[U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX container format file

Peng Fan peng.fan at nxp.com
Tue May 21 02:55:27 UTC 2019


Hi Marek,
> Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX container
> format file
> 
> On 5/21/19 4:31 AM, Peng Fan wrote:
> > Hi Marek,
> >
> >> Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX
> >> container format file
> >>
> >> On 5/20/19 3:54 AM, Peng Fan wrote:
> >>> Hi Marek,
> >>>
> >>>> Subject: Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX
> >>>> container format file
> >>>>
> >>>> On 5/20/19 3:30 AM, Peng Fan wrote:
> >>>>> Hi Simon,
> >>>>>
> >>>>>> Subject: Re: [PATCH 4/6] spl: mmc: support loading i.MX container
> >>>>>> format file
> >>>>>>
> >>>>>> Hi Peng,
> >>>>>>
> >>>>>> On Tue, 7 May 2019 at 06:52, Peng Fan <peng.fan at nxp.com> wrote:
> >>>>>>>
> >>>>>>> i.MX8 only supports AHAB secure boot with Container format image,
> >>>>>>> we could not use FIT to support secure boot, so introduce container
> >>>>>>
> >>>>>> Why not FIT?
> >>>>>
> >>>>> Actually, before we implemented secure boot, we used FIT image;
> >>>>> however, i.MX8 only supports i.MX container format image for secure
> >>>>> boot. The chip will verify the container image during secure boot. It
> >>>>> could not recognize FIT image. So we have to drop FIT image.
> >>>>>
> >>>>>>
> >>>>>>> support to let SPL load container images.
> >>>>>>
> >>>>>> What is a container image? Can you please point to documentation?
> >>>>>
> >>>>> Sadly, there is no public reference manual. There is a doc that
> >>>>> has a bit of information.
> >>>>>
> >>>>> https://community.nxp.com/docs/DOC-343178
> >>>>
> >>>> Shouldn't it suffice for the SPL to be in this custom format ,
> >>>> while the rest of the binaries can be in fitImage ?
> >>>
> >>> The issue is the SoC only supports i.MX container format for secure
> >>> boot (AHAB boot); if we do not use secure boot, FIT image does work and
> >>> could work well.
> >>>
> >>> We investigated using FIT for i.MX8 secure boot, but it does not
> >>> make sense we did a FIT wrapper for container. Container itself is
> >>> also an image format; it contains image load/entry/size etc.
> >>> information.
> >>>
> >>> I add a Kconfig entry in SPL code; it does not hurt others if the
> >>> Kconfig entry is not chosen.
> >>>
> >>> I do not know how other SoC vendors did FIT hardware secure boot,
> >>> please share if you have any information.
> >>
> >> The SPL can be in the custom format, but then can load fitImage with
> >> the next stage(s), right ?
> >
> > I am not able to follow you, could you share more details?
> 
> Wrap the SPL into this custom format and then have the SPL
> load/authenticate fitImage with the rest (U-Boot, Linux, DTB etc).
> Would that work ?

It does not work.
We already wrap SPL in i.MX container format; this patchset
is to let SPL load the 2nd container file, which contains
U-Boot/DTB/OP-TEE/ATF. If we let SPL load a fitimage which contains
(U-Boot/DTB etc.), it could not pass secure boot authentication,
because ROM does not know fitimage; it only knows i.MX container format.

For authentication, we always let ROM authenticate, including
SPL authenticating U-Boot, so we need to pass an image to ROM that ROM
could recognize when SPL is booting the 2nd image.

Thanks,
Peng.


> 
> --
> Best regards,
> Marek Vasut

