[U-Boot] [PATCH v2 00/17] warp7: Enable automated OPTEE/HAB boot flow

[U-Boot] [PATCH v2 00/17] warp7: Enable automated OPTEE/HAB boot flow

[Bryan O'Donoghue]

https://git.linaro.org/landing-teams/working/mbl/u-boot.git/log/?h=linaro-mbl%2bbod

v2:
- Ensure warp7_defconfig boots existing yocto with this change plus the
  automated HAB layer being added here following on from "[PATCH v3 0/2]
  WaRP7 unify secure and non-secure defconfigs"

- Fix reference to partition #1 versus partition #2 in select uuidpart
  patch

- Rebase on top of Pierre-Jean Texier generic load patches

- Drop my patch which did the same thing as Pierre-Jean's patch via
  ${loadcmd}

- Update example boot.scr from v1 to reflect use of generic 'load' command

- This patchset now relies on four in-flight patch-sets which all have the
  relevant Reviewed-by tags from the board Maintainer Fabio.
 
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs

4. Pierre-Jean's generic load patches

   [U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
   in CONFIG_EXTRA_ENV_SETTINGS

   [U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC
 
v1:
This series enables an automated HAB verified secure boot which chain-loads
via OPTEE see `git show 5cf3251..c225e7c` for details.

This set depends on three in-flight patchsets

1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH] configs: warp7: Fix CAAM on boot with tip-of-tree

I'm trying not to make this cover email too long. So - once this set is
applied it is possible to boot from the BootROM using HAB to verify

- u-boot
- boot.scr
- Kernel
- DTB

Chainload via OPTEE and boot up to Linux. If there is a HAB failure at any
stage of the process we force-drop down to the USB HID failover mode, from
which we can send up a recovery image to unblock.

I've run the WaRP7 default u-boot and this new version on NXP's reference
yocto image and verified that that yocto image boots with both versions of
the WaRP7 -> warp7_defconfig and warp7_secure_defconfig.

http://freescale.github.io/#download -> BoardsWaRPboard community - WaRP -
Wearable Reference PlatformFSL Community BSP 2.3fsl-image-multimediawayland

In addition the modifications targeting warp7_secure_defconfig mean it is
possible to chain-load via OPTEE using scripted HAB to verify images prior
to exiting the u-boot domain.

Here is an example of the scripting we are doing which shows further reuse
of shell functions introduced in previous patches.

#### Example secure-boot boot.scr.imx-signed ####

# This section is responsbile for loading a signed Linux kernel
setenv image_signed zImage.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${image_signed}
	run warp7_auth_or_fail
else
	run loadimage;
fi

# This section is responsbile for loading a signed FDT image
setenv fdt_file_signed imx7s-warp.dtb.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${fdt_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${fdt_file_signed}
	run warp7_auth_or_fail
else
	run loadfdt;
fi

# Boot from rootfs1 by default
setenv mmcpart 3

# But if the rootfs2 file exists in partition 2, boot from rootfs2
ext4size mmc 0:2 rootfs2 && setenv mmcpart 5

# This section is responsbile for loading a signed OPTEE image
setenv optee_file /lib/firmware/uTee.optee
setenv optee_file_signed /lib/firmware/uTee.optee.imx-signed
setenv loadoptee "load mmc ${mmcdev}:${mmcpart} ${optee_addr}
${optee_file}"
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${optee_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr}
${optee_file_signed}
	run warp7_auth_or_fail
else
	run loadoptee;
fi

# Set UUID mmcpart will be used to pass root id to kernel
setenv rootpart ${mmcpart}
run finduuid;
run mmcargs;

# Now boot
echo Booting secure Linux/OPTEE OS from mmc ...;
bootm ${optee_addr} - ${fdt_addr};

# Failsafe if something goes wrong
hab_failsafe

Bryan O'Donoghue (17):
  imximage: Specify default IVT offset in IMX image
  warp7: hab: Add a CSF location definition
  warp7: hab: Set environment variable indicating HAB enable
  warp7: defconfig: Enable OPTEE for WaRP7
  warp7: Allocate specific region of memory to OPTEE
  warp7: Print out the OPTEE DRAM region
  warp7: Specify CONFIG_OPTEE_LOAD_ADDR
  warp7: defconfig: Enable CONFIG_SECURE_BOOT
  warp7: defconfig: Enable CONFIG_BOOTM_TEE
  warp7: Make CONFIG_SYS_FDT_ADDR a define
  warp7: Add Kconfig WARP7_ROOT_PART
  warp7: select uuid partition based on rootpart
  warp7: Define the name of a signed boot-script file
  warp7: add warp7_auth_or_fail
  warp7: hab: Set environment variable indicating IVT offset
  warp7: defconfig: Enable CMD_SETEXPR
  warp7: Add support for automated secure boot.scr verification

