Skip to content

Imx8mm secure boot support (updated)#260

Merged
ricardosalveti merged 11 commits intofoundriesio:masterfrom
mike-scott:master-mx8mm-changes
Feb 17, 2021
Merged

Imx8mm secure boot support (updated)#260
ricardosalveti merged 11 commits intofoundriesio:masterfrom
mike-scott:master-mx8mm-changes

Conversation

@mike-scott
Copy link
Copy Markdown
Contributor

@mike-scott mike-scott commented Feb 12, 2021
edited
Loading

This PR supersedes:
#254
#227

Key changes from previous PRs:

  • uboot-fitimage is used for u-boot.itb generation (not imx-boot): this makes imx-boot changes much cleaner as well as keeps 1 copy of the u-boot.its to manage.
  • patch cleanup / reduction

Boot:

U-Boot SPL 2020.04 (Jan 01 1970 - 00:00:00 +0000)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 3000MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC2
sha256,rsa2048:dev+ ## Checking hash(es) for Image atf ... sha256+ OK
## Checking hash(es) for Image uboot ... sha256+ OK
## Checking hash(es) for Image ubootfdt ... sha256+ OK
## Checking hash(es) for Image optee ... sha256+ OK
NOTICE:  BL31: v2.2(release):rel_imx_5.4.47_2.2.0-0-gc949a888e-dirty
NOTICE:  BL31: Built : 00:00:00, Jan  1 1970
I/TC: 
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 3.10.0-71-g9ca46e6b (gcc version 10.2.0 (GCC)) #1 Thu Jan  1 00:00:00 UTC 1970 aarch64
I/TC: Primary CPU initializing
I/TC: Primary CPU switching to normal world boot


U-Boot 2020.04 (Jan 01 1970 - 00:00:00 +0000)

CPU:   i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 38C
Reset cause: POR
Model: NXP i.MX8MM EVK board
DRAM:  2 GiB
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from FAT... *** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial

 BuildInfo:
  - ATF c949a88
  - U-Boot 2020.04

Net:   
Warning: ethernet@30be0000 using MAC address from ROM
eth0: ethernet@30be0000
3007 bytes read in 8 ms (366.2 KiB/s)
## Executing script at 40480000
sha256,rsa2048:dev+ sha256+ Using freescale_imx8mm-evk.dtb
Saving Environment to FAT... OK
463 bytes read in 10 ms (44.9 KiB/s)
13886670 bytes read in 55 ms (240.8 MiB/s)
## Loading kernel from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x4380010c
     Data Size:    9832939 Bytes = 9.4 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x40480000
     Entry Point:  0x40480000
     Hash algo:    sha256
     Hash value:   6fbdaae939bbeb051b4d813c7d92046103c9aad29be40151aed19a35dfc301b7
   Verifying Hash Integrity ... sha256+ OK
## Loading ramdisk from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'ramdisk@1' ramdisk subimage
     Description:  initramfs-ostree-lmp-image
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x441f8114
     Data Size:    3418221 Bytes = 3.3 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    sha256
     Hash value:   4e1ec60386533ff384f1f7a8c9e464037e57ca86673067066fcad710c89376f5
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 43800000 ...
   Using 'conf@freescale_imx8mm-evk.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt@freescale_imx8mm-evk.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x441aec4c
     Data Size:    44632 Bytes = 43.6 KiB
     Architecture: AArch64
     Load Address: 0x43000000
     Hash algo:    sha256
     Hash value:   9bf4d2595049e7ab9c6fce8d8c46f0f91890aeab52096cc9064a674169479c03
   Verifying Hash Integrity ... sha256+ OK
   Loading fdt from 0x441aec4c to 0x43000000
   Booting using the fdt blob at 0x43000000
   Uncompressing Kernel Image
   Using Device Tree in place at 0000000043000000, end 000000004300de57

Starting kernel ...

