diff options
Diffstat (limited to 'doc/imx')
| -rw-r--r-- | doc/imx/habv4/csf_examples/mx8m/csf.sh | 28 | ||||
| -rw-r--r-- | doc/imx/habv4/csf_examples/mx8m/csf_fit.txt | 10 | ||||
| -rw-r--r-- | doc/imx/habv4/guides/mx6_mx7_secure_boot.txt | 2 | ||||
| -rw-r--r-- | doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt | 2 | ||||
| -rw-r--r-- | doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 74 |
5 files changed, 24 insertions, 92 deletions
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh index 7a9a05e6339..5b383fa982f 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf.sh +++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh @@ -37,29 +37,11 @@ dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc # 3) Sign u-boot.itb -# fitImage tree -fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) ) +# fitImage +fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( ($(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# U-Boot -uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load)) -uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} ))) -uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size)) -sed -i "/0xuuuu/ s@.*@ $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# ATF -atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load)) -atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} ))) -atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size)) -sed -i "/0xaaaa/ s@.*@ $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# DTB -dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} ))) -dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} ))) -dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size)) -sed -i "/0xdddd/ s@.*@ $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp +fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) +sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp # IVT ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@") @@ -68,7 +50,7 @@ csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | se ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) csf_block_offset=$((${ivt_block_offset} + 0x20)) -echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin +echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc # Generate CSF blob diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt index cd1d4070a5e..bbb82f69448 100644 --- a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt +++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt @@ -26,11 +26,5 @@ [Authenticate Data] Verification index = 2 # FIXME: - # Line 1 -- fitImage tree - # Line 2 -- U-Boot u-boot-nodtb.bin blob - # Line 3 -- ATF BL31 blob - # Line 4 -- DT blob - Blocks = 0x401fcdc0 0x57c00 0xffff "flash.bin", \ - 0x40200000 0x62c00 0xuuuu "flash.bin", \ - 0x920000 0x00000 0xaaaa "flash.bin", \ - 0x40200000 0x00000 0xdddd "flash.bin" + # Line 1 -- fitImage + Blocks = 0x401fcdc0 0x57c00 0xffff "flash.bin" diff --git a/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt b/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt index 53f71fbc3e2..7fba84a3947 100644 --- a/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt +++ b/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt @@ -113,7 +113,7 @@ the U-Boot build, the example below is a log for mx7dsabresd_defconfig target: 1.4 Signing the U-Boot binary ------------------------------ -The CST tool is used for singing the U-Boot binary and generating a CSF binary, +The CST tool is used for signing the U-Boot binary and generating a CSF binary, users should input the CSF description file created in the step above and should receive a CSF binary, which contains the CSF commands, SRK table, signatures and certificates. diff --git a/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt b/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt index fde0f27efdc..56b8cd62cb6 100644 --- a/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt @@ -145,7 +145,7 @@ addresses, the csf_uboot.txt can be used as example: 1.4 Signing the images ----------------------- -The CST tool is used for singing the U-Boot binary and generating a CSF binary, +The CST tool is used for signing the U-Boot binary and generating a CSF binary, users should input the CSF description file created in the step above and receive a CSF binary, which contains the CSF commands, SRK table, signatures and certificates. diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt index 3e3d38440f9..e79726bf2c5 100644 --- a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt +++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt @@ -79,18 +79,16 @@ code within it: The diagram below illustrate a signed U-Boot binary, DT blob and external ATF BL31 blob combined to form fitImage part of flash.bin container layout. -The *load_address is derived from CONFIG_TEXT_BASE such that the U-Boot -binary *start is placed exactly at CONFIG_SPL_TEXT_BASE in DRAM, however the -SPL moves the fitImage tree further to location: - *load_address = CONFIG_SPL_TEXT_BASE - CONFIG_FIT_EXTERNAL_OFFSET (=12kiB) - - 512 Byte sector - sizeof(mkimage header) +The *load_address is CONFIG_SPL_LOAD_FIT_ADDRESS, the fitImage is loaded +including all of its embedded data, authenticated using IVT+CSF concatenated +at the end of the fitImage at offset aligned to 4 kiB. The fitImage with +external data is not supported. ------- +-----------------------------+ <-- *load_address ^ | | | | fitImage tree | - | | with external data at | - | | offset 12 kiB from tree | - | | (cca. 1 kiB) | + | | with embedded data | + | | (cca. 1 MiB) | Signed | | | .----- Tree | +-----------------------------+ | Data | | Padding to next 4k aligned | @@ -101,34 +99,9 @@ SPL moves the fitImage tree further to location: | ------- +-----------------------------+ <-- *csf | | Command Sequence File (CSF) | | | for all signed entries in | - >--------------->| the fitImage, tree and data | - | | (cca 6-7 kiB) | - | +-----------------------------+ - | | Padding to 12 kiB offset | - | | from *load_address | - | ------- +-----------------------------+ <-- *start - | ^ | | - | Signed | | | - |---- Payload | | U-Boot external data blob | - | Data | | | - | v | | - | ------- +-----------------------------+ - | | Padding to 4 Bytes | - | ------- +-----------------------------+ - | ^ | | - | Signed | | | - |---- Payload | | ATF external data blob | - | Data | | | - | v | | - | ------- +-----------------------------+ - | | Padding to 4 Bytes | - | ------- +-----------------------------+ - | ^ | | - | Signed | | | - '---- Payload | | DTB external data blob | - Data | | | - v | | - ------- +-----------------------------+ + '---------------->| the fitImage, tree and data | + | (cca 6-7 kiB) | + +-----------------------------+ The diagram below illustrate a combined flash.bin container layout: @@ -202,29 +175,11 @@ dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc CSF "Blocks" line for csf_fit.txt can be generated as follows: ``` -# fitImage tree -fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) ) +# fitImage +fit_block_base=$(printf "0x%x" $(sed -n "/CONFIG_SPL_LOAD_FIT_ADDRESS=/ s@.*=@@p" .config) ) fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset)) -fit_block_size=$(printf "0x%x" $(( ( $(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) + 0x20 )) ) -sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# U-Boot -uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load)) -uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} ))) -uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size)) -sed -i "/0xuuuu/ s@.*@ $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# ATF -atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load)) -atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} ))) -atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size)) -sed -i "/0xaaaa/ s@.*@ $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp - -# DTB -dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} ))) -dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} ))) -dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size)) -sed -i "/0xdddd/ s@.*@ $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp +fit_block_size=$(printf "0x%x" $(( ( ( $(stat -tc %s u-boot.itb) + 0x1000 - 0x1 ) & ~(0x1000 - 0x1)) + 0x20 )) ) +sed -i "/Blocks = / s@.*@ Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\"@" csf_fit.tmp ``` The fitImage part of flash.bin requires separate IVT. Generate the IVT and @@ -237,8 +192,9 @@ csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | se ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20)) csf_block_offset=$((${ivt_block_offset} + 0x20)) -echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin +echo "0xd1002041 ${ivt_block_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc +``` To generate CSF signature for the fitImage part of flash.bin container, use CST: ``` |