[U-Boot] [EXT] Re: [PATCH 4/6] spl: mmc: support loading i.MX container format file

Peng Fan peng.fan at nxp.com
Mon May 27 09:49:53 UTC 2019


Hi Marek, Lukasz,

> Subject: Re: [EXT] Re: [U-Boot] [PATCH 4/6] spl: mmc: support loading i.MX
> container format file
> 
> Hi Marek,
> 
> On 2019/5/22 19:41, Marek Vasut wrote:
> > Caution: EXT Email
> >
> > On 5/22/19 9:34 AM, Lukasz Majewski wrote:
> > [...]
> >>>>>>>> By using above approach we do have the NXP's "container"
> >>>>>>>> format only seen in the SPL (which is OK, as for example
> >>>>>>>> Samsung does similar thing with FBL/BL1). When SPL is "trused"
> >>>>>>>> we may use available facilities.
> >>>>>>>
> >>>>>>> The issue to me is that sc_seco_authenticate could not take a
> >>>>>>> FIT image as input.
> >>>>>>
> >>>>>> Is the sc_seco_authenticate an API accessible from SPL, U-Boot
> >>>>>> proper or Linux crypro engine driver?
> >>>>>
> >>>>> Yes, it is an API accessible in SPL/U-Boot stage. I do not know
> >>>>> about Linux crypto driver.
> >>>>
> >>>> Maybe it would be worth to check how Linux handle this? Maybe it
> >>>> would shed some more light on it?
> >>>
> >>> I am not familiar with that, so might be stupid question below.
> >>> Does it really matter?
> >>
> >> I would check it just out of curiosity.
> >
> > Yes, it matters, because there should be such API. How would Linux
> > authenticate e.g. userspace binaries if there wasn't one, surely not
> > by wrapping every single object into the custom vendor-specific container ?
> > And if there is one, you can use it to authenticate raw binaries from
> > U-Boot SPL too, e.g. fitImage blobs with an associated signature.
> >
> 
> iMX8 AHAB uses RSA key pair for authentication, the on-chip thing we called
> SRK is a array of public key hash which is dedicated for AHAB. It is not a real
> key. The real public key is in container.
> AHAB will check the public key with the on-chip SRK before using it to
> authenticate the image.
> Seco which contains the crypto engine on imx8 does not allow to use the SRK
> by user. No such API exported.
> And the fuse of SRK is locked, can't be read directly.
> 
> Actually on imx6/imx7/imx8m, the SPL and u-boot are already using ROM
> HAB to implement the trust chain, like SPL authenticates u-boot, u-boot
> authenticatse kernel. We just follow this same way on imx8, the difference is
> imx8 needs container format for signed image. We prefer directly loading
> container image than fit image.
> If we pack fit image into container, obviously this will cause one more copy.
> As a boot loader, isn't it better to have more image format supported? We
> don't force to use container, just set it as default. Users still can choose fit or
> raw image.


Do you have more comment?

Thanks,
Peng.

> 
> 
> > [...]
> >
> > --
> > Best regards,
> > Marek Vasut
> >
> 
> 



More information about the U-Boot mailing list