path: root/arch/arm/mach-imx/hab.c
Commit message (Author, Age, Files, Lines)
* imx :hab: Add hab version command (Sjoerd Simons, 2019-10-14, 1 file, -0/+21)

  The RVT data includes a major and minor version in its header parameter. Add a new command to print this out.

  Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
* configs: Rename CONFIG_IMAGE_FORMAT_LEGACY to CONFIG_LEGACY_IMAGE_FORMAT (Tom Rini, 2019-07-11, 1 file, -1/+1)

  The name CONFIG_LEGACY_IMAGE_FORMAT reads slightly better along with allowing us to avoid a rather nasty Kbuild/Kconfig issue down the line with CONFIG_IS_ENABLED(IMAGE_FORMAT_LEGACY). In a few places outside of cmd/ switch to using CONFIG_IS_ENABLED() to test what is set.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* mx6sl: hab: Fix pu_irom_mmu_enabled address (Breno Matheus Lima, 2019-06-27, 1 file, -1/+1)

  According to hab.c code we have to notify the ROM code if the MMU is enabled or not. This is achieved by setting the "pu_irom_mmu_enabled" to 0x1.

  The current address in hab.c code is wrong for i.MX6SL, according to ROM map file the correct address is 0x00901c60.

  As we are writing in the wrong address the ROM code is not flushing the caches when needed, and the following HAB event is observed in certain scenarios:

  --------- HAB Event 1 -----------------
  event data:
   0xdb 0x00 0x14 0x41 0x33 0x18 0xc0 0x00
   0xca 0x00 0x0c 0x00 0x01 0xc5 0x00 0x00
   0x00 0x00 0x07 0xe4

  STS = HAB_FAILURE (0x33)
  RSN = HAB_INV_SIGNATURE (0x18)
  CTX = HAB_CTX_COMMAND (0xC0)
  ENG = HAB_ENG_ANY (0x00)

  Update MX6SL_PU_IROM_MMU_EN_VAR to address this issue.

  Reported-by: Frank Zhang <frank.zhang@nxp.com>
  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Ye Li <ye.li@nxp.com>
  Reviewed-by: Fabio Estevam <festevam@gmail.com>
* imx: hab: Convert non-NULL IVT DCD pointer warning to an error (Breno Matheus Lima, 2019-01-28, 1 file, -2/+4)

  The following NXP application notes and manual recommend to ensure the IVT DCD pointer is Null prior to calling HAB API authenticate_image() function:

  - AN12263: HABv4 RVT Guidelines and Recommendations
  - AN4581: Secure Boot on i.MX50, i.MX53, i.MX 6 and i.MX7 Series using HABv4
  - CST docs: High Assurance Boot Version 4 Application Programming Interface Reference Manual

  Commit ca89df7dd46f ("imx: hab: Convert DCD non-NULL error to warning") converted DCD non-NULL error to warning due to the lack of documentation at the time of first patch submission. We have warned U-Boot users since v2018.03, and it makes sense now to follow the NXP recommendation to ensure the IVT DCD pointer is Null.

  DCD commands should only be present in the initial boot image loaded by the SoC ROM. Starting in HAB v4.3.7 the HAB code will generate an error if a DCD pointer is present in an image being authenticated by calling the HAB RVT API. Older versions of HAB will process and run DCD if it is present, and this could lead to an incorrect authentication boot flow.

  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <festevam@gmail.com>
* imx: hab: extend hab_auth_img to calculate ivt_offset (Parthiban Nallathambi, 2019-01-01, 1 file, -2/+27)

  Current implementation of hab_auth_img command needs ivt_offset to authenticate the image. But ivt header is placed at the end of image date after padding.

