[U-Boot] [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth

Bryan O'Donoghue bryan.odonoghue at linaro.org
Mon Mar 26 14:36:44 UTC 2018 

V3:
- Drop BOOTROM_IVT_HDR_OFFSET definition
  Fabio wants to see the usage of the define before adding to the header

V2:
- Dropped first patch setexpr does the same job - Lothar Waßmann

- IVT_PAD_SIZE -> BOOTROM_IVT_HDR_OFFSET
  The objective is to define the default offset of the IVT header in the
  BootROM version of the IMX image - not as was confusingly named
  IVT_PAD_SIZE - this is not a padding size ! - Breno Matheus Lima

- image_failover CMD_RET_USAGE on invalid parameters - Breno Matheus Lima

- image_failover added printf("error: secure boot disabled\n"); - Breno

- Added BOOTROM_IVT_HDR_OFFSET to imximage.h instead of to hab.h
  This define pertains to the image layout. - bod

V1:
Greetings.

This set adds some helper functions as a pre-cursor to an upcoming set of
changes to a BSP adding scripted HAB authentication.

Calculating a HAB IVT address based on a base address and a +/- offset is a
trivial but, useful function for HAB. It means you can have a load address
for a HAB image inside of your environment and specify the IVT offset
relative to that address. All you need to do then is to call the function
to obtain the correct IVT address to pass into hab_auth_img.

Two relatively minor changes then - one encasing the hab.h in ifndef
__ASSEMBLY__ which is required if you want to include hab.h in a board.h.

Specifying the IVT padding size is again properly done as a define as
opposed to a magic number in code.

The final patch then is wrappering up two common use-cases in the upcoming
BSP
- hab_auth_image ? continue-to-boot : drop-to-bootrom USB mode.

In other words if you fail to authenticate an image on the secure-boot path
the appropriate next step is typically to drop into USB recovery mode.

In USB recovery mode you need to provide a signed image on a secure-boot
(closed in the parlance) board. So hab_auth_img_or_fail() encapsulates that
behaviour in one place - again allowing for scripting to reuse instead of
replicate functionality over and over again.

These helper functions could all be buried in the board-port but, they are
made available here in the hopes they will be of use to others.

Bryan O'Donoghue (2):
  imximage: Encase majority of header in __ASSEMBLY__ declaration
  imx: hab: Provide hab_auth_img_or_fail command

 arch/arm/mach-imx/hab.c | 35 +++++++++++++++++++++++++++++++++++
 include/imximage.h      |  2 ++
 2 files changed, 37 insertions(+)

-- 
2.7.4

More information about the U-Boot mailing list