[U-Boot] [PATCH v6 00/25] Fix and extend i.MX HAB layer
Breno Matheus Lima
brenomatheus at gmail.com
Thu Feb 8 15:05:39 UTC 2018

Hi Jagan,

2018-02-08 10:43 GMT-02:00 Jagan Teki <jagan at amarulasolutions.com>:
> On Fri, Jan 12, 2018 at 6:09 PM, Bryan O'Donoghue
> <bryan.odonoghue at linaro.org> wrote:
>> v6:
>> - Added patch 21/25 return zero on open (unlocked) board when
>> calling authenticate_image() - Breno
>>
>> - Added Tested-by: Breno Matheus Lima <brenomatheus at gmail.com>
>> as indicated for remainder 24/25 patches
>>
>> - Added Reviewed-by: Fabio Estevam <fabio.estevam at nxp.com>
>> as indicated for remainder 24/25 patches
>>
>> v5:
>> - Drop dcache disable across HAB call.
>> We can't replicate this error on the current codebase and the available
>> images. We'll have to wait for the error to crop up again before pushing
>> that patch any further.
>>
>> v4:
>> - No change mixed extra patches @ v3 unnoticed with previous
>> git-send
>>
>> v3:
>> - Only call into ROM if headers are verified. - Bryan
>>
>> - Print HAB event log if and only if a call was made to HAB
>> and a meaningful status code has been obtained. - Breno
>>
>> v2:
>> - Fix compilation warnings and errors in SPL highlighted by
>> Breno Matheus Lima
>>
>> - Add CC: Breno Matheus Lima <brenomatheus at gmail.com> to all patches
>>
>> v1:
>> This patchset updates the i.MX HAB layer in u-boot to fix a list of
>> identified issues and then to add and extend existing functionality.
>>
>> The first block of patches 0001-0006 deal with fixing existing code,
>>
>> - Fixes indentation
>> - Fixes the treatment of input parameters to hab_auth_image.
>>
>> The second block of patches 0007-0013 are about tidying up the HAB code
>>
>> - Remove reliance on hard-coding to specific offsets
>> - IVT header drives locating CSF
>> - Continue to support existing boards
>>
>> Patches 0014 onwards extend out the HAB functionality.
>>
>> - hab_rvt_check_target is a recommended check in the NXP documents to
>> perform prior to hab_rvt_authenticate_image
>> - hab_rvt_failsafe is a useful function to set the board into BootROM
>> USB recovery mode.
>>
>>
>>
>> Bryan O'Donoghue (25):
>> arm: imx: hab: Make authenticate_image return int
>> arm: imx: hab: Fix authenticate_image result code
>> arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>> arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>> arm: imx: hab: Move IVT_SIZE to hab.h
>> arm: imx: hab: Move CSF_PAD_SIZE to hab.h
>> arm: imx: hab: Fix authenticate_image input parameters
>> arm: imx: hab: Add IVT header definitions
>> arm: imx: hab: Add IVT header verification
>> arm: imx: hab: Verify IVT self matches calculated address
>> arm: imx: hab: Only call ROM once headers are verified
>> arm: imx: hab: Print CSF based on IVT descriptor
>> arm: imx: hab: Print additional IVT elements during debug
>> arm: imx: hab: Define rvt_check_target()
>> arm: imx: hab: Implement hab_rvt_check_target
>> arm: imx: hab: Add a hab_rvt_check_target to image auth
>> arm: imx: hab: Print HAB event log only after calling ROM
>> arm: imx: hab: Make internal functions and data static
>> arm: imx: hab: Prefix authenticate_image with imx_hab
>> arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
>> arm: imx: hab: Make authenticate_image() return zero on open boards
>> arm: imx: hab: Make imx_hab_is_enabled global
>> arm: imx: hab: Define rvt_failsafe()
>> arm: imx: hab: Implement hab_rvt_failsafe
>> arm: imx: hab: Add hab_failsafe console command
>>
>> arch/arm/include/asm/mach-imx/hab.h | 46 +++-
>> arch/arm/mach-imx/hab.c | 461 +++++++++++++++++++++---------------
>> arch/arm/mach-imx/spl.c | 38 ++-
>> 3 files changed, 354 insertions(+), 191 deletions(-)
>
> I tried Secure boot before[1] with SPL and U-Boot proper and it worked well.
>
> I'm observing an authentication issue while loading U-Boot proper. U-Boot
> proper now has features like SPL DM and SPL FIT, etc.
>
> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
> Trying to boot from MMC1
> Expected Linux image is not found. Trying to start U-boot
>
> Authenticate image from DDR location 0x17800000...
> bad magic magic=0xb8 length=0x841b version=0x17
> bad length magic=0xb8 length=0x841b version=0x17
> bad version magic=0xb8 length=0x841b version=0x17
> spl: ERROR: image authentication unsuccessful
> ### ERROR ### Please RESET the board ###
>
> Please let me know what I missed. I'm authenticating SPL and
> u-boot-dtb.img now.

Can you please check if the generated u-boot-dtb.img contains an IVT
table appended at the end of the image?

The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
but I have to use the u-boot-ivt.img binary instead. In my case
u-boot-dtb.img does not include an IVT table.

Best Regards,
Breno Lima
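
The check suggested in the reply above (does the image carry an IVT at all?) can be run on the build host before flashing. This is an added example, not part of the original message or of U-Boot: it scans a binary for a header that would pass the magic/length/version checks named in the log, then parses the table and checks its self and CSF pointers. The constants 0xD1, 0x20 and 0x40/0x41, the 32-byte field layout and all function names are assumptions to confirm against hab.h; the sample images are constructed.

```python
import struct

# IVT header values and layout assumed here; confirm against
# arch/arm/include/asm/mach-imx/hab.h in your tree.
IVT_MAGIC = 0xD1
IVT_LENGTH = 0x20
IVT_VERSIONS = (0x40, 0x41)
IVT_FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")


def check_header(hdr: bytes) -> list:
    """Return the failed checks for a 4-byte IVT header (empty list = valid)."""
    magic, length, version = struct.unpack(">BHB", hdr[:4])
    errors = []
    if magic != IVT_MAGIC:
        errors.append("bad magic")
    if length != IVT_LENGTH:
        errors.append("bad length")
    if version not in IVT_VERSIONS:
        errors.append("bad version")
    return errors


def find_ivts(image: bytes, load_addr: int) -> list:
    """Scan 4-byte aligned offsets for IVTs; return one dict per table found."""
    hits = []
    for off in range(0, len(image) - IVT_LENGTH + 1, 4):
        if check_header(image[off:off + 4]):
            continue
        words = struct.unpack_from("<7I", image, off + 4)
        ivt = dict(zip(IVT_FIELDS, words), offset=off)
        # The self pointer must equal the address the IVT ends up at in RAM.
        ivt["self_ok"] = ivt["self"] == load_addr + off
        # A zero CSF pointer means there is no signature data to authenticate.
        ivt["has_csf"] = ivt["csf"] != 0
        hits.append(ivt)
    return hits


def build_sample(load_addr: int, with_ivt: bool) -> bytes:
    """Constructed sample: 0x1000 bytes of payload, optionally followed by an IVT."""
    # Filler bytes reuse the values from the failing log line (byte order assumed).
    body = bytes([0xB8, 0x1B, 0x84, 0x17]) * (0x1000 // 4)
    if not with_ivt:
        return body
    ivt_addr = load_addr + len(body)
    ivt = struct.pack(">BHB", IVT_MAGIC, IVT_LENGTH, 0x40) + struct.pack(
        "<7I", load_addr, 0, 0, 0, ivt_addr, ivt_addr + IVT_LENGTH, 0)
    return body + ivt
```

For a real build, read the image with `open(path, "rb").read()` and pass the address SPL loads it to (0x17800000 in the log above); an empty result for u-boot-dtb.img and one hit for u-boot-ivt.img matches what the reply describes.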