From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.3 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2433C12002 for ; Mon, 19 Jul 2021 04:01:48 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 098F8610C7 for ; Mon, 19 Jul 2021 04:01:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 098F8610C7 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=denx.de Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id C1CB68033E; Mon, 19 Jul 2021 06:01:45 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=denx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1626667306; bh=JHcyJufEmRN5xwL6kG8sLMMCeOGPz387i4rMQoQnaAQ=; h=Subject:To:Cc:References:From:Date:In-Reply-To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Reply-To:From; b=cxPiiJghpaZOJhMYYc3crSM9mEuXkWp3cxKhR8EvGep9sfNvMgZOhdpTf7A1Ite/e +03p5seYvw02wiFfg2nnnqdvCBwKY341fZXmJ/yf8kjMI71vCkZ9KfEgqeasOjfcjp koxb+y8EhFNrz7rtvdZ0XsqmDm6sxF6HZ0wO4UKtZARELAkR0lt6vtf1Uv/miCoKNJ qaWctOhQ3ThxGCU7IJV4jmyzdfT3D0GtaaWnRoxJP74rHTHVWrLqjNMqGq3clS0VLU Hn30X54sLr0qSqdfMsahGKOlLDTZ9ujws4JgCMq/kIT1wt/yxieDiSL6Izu0ElCl/i for8A80R7luew== Received: from [192.168.1.107] (fibhost-66-234-106.fibernet.hu [85.66.234.106]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: hs@denx.de) by phobos.denx.de (Postfix) with ESMTPSA id 2975B80082; Mon, 19 Jul 2021 06:01:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denx.de; s=phobos-20191101; t=1626667304; bh=JHcyJufEmRN5xwL6kG8sLMMCeOGPz387i4rMQoQnaAQ=; h=Reply-To:Subject:To:Cc:References:From:Date:In-Reply-To:From; b=rzID30399Vv4vqekDS+ZmSVgAAVKvyM65r6maW87NC0IvfK0oOd02QCdrIhWmJ3uD f9DhgBEodTYjtbmBeW3QvTy7/RqYbUPmAgdx3cXLAZMimeYyxxekwrEFn/0u4yzlZE jBdDwQMH2bBK8PQnjsCoO51UWrlJ44yY+FVBG0ssq8v+Qu72voNRzGptyznDnChsjd p1dxIeINJG3TT5gh4yP3CLH88RebeAoMgKI+DQ8tEQagbzbdajvVVEqIygiROEsoLy DF+OxRFrpzVaHy00WATtt8cBNsqacYuNTZGiMnnqlFaAHcMj5s0Zn5CaVYCOghqFod 9efVwOQfdOwuw== Subject: Re: IMX8M Mini HAB secure boot - working? To: Tim Harvey Cc: Stefano Babic , Fabio Estevam , u-boot@lists.denx.de, uboot-imx@nxp.com, Peng Fan References: <6742d326-2daf-0480-cfb6-04e43a147b94@denx.de> <5d0fb30e-3658-e648-5e68-bf9be84bed63@denx.de> From: Heiko Schocher Message-ID: <3571d828-0bed-8b1f-a6e6-5bce45cd6340@denx.de> Date: Mon, 19 Jul 2021 06:01:47 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: hs@denx.de Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Hello Tim, On 12.07.21 18:06, Tim Harvey wrote: > On Sat, Jul 10, 2021 at 5:24 AM Heiko Schocher wrote: >> >> Hi Tim, Stefano, >> >> On 10.07.21 11:14, Stefano Babic wrote: >>> Hi Tim, >>> >>> On 10.07.21 02:05, Tim Harvey wrote: >>>> Greetings, >>>> >>>> Has anyone successfully used secure boot with IMX8M Mini or other >>>> IMX8M? Peng's recent series got merged with the exception of what >>>> looks like the addition of couple of 'caam' commands to blob/deblob >>>> DEK's. >>>> >>>> There are no guides yet however I'm following the guides for the >>>> downstream NXP U-Boot and thus far have been able to get the SPL to >>>> boot with no HAB events but when it tries to authenticate the FIT >>>> image it validate_ivt fails with 'Error: Invalid IVT structure'. >>> >>> Heiko tested this and found it, if I am not wrong he found the cause. Added him in CC. >>> >>> I have also planned to test this, it is on my TODO list... >> >> I am currently not in my office, the whole next week ... so I could not >> check my current state of the patches... but I found a problem, yes. >> >> The problem was that the ROM API loaded the IVT header to a >> memallocated address, which does of course not fit with the >> address you have in IVT header ... >> >> I have not full access to my development setup ,and found on my local >> some old state of the patches .... may you can try them? >> >> Of course they need a rework, other solution, but it shows the problem >> hopefully... >> > > Heiko, > > Thank you - that was indeed the issue and your patches resolve it. I Cool! Thanks for testing! > have not seen your patch posted to the list and your commit msg makes Yes, as they are WIP not posted yet ... and I thought, I make something wrong ... but if you have the same problem, it seems it is a real bug! > it seem like your not sure if you should make it SoC dependent. Do you > plan on submitting these to the mailing list? The question is: is my approach to fix it the way to go? If you think so, I can send them .. but give me please some time as I am just back from vacation... Fast look into it: spl_load_simple_fit_fix_load() must also check if there is at "fit" pointer an IVT header, if not, return simply fit pointer. Question: dependent on SoC ... as it is in common code, and I think we need this "fix" only for imx8m?, so yes, it should be SoC dependent or better only imx8m? code defines this function... if possible. Therefore the weak function approach. If you find time for looking at it, I am fine, if you use my patches as base and you can post them? bye, Heiko -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs@denx.de