CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.
Signed-off-by: Stefano Babic <sbabic@denx.de>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
commit ed286bc80e ("imx: hab: Check if CSF is valid before authenticating
image") makes use of "__packed" as a prefix to the "struct hab_hdr"
declaration.
With my compiler "gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)" we
get:
./arch/arm/include/asm/mach-imx/hab.h:42:25: error: expected ‘=’, ‘,’, ‘;’,
‘asm’ or ‘__attribute__’ before ‘{’ token
struct __packed hab_hdr {
Fix this problem by including <linux/compiler.h>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Currently the following devices are using a different definition for ROM
Vector Table addresses:
- i.MX6DQP = All rev
- i.MX6DQ >= rev 1.5
- i.MX6SDL >= rev 1.2
There is no need to create a new RVT macros since the only update were the
RVT base address. Remove HAB_RVT_*_NEW macros and define a new RVT base
address.
More details about RVT base address can be found on processors Reference
Manual and in the following documents:
EB803: i.MX 6Dual/6Quad Applications Processor Silicon Revision 1.2 to 1.3
Comparison
EB804: i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1
to 1.2/1.3 Comparison
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Write, Check and Set MID commands have been deprecated from the Code
Signing Tool (CST) v2.3.3 and will not be implemented in newer versions
of HAB, hence the following features are no longer available:
- Write Data
- Clear Mask
- Set Mask
- Check All Clear
- Check All Set
- Check Any Clear
- Check Any Set
- Set MID
The inappropriate use of Write Data command may lead to an incorrect
authentication boot flow. Since no specific application has been identified
that requires the use of any of these features, it is highly recommended to
add this check.
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
For proper authentication the HAB code must check if the CSF is valid.
Users must call the csf_is_valid() function to parse the CSF prior to
authenticating any additional images. The function will return a failure
if any of the following invalid conditions are met:
- CSF pointer is NULL
- CSF Header does not exist
- CSF does not lie within the image bounds
- CSF command length zero
Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The hab_rvt_failsafe() callback according to the HABv4 documentation:
"This function provides a safe path when image authentication has failed
and all possible boot paths have been exhausted. It is intended for use by
post-ROM boot stage components, via the ROM Vector Table."
Once invoked the part will drop down to its BootROM USB recovery mode.
Should it be the case that the part is in secure boot mode - only an
appropriately signed binary will be accepted by the ROM and subsequently
executed.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
It will be helpful to boot commands to know if the HAB is enabled. Export
imx_hab_is_enabled() now to facilitate further work with this data-point in
a secure-boot context.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Tidy up the HAB namespace a bit by prefixing external functions with
imx_hab. All external facing functions past this point will be prefixed in
the same way to make the fact we are doing IMX HAB activities clear from
reading the code. authenticate_image() could mean anything
imx_hab_authenticate_image() is on the other hand very explicit.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The hab_rvt_check_target() callback according to the HABv4 documentation:
"This function reports whether or not a given target region is allowed for
either peripheral configuration or image loading in memory. It is intended
for use by post-ROM boot stage components, via the ROM Vector Table, in
order to avoid configuring security-sensitive peripherals, or loading
images over sensitive memory regions or outside recognized memory devices
in the address map."
It is a useful function to support as a precursor to calling into
authenticate_image() to validate the target memory region is good.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The various i.MX BootROMs containing the High Assurance Boot (HAB) block
rely on a data structure called the Image Vector Table (IVT) to describe to
the BootROM where to locate various data-structures used by HAB during
authentication.
This patch adds a definition of the IVT header for use in later patches,
where we will break the current incorrect dependence on fixed offsets in
favour of an IVT described parsing of incoming binaries.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
u-boot command "hab_auth_img" tells a user that it takes
- addr - image hex address
- offset - hex offset of IVT in the image
but in fact the callback hab_auth_img makes to authenticate_image treats
the second 'offset' parameter as an image length.
Furthermore existing code requires the IVT header to be appended to the end
of the image which is not actually a requirement of HABv4.
This patch fixes this situation by
1: Adding a new parameter to hab_auth_img
- addr : image hex address
- length : total length of the image
- offset : offset of IVT from addr
2: Updates the existing call into authenticate_image() in
arch/arm/mach-imx/spl.c:jump_to_image_no_args() to pass
addr, length and IVT offset respectively.
This allows then hab_auth_img to actually operate the way it was specified
in the help text and should still allow existing code to work.
It has the added advantage that the IVT header doesn't have to be appended
to an image given to HAB - it can be prepended for example.
Note prepending the IVT is what u-boot will do when making an IVT for the
BootROM. It should be possible for u-boot properly authenticate images
made by mkimage via HAB.
This patch is the first step in making that happen subsequent patches will
focus on removing hard-coded offsets to the IVT, which again is not
mandated to live at the end of a .imx image.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
CSF_PAD_SIZE should be defined in hab.h, move it to that location now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
The size of the IVT header should be defined in hab.h move it there now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Both usages of authenticate_image treat the result code as a simple binary.
