[PATCH v2 0/2] i.MX6ULL: set engine software for Secure Boot on HABv4

[PATCH v2 0/2] i.MX6ULL: set engine software for Secure Boot on HABv4

[Maik Otto]

The i.MX6ULL has no CAAM engine for Secure Boot on HABv4. This patch series
set the engine software for i.MX6ULL and for the PHYTEC boards PCL-063 with
i.MX6ULL.

Changes in v2:
    - Rework in Patch 2 the file habv4-imx6-gencsf.h, because cst 3.3.1 fails 
      for engine software with parameter Feature.

Maik Otto (2):
  arch: arm: boards phytec: Split flash header for pcl063 with i.MX6Ul
    and i.MX6ULL
  arch: arm: mach-imx: Add habv4 config file for i.MX6ULL

 ...tec-pcl063-512mb.imxcfg => flash-header-phytec-pcl063-512mb.h} | 1 -
 .../phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg     | 3 +++
 ...63-256mb.imxcfg => flash-header-phytec-pcl063ull-256mb.imxcfg} | 2 +-
 .../phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg    | 3 +++
 arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h                | 8 ++++++++
 arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h             | 4 ++++
 images/Makefile.imx                                               | 8 ++++----
 7 files changed, 23 insertions(+), 6 deletions(-)
 rename arch/arm/boards/phytec-som-imx6/{flash-header-phytec-pcl063-512mb.imxcfg => flash-header-phytec-pcl063-512mb.h} (83%)
 create mode 100644 arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg
 rename arch/arm/boards/phytec-som-imx6/{flash-header-phytec-pcl063-256mb.imxcfg => flash-header-phytec-pcl063ull-256mb.imxcfg} (82%)
 create mode 100644 arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
 create mode 100644 arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h

-- 
2.7.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH v2 1/2] arch: arm: boards phytec: Split flash header for pcl063 with i.MX6Ul and i.MX6ULL

[Maik Otto]

i.MX6UL and i.MX6ULL have different engines for Secure Boot on HABv4.
For better differentiation rename existing pcl063 flash headers to
pcl063ul and pcl063ull.

Signed-off-by: Maik Otto <m.otto@phytec.de>
---
Changes in v2:
    - none
---
 ...tec-pcl063-512mb.imxcfg => flash-header-phytec-pcl063-512mb.h} | 1 -
 .../phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg     | 3 +++
 ...63-256mb.imxcfg => flash-header-phytec-pcl063ull-256mb.imxcfg} | 0
 .../phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg    | 3 +++
 images/Makefile.imx                                               | 8 ++++----
 5 files changed, 10 insertions(+), 5 deletions(-)
 rename arch/arm/boards/phytec-som-imx6/{flash-header-phytec-pcl063-512mb.imxcfg => flash-header-phytec-pcl063-512mb.h} (83%)
 create mode 100644 arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg
 rename arch/arm/boards/phytec-som-imx6/{flash-header-phytec-pcl063-256mb.imxcfg => flash-header-phytec-pcl063ull-256mb.imxcfg} (100%)
 create mode 100644 arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg

diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.h
similarity index 83%
rename from arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.imxcfg
rename to arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.h
index 26998c3..c4122d2 100644
--- a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.imxcfg
+++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-512mb.h
@@ -7,4 +7,3 @@
 	wm 32 0x021B0000 0x84180000
 
 #include "flash-header-phytec-pcl063.h"
-#include <mach/habv4-imx6-gencsf.h>
diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg
new file mode 100644
index 0000000..f629a8e
--- /dev/null
+++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ul-512mb.imxcfg
@@ -0,0 +1,3 @@
+
+#include "flash-header-phytec-pcl063-512mb.h"
+#include <mach/habv4-imx6-gencsf.h>
diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-256mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg
similarity index 100%
rename from arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063-256mb.imxcfg
rename to arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg
diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
new file mode 100644
index 0000000..f629a8e
--- /dev/null
+++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
@@ -0,0 +1,3 @@
+
+#include "flash-header-phytec-pcl063-512mb.h"
+#include <mach/habv4-imx6-gencsf.h>
diff --git a/images/Makefile.imx b/images/Makefile.imx
index 7b24e5f..3434a10 100644
--- a/images/Makefile.imx
+++ b/images/Makefile.imx
@@ -346,13 +346,13 @@ $(call build_imx_habv4img, CONFIG_MACH_GRINN_LITEBOARD, start_imx6ul_liteboard_5
 
 $(call build_imx_habv4img, CONFIG_MACH_NXP_IMX6ULL_EVK, start_nxp_imx6ull_evk, nxp-imx6ull-evk/flash-header-nxp-imx6ull-evk, nxp-imx6ull-evk)
 
