authenticate_image() - Breno
>
> - Added Tested-by: Breno Matheus Lima <brenomatheus at gmail.com>
>   as indicated for remainder 24/25 patches
>
> - Added Reviewed-by: Fabio Estevam <fabio.estevam at nxp.com>
>   as indicated for remainder 24/25 patches
>
> v5:
> - Drop dcache disable across HAB call.
>   We can't replicate this error on the current codebase and the available
>   images. We'll have to wait for the error to crop up again before pushing
>   that patch any further.
>
> v4:
> - No change mixed extra patches @ v3 unnoticed with previous
>   git-send
>
> v3:
> - Only call into ROM if headers are verified. - Bryan
>
> - Print HAB event log if and only if a call was made to HAB
>   and a meaningful status code has been obtained. - Breno
>
> v2:
> - Fix compilation warnings and errors in SPL highlighted by
>   Breno Matheus Lima
>
> - Add CC: Breno Matheus Lima <brenomatheus at gmail.com> to all patches
>
> v1:
> This patchset updates the i.MX HAB layer in u-boot to fix a list of
> identified issues and then to add and extend existing functionality.
>
> The first block of patches 0001-0006 deal with fixing existing code,
>
> - Fixes indentation
> - Fixes the treatment of input parameters to hab_auth_image.
>
> The second block of patches 0007-0013 are about tidying up the HAB code
>
> - Remove reliance on hard-coding to specific offsets
> - IVT header drives locating CSF
> - Continue to support existing boards
>
> Patches 0014 onwards extend out the HAB functionality.
>
> - hab_rvt_check_target is a recommended check in the NXP documents to
>   perform prior to hab_rvt_authenticate_image
> - hab_rvt_failsafe is a useful function to set the board into BootROM
>   USB recovery mode.
>
>
>
> Bryan O'Donoghue (25):
>   arm: imx: hab: Make authenticate_image return int
>   arm: imx: hab: Fix authenticate_image result code
>   arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>   arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>   arm: imx: hab: Move IVT_SIZE to hab.h
>   arm: imx: hab: Move CSF_PAD_SIZE to hab.h
>   arm: imx: hab: Fix authenticate_image input parameters
>   arm: imx: hab: Add IVT header definitions
>   arm: imx: hab: Add IVT header verification
>   arm: imx: hab: Verify IVT self matches calculated address
>   arm: imx: hab: Only call ROM once headers are verified
>   arm: imx: hab: Print CSF based on IVT descriptor
>   arm: imx: hab: Print additional IVT elements during debug
>   arm: imx: hab: Define rvt_check_target()
>   arm: imx: hab: Implement hab_rvt_check_target
>   arm: imx: hab: Add a hab_rvt_check_target to image auth
>   arm: imx: hab: Print HAB event log only after calling ROM
>   arm: imx: hab: Make internal functions and data static
>   arm: imx: hab: Prefix authenticate_image with imx_hab
>   arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
>   arm: imx: hab: Make authenticate_image() return zero on open boards
>   arm: imx: hab: Make imx_hab_is_enabled global
>   arm: imx: hab: Define rvt_failsafe()
>   arm: imx: hab: Implement hab_rvt_failsafe
>   arm: imx: hab: Add hab_failsafe console command
>
>  arch/arm/include/asm/mach-imx/hab.h |  46 +++-
>  arch/arm/mach-imx/hab.c             | 461 +++++++++++++++++++++---------------
>  arch/arm/mach-imx/spl.c             |  38 ++-
>  3 files changed, 354 insertions(+), 191 deletions(-)

I tried Secure boot before[1] with SPL and U-Boot proper and work well.

I'm observing authentication issue while loading U-Boot proper, U-Boot
proper now have features like SPL DM and SPL FIT etc

U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
Trying to boot from MMC1
Expected Linux image is not found. Trying to start U-boot

Authenticate image from DDR location 0x17800000...
bad magic magic=0xb8 length=0x841b version=0x17
bad length magic=0xb8 length=0x841b version=0x17
bad version magic=0xb8 length=0x841b version=0x17
spl: ERROR:  image authentication unsuccessful
### ERROR ### Please RESET the board ###

Please let me know where I missed, I'm authenticating SPL and
u-boot-dtb.img now.

[1] https://openedev.amarulasolutions.com/display/ODUBOOT/SPL+HABv4

More information about the U-Boot mailing list