 board/warp7/Kconfig      | 14 ++++++++++++++
 board/warp7/imximage.cfg |  4 ++++
 board/warp7/warp7.c      | 23 +++++++++++++++++++++++
 configs/warp7_defconfig  |  6 +++++-
 include/configs/warp7.h  | 22 ++++++++++++++++++++--
 include/imximage.h       |  3 +++
 6 files changed, 69 insertions(+), 3 deletions(-)

-- 
2.7.4

[U-Boot] [PATCH v2 01/17] imximage: Specify default IVT offset in IMX image

[Bryan O'Donoghue]

This patch adds BOOTROM_IVT_HDR_OFFSET at 0xC00. The BootROM expects to
find the IVT header at a particular offset in an i.MX image.

Defining the expected offset of the IVT header in the first-stage BootROM
image format is of use of later stage authentication routines where those
routines continue to follow the first-stage authentication layout.

This patch defines the first stage offset which later patch make use of.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
---
 include/imximage.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/imximage.h b/include/imximage.h
index 553b852..800fd63 100644
--- a/include/imximage.h
+++ b/include/imximage.h
@@ -14,6 +14,9 @@
 #define APP_CODE_BARKER	0xB1
 #define DCD_BARKER	0xB17219E9
 
+/* Specify the offset of the IVT in the IMX header as expected by BootROM */
+#define BOOTROM_IVT_HDR_OFFSET	0xC00
+
 /*
  * NOTE: This file must be kept in sync with arch/arm/include/asm/\
  *       mach-imx/imximage.cfg because tools/imximage.c can not
-- 
2.7.4

[U-Boot] [PATCH v2 02/17] warp7: hab: Add a CSF location definition

[Bryan O'Donoghue]

In order to correctly produce an image with a IVT/DCD header we need to
define a CSF in imximage.cfg. We just use the mx7 default here.

All we have to do with this option switched on is "make u-boot.imx" and we
then will get

- u-boot.imx
- u-boot.imx.log

The log file is really important because it gives the addresses for the HAB
that we will require to sign the u-boot image using the CST. Since the
addresses can change this logfile is a critical output.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 board/warp7/imximage.cfg | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/board/warp7/imximage.cfg b/board/warp7/imximage.cfg
index 5b42793..51a5bff 100644
--- a/board/warp7/imximage.cfg
+++ b/board/warp7/imximage.cfg
@@ -13,6 +13,10 @@
 #include <config.h>
 
 IMAGE_VERSION	2
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
+
 BOOT_FROM	sd
 
 /*
-- 
2.7.4

[U-Boot] [PATCH v2 03/17] warp7: hab: Set environment variable indicating HAB enable

[Bryan O'Donoghue]

This patch adds an environment variable called "hab_enabled" which gets set
to a boolean status indicating whether HAB is enabled or not.

Subsequent patches can use this environment variable to determine if its
necessary to run a given binary through the hab_auth_img console command.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 board/warp7/warp7.c     | 8 ++++++++
 include/configs/warp7.h | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/board/warp7/warp7.c b/board/warp7/warp7.c
index 327f656..0d3d324 100644
--- a/board/warp7/warp7.c
+++ b/board/warp7/warp7.c
@@ -10,6 +10,7 @@
 #include <asm/arch/mx7-pins.h>
 #include <asm/arch/sys_proto.h>
 #include <asm/gpio.h>
+#include <asm/mach-imx/hab.h>
 #include <asm/mach-imx/iomux-v3.h>
 #include <asm/mach-imx/mxc_i2c.h>
 #include <asm/io.h>
@@ -203,6 +204,13 @@ int board_late_init(void)
 	 */
 	clrsetbits_le16(&wdog->wcr, 0, 0x10);
 
+#ifdef CONFIG_SECURE_BOOT
+	/* Determine HAB state */
+	env_set_ulong(HAB_ENABLED_ENVNAME, imx_hab_is_enabled());
+#else
+	env_set_ulong(HAB_ENABLED_ENVNAME, 0);
+#endif
+
 #ifdef CONFIG_SERIAL_TAG
 	/* Set serial# standard environment variable based on OTP settings */
 	get_board_serial(&serialnr);
diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 98fedb8..10db716 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -139,4 +139,7 @@
 
