bsp: mfgtool-files: add scripts for imx8qm-mek-sec

Add fuse/close/flash UUU scripts for imx8qm-mek-sec machine. Signed-off-by: Igor Opaniuk <[email protected]>
foundriesio · Oct 13, 2022 · 5f05b72 · 5f05b72
1 parent 1fcd32b
commit 5f05b72
Show file tree

Hide file tree

Showing 5 changed files with 179 additions and 0 deletions.
diff --git a/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/close.uuu b/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/close.uuu
@@ -0,0 +1,44 @@
+uuu_version 1.3.102
+
+SDPS: boot -f imx-boot-mfgtool.signed
+CFG: FB: -vid 0x0525 -pid 0x4000
+CFG: FB: -vid 0x0525 -pid 0x4025
+CFG: FB: -vid 0x0525 -pid 0x402F
+CFG: FB: -vid 0x0525 -pid 0x4030
+CFG: FB: -vid 0x0525 -pid 0x4031
+
+SDPU: delay 1000
+SDPU: write -f u-boot-mfgtool.itb
+SDPU: jump
+
+# These commands will be run when use SPL and will be skipped if no spl
+# if (SPL support SDPV)
+# {
+SDPV: delay 1000
+SDPV: write -f u-boot-mfgtool.itb
+SDPV: jump
+# }
+
+FB: ucmd if mmc dev 0; then setenv fiohab_dev 0; else setenv fiohab_dev 1; fi;
+
+FB: ucmd setenv srk_0 0x7E90F8D6
+FB: ucmd setenv srk_1 0xE1020512
+FB: ucmd setenv srk_2 0x4FF77EB2
+FB: ucmd setenv srk_3 0x1D964702
+FB: ucmd setenv srk_4 0x5ED61C06
+FB: ucmd setenv srk_5 0x14139AB9
+FB: ucmd setenv srk_6 0x0A57872C
+FB: ucmd setenv srk_7 0xF367F432
+FB: ucmd setenv srk_8 0xE8153815
+FB: ucmd setenv srk_9 0xA804967A
+FB: ucmd setenv srk_10 0xDC14638B
+FB: ucmd setenv srk_11 0xB3A914F7
+FB: ucmd setenv srk_12 0x211FD529
+FB: ucmd setenv srk_13 0x8273EBD2
+FB: ucmd setenv srk_14 0x6E0B791C
+FB: ucmd setenv srk_15 0x6A558134
+
+FB[-t 1000]: ucmd if fiohab_close; then echo Platform Secured; else echo Error, Can Not Secure the Platform; sleep 2; fi
+FB: acmd reboot
+
+FB: done
diff --git a/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/full_image.uuu.in b/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/full_image.uuu.in
@@ -0,0 +1,43 @@
+uuu_version 1.3.102
+
+SDPS: boot -f imx-boot-mfgtool.signed
+CFG: FB: -vid 0x0525 -pid 0x4000
+CFG: FB: -vid 0x0525 -pid 0x4025
+CFG: FB: -vid 0x0525 -pid 0x402F
+CFG: FB: -vid 0x0525 -pid 0x4030
+CFG: FB: -vid 0x0525 -pid 0x4031
+
+SDPU: delay 1000
+SDPU: write -f u-boot-mfgtool.itb
+SDPU: jump
+
+# These commands will be run when use SPL and will be skipped if no spl
+# if (SPL support SDPV)
+# {
+SDPV: delay 1000
+SDPV: write -f u-boot-mfgtool.itb
+SDPV: jump
+# }
+
+FB: ucmd setenv fastboot_dev mmc
+FB: ucmd setenv emmc_dev 0
+FB: ucmd mmc dev ${emmc_dev} 1; mmc erase 0 0x3C00
+
+# Clear fiovb vars
+FB: ucmd imx_is_closed || true
+FB: ucmd if fiovb init ${emmc_dev} && test -n "${board_is_closed}"; then setenv fiovb_rpmb 1; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue bootcount 0; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue rollback 0; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue upgrade_available 0; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue bootupgrade_available 0; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb delete_pvalue bootfirmware_version || true; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue debug 0; else true; fi
+FB[-t 50000]: ucmd if test -n "${fiovb_rpmb}"; then fiovb write_pvalue is_secondary_boot 0; else true; fi
+
+FB: flash -raw2sparse all ../@@MFGTOOL_FLASH_IMAGE@@-@@MACHINE@@.wic
+FB: flash bootloader ../imx-boot-@@MACHINE@@.signed
+FB: flash bootloader_s ../imx-boot-@@MACHINE@@.signed
+FB: flash bootloader2 ../u-boot-@@MACHINE@@.itb
+FB: flash bootloader2_s ../u-boot-@@MACHINE@@.itb
+FB: ucmd mmc partconf 0 0 1 0
+FB: done
diff --git a/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/fuse.uuu b/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/fuse.uuu
@@ -0,0 +1,40 @@
+uuu_version 1.3.102
+
+SDPS: boot -f imx-boot-mfgtool.signed
+CFG: FB: -vid 0x0525 -pid 0x4000
+CFG: FB: -vid 0x0525 -pid 0x4025
+CFG: FB: -vid 0x0525 -pid 0x402F
+CFG: FB: -vid 0x0525 -pid 0x4030
+CFG: FB: -vid 0x0525 -pid 0x4031
+
+SDPU: delay 1000
+SDPU: write -f u-boot-mfgtool.itb
+SDPU: jump
+
+# These commands will be run when use SPL and will be skipped if no spl
+# if (SPL support SDPV)
+# {
+SDPV: delay 1000
+SDPV: write -f u-boot-mfgtool.itb
+SDPV: jump
+# }
+
+FB: ucmd fuse prog -y 0 722 0x7E90F8D6
+FB: ucmd fuse prog -y 0 723 0xE1020512
+FB: ucmd fuse prog -y 0 724 0x4FF77EB2
+FB: ucmd fuse prog -y 0 725 0x1D964702
+FB: ucmd fuse prog -y 0 726 0x5ED61C06
+FB: ucmd fuse prog -y 0 727 0x14139AB9
+FB: ucmd fuse prog -y 0 728 0x0A57872C
+FB: ucmd fuse prog -y 0 729 0xF367F432
+FB: ucmd fuse prog -y 0 730 0xE8153815
+FB: ucmd fuse prog -y 0 731 0xA804967A
+FB: ucmd fuse prog -y 0 732 0xDC14638B
+FB: ucmd fuse prog -y 0 733 0xB3A914F7
+FB: ucmd fuse prog -y 0 734 0x211FD529
+FB: ucmd fuse prog -y 0 735 0x8273EBD2
+FB: ucmd fuse prog -y 0 736 0x6E0B791C
+FB: ucmd fuse prog -y 0 737 0x6A558134
+
+FB: acmd reboot
+fb: done
diff --git a/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/readme.md b/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8qm-mek-sec/readme.md
@@ -0,0 +1,35 @@
+# How to enable secure boot for imx8qm-mek
+
+Download and extract CST from nxp.com: https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL_NEW&appType=file2&location=null&DOWNLOAD_ID=null
+
+Start exporting the needed variables
+
+   export CST_PATH=/path_to_cst/cst-3.3.1/linux64/bin/cst
+   export SPL_PATH=/path_to_spl/
+   export KEY_PATH=/path_to_key/
+
+Download the `lmp-tools`
+
+   git clone https://github.com/foundriesio/lmp-tools.git
+   cd lmp-tools/security/imx_ahab
+
+Sign the MFGTool SPL file
+
+   ./sign-file.sh --key-dir $KEY_PATH --cst $CST_PATH --spl $SPL_PATH/mfgtool-files-imx8qm-mek-sec/imx-boot-mfgtool
+
+Sign the SPL file
+
+   ./sign-file.sh --key-dir $KEY_PATH --cst $CST_PATH --spl $SPL_PATH/imx-boot-imx8qm-mek-sec
+
+Fuse the key to the board
+
+   cd $SPL_PATH
+   sudo ./mfgtool-files-imx8qm-mek-sec/uuu -pp 1 ./mfgtool-files-imx8qm-mek-sec/fuse.uuu
+
+Close the board
+
+   sudo ./mfgtool-files-imx8qm-mek-sec/uuu -pp 1 ./mfgtool-files-imx8qm-mek-sec/close.uuu
+
+Flash the system to the board
+
+   sudo ./mfgtool-files-imx8qm-mek-sec/uuu -pp 1 ./mfgtool-files-imx8qm-mek-sec/full_image.uuu
diff --git a/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files_%.bbappend b/meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files_%.bbappend
@@ -18,6 +18,12 @@ SRC_URI:append:apalis-imx8-sec = " \
     file://readme.md \
 "
 
