Imx8mm secure boot support #254

igoropaniuk · 2021-01-22T14:07:21Z

This is rebased version of initial version

Boot:

U-Boot SPL 2020.04 (Jan 01 1970 - 00:00:00 +0000)
No pmic
DDRINFO: start DRAM init
DDRINFO: DRAM rate 3000MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC2
## Checking hash(es) for Image uboot@1 ... OK
## Checking hash(es) for Image fdt@1 ... OK
## Checking hash(es) for Image atf@1 ... OK
## Checking hash(es) for Image tee@1 ... OK
NOTICE:  BL31: v2.2(release):rel_imx_5.4.47_2.2.0-0-gc949a888e-dirty
NOTICE:  BL31: Built : 00:00:00, Jan  1 1970
I/TC: 
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.10.0-62-g896b1208 (gcc version 10.2.0 (GCC)) #1 Thu 01 Jan 1970 12:00:00 AM UTC aarch64
I/TC: Primary CPU initializing
I/TC: Primary CPU switching to normal world boot


U-Boot 2020.04 (Jan 01 1970 - 00:00:00 +0000)

CPU:   i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 34C
Reset cause: POR
Model: NXP i.MX8MM EVK board
DRAM:  2 GiB
TCPC:  Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x52]
Power supply on USB2
TCPC:  Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x50]
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from FAT... OK
In:    serial
Out:   serial
Err:   serial

 BuildInfo:
  - ATF c949a88
  - U-Boot 2020.04

Net:   eth0: ethernet@30be0000
3007 bytes read in 8 ms (366.2 KiB/s)
## Executing script at 40480000
sha256,rsa2048:dev+ sha256+ Using freescale_imx8mm-evk.dtb
463 bytes read in 10 ms (44.9 KiB/s)
13879314 bytes read in 69 ms (191.8 MiB/s)
## Loading kernel from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x4380010c
     Data Size:    9827307 Bytes = 9.4 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x40480000
     Entry Point:  0x40480000
     Hash algo:    sha256
     Hash value:   90dd4b8f0d88251e35c5509b0a3e56a95194b6e321520fbd436836a35aec7e4c
   Verifying Hash Integrity ... sha256+ OK
## Loading ramdisk from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'ramdisk@1' ramdisk subimage
     Description:  initramfs-ostree-lmp-image
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x441f6b14
     Data Size:    3416497 Bytes = 3.3 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha256
     Hash value:   3d41e2efa9c0ef988c3a0191251b795491ee1dfc0480af2a6917bf432e7122d7
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt@freescale_imx8mm-evk.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x441ad64c
     Data Size:    44632 Bytes = 43.6 KiB
     Architecture: AArch64
     Load Address: 0x43000000
     Hash algo:    sha256
     Hash value:   9bf4d2595049e7ab9c6fce8d8c46f0f91890aeab52096cc9064a674169479c03
   Verifying Hash Integrity ... sha256+ OK
   Loading fdt from 0x441ad64c to 0x43000000
   Booting using the fdt blob at 0x43000000
   Uncompressing Kernel Image
   Using Device Tree in place at 0000000043000000, end 000000004300de57

Starting kernel ...

unable to select a mode
device_remove: Device '[email protected]' failed to remove, but children are gone
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.4.76-lmp-standard (oe-user@oe-host) (gcc version 10.2.0 (GCC)) #1 SMP PREEMPT Tue Jan 12 12:34:35 UTC 2021
[    0.000000] Machine model: FSL i.MX8MM EVK board
[    0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030890000 (options '115200')

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio-mfgtool/imx8mmevk/lmp.cfg

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio/imx8mmevk/lmp.cfg

...ayers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot/0001-iMX8M-support-SPL-ddr-sign.patch

...rs/freescale-layer/recipes-bsp/imx-mkimage/imx-boot/0002-iMX8M-default-make-builds-SPL.patch

meta-lmp-bsp/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_%.bbappend

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio_%.bbappend

meta-lmp-bsp/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_%.bbappend

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio-mfgtool/imx8mmevk/lmp.cfg

igoropaniuk · 2021-01-27T19:04:20Z

meta-lmp-bsp/wic/sdimage-imx8-sota.wks.in

+#  - ---------- -------------- --------------------
+# ^ ^      ^         ^              ^
+# | |      |         |              |
+# 0 |      1MiB      8MiB           16MiB + rootfs + IMAGE_EXTRA_SPACE (default 10MiB)


we can use the same layout not only for SD, but for eMMC also. This requires changes of both uuu scripts:
bootloader.uuu.in and full_image.uuu.
In bootloader.uuu.in we can write bootloader, but instead of flash cmd use something like:

FB: ucmd setenv fastboot_buffer ${loadaddr} FB: download -f SPL FB: ucmd mmc write ${fastboot_buffer} 0x800 ${fastboot_bytes} FB: download -f u-boot.itb FB: ucmd mmc write ${fastboot_buffer} 0x4000 ${fastboot_bytes} FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 7 0

or we can just still use boot0/boot1 hw paritions for eMMC as before
@mike-scott @ricardosalveti @ldts please decide

Such layout obviously requires different value for CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR in U-Boot

igoropaniuk · 2021-01-27T23:03:11Z

meta-lmp-bsp/wic/sdimage-imx8-sota.wks.in

+#  - ---------- -------------- --------------------
+# ^ ^      ^         ^              ^
+# | |      |         |              |
+# 0 |      384KiB    8MiB           16MiB + rootfs + IMAGE_EXTRA_SPACE (default 10MiB)


384KiB corresponds to the current default value of CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR set for imx8mm

igoropaniuk · 2021-01-27T23:20:13Z

all comments addressed
thanks @mike-scott @ricardosalveti for reviewing.
Could you please take a second look at newly pushed version

ricardosalveti · 2021-01-28T02:44:17Z

meta-lmp-bsp/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_%.bbappend

+do_install () {
+    install -d ${D}/boot
+    for target in ${IMXBOOT_TARGETS}; do
+        install -m 0644 ${S}/SPL-${BOOT_CONFIG_MACHINE}-${target} ${D}/boot/


This will only work for imx8mm right? We also support building for imx8mq, which will use the same function and still using the old imx-boot mechanism (until we change it the same way you're now doing for imx8mm).

imx-boot from meta-freescale has:

do_install () { install -d ${D}/boot for target in ${IMXBOOT_TARGETS}; do install -m 0644 ${S}/${BOOT_CONFIG_MACHINE}-${target} ${D}/boot/ done }

So we need to cover both cases.

ricardosalveti · 2021-01-28T02:45:07Z

meta-lmp-bsp/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_%.bbappend

+            echo "Set boot target as $IMAGE_IMXBOOT_TARGET"
+        fi
+        install -m 0644 ${S}/SPL-${BOOT_CONFIG_MACHINE}-${target} ${DEPLOYDIR}
+        install -m 0644 ${S}/u-boot.itb-${BOOT_CONFIG_MACHINE}-${target} ${DEPLOYDIR}


Same applies here.

ricardosalveti · 2021-01-28T02:45:34Z

meta-lmp-bsp/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_%.bbappend

+    ln -sf u-boot.itb-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} u-boot.itb
+    # Creating links for mfgtools scripts
+    ln -sf SPL-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} SPL-${MACHINE}
+    ln -sf u-boot.itb-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} u-boot-${MACHINE}.itb


And here.

So both install and deploy will have to cover both cases.

ricardosalveti · 2021-01-28T02:47:38Z

all comments addressed
thanks @mike-scott @ricardosalveti for reviewing.
Could you please take a second look at newly pushed version

Really nice work, just some minor comments.

Please make sure you also build lmp for imx8mqevk, as some of these changes might affect targets that are not following the same model (e.g. still requiring imx-boot).

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>

1. Set flash_spl as default IMXBOOT_TARGET 2. Update the list of boot files Signed-off-by: Igor Opaniuk <[email protected]>

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>

Install dt-spl.dtb and u-boot-spl-nodtb.bin, as we need to have both separate to able to add a FIT image signature to dt-spl.dtb after signing FIT image by imx-boot script. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>

Flash separately SPL and U-Boot instead of old image format, where everything was packed into one imx boot image. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>

Enable FIT signature verification from SPL. Signed-off-by: Igor Opaniuk <[email protected]>

Introduce a separate image layout, taking into account new boot sequence. Signed-off-by: Igor Opaniuk <[email protected]>

Signed-off-by: Igor Opaniuk <[email protected]>

mike-scott · 2021-01-30T21:41:45Z

meta-lmp-bsp/conf/machine/include/lmp-machine-custom.inc

@@ -309,7 +309,7 @@ PREFERRED_PROVIDER_virtual/dtb_imx8mmevk ?= "lmp-device-tree"
 ## iMX8: Use latest NXP BSP downstream kernel
 PREFERRED_PROVIDER_virtual/kernel_mx8mm ?= "linux-lmp-fslc-imx"
 MACHINE_FIRMWARE_mx8mm = "linux-firmware-imx-sdma-imx7d"
-WKS_FILE_mx8mm_sota = "sdimage-imx8-sota.wks.in"
+WKS_FILE_mx8mm_sota = "sdimage-imx8mm-sota.wks.in"