  This leaves the usage of hab_auth_img command to fixed size or static offset for ivt header. New function "get_image_ivt_offset" is introduced to find the ivt offset during runtime. The case conditional check in this function is same as boot_get_kernel in common/bootm.c

  With this variable length image e.g. FIT image with any random size can have IVT at the end and ivt_offset option can be left optional

  Can be used as "hab_auth_img $loadaddr $filesize" from u-boot script

  Signed-off-by: Parthiban Nallathambi <pn@denx.de>
  Reviewed-by: Breno Lima <breno.lima@nxp.com>
* SPDX: Convert all of our single license tags to Linux Kernel style (Tom Rini, 2018-05-07, 1 file, -2/+1)

  When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us.

  In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style.

  This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* Merge git://git.denx.de/u-boot-imx (Tom Rini, 2018-04-15, 1 file, -0/+35)
|\
  Signed-off-by: Tom Rini <trini@konsulko.com>
| * imx: hab: Provide hab_auth_img_or_fail command (Bryan O'Donoghue, 2018-04-15, 1 file, -0/+35)

  This patch adds hab_auth_img_or_fail() a command line function that encapsulates a common usage of authenticate and failover, namely if authenticate image fails, then drop to BootROM USB recovery mode.

  For secure-boot systems, this type of locked down behavior is important to ensure no unsigned images can be run.

  It's possible to script this logic but, when done over and over again the environment starts to get very complex and repetitive, reducing that script repetition down to a command line function makes sense.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
  Cc: Breno Lima <breno.lima@nxp.com>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Tested-by: Breno Lima <breno.lima@nxp.com>
* | imx: hab: Convert DCD non-NULL error to warning (Bryan O'Donoghue, 2018-03-13, 1 file, -4/+2)
|/
  commit 8c4037a09a5c ("imx: hab: Ensure the IVT DCD pointer is Null prior to calling HAB authenticate function.") makes the DCD field being NULL a dependency.

  This change though will break loading and executing of existing pre-signed binaries on a u-boot update i.e. if this change is deployed on a board you will be forced to redo all images on that board to NULL out the DCD.

  There is no prior guidance from NXP that the DCD must be NULL similarly public guidance on usage of the HAB doesn't call out this NULL dependency (see boundary devices link).

  Since later SoCs will reject a non-NULL DCD there's no reason to make a NULL DCD a requirement, however if there is an actual dependency for later SoCs the appropriate fix would be to do SoC version checking.

  Earlier SoCs are capable (and happy) to authenticate images with non-NULL DCDs, we should not be forcing this change on downstream users - particularly if it means those users now must rewrite their build systems and/or redeploy signed images in the field.

  Fixes: 8c4037a09a5c ("imx: hab: Ensure the IVT DCD pointer is Null prior to calling HAB authenticate function.")
  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
  Cc: Breno Lima <breno.lima@nxp.com>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Link: https://boundarydevices.com/high-assurance-boot-hab-dummies
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Define HAB_RVT_BASE according to the processor version (Breno Lima, 2018-02-22, 1 file, -97/+9)

  Currently the following devices are using a different definition for ROM Vector Table addresses:

  - i.MX6DQP = All rev
  - i.MX6DQ >= rev 1.5
  - i.MX6SDL >= rev 1.2

  There is no need to create a new RVT macros since the only update were the RVT base address. Remove HAB_RVT_*_NEW macros and define a new RVT base address.

  More details about RVT base address can be found on processors Reference Manual and in the following documents:

  EB803: i.MX 6Dual/6Quad Applications Processor Silicon Revision 1.2 to 1.3 Comparison
  EB804: i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1 to 1.2/1.3 Comparison

  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* imx: hab: Check if CSF contains deprecated commands (Utkarsh Gupta, 2018-02-22, 1 file, -0/+20)

  Write, Check and Set MID commands have been deprecated from the Code Signing Tool (CST) v2.3.3 and will not be implemented in newer versions of HAB, hence the following features are no longer available:

  - Write Data
  - Clear Mask
  - Set Mask
  - Check All Clear
  - Check All Set
  - Check Any Clear
  - Check Any Set
  - Set MID

  The inappropriate use of Write Data command may lead to an incorrect authentication boot flow. Since no specific application has been identified that requires the use of any of these features, it is highly recommended to add this check.

  Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* imx: hab: Check if CSF is valid before authenticating image (Utkarsh Gupta, 2018-02-22, 1 file, -0/+81)

  For proper authentication the HAB code must check if the CSF is valid. Users must call the csf_is_valid() function to parse the CSF prior to authenticating any additional images. The function will return a failure if any of the following invalid conditions are met:

  - CSF pointer is NULL
  - CSF Header does not exist
  - CSF does not lie within the image bounds
  - CSF command length zero

  Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* imx: hab: Ensure the IVT DCD pointer is Null prior to calling HAB authenticate function. (Utkarsh Gupta, 2018-02-22, 1 file, -0/+6)

  DCD commands should only be present in the initial boot image loaded by the SoC ROM. DCD should not be present in images that will be verified by software using HAB RVT authentication APIs. Newer versions of HAB will generate an error if a DCD pointer is present in an image being authenticated by calling the HAB RVT API. Older versions of HAB will process and run DCD if it is present, and this could lead to an incorrect authentication boot flow.

  It is highly recommended this check is in place to ensure additional HAB verified images do not include a DCD table.

  Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* imx: hab: Keep CAAM clock enabled after authenticating additional images (Breno Lima, 2018-02-22, 1 file, -4/+3)

  Currently it is not possible to run CMD_DEK on i.MX SPL targets:

  => dek_blob 0x12000000 0x12001000 128

  The system hangs after running dek_blob because the CAAM clock is being disabled by the HAB code. There is no need to disable CAAM clock after authenticating additional boot images, thus keep CAAM clock enabled to address this issue.

  Signed-off-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Add hab_failsafe console command (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+21)

  hab_failsafe when called puts the part into BootROM recovery mode. This will allow u-boot scripts to script the dropping down into recovery mode.

  => hab_failsafe

  Shows the i.MX7 appear as "hiddev0,hidraw5: USB HID v1.10 Device [Freescale SemiConductor Inc SP Blank ULT1] " in a Linux dmesg thus allowing download of a new image via the BootROM USB download protocol routine.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Implement hab_rvt_failsafe (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+15)

  This patch implements the basic callback hooks for hab_rvt_check_failsafe for BootROM code using the older BootROM address layout - in my test case the i.MX7. Code based on new BootROM callbacks will just do nothing and there's definitely a TODO to implement that extra functionality on the alternative BootROM API.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Make imx_hab_is_enabled global (Bryan O'Donoghue, 2018-01-14, 1 file, -3/+1)

  It will be helpful to boot commands to know if the HAB is enabled. Export imx_hab_is_enabled() now to facilitate further work with this data-point in a secure-boot context.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Make authenticate_image() return zero on open boards (Bryan O'Donoghue, 2018-01-14, 1 file, -1/+1)

  The BootROM will not successfully process a HAB image passed by u-boot unless the board has been set into locked mode. Some of the existing usages of authenticate_image() expect and rely on unlocked boards doing the following

  1. Not calling into the BootROM authenticate_image() callback
  2. Returning a pass status for authenticate_image() calls anyway

  A previous patch removed the necessity to call into imx_hab_is_enabled() twice. This patch ensures the reliance on authenticate_image() returning zero is maintained.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Suggested-by: Breno Matheus Lima <brenomatheus@gmail.com>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
* arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled (Bryan O'Donoghue, 2018-01-14, 1 file, -4/+4)

  Understanding if the HAB is enabled is something that we want to interrogate and report on outside of the HAB layer. First step to that is renaming the relevant function to match the previously introduced external naming convention imx_hab_function()

  The name imx_hab_is_hab_enabled() is a tautology. A more logical name is imx_hab_is_enabled().

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Prefix authenticate_image with imx_hab (Bryan O'Donoghue, 2018-01-14, 1 file, -3/+3)

  Tidy up the HAB namespace a bit by prefixing external functions with imx_hab. All external facing functions past this point will be prefixed in the same way to make the fact we are doing IMX HAB activities clear from reading the code. authenticate_image() could mean anything imx_hab_authenticate_image() is on the other hand very explicit.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Make internal functions and data static (Bryan O'Donoghue, 2018-01-14, 1 file, -75/+84)

  There is no need to export these functions and data structures externally. Make them all static now.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Print HAB event log only after calling ROM (Bryan O'Donoghue, 2018-01-14, 1 file, -5/+7)

  The current flow of authenticate_image() will print the HAB event log even if we reject an element of the IVT header before ever calling into the ROM. This can be confusing.

  This patch changes the flow of the code so that the HAB event log is only printed out if we have called into the ROM and received some sort of status code.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Suggested-by: Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Add a hab_rvt_check_target to image auth (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+9)

  Add a hab_rvt_check_target() step to authenticate_image() as a sanity check for the target memory region authenticate_image() will run over, prior to making the BootROM authentication callback itself.

  This check is recommended by the HAB documentation so it makes sense to adhere to the guidance and perform that check as directed.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Implement hab_rvt_check_target (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+18)

  This patch implements the basic callback hooks for hab_rvt_check_target() for BootROM code using the older BootROM address layout - in my test case the i.MX7. Code based on new BootROM callbacks will just have HAB_SUCCESS as a result code. Adding support for the new BootROM callbacks is a TODO.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Print additional IVT elements during debug (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+2)

  This patch enables printout of the IVT entry, dcd and csf data fields.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Print CSF based on IVT descriptor (Bryan O'Donoghue, 2018-01-14, 1 file, -2/+1)

  The IVT gives the absolute address of the CSF. There is no requirement for the CSF to be located adjacent to the IVT so let's use the address provided in the IVT header instead of the hard-coded fixed CSF offset currently in place.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Only call ROM once headers are verified (Bryan O'Donoghue, 2018-01-14, 1 file, -5/+6)

  Previous patches added IVT header verification steps. We shouldn't call hab_rvt_entry() until we have done the basic header verification steps.

  This patch changes the time we make the hab_rvt_entry() call so that it only takes place if we are happy with the IVT header sanity checks.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Verify IVT self matches calculated address (Bryan O'Donoghue, 2018-01-14, 1 file, -0/+7)

  The IVT is a self-describing structure which contains a self field. The self field is the absolute physical base address the IVT ought to be at in memory. Use the IVT self field to validate the calculated ivt_addr bugging out if the two values differ.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Add IVT header verification (Bryan O'Donoghue, 2018-01-14, 1 file, -2/+34)

  The IVT header contains a magic number, fixed length and one of two version identifiers. Validate these settings before doing anything with a putative IVT binary.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Fix authenticate_image input parameters (Bryan O'Donoghue, 2018-01-14, 1 file, -52/+21)

  u-boot command "hab_auth_img" tells a user that it takes

  - addr - image hex address
  - offset - hex offset of IVT in the image

  but in fact the callback hab_auth_img makes to authenticate_image treats the second 'offset' parameter as an image length.

  Furthermore existing code requires the IVT header to be appended to the end of the image which is not actually a requirement of HABv4.

  This patch fixes this situation by

  1: Adding a new parameter to hab_auth_img
     - addr : image hex address
     - length : total length of the image
     - offset : offset of IVT from addr

  2: Updates the existing call into authenticate_image() in arch/arm/mach-imx/spl.c:jump_to_image_no_args() to pass addr, length and IVT offset respectively.

  This allows then hab_auth_img to actually operate the way it was specified in the help text and should still allow existing code to work.

  It has the added advantage that the IVT header doesn't have to be appended to an image given to HAB - it can be prepended for example.

