[PATCH] arm: imx: Add command to get offset of first image in AHAB OS container

Mon Nov 10 13:41:00 CET 2025

With current mainline it is possible to check with AHAB if system OS image
can be trusted (with 'auth_cntr' command).
However, after the validation one needs to use the image (fitImage in this
case) itself. Such operation requires getting the offset in the image
eligible for AHAB validation to start execution of the fitImage.

Command in this patch allows it, so with:
auth_cntr_offset ${addr} auth_cntr_os_offset;
setexpr addr ${kernel_addr_r} + ${auth_cntr_os_offset};

it is possible to boot the fitImage after AHAB IP block vaidation.

Signed-off-by: Lukasz Majewski <lukma at nabladev.com>
---
 arch/arm/mach-imx/imx8/ahab.c | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/arch/arm/mach-imx/imx8/ahab.c b/arch/arm/mach-imx/imx8/ahab.c
index f13baa871cc..da0e1f3382b 100644
--- a/arch/arm/mach-imx/imx8/ahab.c
+++ b/arch/arm/mach-imx/imx8/ahab.c
@@ -7,6 +7,7 @@
 #include <errno.h>
 #include <imx_container.h>
 #include <log.h>
+#include <env.h>
 #include <asm/global_data.h>
 #include <asm/io.h>
 #include <firmware/imx/sci/sci.h>
@@ -424,6 +425,55 @@ static int do_ahab_commit(struct cmd_tbl *cmdtp, int flag, int argc,
 	return CMD_RET_SUCCESS;
 }
 
+static int do_ahab_get_offset(struct cmd_tbl *cmdtp, int flag, int argc,
+			      char *const argv[])
+{
+	struct container_hdr *phdr;
+	const char *name = argv[2];
+	struct boot_img_t *img;
+	u16 length;
+	ulong cntr;
+	int err;
+
+	if (argc != 3)
+		return CMD_RET_USAGE;
+
+	if (!name)
+		return CMD_RET_USAGE;
+
+	cntr = hextoul(argv[1], NULL);
+
+	phdr = (struct container_hdr *)cntr;
+	length = phdr->length_lsb + (phdr->length_msb << 8);
+
+	err = ahab_auth_cntr_hdr(phdr, length);
+	if (err) {
+		printf("Authenticate OS container header has failed!\n");
+		return 1;
+	}
+
+	ahab_auth_release();
+
+	/*
+	 * Get the offset for first image (Image0Offset at Fitgure 1.
+	 * of AN12312)
+	 */
+	img = (struct boot_img_t *)
+		((ulong)phdr + sizeof(struct container_hdr));
+
+	debug("%s=0x%x\n", name, img->offset);
+
+	return env_set_hex(name, img->offset);
+}
+
+U_BOOT_CMD(auth_cntr_offset, CONFIG_SYS_MAXARGS, 1, do_ahab_get_offset,
+	   "provide first image offset from AHAB OS container",
+	   "addr name\n"
+	   "addr - OS container hex address\n"
+	   "name - name of the env variable to store offset of the first\n"
+	   "       image from AHAB OS container\n"
+);
+
 U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate,
 	   "autenticate OS container via AHAB",
 	   "addr\n"
-- 
2.39.5

