[U-Boot] [PATCH 4/4] imx: hab: Provide hab_auth_img_or_fail command
Breno Matheus Lima
brenomatheus at gmail.com
Thu Mar 15 17:15:04 UTC 2018
Hi Bryan,
2018-03-09 14:35 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue at linaro.org>:
> This patch adds hab_auth_img_or_fail() a command line function that
> encapsulates a common usage of authenticate and failover, namely if
> authenticate image fails, then drop to BootROM USB recovery mode.
>
> For secure-boot systems, this type of locked down behavior is important to
> ensure no unsigned images can be run.
>
> It's possible to script this logic but, when done over and over again the
> environment starts get very complex and repetitive, reducing that script
> repetition down to a command line function makes sense.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue at linaro.org>
> Cc: Utkarsh Gupta <utkarsh.gupta at nxp.com>
> Cc: Breno Lima <breno.lima at nxp.com>
> Cc: Fabio Estevam <fabio.estevam at nxp.com>
> ---
> arch/arm/mach-imx/hab.c | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
> index 0c18b2e..61ccdeb 100644
> --- a/arch/arm/mach-imx/hab.c
> +++ b/arch/arm/mach-imx/hab.c
> @@ -366,6 +366,22 @@ static int do_hab_get_ivt_addr(cmd_tbl_t *cmdtp, int flag, int argc,
> return CMD_RET_SUCCESS;
> }
>
> +static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag,
> + int argc, char * const argv[])
> +{
> + if (!imx_hab_is_enabled())
> + goto done;
It would be nice to return CMD_RET_USAGE on this case, or maybe print
something like "Secure boot disabled". If I run in a non HAB enabled
board I get the following output:
=> hab_auth_img_or_fail <addr> <length> <ivt_offset>
=>
We may also need to add the following here:
if (argc < 4)
return CMD_RET_USAGE;
If I run this command without any parameter the code is wrongly
executed, and the system goes to USB recovery mode.
Thanks,
Breno Lima
More information about the U-Boot
mailing list