[U-Boot] [PATCH 3/4] imx6: spl: Reduce SPL limit size in case CONFIG_SECURE_BOOT is enabled

Breno Matheus Lima brenomatheus at gmail.com
Mon Sep 23 18:48:18 UTC 2019


Hi Stefano and Jagan,


On Thu, Sep 19, 2019 at 05:27, Stefano Babic <sbabic at denx.de> wrote:
>
> On 19/09/19 07:37, Jagan Teki wrote:
> > Hi Stefano,
> >
> > On Wed, Sep 18, 2019 at 1:29 PM Stefano Babic <sbabic at denx.de> wrote:
> >>
> >> Hi Jagan, Breno,
> >>
> >> On 17/09/19 09:13, Jagan Teki wrote:
> >>> Hi Breno,
> >>>
> >>> On Thu, Jul 18, 2019 at 6:06 PM Breno Matheus Lima <breno.lima at nxp.com> wrote:
> >>>>
> >>>> In case CONFIG_SECURE_BOOT is enabled we need to limit the SPL size to
> >>>> avoid a possible HAB failure event:
> >>>>
> >>>> --------- HAB Event 1 -----------------
> >>>> event data:
> >>>>         0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
> >>>>         0x00 0x00 0x00 0x0f 0x00 0x90 0x70 0x00
> >>>>         0x00 0x01 0x10 0x00
> >>>> STS = HAB_FAILURE (0x33)
> >>>> RSN = HAB_INV_ADDRESS (0x22)
> >>>> CTX = HAB_CTX_TARGET (0x33)
> >>>> ENG = HAB_ENG_ANY (0x00)
> >>>>
> >>>> As explained in Commit 23612534fe0f ("spl: imx6: Provide a SPL_SIZE_LIMIT
> >>>> default") the i.MX6 SPL size limit is 68KB.
> >>>>
> >>>> The ROM code is copying the image size defined in boot data to its
> >>>> respective load address, in case we exceed the OCRAM free region a
> >>>> HAB invalid address failure event is generated.
> >>>>
> >>>> The maximum CSF size is defined in CONFIG_CSF_SIZE, reduce SPL size
> >>>> limit based on this configuration.
> >>>>
> >>>> Signed-off-by: Breno Lima <breno.lima at nxp.com>
> >>>> ---
> >>>>  tools/spl_size_limit.c | 3 +++
> >>>>  1 file changed, 3 insertions(+)
> >>>>
> >>>> diff --git a/tools/spl_size_limit.c b/tools/spl_size_limit.c
> >>>> index 98ff491867..8902e30129 100644
> >>>> --- a/tools/spl_size_limit.c
> >>>> +++ b/tools/spl_size_limit.c
> >>>> @@ -14,6 +14,9 @@ int main(int argc, char *argv[])
> >>>>
> >>>>  #ifdef CONFIG_SPL_SIZE_LIMIT
> >>>>         spl_size_limit = CONFIG_SPL_SIZE_LIMIT;
> >>>> +#if defined(CONFIG_SECURE_BOOT) && defined(CONFIG_CSF_SIZE)
> >>>> +       spl_size_limit -= CONFIG_CSF_SIZE;
> >>>> +#endif
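Review bot: the `spl_size_limit -= CONFIG_CSF_SIZE;` line subtracts without checking that CONFIG_CSF_SIZE is smaller than CONFIG_SPL_SIZE_LIMIT, so a board with a small limit or a large CSF setting ends up with a zero, negative or wrapped limit rather than a build error. A `#if CONFIG_CSF_SIZE >= CONFIG_SPL_SIZE_LIMIT` check with `#error` ahead of the subtraction would catch that. The `defined(CONFIG_CSF_SIZE)` half of the condition also means a CONFIG_SECURE_BOOT build with no CSF size configured silently keeps the full limit, and the code has no comment saying why the CSF space is reserved; that reasoning is only in the commit message.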
> >>>
> >>> But, if the target enables HAB on SPL the size would be part of SPL
> >>> limit, isn't it?
> >>
> >> Indeed - it is not clear to me, too, if it is correct, even if CSF is
> >> added later by the NXP signing tools. The patch reduces significantly
> >> the available space for SPL, I am just wondering why just mamoj is
> >> affected. Jagan, does it work without this patch applied ?
> >
> > mamoj is affected since the board enables SPL_DM, SPL_OF_CONTROL. Yes,
> > the build looks fine without this patch.
>
> Anyway, SPL size does not seem too much. But dropping 0x4000 to the
> available size is really a lot, and I hope we can reduce this.
>

Thanks for submitting a fix for the mamoj board.

We should also reduce CSF_SIZE in default_image.c and image.c to avoid
a U-Boot proper authentication failure in HAB closed devices. The
current U-Boot tools code is hardcoding CSF_SIZE as 0x2000 and the
mx6ul_14x14_defconfig target is failing to boot with the error below:

Authenticate image from DDR location 0x877fffc0...
bad magic magic=0x32 length=0x6131 version=0x38
bad length magic=0x32 length=0x6131 version=0x38
bad version magic=0x32 length=0x6131 version=0x38
spl: ERROR:  image authentication fail

The intent of "habv4: tools: Avoid hardcoded CSF size for SPL targets"
is to avoid such an issue. I tried to apply this patch back but I'm
seeing gunzip related errors as reported by Igor Opaniuk. We may need
to understand this dependency better.

I have just submitted a patch reducing default CSF_SIZE to 0x2060,
this patch is also modifying default_image.c and image.c but CSF_SIZE
is still hardcoded in U-Boot tools code.

Thanks,
Breno Lima
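
As an added illustration (not part of the original message and not U-Boot's own code), this C sketch decodes the HAB event record quoted in the commit message, using the field order visible in that dump: tag, two-byte length, version, then STS, RSN, CTX and ENG. The names `hab_event_parse`, `struct hab_event` and `be32` are hypothetical, and reading the payload as big-endian 32-bit words is an assumption; the last word, 0x00011000, equals the 68KB limit the commit message cites.

```c
#include <stdint.h>
#include <stdio.h>

#define HAB_TAG_EVT   0xdb /* first byte of the record on this page */
#define HAB_EVT_FIXED 8    /* tag, len[2], version, STS, RSN, CTX, ENG */

struct hab_event {
	uint8_t version, status, reason, context, engine;
	const uint8_t *data; /* event-specific payload */
	size_t data_len;
};

/* The 20 bytes printed under "HAB Event 1" in the quoted commit message. */
static const uint8_t page_event[] = {
	0xdb, 0x00, 0x14, 0x42, 0x33, 0x22, 0x33, 0x00, 0x00, 0x00,
	0x00, 0x0f, 0x00, 0x90, 0x70, 0x00, 0x00, 0x01, 0x10, 0x00,
};

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 for a short, mistagged or inconsistent record. */
int hab_event_parse(const uint8_t *buf, size_t n, struct hab_event *ev)
{
	if (n < HAB_EVT_FIXED || buf[0] != HAB_TAG_EVT)
		return -1;
	size_t len = ((size_t)buf[1] << 8) | buf[2]; /* big-endian, whole record */
	if (len < HAB_EVT_FIXED || len > n)
		return -1;
	*ev = (struct hab_event){ .version = buf[3], .status = buf[4],
		.reason = buf[5], .context = buf[6], .engine = buf[7],
		.data = buf + HAB_EVT_FIXED, .data_len = len - HAB_EVT_FIXED };
	return 0;
}

int main(void)
{
	struct hab_event ev;

	if (hab_event_parse(page_event, sizeof(page_event), &ev))
		return 1;
	printf("STS=0x%02x RSN=0x%02x CTX=0x%02x ENG=0x%02x\n",
	       ev.status, ev.reason, ev.context, ev.engine);
	for (size_t i = 0; i + 4 <= ev.data_len; i += 4)
		printf("payload[%zu] = 0x%08x\n", i, (unsigned)be32(ev.data + i));
	return 0;
}
```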