This might be more generically named as: sdimage-imx8-spl-sota.wks.in

not really, because I've updated the layout for imx8mm (please take a look at wks.in changes for imx8mm)

mike-scott · 2021-02-10T01:01:09Z

meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8mmevk/bootloader.uuu.in

 SDPV: jump

 FB: ucmd setenv fastboot_dev mmc
 FB: ucmd setenv mmcdev ${emmc_dev}
 FB: ucmd mmc dev ${emmc_dev}
-FB: flash bootloader ../imx-boot-@@MACHINE@@
+FB: ucmd setenv set_blkcnt 'setexpr blkcnt 0x${filesize} + 0x1ff && setexpr blkcnt ${blkcnt} / 0x200'


This logic can be replaced with 2 commands:

FB: flash bootloader ../SPL-@@MACHINE@@ FB: flash bootloader2 ../u-boot-@@MACHINE@@

We need to set this in the standard lmp.cfg:

CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x300

And set this in the mfgtool lmp.cfg:

CONFIG_FSL_FASTBOOT_BOOTLOADER2=y CONFIG_FSL_FASTBOOT_BOOTLOADER2_OFFSET=0x300

Now I got it how it works, looks like bootloader/bootloader2 is not boot0/boot1 (what I assumed initially), but just some defined for the offsets, nice.

But how did that work before, when we were using boot0 for imx-boot?

mike-scott · 2021-02-10T01:01:26Z

meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8mmevk/bootloader.uuu.in

 FB: ucmd if env exists emmc_ack; then ; else setenv emmc_ack 0; fi;
-FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 1 0
+FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 7 0


What is 7 here?

set user partition (with ack) as bootable

mike-scott · 2021-02-10T01:02:01Z

meta-lmp-bsp/recipes-support/mfgtool-files/mfgtool-files/imx8mmevk/full_image.uuu.in

 SDPV: jump

 FB: ucmd setenv fastboot_dev mmc
 FB: ucmd setenv mmcdev ${emmc_dev}
 FB: ucmd mmc dev ${emmc_dev}
 FB: flash -raw2sparse all ../@@MFGTOOL_FLASH_IMAGE@@-@@MACHINE@@.wic
-FB: flash bootloader ../imx-boot-@@MACHINE@@


We still need to flash bootloaders in the full_image.uuu file.

yes, in case we use boot0 parition.
If you check wks file for the wic image creation, you'll see that in the current setup I used user hw partition for everything, including SPL and U-Boot FIT

mike-scott · 2021-02-10T01:05:10Z

meta-lmp-bsp/conf/machine/include/lmp-machine-custom.inc

@@ -312,6 +312,7 @@ MACHINE_FIRMWARE_mx8mm = "linux-firmware-imx-sdma-imx7d"
 WKS_FILE_mx8mm_sota = "sdimage-imx8-sota.wks.in"
 ## iMX8MM EVK
 MACHINE_FEATURES_remove_imx8mmevk = "qca9377 qca6174"
+IMXBOOT_TARGETS_mx8mm = "flash_spl_signed"


Can we move this setting up under the *_mx8mm settings?

mike-scott · 2021-02-10T01:17:05Z

...rs/freescale-layer/recipes-bsp/imx-mkimage/imx-boot/0002-iMX8M-default-make-builds-SPL.patch

+################################
+# spl.bin + dtb + pad + ddr_fw #
+################################
+u-boot-signed-spl-ddr.bin: u-boot-spl.bin $(lpddr4_imem_1d) $(lpddr4_dmem_1d) $(lpddr4_imem_2d) $(lpddr4_dmem_2d)


I'm going to explore adding the right dependencies to imx-boot recipe so that the build order is like this:

atf compile / deploy

op-tee compile / deploy

u-boot compile: generates SPL and u-boot.bin

use uboot-fitimage class to create u-boot.itb (signing the u-boot-spl.dtb in the process)

build imx-boot for SPL only using deployed SPL.bin (signed dtb)

If we can do that then we can drop all of the u-boot.itb handling / u-boot.its patches here. This ensures as we make changes to the uboot-fitimage class in the future, they are still being used by imx8*.

mike-scott · 2021-02-12T23:00:59Z

Superseded by: #260

ricardosalveti mentioned this pull request Jan 25, 2021

iMX8mm: support Foundries.io secure boot #227

Closed

mike-scott requested review from ricardosalveti, mike-scott and ldts January 25, 2021 19:47

mike-scott requested changes Jan 25, 2021

View reviewed changes

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio-mfgtool/imx8mmevk/lmp.cfg Show resolved Hide resolved

meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio/imx8mmevk/lmp.cfg Show resolved Hide resolved