unable to select a mode
device_remove: Device '[email protected]' failed to remove, but children are gone
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.4.93-lmp-standard (oe-user@oe-host) (gcc version 10.2.0 (GCC)) #1 SMP PREEMPT Fri Feb 12 22:57:16 UTC 2021
[    0.000000] Machine model: FSL i.MX8MM EVK board
[    0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030890000 (options '115200')
[    0.000000] printk: bootconsole [ec_imx6q0] enabled

@mike-scott mike-scott self-assigned this Feb 12, 2021
@mike-scott mike-scott mentioned this pull request Feb 12, 2021
Closed
igoropaniuk
igoropaniuk reviewed Feb 15, 2021
View reviewed changes
Comment thread meta-lmp-bsp/conf/machine/include/lmp-machine-custom.inc
Comment thread meta-lmp-bsp/conf/machine/include/lmp-machine-custom.inc
Comment thread meta-lmp-bsp/wic/sdimage-imx8-spl-sota.wks.in
Comment thread meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio-mfgtool/imx8mmevk/lmp.cfg
@igoropaniuk
Copy link
Copy Markdown
Contributor

igoropaniuk commented Feb 15, 2021

Besides bootloader/bootloader2 approach in mfgtools/uuu, LGTM

igoropaniuk
igoropaniuk reviewed Feb 15, 2021
View reviewed changes
Comment thread meta-lmp-bsp/recipes-bsp/u-boot/u-boot-fio-mfgtool/imx8mmevk/lmp.cfg Outdated
@mike-scott
Copy link
Copy Markdown
Contributor Author

mike-scott commented Feb 16, 2021

Rebased and addressed @igoropaniuk comments

@ricardosalveti
Copy link
Copy Markdown
Member

ricardosalveti commented Feb 16, 2021

LGTM, nice set of changes, will do some local testing and report back.

mike-scott and others added 11 commits February 16, 2021 15:59
@mike-scott
base: u-boot-fio: 2020.04: bump to f0e3fc69
d8a07d2 
Relevant changes:
- f0e3fc69 [FIO extras] fiovb: sync ta header for upgrade_available support
- 4b6ffe1e [FIO extras] fiovb: add support to delete persistent values
- b7229946 [FIO internal] imx8mmevk: drop hardcoded USB configuration
- 203c7679 [FIO internal] imx8mm_evk: fix build issues when SPL_DM=y
- c8bb7924 [FIO internal] usb hub: don't use env if it's not enabled
- 40403e6d [FIO internal] imx8m: don't enable CAAM if OP-TEE is used
- 81bd72c4 [FIO toup] rsa-verify: fix aligment issues for SPL
- a46a3140 [FIO toup] cmd: scp03: enable and provision command
- 8e27c188 [FIO toup] common: TEE SCP03 control

Signed-off-by: Michael Scott <[email protected]>
@ldts @mike-scott
bsp: imx-mkimage: imx8mm: support SPL-only build
99104d6 
Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
Signed-off-by: Michael Scott <[email protected]>
@ldts @mike-scott
bsp: u-boot-fio: install spl-nodtb and UBOOT_MACHINE artifacts
343fc9d 
There are 2 paths for making u-boot and imx8 is typically setup to use.
For example from imx8mmevk.conf:
UBOOT_CONFIG ??= "sd"
UBOOT_CONFIG[sd] = "imx8mm_evk_config,sdcard"
UBOOT_CONFIG[fspi] = "imx8mm_evk_fspi_defconfig"
UBOOT_CONFIG[mfgtool] = "imx8mm_evk_config"

When configured to build u-boot this way, we get artifacts placed in
the following build dirs:
(1 build for each index in the UBOOT_CONFIG array)
${B}/${config}/

The uboot-fitimage class which generates u-boot.itb does not work with
files in this extra "config" subdir.  It expects UBOOT_CONFIG not to
be set, instead using the UBOOT_MACHINE method of building u-boot which
places the artifacts directly under the build dir:
${B}/

Let's handle both deployments, but for now we'll be using the
UBOOT_MACHINE method for building u-boot.

Also, generate extra symlinks to account for the imx-boot recipe attempting
to use UBOOT_CONFIG as a suffix which ends up being empty.

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Michael Scott <[email protected]>
@ldts @mike-scott
bsp: u-boot: mfgtool-files: install spl-nodtb and UBOOT_MACHINE artif…
606336d 
…acts

There are 2 paths for making u-boot and imx8 is typically setup to use.
For example from imx8mmevk.conf:
UBOOT_CONFIG ??= "sd"
UBOOT_CONFIG[sd] = "imx8mm_evk_config,sdcard"
UBOOT_CONFIG[fspi] = "imx8mm_evk_fspi_defconfig"
UBOOT_CONFIG[mfgtool] = "imx8mm_evk_config"

When configured to build u-boot this way, we get artifacts placed in
the following build dirs:
(1 build for each index in the UBOOT_CONFIG array)
${B}/${config}/

The uboot-fitimage class which generates u-boot.itb does not work with
files in this extra "config" subdir.  It expects UBOOT_CONFIG not to
be set, instead using the UBOOT_MACHINE method of building u-boot which
places the artifacts directly under the build dir:
${B}/

Let's handle both deployments, but for now we'll be using the
UBOOT_MACHINE method for building u-boot.

Also, generate extra symlinks to account for the imx-boot recipe attempting
to use UBOOT_CONFIG as a suffix which ends up being empty.

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Michael Scott <[email protected]>
@igoropaniuk @mike-scott
bsp: u-boot-fio: imx8mmevk: lmp.cfg: enable signature verification in…
5733c8a 
… SPL

- Enable FIT signature verification from SPL
- Adjust offset for 2nd stage bootloader (0x300)
- Enable flashing bootloader2 in u-boot
- Disable CONFIG_SPL_FIT_IMAGE_TINY

Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Michael Scott <[email protected]>
@igoropaniuk @mike-scott
bsp: wic: imx8: introduce a separate SPL image layout
020fa1d 
Introduce a separate SPL image layout, taking into account new boot sequence.

Signed-off-by: Igor Opaniuk <[email protected]>
@mike-scott
bsp: wic: sdimage-imx8-sota: fix comment to match reality
dbeef1d 
boot partition is 64MB

Signed-off-by: Michael Scott <[email protected]>
@mike-scott
bsp: mfgtool-files: mx8mm: deploy u-boot.itb and kernel fit-image
f6c2e94 
Signed-off-by: Michael Scott <[email protected]>
@ldts @mike-scott
bsp: mfgtool-files: flash separated imx-boot and U-Boot FIT
d833f59 
Flash separated imx-boot(SPL) and U-Boot instead of old image format,
where everything was packed into one imx boot image.

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>
Signed-off-by: Igor Opaniuk <[email protected]>
Signed-off-by: Michael Scott <[email protected]>
@mike-scott
bsp: imx-atf: add compatibility and deployment to use uboot-fitimage …
77349ff 
…generation

To use uboot-fitimage with mx8m we require changes to the imx-atf recipe:
- provide virtual/virtual/trusted-firmware-a
- deploy firmware to ${DEPLOYDIR}

Signed-off-by: Michael Scott <[email protected]>
@mike-scott
bsp: lmp-machine-custom: mx8mm: changes for imx-boot and uboot-fitmag…
f2475a3 
…e class

Additional cleanups:
- re-group imx8mmevk settings under the mx8mm settings
- mfgtool: fix u-boot-default-script setting

Signed-off-by: Michael Scott <[email protected]>
ricardosalveti
ricardosalveti approved these changes Feb 17, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@ricardosalveti ricardosalveti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All good, working as expected.

@ricardosalveti ricardosalveti merged commit e9f4da9 into foundriesio:master Feb 17, 2021
@mike-scott mike-scott deleted the master-mx8mm-changes branch March 9, 2021 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@igoropaniuk igoropaniuk igoropaniuk left review comments

@ricardosalveti ricardosalveti ricardosalveti approved these changes

@ldts ldts Awaiting requested review from ldts

Assignees

@mike-scott mike-scott

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mike-scott @igoropaniuk @ricardosalveti @ldts