 #define CONFIG_USBNET_DEV_ADDR		"de:ad:be:af:00:01"
 
+/* Environment variable name to represent HAB enable state */
+#define HAB_ENABLED_ENVNAME		"hab_enabled"
+
 #endif
-- 
2.7.4

[U-Boot] [PATCH v2 04/17] warp7: defconfig: Enable OPTEE for WaRP7

[Bryan O'Donoghue]

Requires setting CONFIG_OPTEE=y and setting an OPTEE TrustZone DRAM base in
include/configs/warp7.h.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 configs/warp7_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
index d720bac..3dbcd69 100644
--- a/configs/warp7_defconfig
+++ b/configs/warp7_defconfig
@@ -44,3 +44,4 @@ CONFIG_USB_ETHER=y
 CONFIG_USB_ETH_CDC=y
 CONFIG_USBNET_HOST_ADDR="de:ad:be:af:00:00"
 CONFIG_OF_LIBFDT=y
+CONFIG_OPTEE=y
-- 
2.7.4

[U-Boot] [PATCH v2 05/17] warp7: Allocate specific region of memory to OPTEE

[Bryan O'Donoghue]

Subtracts CONFIG_OPTEE_TZDRAM_SIZE from the available DRAM size.

On WaRP7 we simply define the OPTEE region as from the maximum DRAM address
minus CONFIG_OPTEE_TZDRAM_SIZE bytes.

Note the OPTEE boot process will itself subtract the DRAM region it lives
in from the memory map passed to Linux.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 board/warp7/warp7.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/board/warp7/warp7.c b/board/warp7/warp7.c
index 0d3d324..56f0cdd 100644
--- a/board/warp7/warp7.c
+++ b/board/warp7/warp7.c
@@ -58,6 +58,11 @@ int dram_init(void)
 {
 	gd->ram_size = PHYS_SDRAM_SIZE;
 
+	/* Subtract the defined OPTEE runtime firmware length */
+#ifdef CONFIG_OPTEE_TZDRAM_SIZE
+		gd->ram_size -= CONFIG_OPTEE_TZDRAM_SIZE;
+#endif
+
 	return 0;
 }
 
-- 
2.7.4

[U-Boot] [PATCH v2 06/17] warp7: Print out the OPTEE DRAM region

[Bryan O'Donoghue]

Right now a region of 0x300000 bytes is allocated at the end of DRAM for
the purposes of loading an OPTEE firmware inside of it. This patch adds the
printout of the relevant address ranges.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 board/warp7/warp7.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/board/warp7/warp7.c b/board/warp7/warp7.c
index 56f0cdd..da52b18 100644
--- a/board/warp7/warp7.c
+++ b/board/warp7/warp7.c
@@ -181,7 +181,17 @@ int checkboard(void)
 	else
 		mode = "non-secure";
 
+#ifdef CONFIG_OPTEE_TZDRAM_SIZE
+	unsigned long optee_start, optee_end;
+
+	optee_end = PHYS_SDRAM + PHYS_SDRAM_SIZE;
+	optee_start = optee_end - CONFIG_OPTEE_TZDRAM_SIZE;
+
+	printf("Board: WARP7 in %s mode OPTEE DRAM 0x%08lx-0x%08lx\n",
+	       mode, optee_start, optee_end);
+#else
 	printf("Board: WARP7 in %s mode\n", mode);
+#endif
 
 	return 0;
 }
-- 
2.7.4

[U-Boot] [PATCH v2 06/17] warp7: Print out the OPTEE DRAM region

[Breno Matheus Lima]

Hi Bryan,

2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> Right now a region of 0x300000 bytes is allocated at the end of DRAM for
> the purposes of loading an OPTEE firmware inside of it. This patch adds the
> printout of the relevant address ranges.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

Just a quick question here, It was your intention to do not add
CONFIG_OPTEE_TZDRAM_SIZE=0x300000 in your series? So users can setup
according their requirements?

Thanks,
Breno Lima

[U-Boot] [PATCH v2 06/17] warp7: Print out the OPTEE DRAM region

[Bryan O'Donoghue]

On 07/04/18 13:36, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> 2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
>> Right now a region of 0x300000 bytes is allocated at the end of DRAM for
>> the purposes of loading an OPTEE firmware inside of it. This patch adds the
>> printout of the relevant address ranges.
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> 
> Just a quick question here, It was your intention to do not add
> CONFIG_OPTEE_TZDRAM_SIZE=0x300000 in your series? So users can setup
> according their requirements?

d89a5aa6d086e4b3242dbdbe97183f5b25468299 ("optee: Add 
CONFIG_OPTEE_TZDRAM_SIZE") defaults to 0x300000 but you can set the size 
to whatever you like in your defconfig.

The important thing is to make sure u-boot and optee agree what the size 
of the eaten chunk is.

[U-Boot] [PATCH v2 07/17] warp7: Specify CONFIG_OPTEE_LOAD_ADDR

[Bryan O'Donoghue]

In order to sign images with the IMX code-signing-tool (CST) we need to
know the load address of a given image. The best way to derive this load
address is to make it into a define - so that u-boot.cfg contains the
address - which we can then parse when generating the IMX CST headers.

This patch makes the OPTEE_LOAD_ADDR available via u-boot.cfg for further
parsing by external tools.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
---
 configs/warp7_defconfig | 1 +
 include/configs/warp7.h | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
index 3dbcd69..c647cd0 100644
--- a/configs/warp7_defconfig
+++ b/configs/warp7_defconfig
@@ -45,3 +45,4 @@ CONFIG_USB_ETH_CDC=y
 CONFIG_USBNET_HOST_ADDR="de:ad:be:af:00:00"
 CONFIG_OF_LIBFDT=y
 CONFIG_OPTEE=y
+CONFIG_OPTEE_LOAD_ADDR=0x84000000
diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 10db716..e12b90b 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -40,6 +40,7 @@
 	"initrd_high=0xffffffff\0" \
 	"fdt_file=imx7s-warp.dtb\0" \
 	"fdt_addr=0x83000000\0" \
+	"optee_addr=" __stringify(CONFIG_OPTEE_LOAD_ADDR)"\0" \
 	"boot_fdt=try\0" \
 	"ip_dyn=yes\0" \
 	"mmcdev="__stringify(CONFIG_SYS_MMC_ENV_DEV)"\0" \
-- 
2.7.4

[U-Boot] [PATCH v2 07/17] warp7: Specify CONFIG_OPTEE_LOAD_ADDR

[Breno Matheus Lima]

Hi Bryan,

2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> In order to sign images with the IMX code-signing-tool (CST) we need to
> know the load address of a given image. The best way to derive this load
> address is to make it into a define - so that u-boot.cfg contains the
> address - which we can then parse when generating the IMX CST headers.
>
> This patch makes the OPTEE_LOAD_ADDR available via u-boot.cfg for further
> parsing by external tools.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
> ---
>  configs/warp7_defconfig | 1 +
>  include/configs/warp7.h | 1 +
>  2 files changed, 2 insertions(+)
>
> diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
> index 3dbcd69..c647cd0 100644
> --- a/configs/warp7_defconfig
> +++ b/configs/warp7_defconfig
> @@ -45,3 +45,4 @@ CONFIG_USB_ETH_CDC=y
>  CONFIG_USBNET_HOST_ADDR="de:ad:be:af:00:00"
>  CONFIG_OF_LIBFDT=y
>  CONFIG_OPTEE=y
> +CONFIG_OPTEE_LOAD_ADDR=0x84000000


I'm seeing the following in my U-Boot environment variables, seems
that CONFIG_OPTEE_LOAD_ADDR it's not being correctly defined:
...
mmcpart=1
optee_addr=CONFIG_OPTEE_LOAD_ADDR
rootpart=2
...

Moving CONFIG_OPTEE_LOAD_ADDR to Kconfig address this issue, can you
please check if the same is happening in your side?

--- a/board/warp7/Kconfig
+++ b/board/warp7/Kconfig
@@ -20,4 +20,10 @@ config SYS_FDT_ADDR
     help
       The address the FDT file should be loaded to.

+config OPTEE_LOAD_ADDR
+    hex "OPTEE load address"
+    default 0x84000000
+    help
+      The address the OPTEE binary should be loaded to.
+
 endif

--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@@ -1469,6 +1469,7 @@ CONFIG_OMAP_EHCI_PHY2_RESET_GPIO
 CONFIG_OMAP_EHCI_PHY3_RESET_GPIO
 CONFIG_OMAP_USB2PHY2_HOST
 CONFIG_OMAP_USB3PHY1_HOST
+CONFIG_OPTEE_LOAD_ADDR
 CONFIG_ORIGEN

U-Boot environment variables after applying the patch above:
...
mmcpart=1
optee_addr=0x84000000
rootpart=2
...

