mail archive of the barebox mailing list
* [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support
@ 2025-02-18 14:04 Sascha Hauer
  2025-02-18 14:04 ` [PATCH 2/2] ARM: i.MX9: Enable PBL_VERIFY_PIGGY with non INSECURE Sascha Hauer
  2025-02-19 10:43 ` [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support Marco Felsch
  0 siblings, 2 replies; 4+ messages in thread
From: Sascha Hauer @ 2025-02-18 14:04 UTC
  To: Barebox List

Some i.MX6 configurations use the xload mechanism. With this the ROM
only loads and verifies the PBL. The PBL will then load barebox proper.
Without verification the barebox proper binary is untrusted and could be
modified. Select PBL_VERIFY_PIGGY when HABV4 is enabled to ensure the
barebox proper binary has not been tampered with.

Boards not using the xload mechanism don't need this option, but there
is no good way to detect currently if the xload mechanism is used, so
these boards will have to live with a slightly increased binary size
for now.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 58b32b8e91..424c7d71a6 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -127,6 +127,7 @@ config ARCH_IMX6
 	select PINCTRL_IMX_IOMUX_V3
 	select COMMON_CLK_OF_PROVIDER
 	select HW_HAS_PCI
+	select PBL_VERIFY_PIGGY if HABV4
 
 config ARCH_IMX6SL
 	bool
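
Review bot: The `select PBL_VERIFY_PIGGY if HABV4` line under `config ARCH_IMX6` applies to every i.MX6 build with HABV4 enabled, not only to the boards that use xload, and nothing in the Kconfig entry records that this is a deliberate over-approximation. Consider moving the select to the symbols that actually enable xload loading (the follow-up in this thread names MCI_IMX_ESDHC_PBL and a not-yet-existing symbol for SPI xload), or at least add a short comment above the select saying why it sits here. Since `select` forces the symbol on without evaluating the selected symbol's own `depends on`, also confirm that PBL_VERIFY_PIGGY has no dependency that can be unmet when HABV4 is set.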
-- 
2.39.5





* [PATCH 2/2] ARM: i.MX9: Enable PBL_VERIFY_PIGGY with non INSECURE
  2025-02-18 14:04 [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support Sascha Hauer
@ 2025-02-18 14:04 ` Sascha Hauer
  2025-02-19 10:43 ` [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support Marco Felsch
  1 sibling, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2025-02-18 14:04 UTC
  To: Barebox List

i.MX93 boards load barebox proper in the PBL. In a verified boot
scenario this binary must be verified before executing it, so
enable PBL_VERIFY_PIGGY when INSECURE is disabled.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 424c7d71a6..239ad674b5 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -190,6 +190,7 @@ config ARCH_IMX93
 	select PINCTRL_IMX_IOMUX_V3
 	select COMMON_CLK_OF_PROVIDER
 	select ARCH_HAS_FEC_IMX
+	select PBL_VERIFY_PIGGY if !INSECURE
 
 config ARCH_VF610
 	bool
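
Review bot: The new select under `config ARCH_IMX93` is conditioned on `!INSECURE`, while the i.MX6 select in patch 1/2 is conditioned on `HABV4`, and the commit message does not say why the absence of INSECURE is the right stand-in for "verified boot scenario" on i.MX93. A sentence in the commit message or a comment next to the select explaining the choice would make the difference between the two patches reviewable. It is also worth stating that every i.MX93 configuration with INSECURE disabled now takes the PBL size increase.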
-- 
2.39.5





* Re: [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support
  2025-02-18 14:04 [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support Sascha Hauer
  2025-02-18 14:04 ` [PATCH 2/2] ARM: i.MX9: Enable PBL_VERIFY_PIGGY with non INSECURE Sascha Hauer
@ 2025-02-19 10:43 ` Marco Felsch
  2025-02-19 12:13   ` Sascha Hauer
  1 sibling, 1 reply; 4+ messages in thread
From: Marco Felsch @ 2025-02-19 10:43 UTC
  To: Sascha Hauer; +Cc: Barebox List

Hi Sascha,

On 25-02-18, Sascha Hauer wrote:
> Some i.MX6 configurations use the xload mechanism. With this the ROM
> only loads and verifies the PBL. The PBL will then load barebox proper.
> Without verification the barebox proper binary is untrusted and could be
> modified. Select PBL_VERIFY_PIGGY when HABV4 is enabled to ensure the
> barebox proper binary has not been tampered with.
> 
> Boards not using the xload mechanism don't need this option, but there
> is no good way to detect currently if the xload mechanism is used, so
> these boards will have to live with a slightly increased binary size
> for now.

I have no objections but do you have numbers? There are many i.MX6 based
systems which do use a spi-nor with limited amount of space already
facing size issues since barebox is becoming bigger and bigger.

Regards,
  Marco




* Re: [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support
  2025-02-19 10:43 ` [PATCH 1/2] ARM: i.MX6: Enable PBL_VERIFY_PIGGY with HABV4 support Marco Felsch
@ 2025-02-19 12:13   ` Sascha Hauer
  0 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2025-02-19 12:13 UTC
  To: Marco Felsch; +Cc: Barebox List

On Wed, Feb 19, 2025 at 11:43:29AM +0100, Marco Felsch wrote:
> Hi Sascha,
> 
> On 25-02-18, Sascha Hauer wrote:
> > Some i.MX6 configurations use the xload mechanism. With this the ROM
> > only loads and verifies the PBL. The PBL will then load barebox proper.
> > Without verification the barebox proper binary is untrusted and could be
> > modified. Select PBL_VERIFY_PIGGY when HABV4 is enabled to ensure the
> > barebox proper binary has not been tampered with.
> > 
> > Boards not using the xload mechanism don't need this option, but there
> > is no good way to detect currently if the xload mechanism is used, so
> > these boards will have to live with a slightly increased binary size
> > for now.
> 
> I have no objections but do you have numbers? There are many i.MX6 based
> systems which do use a spi-nor with limited amount of space already
> facing size issues since barebox is becoming bigger and bigger.

Enabling PBL_VERIFY_PIGGY increases the PBL by about ~6k on ARM/ARM64.

We could add the select to MCI_IMX_ESDHC_PBL instead. The SPI xload
code doesn't have a corresponding Kconfig symbol though, so we would
have to add that first.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


