[PATCH v2] imx: spl: fix imx8m secure boot
Tim Harvey
tharvey at gateworks.com
Wed Aug 18 23:02:25 CEST 2021
On Mon, Aug 16, 2021 at 11:17 PM Heiko Schocher <hs at denx.de> wrote:
>
> cherry-picked from NXP code:
> 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
>
> which fixes secure boot on imx8m based boards. Problem was
> that FIT header and so IVT header too, was loaded to
> memallocated address. So the ivt header address coded
> in IVT itself does not fit with the real position.
>
> Signed-off-by: Heiko Schocher <hs at denx.de>
>
>
> ---
> replaces Series:
> https://lists.denx.de/pipermail/u-boot/2021-August/457308.html
>
> @Tim: could you please test this version on your hardware?
>
> azure build:
> https://dev.azure.com/hs0298/hs/_build/results?buildId=72&view=results
>
> Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
>
>
> Changes in v2:
> - use code from NXP commit 719d665 as Ye Li suggested.
>
> arch/arm/mach-imx/spl.c | 14 ++++++++++++++
> common/spl/spl_fit.c | 7 ++++++-
> 2 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c
> index 36033d611c..59c6c3752d 100644
> --- a/arch/arm/mach-imx/spl.c
> +++ b/arch/arm/mach-imx/spl.c
> @@ -334,6 +334,20 @@ void board_spl_fit_post_load(const void *fit)
> }
> #endif
>
> +void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len)
> +{
> + int align_len = ARCH_DMA_MINALIGN - 1;
> +
> + /* Some devices like SDP, NOR, NAND, SPI are using bl_len =1, so their fit address
> + * is different with SD/MMC, this cause mismatch with signed address. Thus, adjust
> + * the bl_len to align with SD/MMC.
> + */
> + if (bl_len < 512)
> + bl_len = 512;
> +
> + return (void *)((CONFIG_SYS_TEXT_BASE - fit_size - bl_len -
> + align_len) & ~align_len);
> +}
> #endif
>
> #if defined(CONFIG_MX6) && defined(CONFIG_SPL_OS_BOOT)
> diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
> index f41abca0cc..a4337d3c88 100644
> --- a/common/spl/spl_fit.c
> +++ b/common/spl/spl_fit.c
> @@ -538,6 +538,11 @@ static void *spl_get_fit_load_buffer(size_t size)
> return buf;
> }
>
> +__weak void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len)
> +{
> + return spl_get_fit_load_buffer(sectors * bl_len);
> +}
> +
> /*
> * Weak default function to allow customizing SPL fit loading for load-only
> * use cases by allowing to skip the parsing/processing of the FIT contents
> @@ -631,7 +636,7 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx,
> * For FIT with external data, data is not loaded in this step.
> */
> sectors = get_aligned_image_size(info, size, 0);
> - buf = spl_get_fit_load_buffer(sectors * info->bl_len);
> + buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len);
>
> count = info->read(info, sector, sectors, buf);
> ctx->fit = buf;
> --
> 2.31.1
>
Heiko,
Thanks - works great on imx8mm-venice boards with eMMC with both
CONFIG_IMX_HAB=y and not.
Tested-by: Tim Harvey <tharvey at gateworks.com>
I am still interested in using binman to generate signed images but
have not had time to look into and probably won't for another couple
of weeks at the earliest.
Best regards,
Tim
More information about the U-Boot
mailing list