mail archive of the barebox mailing list
* HAB/SecureBoot on IMX8MN
@ 2022-10-13  5:20 BAUER Bernd
  2022-10-13  7:32 ` Sascha Hauer
  0 siblings, 1 reply; 5+ messages in thread
From: BAUER Bernd @ 2022-10-13  5:20 UTC (permalink / raw)
  To: Barebox Mailingliste

Hi!

I have a question regarding SecureBoot/HAB and IMX8MN.
In barebox I can only enable HAB if the architecture is set to IMX8MQ.
My project is based on an IMX8MN.

Can I just extend the definition to IMX8MN and enable SecureBoot for the IMX8MN?
Does this work? Or are there differences in the registers that have to be implemented first?

Greets Bernd



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: HAB/SecureBoot on IMX8MN
  2022-10-13  5:20 HAB/SecureBoot on IMX8MN BAUER Bernd
@ 2022-10-13  7:32 ` Sascha Hauer
  2022-10-13  7:34   ` AW: " BAUER Bernd
  0 siblings, 1 reply; 5+ messages in thread
From: Sascha Hauer @ 2022-10-13  7:32 UTC (permalink / raw)
  To: BAUER Bernd; +Cc: Barebox Mailingliste

Hi Bernd,

On Thu, Oct 13, 2022 at 05:20:06AM +0000, BAUER Bernd wrote:
> Hi!
> 
> I have a question regarding SecureBoot/HAB and IMX8MN.
> In barebox I can only enable HAB if the architecture is set to IMX8MQ.
> My project is based on an IMX8MN.
> 
> Can I just extend the definition to IMX8MN and enable SecureBoot for the IMX8MN?
> Does this work? Or are there differences in the registers that have to be implemented first?

From a quick glance at the corresponding U-Boot code I'd say that
HAB support is identical between the different i.MX8M variants, so
the following might indeed be a good start exploring it. I have no idea
though if there are any subtle differences between the SoCs.

Sascha

--------------------------------8<--------------------------

From 0daeceb70f0dfe0d2fdb65c986a613fe2d3d6203 Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.hauer@pengutronix.de>
Date: Thu, 13 Oct 2022 09:30:23 +0200
Subject: [PATCH] Enable HAB on i.MX8M

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index dcb70c8c1a..8d3f75e3d1 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -902,7 +902,7 @@ config HABV4
 	select HAB
 	select NVMEM
 	select IMX_OCOTP
-	depends on ARCH_IMX6 || ARCH_IMX8MQ
+	depends on ARCH_IMX6 || ARCH_IMX8M
 	depends on OFDEVICE
 	help
 	  High Assurance Boot, as found on i.MX28/i.MX6/i.MX8MQ.
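Review bot: The help text on the last context line still reads "High Assurance Boot, as found on i.MX28/i.MX6/i.MX8MQ." although the dependency now admits every ARCH_IMX8M variant; update the help string in the same change so it matches the SoCs that can select HABV4. The commit message also has no body: since this makes HABV4 selectable on i.MX8M variants other than i.MX8MQ, it should say which of them were actually tested, or state that the others are untested.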
-- 
2.30.2


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



^ permalink raw reply	[flat|nested] 5+ messages in thread

* AW: HAB/SecureBoot on IMX8MN
  2022-10-13  7:32 ` Sascha Hauer
@ 2022-10-13  7:34   ` BAUER Bernd
  2022-10-13  8:17     ` Sascha Hauer
  2022-10-13  8:32     ` AW: " Rouven Czerwinski
  0 siblings, 2 replies; 5+ messages in thread
From: BAUER Bernd @ 2022-10-13  7:34 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: Barebox Mailingliste

Hi Sascha!

Thank you! I'll try it.

Greets Bernd

-----Original Message-----
From: Sascha Hauer <sha@pengutronix.de>
Sent: Thursday, 13 October 2022 09:32
To: BAUER Bernd <bernd.bauer@ses-imagotag.com>
Cc: Barebox Mailingliste <barebox@lists.infradead.org>
Subject: Re: HAB/SecureBoot on IMX8MN

Hi Bernd,

On Thu, Oct 13, 2022 at 05:20:06AM +0000, BAUER Bernd wrote:
> Hi!
> 
> I have a question regarding SecureBoot/HAB and IMX8MN.
> In barebox I can only enable HAB if the architecture is set to IMX8MQ.
> My project is based on an IMX8MN.
> 
> Can I just extend the definition to IMX8MN and enable SecureBoot for the IMX8MN?
> Does this work? Or are there differences in the registers that have to be implemented first?

From a quick glance at the corresponding U-Boot code I'd say that HAB support is identical between the different i.MX8M variants, so the following might indeed be a good start exploring it. I have no idea though if there are any subtle differences between the SoCs.

Sascha

--------------------------------8<--------------------------

From 0daeceb70f0dfe0d2fdb65c986a613fe2d3d6203 Mon Sep 17 00:00:00 2001
From: Sascha Hauer <s.hauer@pengutronix.de>
Date: Thu, 13 Oct 2022 09:30:23 +0200
Subject: [PATCH] Enable HAB on i.MX8M

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index dcb70c8c1a..8d3f75e3d1 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -902,7 +902,7 @@ config HABV4
 	select HAB
 	select NVMEM
 	select IMX_OCOTP
-	depends on ARCH_IMX6 || ARCH_IMX8MQ
+	depends on ARCH_IMX6 || ARCH_IMX8M
 	depends on OFDEVICE
 	help
 	  High Assurance Boot, as found on i.MX28/i.MX6/i.MX8MQ.
--
2.30.2


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: HAB/SecureBoot on IMX8MN
  2022-10-13  7:34   ` AW: " BAUER Bernd
@ 2022-10-13  8:17     ` Sascha Hauer
  2022-10-13  8:32     ` AW: " Rouven Czerwinski
  1 sibling, 0 replies; 5+ messages in thread
From: Sascha Hauer @ 2022-10-13  8:17 UTC (permalink / raw)
  To: BAUER Bernd; +Cc: Barebox Mailingliste

On Thu, Oct 13, 2022 at 07:34:36AM +0000, BAUER Bernd wrote:
> Hi Sascha!
> 
> Thank you! I'll try it.

HAB support is a bit tricky. Don't hesitate to ask if you have
questions.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: AW: HAB/SecureBoot on IMX8MN
  2022-10-13  7:34   ` AW: " BAUER Bernd
  2022-10-13  8:17     ` Sascha Hauer
@ 2022-10-13  8:32     ` Rouven Czerwinski
  1 sibling, 0 replies; 5+ messages in thread
From: Rouven Czerwinski @ 2022-10-13  8:32 UTC (permalink / raw)
  To: BAUER Bernd, Sascha Hauer; +Cc: Barebox Mailingliste

Hi Bernd,

One of the pitfalls we had when enabling HAB for i.MX8MQ was that the
SIP supported by the downstream TF-A to request the HAB event log was
stalling the SoC forever. I couldn't find a way to make this work, so
instead for i.MX8MQ we are parsing the HAB event log directly from
SRAM. The i.MX8MN address is probably different and you'll have to
check whether the same restrictions apply, i.e. if the HAB SIP is still
broken on i.MX8MN.

Best regards,
Rouven




^ permalink raw reply	[flat|nested] 5+ messages in thread
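
A sketch of the direct event-log parsing Rouven describes, added here as an example; it is not barebox's code. The record layout (tag 0xdb, big-endian length, version byte, then status/reason/context/engine) and the status codes are assumed from the HABv4 API. The SRAM address of the log is not given in the thread, so the scanner works on a copied buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HAB_TAG_EVT 0xdb /* event record tag (assumed from the HABv4 API) */

struct hab_event { uint8_t version, status, reason, context, engine; uint16_t len; };

/* Scan a copied SRAM window for event records; returns how many were decoded. */
size_t hab_scan_events(const uint8_t *buf, size_t size, struct hab_event *out, size_t max)
{
    size_t n = 0, off = 0;

    while (off + 8 <= size && n < max) {
        uint16_t len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]); /* big-endian */
        /* Not a record, or a length that cannot be true: resync one byte on. */
        if (buf[off] != HAB_TAG_EVT || len < 8 || len > size - off) {
            off++;
            continue;
        }
        out[n++] = (struct hab_event){ buf[off + 3], buf[off + 4], buf[off + 5],
                                       buf[off + 6], buf[off + 7], len };
        off += len; /* skip the record's data so it is not rescanned for tags */
    }
    return n;
}

/* Status codes assumed from the HABv4 API: failure, warning, success. */
const char *hab_status_name(uint8_t s)
{
    return s == 0x33 ? "failure" : s == 0x69 ? "warning" : s == 0xf0 ? "success" : "unknown";
}

/* Constructed sample window, not a dump from real hardware. */
const uint8_t sample_window[] = {
    0x00, 0x00,                                     /* padding before the log */
    0xdb, 0x00, 0x0c, 0x43, 0x33, 0x18, 0xc0, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
    0xdb, 0xff, 0xff, 0x43,                         /* stray tag, bogus length */
    0xdb, 0x00, 0x08, 0x43, 0x69, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct hab_event ev[4];
    size_t n = hab_scan_events(sample_window, sizeof(sample_window), ev, 4);
    for (size_t i = 0; i < n; i++)
        printf("event %zu: %s reason=0x%02x\n", i, hab_status_name(ev[i].status), ev[i].reason);
    return 0;
}
```

The length check is what keeps a stray 0xdb byte in unrelated SRAM contents from being decoded as a record or from walking the scanner past the end of the window.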