-$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ul_som_nand_512mb, phytec-som-imx6/flash-header-phytec-pcl063-512mb, phytec-phycore-imx6ul-nand-512mb)
+$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ul_som_nand_512mb, phytec-som-imx6/flash-header-phytec-pcl063ul-512mb, phytec-phycore-imx6ul-nand-512mb)
 
-$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_lc_nand_256mb, phytec-som-imx6/flash-header-phytec-pcl063-256mb, phytec-phycore-imx6ull-lc-nand-256mb)
+$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_lc_nand_256mb, phytec-som-imx6/flash-header-phytec-pcl063ull-256mb, phytec-phycore-imx6ull-lc-nand-256mb)
 
-$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_nand_512mb, phytec-som-imx6/flash-header-phytec-pcl063-512mb, phytec-phycore-imx6ull-nand-512mb)
+$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_nand_512mb, phytec-som-imx6/flash-header-phytec-pcl063ull-512mb, phytec-phycore-imx6ull-nand-512mb)
 
-$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_emmc_512mb, phytec-som-imx6/flash-header-phytec-pcl063-512mb, phytec-phycore-imx6ull-emmc-512mb)
+$(call build_imx_habv4img, CONFIG_MACH_PHYTEC_SOM_IMX6, start_phytec_phycore_imx6ull_som_emmc_512mb, phytec-som-imx6/flash-header-phytec-pcl063ull-512mb, phytec-phycore-imx6ull-emmc-512mb)
 
 $(call build_imx_habv4img, CONFIG_MACH_PROTONIC_IMX6, start_imx6ul_prti6g, protonic-imx6/flash-header-prti6g, protonic-prti6g)
 
-- 
2.7.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH v2 2/2] arch: arm: mach-imx: Add habv4 config file for i.MX6ULL

[Maik Otto]

The i.MX6ULL has no CAAM engine for Secure Boot on HABv4 (NXP AN4581).
For i.MX6ULL the engine Software (SW) must used for the image
validation.

Signed-off-by: Maik Otto <m.otto@phytec.de>
---
Changes in v2:
    - Rework the file habv4-imx6-gencsf.h, because cst 3.3.1 fails for engine
      software with parameter Feature.
---
 .../phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg    | 2 +-
 .../phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg    | 2 +-
 arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h                | 8 ++++++++
 arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h             | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h

diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg
index b93e81f..e6871d8 100644
--- a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg
+++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-256mb.imxcfg
@@ -7,4 +7,4 @@
 	wm 32 0x021B0000 0x83180000
 
 #include "flash-header-phytec-pcl063.h"
-#include <mach/habv4-imx6-gencsf.h>
+#include <mach/habv4-imx6ull-gencsf.h>
diff --git a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
index f629a8e..d2d7183 100644
--- a/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
+++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
@@ -1,3 +1,3 @@
 
 #include "flash-header-phytec-pcl063-512mb.h"
-#include <mach/habv4-imx6-gencsf.h>
+#include <mach/habv4-imx6ull-gencsf.h>
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
index 17c4d79..ee21e0b 100644
--- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
@@ -14,7 +14,11 @@ hab Hash Algorithm = sha256
 hab Engine Configuration = 0
 hab Certificate Format = X509
 hab Signature Format = CMS
+#ifndef SETUP_HABV4_ENGINE
 hab Engine = CAAM
+#else
+hab Engine = SETUP_HABV4_ENGINE
+#endif
 
 hab [Install SRK]
 hab File = CONFIG_HABV4_TABLE_BIN
@@ -28,8 +32,12 @@ hab File = CONFIG_HABV4_CSF_CRT_PEM
 hab [Authenticate CSF]
 
 hab [Unlock]
+#ifndef SETUP_HABV4_ENGINE
 hab Engine = CAAM
 hab Features = RNG, MID
+#else
+hab Engine = SETUP_HABV4_ENGINE
+#endif
 
 hab [Install Key]
 /* verification key index in key store (0, 2...4) */
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h
new file mode 100644
index 0000000..54c4915
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6ull-gencsf.h
@@ -0,0 +1,4 @@
+
+#define SETUP_HABV4_ENGINE SW
+
+#include <mach/habv4-imx6-gencsf.h>
-- 
2.7.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

Re: [PATCH v2 2/2] arch: arm: mach-imx: Add habv4 config file for i.MX6ULL

[Sascha Hauer]

Hi Maik,

On Fri, Sep 11, 2020 at 09:37:37AM +0200, Maik Otto wrote:
> The i.MX6ULL has no CAAM engine for Secure Boot on HABv4 (NXP AN4581).
> For i.MX6ULL the engine Software (SW) must used for the image
> validation.
> 
> +++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
> @@ -1,3 +1,3 @@
>  
>  #include "flash-header-phytec-pcl063-512mb.h"
> -#include <mach/habv4-imx6-gencsf.h>
> +#include <mach/habv4-imx6ull-gencsf.h>
> diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> index 17c4d79..ee21e0b 100644
> --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h

I would prefer to rename this file to habv4-imx6-gencsf-template.h and
let it start with:

#ifndef SETUP_HABV4_ENGINE
#error "SETUP_HABV4_ENGINE undefined"
#endif

The habv4-imx6-gencsf.h would then only set the defines and include the
template file like you already did for the i.MX6ULL.