Thanks,
Breno Lima

[U-Boot] [PATCH v2 07/17] warp7: Specify CONFIG_OPTEE_LOAD_ADDR

[Bryan O'Donoghue]

On 07/04/18 13:23, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> 2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
>> In order to sign images with the IMX code-signing-tool (CST) we need to
>> know the load address of a given image. The best way to derive this load
>> address is to make it into a define - so that u-boot.cfg contains the
>> address - which we can then parse when generating the IMX CST headers.
>>
>> This patch makes the OPTEE_LOAD_ADDR available via u-boot.cfg for further
>> parsing by external tools.
>>
>> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
>> Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
>> ---
>>   configs/warp7_defconfig | 1 +
>>   include/configs/warp7.h | 1 +
>>   2 files changed, 2 insertions(+)
>>
>> diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
>> index 3dbcd69..c647cd0 100644
>> --- a/configs/warp7_defconfig
>> +++ b/configs/warp7_defconfig
>> @@ -45,3 +45,4 @@ CONFIG_USB_ETH_CDC=y
>>   CONFIG_USBNET_HOST_ADDR="de:ad:be:af:00:00"
>>   CONFIG_OF_LIBFDT=y
>>   CONFIG_OPTEE=y
>> +CONFIG_OPTEE_LOAD_ADDR=0x84000000
> 
> 
> I'm seeing the following in my U-Boot environment variables, seems
> that CONFIG_OPTEE_LOAD_ADDR it's not being correctly defined:

Can you try again after doing this

make clean; make mrproper; make warp7_config;make u-boot.imx arch=ARM 
CROSS_COMPILE=/opt/linaro/gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-

works for me

[U-Boot] [PATCH v2 08/17] warp7: defconfig: Enable CONFIG_SECURE_BOOT

[Bryan O'Donoghue]

Various function associated with booting the WaRP7 in High Assurance Boot
(HAB) mode are enabled by switching on CONFIG_SECURE_BOOT.

This patch enables CONFIG_SECURE_BOOT for the WaRP7 defconfig.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 configs/warp7_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
index c647cd0..efb6f51 100644
--- a/configs/warp7_defconfig
+++ b/configs/warp7_defconfig
@@ -1,5 +1,6 @@
 CONFIG_ARM=y
 CONFIG_ARCH_MX7=y
+CONFIG_SECURE_BOOT=y
 CONFIG_SYS_TEXT_BASE=0x87800000
 CONFIG_TARGET_WARP7=y
 CONFIG_ARMV7_BOOT_SEC_DEFAULT=y
-- 
2.7.4

[U-Boot] [PATCH v2 09/17] warp7: defconfig: Enable CONFIG_BOOTM_TEE

[Bryan O'Donoghue]

This patch enables CONFIG_BOOTM_TEE. Once enabled its possible to
chain-load Linux through OPTEE.

Loading kernel to 0x80800000
=> run loadimage

Load FDT to 0x83000000
=> run loadfdt

Load OPTEE to 0x84000000
=> fatload mmc 0:5 0x84000000 /lib/firmware/uTee.optee

Then chain-load to the kernel via OPTEE

=> bootm 0x84000000 - 0x83000000

   Image Name:
   Image Type:   ARM Trusted Execution Environment Kernel Image (uncompressed)
   Data Size:    249844 Bytes = 244 KiB
   Load Address: 9dffffe4
   Entry Point:  9e000000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 configs/warp7_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
index efb6f51..d5dc009 100644
--- a/configs/warp7_defconfig
+++ b/configs/warp7_defconfig
@@ -47,3 +47,4 @@ CONFIG_USBNET_HOST_ADDR="de:ad:be:af:00:00"
 CONFIG_OF_LIBFDT=y
 CONFIG_OPTEE=y
 CONFIG_OPTEE_LOAD_ADDR=0x84000000
+CONFIG_BOOTM_OPTEE=y
-- 
2.7.4

[U-Boot] [PATCH v2 09/17] warp7: defconfig: Enable CONFIG_BOOTM_TEE

[Breno Matheus Lima]