+SRC_URI:append:imx8qm-mek-sec = " \
+    file://fuse.uuu \
+    file://close.uuu \
+    file://readme.md \
+"
+
 SRC_URI:append:imx8mm-lpddr4-evk-sec = " \
     file://fuse.uuu \
     file://close.uuu \
@@ -106,6 +112,17 @@ do_deploy:prepend:apalis-imx8-sec() {
     install -m 0644 ${WORKDIR}/readme.md ${DEPLOYDIR}/${PN}/readme.md
 }
 
+do_compile:append:imx8qm-mek-sec() {
+    sed -i 's/imx-boot.*/&.signed/g' bootloader.uuu
+}
+
+do_deploy:prepend:imx8qm-mek-sec() {
+    install -d ${DEPLOYDIR}/${PN}
+    install -m 0644 ${WORKDIR}/fuse.uuu ${DEPLOYDIR}/${PN}/fuse.uuu
+    install -m 0644 ${WORKDIR}/close.uuu ${DEPLOYDIR}/${PN}/close.uuu
+    install -m 0644 ${WORKDIR}/readme.md ${DEPLOYDIR}/${PN}/readme.md
+}
+
 do_compile:append:imx8mm-lpddr4-evk-sec() {
     sed -i 's/imx-boot.*/&.signed/g' bootloader.uuu
 }