This makes it more clear what defines the file expects.

> @@ -14,7 +14,11 @@ hab Hash Algorithm = sha256
>  hab Engine Configuration = 0
>  hab Certificate Format = X509
>  hab Signature Format = CMS
> +#ifndef SETUP_HABV4_ENGINE
>  hab Engine = CAAM
> +#else
> +hab Engine = SETUP_HABV4_ENGINE
> +#endif
>  
>  hab [Install SRK]
>  hab File = CONFIG_HABV4_TABLE_BIN
> @@ -28,8 +32,12 @@ hab File = CONFIG_HABV4_CSF_CRT_PEM
>  hab [Authenticate CSF]
>  
>  hab [Unlock]
> +#ifndef SETUP_HABV4_ENGINE
>  hab Engine = CAAM
>  hab Features = RNG, MID
> +#else
> +hab Engine = SETUP_HABV4_ENGINE
> +#endif

Do we need this #ifdef here? Can't we instead have a
SETUP_HABV4_FEATURES macro and let the SoC specific files define it as

#define SETUP_HABV4_FEATURES RNG,MID

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

Re: [PATCH v2 2/2] arch: arm: mach-imx: Add habv4 config file for i.MX6ULL

[Maik Otto]

Hi Sascha,

Am 14.09.2020 um 10:44 schrieb Sascha Hauer:
> Hi Maik,
>
> On Fri, Sep 11, 2020 at 09:37:37AM +0200, Maik Otto wrote:
>> The i.MX6ULL has no CAAM engine for Secure Boot on HABv4 (NXP AN4581).
>> For i.MX6ULL the engine Software (SW) must used for the image
>> validation.
>>
>> +++ b/arch/arm/boards/phytec-som-imx6/flash-header-phytec-pcl063ull-512mb.imxcfg
>> @@ -1,3 +1,3 @@
>>  
>>  #include "flash-header-phytec-pcl063-512mb.h"
>> -#include <mach/habv4-imx6-gencsf.h>
>> +#include <mach/habv4-imx6ull-gencsf.h>
>> diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
>> index 17c4d79..ee21e0b 100644
>> --- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
>> +++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
> I would prefer to rename this file to habv4-imx6-gencsf-template.h and
> let it start with:
>
> #ifndef SETUP_HABV4_ENGINE
> #error "SETUP_HABV4_ENGINE undefined"
> #endif
>
> The habv4-imx6-gencsf.h would then only set the defines and include the
> template file like you already did for the i.MX6ULL.
>
> This makes it more clear what defines the file expects.
ok, is fine. I will change it
>> @@ -14,7 +14,11 @@ hab Hash Algorithm = sha256
>>  hab Engine Configuration = 0
>>  hab Certificate Format = X509
>>  hab Signature Format = CMS
>> +#ifndef SETUP_HABV4_ENGINE
>>  hab Engine = CAAM
>> +#else
>> +hab Engine = SETUP_HABV4_ENGINE
>> +#endif
>>  
>>  hab [Install SRK]
>>  hab File = CONFIG_HABV4_TABLE_BIN
>> @@ -28,8 +32,12 @@ hab File = CONFIG_HABV4_CSF_CRT_PEM
>>  hab [Authenticate CSF]
>>  
>>  hab [Unlock]
>> +#ifndef SETUP_HABV4_ENGINE
>>  hab Engine = CAAM
>>  hab Features = RNG, MID
>> +#else
>> +hab Engine = SETUP_HABV4_ENGINE
>> +#endif
> Do we need this #ifdef here? Can't we instead have a
> SETUP_HABV4_FEATURES macro and let the SoC specific files define it as
>
> #define SETUP_HABV4_FEATURES RNG,MID

yes we need it, because the cst tool in version 3.3.1 fails for hab
Engine = SW with hab Features =
The older versions of cst tool had no problem with it.

I rework it to
#ifdef SETUP_HABV4_FEATURES
hab FEATURES = SETUP_HABV4_FEATURES
#endif

>
> Sascha
>


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox