[PATCH 2/2] imx: hab: Use nxp_imx8mcst etype for i.MX8M flash.bin signing
Marek Vasut
marex at denx.de
Fri Apr 26 01:07:02 CEST 2024
Update documentation and use nxp_imx8mcst binman etype for signing
of flash.bin instead of previous horrible shell scripting.
Signed-off-by: Marek Vasut <marex at denx.de>
---
Cc: "NXP i.MX U-Boot Team" <uboot-imx at nxp.com>
Cc: Adam Ford <aford173 at gmail.com>
Cc: Alper Nebi Yasak <alpernebiyasak at gmail.com>
Cc: Andrejs Cainikovs <andrejs.cainikovs at toradex.com>
Cc: Angus Ainslie <angus at akkea.ca>
Cc: Emanuele Ghidoli <emanuele.ghidoli at toradex.com>
Cc: Fabio Estevam <festevam at gmail.com>
Cc: Francesco Dolcini <francesco.dolcini at toradex.com>
Cc: Marcel Ziswiler <marcel.ziswiler at toradex.com>
Cc: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
Cc: Simon Glass <sjg at chromium.org>
Cc: Stefan Eichenberger <stefan.eichenberger at toradex.com>
Cc: Stefano Babic <sbabic at denx.de>
Cc: Tim Harvey <tharvey at gateworks.com>
Cc: Tom Rini <trini at konsulko.com>
Cc: kernel at puri.sm
Cc: u-boot at dh-electronics.com
Cc: u-boot at lists.denx.de
---
doc/imx/habv4/csf_examples/mx8m/csf.sh | 92 ------------
doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 30 ----
doc/imx/habv4/csf_examples/mx8m/csf_spl.txt | 33 ----
doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 141 +++++++-----------
4 files changed, 55 insertions(+), 241 deletions(-)
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
delete mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
deleted file mode 100644
index cd3b2614a2f..00000000000
--- a/doc/imx/habv4/csf_examples/mx8m/csf.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/sh
-
-# 0) Generate keys
-#
-# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus)
-#
-# cd /path/to/cst-3.3.1/keys/
-# ./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y
-# cd /path/to/cst-3.3.1/crts/
-# ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
-
-# 1) Build U-Boot (e.g. for i.MX8MM)
-#
-# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin .
-# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* .
-# make -j imx8mm_board_defconfig
-# make -j`nproc` flash.bin
-
-# 2) Sign SPL and DRAM blobs
-
-cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
-cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
-
-# update File Paths from env vars
-if ! [ -r $CSF_KEY ]; then
- echo "Error: \$CSF_KEY not found"
- exit 1
-fi
-if ! [ -r $IMG_KEY ]; then
- echo "Error: \$IMG_KEY not found"
- exit 1
-fi
-if ! [ -r $SRK_TABLE ]; then
- echo "Error: \$SRK_TABLE not found"
- exit 1
-fi
-sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_spl.tmp
-sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_spl.tmp
-sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_spl.tmp
-sed -i "s:\$CSF_KEY:$CSF_KEY:" csf_fit.tmp
-sed -i "s:\$IMG_KEY:$IMG_KEY:" csf_fit.tmp
-sed -i "s:\$SRK_TABLE:$SRK_TABLE:" csf_fit.tmp
-
-# update SPL Blocks
-spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s at .*=@@p" .config) - 0x40)) )
-spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
-sed -i "/Blocks = / s at .*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
-
-# Generate CSF blob
-cst -i csf_spl.tmp -o csf_spl.bin
-
-# Patch CSF blob into flash.bin
-spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
-dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
-
-# 3) Sign u-boot.itb
-
-# fitImage
-fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s at .*=@@p" .config) )
-fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset))
-fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) )
-sed -i "/Blocks = / s at .*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp
-
-# IVT
-ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
-csf_block_offset=$((${ivt_block_offset} + 0x20))
-
-echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin
-dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc
-
-# Generate CSF blob
-cst -i csf_fit.tmp -o csf_fit.bin
-
-# When loading flash.bin via USB, we must ensure that the file being
-# served is as large as the target expects (see
-# board_spl_fit_size_align()), otherwise the target will hang in
-# rom_api_download_image() waiting for the remaining bytes.
-#
-# Note that in order for dd to actually extend the file, one must not
-# pass conv=notrunc here. With a non-zero seek= argument, dd is
-# documented to preserve the contents of the file seeked past; in
-# particular, dd does not open the file with O_TRUNC.