Hi Bryan,

2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> This patch enables CONFIG_BOOTM_TEE. Once enabled its possible to
> chain-load Linux through OPTEE.
>
> Loading kernel to 0x80800000
> => run loadimage
>
> Load FDT to 0x83000000
> => run loadfdt
>
> Load OPTEE to 0x84000000
> => fatload mmc 0:5 0x84000000 /lib/firmware/uTee.optee
>
> Then chain-load to the kernel via OPTEE
>
> => bootm 0x84000000 - 0x83000000
>
>    Image Name:
>    Image Type:   ARM Trusted Execution Environment Kernel Image (uncompressed)
>    Data Size:    249844 Bytes = 244 KiB
>    Load Address: 9dffffe4
>    Entry Point:  9e000000
>    Verifying Checksum ... OK
>    Loading Kernel Image ... OK


I'm seeing the following cache misaligned operation warning in my
environment, did I miss something on my OPTEE build?

=> bootm 0x84000000 - 0x83000000
## Booting kernel from Legacy Image at 84000000 ...
   Image Name:
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    274844 Bytes = 268.4 KiB
   Load Address: 9dffffe4
   Entry Point:  9e000000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 83000000
   Booting using the fdt blob at 0x83000000
   Loading Kernel Image ... OK
CACHE: Misaligned operation at range [9dffffe4, 9e0431a4]
   Using Device Tree in place at 83000000, end 830095b6

Thanks,
Breno Lima

[U-Boot] [PATCH v2 09/17] warp7: defconfig: Enable CONFIG_BOOTM_TEE

[Bryan O'Donoghue]

On 07/04/18 13:32, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> 2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
>> This patch enables CONFIG_BOOTM_TEE. Once enabled its possible to
>> chain-load Linux through OPTEE.
>>
>> Loading kernel to 0x80800000
>> => run loadimage
>>
>> Load FDT to 0x83000000
>> => run loadfdt
>>
>> Load OPTEE to 0x84000000
>> => fatload mmc 0:5 0x84000000 /lib/firmware/uTee.optee
>>
>> Then chain-load to the kernel via OPTEE
>>
>> => bootm 0x84000000 - 0x83000000
>>
>>     Image Name:
>>     Image Type:   ARM Trusted Execution Environment Kernel Image (uncompressed)
>>     Data Size:    249844 Bytes = 244 KiB
>>     Load Address: 9dffffe4
>>     Entry Point:  9e000000
>>     Verifying Checksum ... OK
>>     Loading Kernel Image ... OK
> 
> 
> I'm seeing the following cache misaligned operation warning in my
> environment, did I miss something on my OPTEE build?
> 
> => bootm 0x84000000 - 0x83000000
> ## Booting kernel from Legacy Image at 84000000 ...
>     Image Name:
>     Image Type:   ARM Linux Kernel Image (uncompressed)
>     Data Size:    274844 Bytes = 268.4 KiB
>     Load Address: 9dffffe4
>     Entry Point:  9e000000
>     Verifying Checksum ... OK
> ## Flattened Device Tree blob at 83000000
>     Booting using the fdt blob at 0x83000000
>     Loading Kernel Image ... OK
> CACHE: Misaligned operation at range [9dffffe4, 9e0431a4]
>     Using Device Tree in place at 83000000, end 830095b6

No.

I hadn't paid too much attention to this but - yeah, I'll add something 
to this series to flush the range starting at (9e000000 - cache_line_size).

The alternative is to change the entry point address which requires an 
OPTEE change

[U-Boot] [PATCH v2 10/17] warp7: Make CONFIG_SYS_FDT_ADDR a define

[Bryan O'Donoghue]

In order to sign images with the IMX code-signing-tool (CST) we need to
know the load address of a given image. The best way to derive this load
address is to make it into a define - so that u-boot.cfg contains the
address - which we can then parse when generating the IMX CST headers.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
---
 board/warp7/Kconfig     | 6 ++++++
 include/configs/warp7.h | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/board/warp7/Kconfig b/board/warp7/Kconfig
index 61c33fb..00df19d 100644
--- a/board/warp7/Kconfig
+++ b/board/warp7/Kconfig
@@ -6,4 +6,10 @@ config SYS_BOARD
 config SYS_CONFIG_NAME
 	default "warp7"
 