  Note prepending the IVT is what u-boot will do when making an IVT for the BootROM. It should be possible for u-boot properly authenticate images made by mkimage via HAB.

  This patch is the first step in making that happen subsequent patches will focus on removing hard-coded offsets to the IVT, which again is not mandated to live at the end of a .imx image.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Move CSF_PAD_SIZE to hab.h (Bryan O'Donoghue, 2018-01-14, 1 file, -1/+0)

  CSF_PAD_SIZE should be defined in hab.h, move it to that location now.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Move IVT_SIZE to hab.h (Bryan O'Donoghue, 2018-01-14, 1 file, -1/+0)

  The size of the IVT header should be defined in hab.h move it there now.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail (Bryan O'Donoghue, 2018-01-14, 1 file, -58/+60)

  The current code disjoins an entire block of code on hab_entry pass/fail resulting in a large chunk of authenticate_image being offset to the right.

  Fix this by checking hab_entry() pass/failure and exiting the function directly if in an error state.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail (Bryan O'Donoghue, 2018-01-14, 1 file, -69/+69)

  There is no need to call is_enabled() twice in authenticate_image - it does nothing but add an additional layer of indentation.

  We can check for is_enabled() at the start of the function and return the result code directly.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Fix authenticate_image result code (Bryan O'Donoghue, 2018-01-14, 1 file, -3/+6)

  authenticate_image returns 1 for success and 0 for failure. That result code is mapped directly to the result code for the command line function hab_auth_img - which means when hab_auth_img succeeds it is returning CMD_RET_FAILURE (1) instead of CMD_RET_SUCCESS (0).

  This patch fixes this behaviour by making authenticate_image() return 0 for success and 1 for failure. Both users of authenticate_image() as a result have some minimal churn. The upshot is once done when hab_auth_img is called from the command line we set $? in the standard way for scripting functions to act on.

  Fixes: 36c1ca4d46ef ("imx: Support i.MX6 High Assurance Boot authentication")
  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* arm: imx: hab: Make authenticate_image return int (Bryan O'Donoghue, 2018-01-14, 1 file, -1/+1)

  Both usages of authenticate_image treat the result code as a simple binary. The command line usage of authenticate_image directly returns the result code of authenticate_image as a success/failure code.

  Right now when calling hab_auth_img and test the result code in a shell a passing hab_auth_img will appear to the shell as a fail.

  The first step in fixing this behaviour is to fix-up the result code return by authenticate_image() itself, subsequent patches fix the interpretation of authenticate_image so that zero will return CMD_RET_SUCCESS and non-zero will return CMD_RET_FAILURE.

  The first step is fixing the return type in authenticate_image() so do that now.

  Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
  Cc: Stefano Babic <sbabic@denx.de>
  Cc: Fabio Estevam <fabio.estevam@nxp.com>
  Cc: Peng Fan <peng.fan@nxp.com>
  Cc: Albert Aribaud <albert.u.boot@aribaud.net>
  Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  Cc: George McCollister <george.mccollister@gmail.com>
  Cc: Breno Matheus Lima <brenomatheus@gmail.com>
  Tested-by: Breno Lima <breno.lima@nxp.com>
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
* imx: reorganize IMX code as other SOCs (Stefano Babic, 2017-07-12, 1 file, -0/+516)

  Change is consistent with other SOCs and it is in preparation for adding SOMs. SOC's related files are moved from cpu/ to mach-imx/<SOC>.

  This change is also coherent with the structure in kernel.