-CSF_SIZE=$(sed -n "/CONFIG_CSF_SIZE=/ s at .*=@@p" .config)
-dd if=/dev/null of=csf_fit.bin bs=1 seek=$((CSF_SIZE - 0x20)) count=0
-
-# Patch CSF blob into flash.bin
-dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
deleted file mode 100644
index 97f3eea573b..00000000000
--- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
+++ /dev/null
@@ -1,30 +0,0 @@
-[Header]
- Version = 4.3
- Hash Algorithm = sha256
- Engine = CAAM
- Engine Configuration = 0
- Certificate Format = X509
- Signature Format = CMS
-
-[Install SRK]
- # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
- File = "$SRK_TABLE"
- Source index = 0
-
-[Install CSFK]
- # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
- File = "$CSF_KEY"
-
-[Authenticate CSF]
-
-[Install Key]
- Verification index = 0
- Target Index = 2
- # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
- File = "$IMG_KEY"
-
-[Authenticate Data]
- Verification index = 2
- # FIXME:
- # Line 1 -- fitImage
- Blocks = CONFIG_SPL_LOAD_FIT_ADDRESS 0x57c00 0xffff "flash.bin"
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
deleted file mode 100644
index 88fa420a5fa..00000000000
--- a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-[Header]
- Version = 4.3
- Hash Algorithm = sha256
- Engine = CAAM
- Engine Configuration = 0
- Certificate Format = X509
- Signature Format = CMS
-
-[Install SRK]
- # SRK_TABLE is full path to SRK_1_2_3_4_table.bin
- File = "$SRK_TABLE"
- Source index = 0
-
-[Install CSFK]
- # CSF_KEY is full path to CSF1_1_sha256_4096_65537_v3_usr_crt.pem
- File = "$CSF_KEY"
-
-[Authenticate CSF]
-
-[Unlock]
- Engine = CAAM
- Features = MID
-
-[Install Key]
- Verification index = 0
- Target Index = 2
- # IMG_KEY is full path to IMG1_1_sha256_4096_65537_v3_usr_crt.pem
- File = "$IMG_KEY"
-
-[Authenticate Data]
- Verification index = 2
- # FIXME: Adjust start (first column) and size (third column) here
- Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
index e16e5410bd9..4b2fe08e1d1 100644
--- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -121,6 +121,9 @@ build configuration:
- Defconfig:
CONFIG_IMX_HAB=y
+ CONFIG_FSL_CAAM=y
+ CONFIG_ARCH_MISC_INIT=y
+ CONFIG_SPL_CRYPTO=y
- Kconfig:
@@ -131,92 +134,58 @@ build configuration:
The CSF contains all the commands that the HAB executes during the secure
boot. These commands instruct the HAB code on which memory areas of the image
-to authenticate, which keys to install, use and etc.
-
-CSF examples are available under doc/imx/habv4/csf_examples/ directory.
-
-CSF "Blocks" line for csf_spl.txt can be generated as follows:
-
-```
-spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s at .*=@@p" .config) - 0x40)) )
-spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
-sed -i "/Blocks = / s at .*@ Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.txt
-```
-
-The resulting line looks as follows:
-```
- Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
-```
-
-The columns mean:
- - CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM
- - 0x0 -- Start address of signed data, in "flash.bin"
- - 0x306f0 -- Length of signed data, in "flash.bin"
- - Filename -- "flash.bin"
-
-To generate signature for the SPL part of flash.bin container, use CST:
-```
-cst -i csf_spl.tmp -o csf_spl.bin
-```
-
-The newly generated CST blob has to be patched into existing flash.bin
-container. Conveniently, flash.bin IVT contains physical address of the
-CSF blob. Remember, the SPL part of flash.bin container is loaded by the
-BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in
-the fitImage can be calculated and inserted into the flash.bin in the
-correct location as follows:
-```
-# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40
-spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
-spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
-dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
-```
-
-CSF "Blocks" line for csf_fit.txt can be generated as follows:
-```
-# fitImage
-fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s at .*=@@p" .config) )
-fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset))
-fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) )
-sed -i "/Blocks = / s at .*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp
-```
-
-The fitImage part of flash.bin requires separate IVT. Generate the IVT and
-patch it into the correct aligned location of flash.bin as follows:
-```
-# IVT
-ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
-ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
-csf_block_offset=$((${ivt_block_offset} + 0x20))
-
-echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin
-dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc
-```
-
-To generate CSF signature for the fitImage part of flash.bin container, use CST:
-```
-cst -i csf_fit.tmp -o csf_fit.bin
-```
-
-Finally, patch the CSF signature into the fitImage right past the IVT:
-```
-dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
-```
-
-The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
-and can be used as follows to modify flash.bin to be signed
-(adjust paths as needed):
-```
-export CST_DIR=/usr/src/cst-3.3.1/
-export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
-export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
-export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
-export PATH=$CST_DIR/linux64/bin:$PATH
-/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
-```
+to authenticate, which keys to install, use and etc. The CSF is generated
+using the CST Code Signing Tool based on input configuration file. This tool
+input configuration file is generated using binman, and the tool is invoked
+from binman as well.
+
+The SPL and fitImage sections of the generated image are signed separately.
+The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst
+etype, by adding the following modification into the binman node:
+
+"
+ diff --git a/arch/arm/dts/imx8mp-u-boot.dtsi b/arch/arm/dts/imx8mp-u-boot.dtsi
+ index c4c1a177102..ccd44bf9d0b 100644
+ --- a/arch/arm/dts/imx8mp-u-boot.dtsi
+ +++ b/arch/arm/dts/imx8mp-u-boot.dtsi
+ @@ -86,6 +86,12 @@
+ section {
+ pad-byte = <0x00>;
+
+ + nxp-imx8mcst at 0 {
+ + filename = "u-boot-spl-mkimage.signed.bin";
+ + nxp,loader-address = <CONFIG_SPL_TEXT_BASE>;
+ + nxp,unlock;
+ + args; /* Needed by mkimage etype superclass */
+ +
+ nxp-imx8mimage {
+ filename = "u-boot-spl-mkimage.bin";
+ nxp,boot-from = "sd";
+ @@ -129,6 +135,14 @@
+ };
+ };
+
+ + };
+ +
+ + nxp-imx8mcst at 1 {
+ + filename = "u-boot-fit.signed.bin";
+ + nxp,loader-address = <CONFIG_SPL_LOAD_FIT_ADDRESS>;
+ + offset = <0x58000>;
+ + args; /* Needed by mkimage etype superclass */
+ +
+ fit {
+ description = "Configuration to load ATF before U-Boot";
+ #ifndef CONFIG_IMX_HAB
+ @@ -191,5 +205,6 @@
+ };
+ };
+ };
+ + };
+ };
+ };
+"
+
+Build of flash.bin target then produces a signed flash.bin automatically.
1.4 Closing the device
-----------------------
--
2.43.0
More information about the U-Boot
mailing list