+config SYS_FDT_ADDR
+	hex "FDT load address"
+	default 0x83000000
+	help
+	  The address the FDT file should be loaded to.
+
 endif
diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index e12b90b..344042c 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -39,7 +39,7 @@
 	"fdt_high=0xffffffff\0" \
 	"initrd_high=0xffffffff\0" \
 	"fdt_file=imx7s-warp.dtb\0" \
-	"fdt_addr=0x83000000\0" \
+	"fdt_addr=" __stringify(CONFIG_SYS_FDT_ADDR)"\0" \
 	"optee_addr=" __stringify(CONFIG_OPTEE_LOAD_ADDR)"\0" \
 	"boot_fdt=try\0" \
 	"ip_dyn=yes\0" \
-- 
2.7.4

[U-Boot] [PATCH v2 11/17] warp7: Add Kconfig WARP7_ROOT_PART

[Bryan O'Donoghue]

Adding CONFIG_WARP7_ROOT_PART allows a defconfig to specify which partition
is use as the root partition on WaRP7, this is a desirable change in order
to support a different partitioning schemes. The default is the current
partition #2.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 board/warp7/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/board/warp7/Kconfig b/board/warp7/Kconfig
index 00df19d..c089bca 100644
--- a/board/warp7/Kconfig
+++ b/board/warp7/Kconfig
@@ -6,6 +6,14 @@ config SYS_BOARD
 config SYS_CONFIG_NAME
 	default "warp7"
 
+config WARP7_ROOT_PART
+	int "Partition number to use for root filesystem"
+	default 2
+	help
+	  The partition number to use for root filesystem this is the
+	  partition that is typically specified with root=/dev/sdaX or
+	  which gets converted into a root=PARTUUID=some_uuid.
+
 config SYS_FDT_ADDR
 	hex "FDT load address"
 	default 0x83000000
-- 
2.7.4

[U-Boot] [PATCH v2 12/17] warp7: select uuid partition based on rootpart

[Bryan O'Donoghue]

Assigning the UUID discovery path to a tweakable environment variable means
that later steps in the boot process - particularly a boot script can
change the target root partition of a particular Linux boot.

Retargeting the rootfs is an important feature when doing ping/pong
upgrades allowing a boot script to select ping or pong as necessary without
reprogramming the bootloader.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 include/configs/warp7.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 344042c..54b3b31 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -45,7 +45,8 @@
 	"ip_dyn=yes\0" \
 	"mmcdev="__stringify(CONFIG_SYS_MMC_ENV_DEV)"\0" \
 	"mmcpart=" __stringify(CONFIG_SYS_MMC_IMG_LOAD_PART) "\0" \
-	"finduuid=part uuid mmc 0:2 uuid\0" \
+	"rootpart=" __stringify(CONFIG_WARP7_ROOT_PART) "\0" \
+	"finduuid=part uuid mmc 0:${rootpart} uuid\0" \
 	"mmcargs=setenv bootargs console=${console},${baudrate} " \
 		"root=PARTUUID=${uuid} rootwait rw\0" \
 	"loadbootscript=" \
-- 
2.7.4

[U-Boot] [PATCH v2 13/17] warp7: Define the name of a signed boot-script file

[Bryan O'Donoghue]

We need to know the name of a signed boot-script, its better to have a
separate variable for this then to simply append some fixed string to an
existing image name.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 include/configs/warp7.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 54b3b31..0ed95d8 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -33,6 +33,7 @@
 #define CONFIG_EXTRA_ENV_SETTINGS \
 	CONFIG_DFU_ENV_SETTINGS \
 	"script=boot.scr\0" \
+	"script_signed=boot.scr.imx-signed\0" \
 	"image=zImage\0" \
 	"console=ttymxc0\0" \
 	"ethact=usb_ether\0" \
-- 
2.7.4

[U-Boot] [PATCH v2 14/17] warp7: add warp7_auth_or_fail

[Bryan O'Donoghue]

Doing secure boot on the WaRP7 using a common image format and the same
variable to represent the base address for each call means we can reduce
down the command to a single environment command.

This patch adds warp7_auth_or_fail as a wrapper around
"hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0".