  Signed-off-by: Stefano Babic <sbabic@denx.de>
  CC: Fabio Estevam <fabio.estevam@nxp.com>
  CC: Akshay Bhat <akshaybhat@timesys.com>
  CC: Ken Lin <Ken.Lin@advantech.com.tw>
  CC: Marek Vasut <marek.vasut@gmail.com>
  CC: Heiko Schocher <hs@denx.de>
  CC: "Sébastien Szymanski" <sebastien.szymanski@armadeus.com>
  CC: Christian Gmeiner <christian.gmeiner@gmail.com>
  CC: Stefan Roese <sr@denx.de>
  CC: Patrick Bruenn <p.bruenn@beckhoff.com>
  CC: Troy Kisky <troy.kisky@boundarydevices.com>
  CC: Nikita Kiryanov <nikita@compulab.co.il>
  CC: Otavio Salvador <otavio@ossystems.com.br>
  CC: "Eric Bénard" <eric@eukrea.com>
  CC: Jagan Teki <jagan@amarulasolutions.com>
  CC: Ye Li <ye.li@nxp.com>
  CC: Peng Fan <peng.fan@nxp.com>
  CC: Adrian Alonso <adrian.alonso@nxp.com>
  CC: Alison Wang <b18965@freescale.com>
  CC: Tim Harvey <tharvey@gateworks.com>
  CC: Martin Donnelly <martin.donnelly@ge.com>
  CC: Marcin Niestroj <m.niestroj@grinn-global.com>
  CC: Lukasz Majewski <lukma@denx.de>
  CC: Adam Ford <aford173@gmail.com>
  CC: "Albert ARIBAUD (3ADEV)" <albert.aribaud@3adev.fr>
  CC: Boris Brezillon <boris.brezillon@free-electrons.com>
  CC: Soeren Moch <smoch@web.de>
  CC: Richard Hu <richard.hu@technexion.com>
  CC: Wig Cheng <wig.cheng@technexion.com>
  CC: Vanessa Maegima <vanessa.maegima@nxp.com>
  CC: Max Krummenacher <max.krummenacher@toradex.com>
  CC: Stefan Agner <stefan.agner@toradex.com>
  CC: Markus Niebel <Markus.Niebel@tq-group.com>
  CC: Breno Lima <breno.lima@nxp.com>
  CC: Francesco Montefoschi <francesco.montefoschi@udoo.org>
  CC: Jaehoon Chung <jh80.chung@samsung.com>
  CC: Scott Wood <oss@buserror.net>
  CC: Joe Hershberger <joe.hershberger@ni.com>
  CC: Anatolij Gustschin <agust@denx.de>
  CC: Simon Glass <sjg@chromium.org>
  CC: "Andrew F. Davis" <afd@ti.com>
  CC: "Łukasz Majewski" <l.majewski@samsung.com>
  CC: Patrice Chotard <patrice.chotard@st.com>
  CC: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
  CC: Hans de Goede <hdegoede@redhat.com>
  CC: Masahiro Yamada <yamada.masahiro@socionext.com>
  CC: Stephen Warren <swarren@nvidia.com>
  CC: Andre Przywara <andre.przywara@arm.com>
  CC: "Álvaro Fernández Rojas" <noltari@gmail.com>
  CC: York Sun <york.sun@nxp.com>
  CC: Xiaoliang Yang <xiaoliang.yang@nxp.com>
  CC: Chen-Yu Tsai <wens@csie.org>
  CC: George McCollister <george.mccollister@gmail.com>
  CC: Sven Ebenfeld <sven.ebenfeld@gmail.com>
  CC: Filip Brozovic <fbrozovic@gmail.com>
  CC: Petr Kulhavy <brain@jikos.cz>
  CC: Eric Nelson <eric@nelint.com>
  CC: Bai Ping <ping.bai@nxp.com>
  CC: Anson Huang <Anson.Huang@nxp.com>
  CC: Sanchayan Maity <maitysanchayan@gmail.com>
  CC: Lokesh Vutla <lokeshvutla@ti.com>
  CC: Patrick Delaunay <patrick.delaunay@st.com>
  CC: Gary Bisson <gary.bisson@boundarydevices.com>
  CC: Alexander Graf <agraf@suse.de>
  CC: u-boot@lists.denx.de
  Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
  Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>