The command line usage of authenticate_image directly returns the result
code of authenticate_image as a success/failure code.
Right now when calling hab_auth_img and test the result code in a shell a
passing hab_auth_img will appear to the shell as a fail.
The first step in fixing this behaviour is to fix-up the result code return
by authenticate_image() itself, subsequent patches fix the interpretation
of authenticate_image so that zero will return CMD_RET_SUCCESS and non-zero
will return CMD_RET_FAILURE.
The first step is fixing the return type in authenticate_image() so do that
now.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Change is consistent with other SOCs and it is in preparation
for adding SOMs. SOC's related files are moved from cpu/ to
mach-imx/<SOC>.
This change is also coherent with the structure in kernel.
Signed-off-by: Stefano Babic <sbabic@denx.de>
CC: Fabio Estevam <fabio.estevam@nxp.com>
CC: Akshay Bhat <akshaybhat@timesys.com>
CC: Ken Lin <Ken.Lin@advantech.com.tw>
CC: Marek Vasut <marek.vasut@gmail.com>
CC: Heiko Schocher <hs@denx.de>
CC: "Sébastien Szymanski" <sebastien.szymanski@armadeus.com>
CC: Christian Gmeiner <christian.gmeiner@gmail.com>
CC: Stefan Roese <sr@denx.de>
CC: Patrick Bruenn <p.bruenn@beckhoff.com>
CC: Troy Kisky <troy.kisky@boundarydevices.com>
CC: Nikita Kiryanov <nikita@compulab.co.il>
CC: Otavio Salvador <otavio@ossystems.com.br>
CC: "Eric Bénard" <eric@eukrea.com>
CC: Jagan Teki <jagan@amarulasolutions.com>
CC: Ye Li <ye.li@nxp.com>
CC: Peng Fan <peng.fan@nxp.com>
CC: Adrian Alonso <adrian.alonso@nxp.com>
CC: Alison Wang <b18965@freescale.com>
CC: Tim Harvey <tharvey@gateworks.com>
CC: Martin Donnelly <martin.donnelly@ge.com>
CC: Marcin Niestroj <m.niestroj@grinn-global.com>
CC: Lukasz Majewski <lukma@denx.de>
CC: Adam Ford <aford173@gmail.com>
CC: "Albert ARIBAUD (3ADEV)" <albert.aribaud@3adev.fr>
CC: Boris Brezillon <boris.brezillon@free-electrons.com>
CC: Soeren Moch <smoch@web.de>
CC: Richard Hu <richard.hu@technexion.com>
CC: Wig Cheng <wig.cheng@technexion.com>
CC: Vanessa Maegima <vanessa.maegima@nxp.com>
CC: Max Krummenacher <max.krummenacher@toradex.com>
CC: Stefan Agner <stefan.agner@toradex.com>
CC: Markus Niebel <Markus.Niebel@tq-group.com>
CC: Breno Lima <breno.lima@nxp.com>
CC: Francesco Montefoschi <francesco.montefoschi@udoo.org>
CC: Jaehoon Chung <jh80.chung@samsung.com>
CC: Scott Wood <oss@buserror.net>
CC: Joe Hershberger <joe.hershberger@ni.com>
CC: Anatolij Gustschin <agust@denx.de>
CC: Simon Glass <sjg@chromium.org>
CC: "Andrew F. Davis" <afd@ti.com>
CC: "Łukasz Majewski" <l.majewski@samsung.com>
CC: Patrice Chotard <patrice.chotard@st.com>
CC: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
CC: Hans de Goede <hdegoede@redhat.com>
CC: Masahiro Yamada <yamada.masahiro@socionext.com>
CC: Stephen Warren <swarren@nvidia.com>
CC: Andre Przywara <andre.przywara@arm.com>
CC: "Álvaro Fernández Rojas" <noltari@gmail.com>
CC: York Sun <york.sun@nxp.com>
CC: Xiaoliang Yang <xiaoliang.yang@nxp.com>
CC: Chen-Yu Tsai <wens@csie.org>
CC: George McCollister <george.mccollister@gmail.com>
CC: Sven Ebenfeld <sven.ebenfeld@gmail.com>
CC: Filip Brozovic <fbrozovic@gmail.com>
CC: Petr Kulhavy <brain@jikos.cz>
CC: Eric Nelson <eric@nelint.com>
CC: Bai Ping <ping.bai@nxp.com>
CC: Anson Huang <Anson.Huang@nxp.com>
CC: Sanchayan Maity <maitysanchayan@gmail.com>
CC: Lokesh Vutla <lokeshvutla@ti.com>
CC: Patrick Delaunay <patrick.delaunay@st.com>
CC: Gary Bisson <gary.bisson@boundarydevices.com>
CC: Alexander Graf <agraf@suse.de>
CC: u-boot@lists.denx.de
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
