[PATCH v2] imx: spl: fix imx8m secure boot

Heiko Schocher hs at denx.de
Wed Nov 3 07:00:26 CET 2021 

Hello Rasmus,

On 01.11.21 08:52, Rasmus Villemoes wrote:
> On 17/08/2021 08.17, Heiko Schocher wrote:
>> cherry-picked from NXP code:
>> 719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
>>
>> which fixes secure boot on imx8m based boards. 
>>
> [...]
> 
>> Works on sdcard and QSPI NOR boot on phycore-imx8mp board.
> 
> Hm, the subject of that patch mentions booting through uuu, and here you
> mention imx8mp. I'm quite interested in that combination, as it doesn't
> seem that the imx8mp_evk in mainline U-Boot (signed or not) can be
> booted via uuu. Does serial download work on phycore-imx8mp?

Yes, attached current log (with 2021.07 u-boot)

> As I mentioned in
> https://lore.kernel.org/u-boot/0996154d-774c-607f-8b5c-9cc0d268ecaa@prevas.dk/
> , I've bisected the start of it working in the NXP fork to a specific
> commit, but I can't figure out what part of that is really responsible
> (and if it's just that that commit enables some CONFIG_* symbols for
> imx8mp_evk, the real meat is likely in earlier commits adding the code
> that thus gets enabled).
> 
> Any ideas?

Puh... hard to say... I use imx-atf 2.5, there changed the loadaddress:

--- a/arch/arm/dts/imx8mp-phyboard-pollux-rdk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mp-phyboard-pollux-rdk-u-boot.dtsi
@@ -246,8 +246,8 @@
                                        type = "firmware";
                                        arch = "arm64";
                                        compression = "none";
-                                       load = <0x960000>;
-                                       entry = <0x960000>;
+                                       load = <0x970000>;
+                                       entry = <0x970000>;


I try to find time to look into my state, may I have some
patches on top of 2021.07 ...

bye,
Heiko


[1] loading SPL/U-Boot with uuu tool
$ tbot @argsxxx-local-noethinit-uuu interactive_uboot
tbot starting ...
├─Flags:
│ 'local', 'noethinit', 'uuuloader', 'do_power'
├─Boardname:  xxx
├─Calling interactive_uboot ...
│   ├─[lab6] kermit /home/pi/kermrc_imx8mp
│   ├─POWERON (xxx)
│   ├─[lab6] sispmctl -D 01:01:4f:d4:b1 -o 2
│   │    ## Accessing Gembird #0 USB device 004
│   │    ## Switched outlet 2 on
│   ├─[lab6] sudo ls /home/pi/source/mfgtools/uuu/uuu
│   │    ## /home/pi/source/mfgtools/uuu/uuu
│   ├─[lab6] sudo /home/pi/source/mfgtools/uuu/uuu /srv/tftpboot/xxx/20210825-ml/imx-boot.signed
│   │    ## uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.107-16-g19e2890
│   │    ##
│   │    ## Success 1    Failure 0

│   │    ##

│   │    ##

│   │    ## 1:1134   2/ 2 [Done                                  ] SDPS: done

│   │    ##
│   │    ##
│   ├─UBOOT (xxx-uboot)
│   │    <> 18
│   │    <>   OpenSSL versions prior to 1.0.0 must be the same.
│   │    <>   Set LD_LIBRARY_PATH for OpenSSL 1.0.2j  26 Sep 2016.
│   │    <>   Or rebuild C-Kermit from source on this computer to make versions agree.
│   │    <>   C-Kermit makefile target: linux+krb5+openssl
│   │    <>   Or if that is what you did then try to find out why
│   │    <>   the program loader (image activator) is choosing a
│   │    <>   different OpenSSL library than the one specified in the build.
│   │    <>
│   │    <>   All SSL/TLS features disabled.
│   │    <>
│   │    <> Connecting to
/dev/serial/by-id/usb-Prolific_Technology_Inc._USB-Serial_Controller-if00-port0, speed 115200
│   │    <>  Escape character: Ctrl-\ (ASCII 28, FS): enabled
│   │    <> Type the escape character followed by C to get back,
│   │    <> or followed by ? to see other options.
│   │    <> ----------------------------------------------------
│   │    <>
│   │    <> U-Boot SPL 2021.07 (Nov 03 2021 - 05:37:46 +0000)
│   │    <> Normal Boot
│   │    <> WDT:   Not starting
│   │    <> Find FIT header 0x&48025000, size 872
│   │    <> hab fuse not enabled
│   │    <>
│   │    <> Authenticate image from DDR location 0x401fcdc0...
│   │    <> Download 803692, total fit 804716
│   │    <> hab fuse not enabled
│   │    <>
│   │    <> Authenticate image from DDR location 0x401fcdc0...
│   │    <> ERROR:   mmap_add_region_check() failed. error -1
│   │    <> NOTICE:  BL31: v2.5(release):v2.5-90-g111debd22
│   │    <> NOTICE:  BL31: Built : 04:17:49, Jun 22 2021
│   │    <>
│   │    <>
│   │    <> U-Boot 2021.07 (Nov 03 2021 - 05:37:46 +0000)
│   │    <>
│   │    <> CPU:   Freescale i.MX8MP[8] rev1.1 at 1200 MHz
│   │    <> Reset cause: POR
│   │    <> Model: PHYTEC phyBOARD-Pollux i.MX8MP
│   │    <> DRAM:  2 GiB
│   │    <> WDT:   Started with servicing (60s timeout)
│   │    <> MMC:   FSL_SDHC: 1, FSL_SDHC: 2
│   │    <> Loading Environment from nowhere... OK
│   │    <> Loading Environment from SPIFlash... clk qspi_root_clk already disabled
│   │    <> clk qspi_root_clk already disabled
│   │    <> SF: Detected mt25qu512a with page size 256 Bytes, erase size 64 KiB, total 64 MiB
│   │    <> OK
│   │    <> In:    serial at 30890000
│   │    <> Out:   serial at 30890000
│   │    <> Err:   serial at 30890000
│   │    <> POR: reset bootcount
│   │    <> Net:   No ethernet found.
│   │    <> Hit any key to stop autoboot:  0
│   │    <> DEVEL: autoboot failed, go to cmdline
│   │    <> u-boot=>


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs at denx.de

More information about the U-Boot mailing list