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 include/configs/warp7.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 0ed95d8..454bc1c 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -50,6 +50,7 @@
 	"finduuid=part uuid mmc 0:${rootpart} uuid\0" \
 	"mmcargs=setenv bootargs console=${console},${baudrate} " \
 		"root=PARTUUID=${uuid} rootwait rw\0" \
+	"warp7_auth_or_fail=hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0;\0" \
 	"loadbootscript=" \
 		"load mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};\0" \
 	"bootscript=echo Running bootscript from mmc ...; " \
-- 
2.7.4

[U-Boot] [PATCH v2 15/17] warp7: hab: Set environment variable indicating IVT offset

[Bryan O'Donoghue]

This patch introduces the environment variable ivt_offset. When we define a
load address for Linux or DTB or any file the IVT associated with that file
is prepended. We extract the actual load addresses from u-boot.cfg and feed
these values into the code-signing process - hence we want u-boot to have
the real load addresses exported in uboot.cfg.

ivt_offset represents the addition or subtraction from the load address
that must happen to find an IVT header.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 include/configs/warp7.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index 454bc1c..fe9b7d5 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -10,6 +10,7 @@
 #define __WARP7_CONFIG_H
 
 #include "mx7_common.h"
+#include <imximage.h>
 
 #define PHYS_SDRAM_SIZE			SZ_512M
 
@@ -50,6 +51,7 @@
 	"finduuid=part uuid mmc 0:${rootpart} uuid\0" \
 	"mmcargs=setenv bootargs console=${console},${baudrate} " \
 		"root=PARTUUID=${uuid} rootwait rw\0" \
+	"ivt_offset=" __stringify(BOOTROM_IVT_HDR_OFFSET)"\0"\
 	"warp7_auth_or_fail=hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0;\0" \
 	"loadbootscript=" \
 		"load mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};\0" \
-- 
2.7.4

[U-Boot] [PATCH v2 16/17] warp7: defconfig: Enable CMD_SETEXPR

[Bryan O'Donoghue]

setexpr allows us to do arithmetic for env variables - something that is
both useful and required when doing HAB authentication without hard-coding
HAB load addresses.

Enable setexpr in the secure defconfig - it's not required for the unsecure
version.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 configs/warp7_defconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configs/warp7_defconfig b/configs/warp7_defconfig
index d5dc009..13c760d 100644
--- a/configs/warp7_defconfig
+++ b/configs/warp7_defconfig
@@ -21,7 +21,7 @@ CONFIG_CMD_MMC=y
 CONFIG_CMD_PART=y
 CONFIG_CMD_USB=y
 CONFIG_CMD_USB_MASS_STORAGE=y
-# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_SETEXPR=y
 CONFIG_CMD_DHCP=y
 CONFIG_CMD_CACHE=y
 CONFIG_CMD_EXT2=y
-- 
2.7.4

[U-Boot] [PATCH v2 16/17] warp7: defconfig: Enable CMD_SETEXPR

[Breno Matheus Lima]

Hi Bryan,

2018-04-02 19:42 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> setexpr allows us to do arithmetic for env variables - something that is
> both useful and required when doing HAB authentication without hard-coding
> HAB load addresses.
>
> Enable setexpr in the secure defconfig - it's not required for the unsecure
> version.

I believe we can reword this sentence since the warp7_secure_defconfig
were removed :)

Thanks,
Breno Lima

[U-Boot] [PATCH v2 17/17] warp7: Add support for automated secure boot.scr verification

[Bryan O'Donoghue]

This patch adds support for verifying a signed boot.scr. With this in place
it's possible for run-time Linux to update boot.scr to set different
variables such as switching between different boot partitions, pointing to
different kernels etc and for u-boot to verify these changes via the HAB
prior to executing the commands contained in boot.scr.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
 include/configs/warp7.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/configs/warp7.h b/include/configs/warp7.h
index fe9b7d5..f340bff 100644
--- a/include/configs/warp7.h
+++ b/include/configs/warp7.h
@@ -53,6 +53,14 @@
 		"root=PARTUUID=${uuid} rootwait rw\0" \
 	"ivt_offset=" __stringify(BOOTROM_IVT_HDR_OFFSET)"\0"\
 	"warp7_auth_or_fail=hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0;\0" \
+	"do_bootscript_hab=" \
+		"if test ${hab_enabled} -eq 1; then " \
+			"setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}; " \
+			"setenv script ${script_signed}; " \
+			"load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${script}; " \
+			"run warp7_auth_or_fail; " \
+			"run bootscript; "\
+		"fi;\0" \
 	"loadbootscript=" \
 		"load mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};\0" \
 	"bootscript=echo Running bootscript from mmc ...; " \
@@ -79,6 +87,7 @@
 #define CONFIG_BOOTCOMMAND \
 	   "mmc dev ${mmcdev};" \
 	   "mmc dev ${mmcdev}; if mmc rescan; then " \
+		   "run do_bootscript_hab;" \
 		   "if run loadbootscript; then " \
 			   "run bootscript; " \
 		   "else " \
-- 
2.7.4