[PATCH v2] imx: spl: fix imx8m secure boot
Heiko Schocher
hs at denx.de
Thu Aug 19 06:29:48 CEST 2021
Hello Tim,
On 18.08.21 23:02, Tim Harvey wrote:
> On Mon, Aug 16, 2021 at 11:17 PM Heiko Schocher <hs at denx.de> wrote:
>>
>> cherry-picked from NXP code:
>> 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
>>
>> which fixes secure boot on imx8m based boards. Problem was
>> that FIT header and so IVT header too, was loaded to
>> memallocated address. So the ivt header address coded
>> in IVT itself does not fit with the real position.
>>
>> Signed-off-by: Heiko Schocher <hs at denx.de>
>>
>>
>> ---
>> replaces Series:
>> https://lists.denx.de/pipermail/u-boot/2021-August/457308.html
>>
>> @Tim: could you please test this version on your hardware?
>>
>> azure build:
>> https://dev.azure.com/hs0298/hs/_build/results?buildId=72&view=results
>>
>> Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
>>
>>
>> Changes in v2:
>> - use code from NXP commit 719d665 as Ye Li suggested.
>>
>> arch/arm/mach-imx/spl.c | 14 ++++++++++++++
>> common/spl/spl_fit.c | 7 ++++++-
>> 2 files changed, 20 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c
>> index 36033d611c..59c6c3752d 100644
>> --- a/arch/arm/mach-imx/spl.c
>> +++ b/arch/arm/mach-imx/spl.c
>> @@ -334,6 +334,20 @@ void board_spl_fit_post_load(const void *fit)
>> }
>> #endif
>>
>> +void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len)
>> +{
>> + int align_len = ARCH_DMA_MINALIGN - 1;
>> +
>> + /* Some devices like SDP, NOR, NAND, SPI are using bl_len =1, so their fit address
>> + * is different with SD/MMC, this cause mismatch with signed address. Thus, adjust
>> + * the bl_len to align with SD/MMC.
>> + */
>> + if (bl_len < 512)
>> + bl_len = 512;
>> +
>> + return (void *)((CONFIG_SYS_TEXT_BASE - fit_size - bl_len -
>> + align_len) & ~align_len);
>> +}
>> #endif
>>
>> #if defined(CONFIG_MX6) && defined(CONFIG_SPL_OS_BOOT)
>> diff --git a/common/spl/spl_fit.c b/common/spl/spl_fit.c
>> index f41abca0cc..a4337d3c88 100644
>> --- a/common/spl/spl_fit.c
>> +++ b/common/spl/spl_fit.c
>> @@ -538,6 +538,11 @@ static void *spl_get_fit_load_buffer(size_t size)
>> return buf;
>> }
>>
>> +__weak void *board_spl_fit_buffer_addr(ulong fit_size, int sectors, int bl_len)
>> +{
>> + return spl_get_fit_load_buffer(sectors * bl_len);
>> +}
>> +
>> /*
>> * Weak default function to allow customizing SPL fit loading for load-only
>> * use cases by allowing to skip the parsing/processing of the FIT contents
>> @@ -631,7 +636,7 @@ static int spl_simple_fit_read(struct spl_fit_info *ctx,
>> * For FIT with external data, data is not loaded in this step.
>> */
>> sectors = get_aligned_image_size(info, size, 0);
>> - buf = spl_get_fit_load_buffer(sectors * info->bl_len);
>> + buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len);
>>
>> count = info->read(info, sector, sectors, buf);
>> ctx->fit = buf;
>> --
>> 2.31.1
>>
>
> Heiko,
>
> Thanks - works great on imx8mm-venice boards with eMMC with both
> CONFIG_IMX_HAB=y and not.
>
> Tested-by: Tim Harvey <tharvey at gateworks.com>
Thanks for testing!
> I am still interested in using binman to generate signed images but
> have not had time to look into and probably won't for another couple
> of weeks at the earliest.
Me too, but may I do not find time in the near future, but if you have
some patches, I can test them!
bye,
Heiko
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs at denx.de
More information about the U-Boot
mailing list