Imx8mm secure boot support #254
| # - ---------- -------------- -------------------- | ||
| # ^ ^ ^ ^ ^ | ||
| # | | | | | | ||
| # 0 | 1MiB 8MiB 16MiB + rootfs + IMAGE_EXTRA_SPACE (default 10MiB) |
There was a problem hiding this comment.
we can use the same layout not only for SD, but for eMMC also. This requires changes of both uuu scripts:
bootloader.uuu.in and full_image.uuu.
In bootloader.uuu.in we can write bootloader, but instead of flash cmd use something like:
FB: ucmd setenv fastboot_buffer ${loadaddr}
FB: download -f SPL
FB: ucmd mmc write ${fastboot_buffer} 0x800 ${fastboot_bytes}
FB: download -f u-boot.itb
FB: ucmd mmc write ${fastboot_buffer} 0x4000 ${fastboot_bytes}
FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 7 0
There was a problem hiding this comment.
or we can just still use boot0/boot1 hw partitions for eMMC as before
@mike-scott @ricardosalveti @ldts please decide
There was a problem hiding this comment.
Such layout obviously requires different value for CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR in U-Boot
23b84ea to
53ce911
| # - ---------- -------------- -------------------- | ||
| # ^ ^ ^ ^ ^ | ||
| # | | | | | | ||
| # 0 | 384KiB 8MiB 16MiB + rootfs + IMAGE_EXTRA_SPACE (default 10MiB) |
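Review bot: the 384KiB marker in this layout diagram is not an independent choice, and nothing in the comment says so. It has to equal CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR (0x300 sectors of 512 bytes) from the U-Boot config, otherwise SPL will look for the FIT image at a different place than wic wrote it. Please name that config option and its value next to the marker so that whoever changes one side knows to change the other.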
There was a problem hiding this comment.
384KiB corresponds to the current default value of CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR set for imx8mm
all comments addressed
| do_install () { | ||
| install -d ${D}/boot | ||
| for target in ${IMXBOOT_TARGETS}; do | ||
| install -m 0644 ${S}/SPL-${BOOT_CONFIG_MACHINE}-${target} ${D}/boot/ |
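Review bot: the install line inside the loop assumes that every entry in IMXBOOT_TARGETS produced a file named SPL-${BOOT_CONFIG_MACHINE}-${target} in ${S}. For a target that still generates the single imx-boot image that file does not exist and do_install fails. Either test for the file before installing it, or keep the original install line and put the SPL variant behind a machine override. Quoting the ${S}, ${D} and ${target} expansions would also be safer.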
There was a problem hiding this comment.
This will only work for imx8mm right? We also support building for imx8mq, which will use the same function and is still using the old imx-boot mechanism (until we change it the same way you're now doing for imx8mm).
imx-boot from meta-freescale has:
do_install () {
    install -d ${D}/boot
    for target in ${IMXBOOT_TARGETS}; do
        install -m 0644 ${S}/${BOOT_CONFIG_MACHINE}-${target} ${D}/boot/
    done
}
So we need to cover both cases.
| echo "Set boot target as $IMAGE_IMXBOOT_TARGET" | ||
| fi | ||
| install -m 0644 ${S}/SPL-${BOOT_CONFIG_MACHINE}-${target} ${DEPLOYDIR} | ||
| install -m 0644 ${S}/u-boot.itb-${BOOT_CONFIG_MACHINE}-${target} ${DEPLOYDIR} |
| ln -sf u-boot.itb-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} u-boot.itb | ||
| # Creating links for mfgtools scripts | ||
| ln -sf SPL-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} SPL-${MACHINE} | ||
| ln -sf u-boot.itb-${BOOT_CONFIG_MACHINE}-${IMAGE_IMXBOOT_TARGET} u-boot-${MACHINE}.itb |
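Review bot: the three ln -sf lines create their links under relative names (u-boot.itb, SPL-${MACHINE}, u-boot-${MACHINE}.itb), so they end up in whatever directory the task happens to be in. Unless a cd ${DEPLOYDIR} precedes this hunk, give the link names an explicit ${DEPLOYDIR}/ prefix. The links also point at the ${IMAGE_IMXBOOT_TARGET} files while the install lines copy the ${target} files, so an IMAGE_IMXBOOT_TARGET that is not among the installed targets leaves dangling links. A check that the link target exists before linking would catch that at build time instead of at flashing time.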
There was a problem hiding this comment.
And here.
So both install and deploy will have to cover both cases.
Really nice work, just some minor comments. Please make sure you also build lmp for imx8mqevk, as some of these changes might affect targets that are not following the same model (e.g. still requiring imx-boot).
Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
1. Set flash_spl as default IMXBOOT_TARGET 2. Update the list of boot files Signed-off-by: Igor Opaniuk <[email protected]>
5b9c897 to
79530ec
Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>
Install dt-spl.dtb and u-boot-spl-nodtb.bin, as we need to have both separate to be able to add a FIT image signature to dt-spl.dtb after signing FIT image by imx-boot script. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>
1c2cbd7 to
014b8f8
Flash separately SPL and U-Boot instead of old image format, where everything was packed into one imx boot image. Signed-off-by: Jorge Ramirez-Ortiz <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>
Enable FIT signature verification from SPL. Signed-off-by: Igor Opaniuk <[email protected]>
Introduce a separate image layout, taking into account new boot sequence. Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Igor Opaniuk <[email protected]>
| PREFERRED_PROVIDER_virtual/kernel_mx8mm ?= "linux-lmp-fslc-imx" | ||
| MACHINE_FIRMWARE_mx8mm = "linux-firmware-imx-sdma-imx7d" | ||
| WKS_FILE_mx8mm_sota = "sdimage-imx8-sota.wks.in" | ||
| WKS_FILE_mx8mm_sota = "sdimage-imx8mm-sota.wks.in" |
There was a problem hiding this comment.
This might be more generically named as: sdimage-imx8-spl-sota.wks.in
There was a problem hiding this comment.
not really, because I've updated the layout for imx8mm (please take a look at wks.in changes for imx8mm)
| FB: ucmd setenv mmcdev ${emmc_dev} | ||
| FB: ucmd mmc dev ${emmc_dev} | ||
| FB: flash bootloader ../imx-boot-@@MACHINE@@ | ||
| FB: ucmd setenv set_blkcnt 'setexpr blkcnt 0x${filesize} + 0x1ff && setexpr blkcnt ${blkcnt} / 0x200' |
There was a problem hiding this comment.
This logic can be replaced with 2 commands:
FB: flash bootloader ../SPL-@@MACHINE@@
FB: flash bootloader2 ../u-boot-@@MACHINE@@
We need to set this in the standard lmp.cfg:
CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x300
And set this in the mfgtool lmp.cfg:
CONFIG_FSL_FASTBOOT_BOOTLOADER2=y
CONFIG_FSL_FASTBOOT_BOOTLOADER2_OFFSET=0x300
There was a problem hiding this comment.
Now I get how it works, looks like bootloader/bootloader2 is not boot0/boot1 (what I assumed initially), but just some defined for the offsets, nice.
But how did that work before, when we were using boot0 for imx-boot?
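The offsets in this thread must agree: SPL reads U-Boot from CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR, fastboot writes bootloader2 at CONFIG_FSL_FASTBOOT_BOOTLOADER2_OFFSET, and the image layout places it at 384KiB. The build-time check below is an added example, not part of the PR; its function and file names are hypothetical, and it assumes both config values count 512-byte sectors, as the matching 0x300 values suggest.

```shell
#!/bin/sh
# Added example: build-time check that the offsets from this thread agree.
# Function names and the sample files below are constructed for illustration.

# Print the decimal value of key $1 from Kconfig fragment $2 (last assignment wins).
cfg_value() {
    val=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    case $val in
        ''|*[!0-9a-fA-Fx]*) return 1 ;;   # key missing or not a plain number
        0x*|[0-9]*) echo "$(($val))" ;;   # accepts hex (0x300) or decimal
        *) return 1 ;;
    esac
}

# check_offsets STANDARD_CFG MFGTOOL_CFG LAYOUT_KIB
# Returns 0 if consistent, 1 on a mismatch, 2 if a key is missing.
check_offsets() {
    spl_sector=$(cfg_value CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR "$1") || return 2
    fb_sector=$(cfg_value CONFIG_FSL_FASTBOOT_BOOTLOADER2_OFFSET "$2") || return 2
    if [ "$spl_sector" -ne "$fb_sector" ]; then
        echo "SPL reads U-Boot at sector $spl_sector, fastboot writes it at $fb_sector" >&2
        return 1
    fi
    # Assumption: both values are in 512-byte sectors.
    if [ $((spl_sector * 512)) -ne $(($3 * 1024)) ]; then
        echo "layout puts U-Boot at ${3}KiB, SPL expects $((spl_sector / 2))KiB" >&2
        return 1
    fi
}

# Constructed sample fragments using the values quoted in the thread.
demo_dir=$(mktemp -d)
echo 'CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x300' > "$demo_dir/lmp.cfg"
printf '%s\n' 'CONFIG_FSL_FASTBOOT_BOOTLOADER2=y' \
    'CONFIG_FSL_FASTBOOT_BOOTLOADER2_OFFSET=0x300' > "$demo_dir/mfgtool-lmp.cfg"
if check_offsets "$demo_dir/lmp.cfg" "$demo_dir/mfgtool-lmp.cfg" 384; then
    echo "offsets consistent"
fi
```

Run from a recipe or CI step, a non-zero return stops the build before an image is produced whose SPL would look for the signed FIT at the wrong sector.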
| FB: ucmd run set_blkcnt && mmc write ${loadaddr} 0x300 ${blkcnt} | ||
| FB: ucmd if env exists emmc_ack; then ; else setenv emmc_ack 0; fi; | ||
| FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 1 0 | ||
| FB: ucmd mmc partconf ${emmc_dev} ${emmc_ack} 7 0 |
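Review bot: the mmc write line hard-codes sector 0x300, which duplicates CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR from the SPL build. If the two ever diverge, SPL reads the wrong sectors and FIT verification fails at boot with no hint from the flashing step. Please take the value from one place, for example a substituted placeholder in the style of @@MACHINE@@. Two partconf lines are visible here, selecting boot partition 1 and 7. If both stay in the script the second overrides the first, so only the intended one should remain. With 7 the bootloader lives in the user area, which Linux can write without the read-only default that the hardware boot partitions get. Finally, the empty "then ;" branch in the emmc_ack line reads more clearly as env exists emmc_ack || setenv emmc_ack 0.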
There was a problem hiding this comment.
set user partition (with ack) as bootable
| FB: ucmd setenv mmcdev ${emmc_dev} | ||
| FB: ucmd mmc dev ${emmc_dev} | ||
| FB: flash -raw2sparse all ../@@MFGTOOL_FLASH_IMAGE@@-@@MACHINE@@.wic | ||
| FB: flash bootloader ../imx-boot-@@MACHINE@@ |
There was a problem hiding this comment.
We still need to flash bootloaders in the full_image.uuu file.
There was a problem hiding this comment.
yes, in case we use boot0 partition.
If you check wks file for the wic image creation, you'll see that in the current setup I used user hw partition for everything, including SPL and U-Boot FIT
| WKS_FILE_mx8mm_sota = "sdimage-imx8-sota.wks.in" | ||
| ## iMX8MM EVK | ||
| MACHINE_FEATURES_remove_imx8mmevk = "qca9377 qca6174" | ||
| IMXBOOT_TARGETS_mx8mm = "flash_spl_signed" |
There was a problem hiding this comment.
Can we move this setting up under the *_mx8mm settings?
| +################################ | ||
| +# spl.bin + dtb + pad + ddr_fw # | ||
| +################################ | ||
| +u-boot-signed-spl-ddr.bin: u-boot-spl.bin $(lpddr4_imem_1d) $(lpddr4_dmem_1d) $(lpddr4_imem_2d) $(lpddr4_dmem_2d) |
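Review bot: the banner above the u-boot-signed-spl-ddr.bin rule describes the output as spl.bin + dtb + pad + ddr_fw, but the prerequisite list names only u-boot-spl.bin and the four lpddr4 firmware files. If the recipe body appends a separately built dtb (the commit message mentions dt-spl.dtb carrying the FIT signature), that dtb must be a prerequisite too. Otherwise make will not rebuild the signed SPL when the key or signature in the dtb changes, and a stale public key ends up in the flashed image. Please add the dtb to the prerequisites or correct the banner.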
There was a problem hiding this comment.
I'm going to explore adding the right dependencies to imx-boot recipe so that the build order is like this:
- atf compile / deploy
- op-tee compile / deploy
- u-boot compile: generates SPL and u-boot.bin
- use uboot-fitimage class to create u-boot.itb (signing the u-boot-spl.dtb in the process)
- build imx-boot for SPL only using deployed SPL.bin (signed dtb)
If we can do that then we can drop all of the u-boot.itb handling / u-boot.its patches here. This ensures as we make changes to the uboot-fitimage class in the future, they are still being used by imx8*.
Superseded by: #260
This is a rebased version of the initial version
#227
Boot: