From: Sven Ebenfeld Date: Sun, 6 Nov 2016 15:37:56 +0000 (+0100) Subject: tools: mkimage: add firmware-ivt image type for HAB verification X-Git-Tag: v2025.01-rc5-pxa1908~7798^2~19 X-Git-Url: http://git.dujemihanovic.xyz/html/static/%7B%7B%20%24.Site.BaseURL%20%7D%7Dposts/%7B%7B%20%24.Site.BaseURL%20%7D%7Dposts/index.xml?a=commitdiff_plain;h=d21bd69b6e95ca7824941e7f527871cd5c63c7f7;p=u-boot.git tools: mkimage: add firmware-ivt image type for HAB verification When we want to use Secure Boot with HAB from SPL over U-Boot.img, we need to append the IVT to the image and leave space for the CSF. Images generated as firmware_ivt can directly be signed using the Freescale code signing tool. For creation of a CSF, mkimage outputs the correct HAB Blocks for the image. The changes to the usual firmware image class are quite small, that is why I implemented that directly into the default_image. Cc: sbabic@denx.de v2-Changes: None Signed-off-by: Sven Ebenfeld Reviewed-by: George McCollister Tested-by: George McCollister --- diff --git a/Makefile b/Makefile index 08749644f4..ecd824da2b 100644 --- a/Makefile +++ b/Makefile @@ -763,7 +763,11 @@ ALL-$(CONFIG_RAMBOOT_PBL) += u-boot.pbl endif endif ALL-$(CONFIG_SPL) += spl/u-boot-spl.bin +ifeq ($(CONFIG_MX6)$(CONFIG_SECURE_BOOT), yy) +ALL-$(CONFIG_SPL_FRAMEWORK) += u-boot-ivt.img +else ALL-$(CONFIG_SPL_FRAMEWORK) += u-boot.img +endif ALL-$(CONFIG_TPL) += tpl/u-boot-tpl.bin ALL-$(CONFIG_OF_SEPARATE) += u-boot.dtb ifeq ($(CONFIG_SPL_FRAMEWORK),y) @@ -938,6 +942,9 @@ else MKIMAGEFLAGS_u-boot.img = -A $(ARCH) -T firmware -C none -O u-boot \ -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" +MKIMAGEFLAGS_u-boot-ivt.img = -A $(ARCH) -T firmware_ivt -C none -O u-boot \ + -a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \ + -n "U-Boot $(UBOOTRELEASE) for $(BOARD) board" endif MKIMAGEFLAGS_u-boot-dtb.img = $(MKIMAGEFLAGS_u-boot.img) 
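Review bot: `MKIMAGEFLAGS_u-boot-ivt.img` is defined only inside this `else` branch, while the first Makefile hunk adds `u-boot-ivt.img` to `ALL-$(CONFIG_SPL_FRAMEWORK)` whenever `$(CONFIG_MX6)$(CONFIG_SECURE_BOOT)` is `yy`. The opening conditional is outside the hunk, so this is inferred, but if it is the `CONFIG_SPL_LOAD_FIT` case then a secure-boot build with FIT loading would run mkimage for `u-boot-ivt.img` without `-T firmware_ivt` or any other flags. Either define the variable in both branches or put the same condition on the `ALL-` line. The three flag lines also copy `MKIMAGEFLAGS_u-boot.img` apart from `-T`; a comment such as `# same as u-boot.img, but typed firmware_ivt so mkimage appends the IVT and reserves CSF space` would record why the copy exists.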
@@ -951,7 +958,7 @@ MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \ MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \ -R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage -u-boot-dtb.img u-boot.img u-boot.kwb u-boot.pbl: \ +u-boot-dtb.img u-boot.img u-boot.kwb u-boot.pbl u-boot-ivt.img: \ $(if $(CONFIG_SPL_LOAD_FIT),u-boot-nodtb.bin dts/dt.dtb,u-boot.bin) FORCE $(call if_changed,mkimage) diff --git a/common/image.c b/common/image.c index 909dbed1f2..8c35327745 100644 --- a/common/image.c +++ b/common/image.c @@ -166,6 +166,7 @@ static const table_entry_t uimage_type[] = { { IH_TYPE_ZYNQMPIMAGE, "zynqmpimage", "Xilinx ZynqMP Boot Image" }, { IH_TYPE_FPGA, "fpga", "FPGA Image" }, { IH_TYPE_TEE, "tee", "Trusted Execution Environment Image",}, + { IH_TYPE_FIRMWARE_IVT, "firmware_ivt", "Firmware with HABv4 IVT" }, { -1, "", "", }, }; @@ -365,6 +366,11 @@ void image_print_contents(const void *ptr) printf("%s Offset = 0x%08lx\n", p, data); } } + } else if (image_check_type(hdr, IH_TYPE_FIRMWARE_IVT)) { + printf("HAB Blocks: 0x%08x 0x0000 0x%08x\n", + image_get_load(hdr) - image_get_header_size(), + image_get_size(hdr) + image_get_header_size() + - 0x1FE0); } } diff --git a/include/image.h b/include/image.h index 575f5927f7..05376783fb 100644 --- a/include/image.h +++ b/include/image.h @@ -280,6 +280,7 @@ enum { IH_TYPE_FPGA, /* FPGA Image */ IH_TYPE_VYBRIDIMAGE, /* VYBRID .vyb Image */ IH_TYPE_TEE, /* Trusted Execution Environment OS Image */ + IH_TYPE_FIRMWARE_IVT, /* Firmware Image with HABv4 IVT */ IH_TYPE_COUNT, /* Number of image types */ }; diff --git a/tools/default_image.c b/tools/default_image.c index 6e4ae14ec7..4e5568e06a 100644 --- a/tools/default_image.c +++ b/tools/default_image.c 
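Review bot: The block length printed in the new `IH_TYPE_FIRMWARE_IVT` branch is `image_get_size(hdr) + image_get_header_size() - 0x1FE0` with no lower bound on the header's size field, so a header whose size is smaller than the reserved CSF area makes the subtraction wrap and prints a huge length; `image_get_load(hdr) - image_get_header_size()` wraps the same way for a small load address. The commit message says these numbers are the HAB blocks used to create the CSF, i.e. the range HAB will authenticate, so an implausible value should be reported as an error rather than printed as if valid. `0x1FE0` is also repeated in the `image_set_header` hunk of tools/default_image.c, and the two must stay equal for the printed range to match what mkimage wrote; a shared name in include/image.h, for example `#define FIRMWARE_IVT_CSF_PAD 0x1FE0 /* CSF area minus IVT */` (the name is only a suggestion), would tie them together. `image_print_contents` starts and ends outside this hunk.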
@@ -25,7 +25,7 @@ static image_header_t header; static int image_check_image_types(uint8_t type) { if (((type > IH_TYPE_INVALID) && (type < IH_TYPE_FLATDT)) || - (type == IH_TYPE_KERNEL_NOLOAD)) + (type == IH_TYPE_KERNEL_NOLOAD) || (type == IH_TYPE_FIRMWARE_IVT)) return EXIT_SUCCESS; else return EXIT_FAILURE; @@ -89,6 +89,7 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd, { uint32_t checksum; time_t time; + uint32_t imagesize; image_header_t * hdr = (image_header_t *)ptr; @@ -98,11 +99,16 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd, sbuf->st_size - sizeof(image_header_t)); time = imagetool_get_source_date(params, sbuf->st_mtime); + if (params->type == IH_TYPE_FIRMWARE_IVT) + /* Add size of CSF minus IVT */ + imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0; + else + imagesize = sbuf->st_size - sizeof(image_header_t); /* Build new header */ image_set_magic(hdr, IH_MAGIC); image_set_time(hdr, time); - image_set_size(hdr, sbuf->st_size - sizeof(image_header_t)); + image_set_size(hdr, imagesize); image_set_load(hdr, params->addr); image_set_ep(hdr, params->ep); image_set_dcrc(hdr, checksum); diff --git a/tools/mkimage.c b/tools/mkimage.c index 49d5d1ed70..f48135ff79 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -9,6 +9,7 @@ */ #include "mkimage.h" +#include "imximage.h" #include #include 
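Review bot: For `IH_TYPE_FIRMWARE_IVT` the size stored by `image_set_size(hdr, imagesize)` is 0x1FE0 bytes larger than the data present in the file, while the `checksum` passed to `image_set_dcrc` still appears to be computed over `sbuf->st_size - sizeof(image_header_t)` (the call begins above the hunk, so this is read from its last argument line). A consumer that reads the header's size field, or checks the data CRC over it, will therefore cover bytes that do not exist until the CSF is appended, and the stored CRC will not match that range. The comment should say so explicitly, e.g. `/* ih_size also counts the CSF area that the signing step appends after the IVT; dcrc covers only the bytes present now */`. The unbraced `if`/`else` with a comment between the condition and its statement is easy to break when a second statement is added, so braces on both arms would be safer.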
@@ -508,6 +509,37 @@ int main(int argc, char **argv) } else { copy_file(ifd, params.datafile, pad_len); } + if (params.type == IH_TYPE_FIRMWARE_IVT) { + /* Add alignment and IVT */ + uint32_t aligned_filesize = (params.file_size + 0x1000 + - 1) & ~(0x1000 - 1); + flash_header_v2_t ivt_header = { { 0xd1, 0x2000, 0x40 }, + params.addr, 0, 0, 0, params.addr + + aligned_filesize + - tparams->header_size, + params.addr + aligned_filesize + - tparams->header_size + + 0x20, 0 }; + int i = params.file_size; + for (; i < aligned_filesize; i++) { + if (write(ifd, &i, 1) != 1) { + fprintf(stderr, + "%s: Write error on %s: %s\n", + params.cmdname, + params.imagefile, + strerror(errno)); + exit(EXIT_FAILURE); + } + } + if (write(ifd, &ivt_header, sizeof(flash_header_v2_t)) + != sizeof(flash_header_v2_t)) { + fprintf(stderr, "%s: Write error on %s: %s\n", + params.cmdname, + params.imagefile, + strerror(errno)); + exit(EXIT_FAILURE); + } + } } /* We're a bit of paranoid */
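Review bot: The alignment loop pads the image with `write(ifd, &i, 1)`, which writes the first byte of the loop counter as it sits in host memory, so the pad bytes are a counting pattern on a little-endian build host and something else on a big-endian one. Judging by the HAB block range printed in the common/image.c hunk (header through IVT), this padding lies inside the region that gets signed, so it should be fixed and host-independent: declare `const uint8_t pad = 0;` before the loop and call `write(ifd, &pad, 1)`. `ivt_header` is likewise written as a raw host-order struct, and its `0x2000` length initialiser presumably yields the intended bytes only on a little-endian host, so the fields need explicit little-endian conversion if mkimage is to produce the same image on every host. `int i` is compared against the `uint32_t aligned_filesize`; making `i` a `uint32_t` removes the mixed-sign comparison. `main` starts and ends outside this hunk.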