* [U-Boot] [PATCH 0/3] Add i.MX HAB encryption support
@ 2016-08-23 21:55 Gary Bisson
  2016-08-23 21:55 ` [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
                   ` (3 more replies)
  0 siblings, 4 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-23 21:55 UTC (permalink / raw)
  To: u-boot

Hi all,

This patch is actually a follow-up of the one from Peng Fan:
https://patchwork.ozlabs.org/patch/616568/

As he mentioned at the time, the current i.MX source code doesn't allow
building a U-Boot that supports encryption features (dek commands).
The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks
which is mandatory for the Freescale/NXP job ring code to build.

At the time of the original patch, Tom/Stefano said that a configuration
would need to leverage those options and some of the config should be
moved to Kconfig. The goal of this series is to enable it with the
nitrogen6x platform configuration.

As a first version, this series only adds the CONFIG_SECURE_BOOT to the
imx-common Kconfig so it can be enabled using menuconfig.

If this is not sufficient, the nitrogen6*_defconfig could be duplicated
into nitrogen6*_hab_defconfig but it sounds like a lot of copying just to
enable HAB features. Needless to say, we would prefer keeping our
default defconfig without the HAB feature enabled.

Then I think the variables could actually be moved from nitrogen6x.h
to mx6_common.h and mx7_common.h. It may need to be split in 2 since
CONFIG_CSF_SIZE is sufficient to achieve binary signature. The other
options are only required if you want to encrypt the binary (which
requires the use of the dek_blob command).

Let me know your thoughts.

Regards,
Gary


Gary Bisson (2):
  arm: imx-common: add SECURE_BOOT option to Kconfig
  nitrogen6x: add secure boot support

Peng Fan (1):
  arm: imx-common: introduce back usec2ticks

 arch/arm/imx-common/Kconfig                 |  9 +++++++++
 arch/arm/imx-common/timer.c                 | 16 ++++++++++++++++
 board/boundary/nitrogen6x/nitrogen6dl.cfg   |  3 +++
 board/boundary/nitrogen6x/nitrogen6dl2g.cfg |  3 +++
 board/boundary/nitrogen6x/nitrogen6q.cfg    |  3 +++
 board/boundary/nitrogen6x/nitrogen6q2g.cfg  |  3 +++
 board/boundary/nitrogen6x/nitrogen6s.cfg    |  3 +++
 board/boundary/nitrogen6x/nitrogen6s1g.cfg  |  3 +++
 include/configs/nitrogen6x.h                |  9 +++++++++
 9 files changed, 52 insertions(+)

-- 
2.8.1


* [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig
  2016-08-23 21:55 [U-Boot] [PATCH 0/3] Add i.MX HAB encryption support Gary Bisson
@ 2016-08-23 21:55 ` Gary Bisson
  2016-08-24  0:24   ` Eric Nelson
  2016-08-23 21:55 ` [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks Gary Bisson
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 19+ messages in thread
From: Gary Bisson @ 2016-08-23 21:55 UTC (permalink / raw)
  To: u-boot

So the option can easily be selected through menuconfig.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 arch/arm/imx-common/Kconfig | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
index 1b7da5a..5ee230e 100644
--- a/arch/arm/imx-common/Kconfig
+++ b/arch/arm/imx-common/Kconfig
@@ -17,3 +17,12 @@ config IMX_BOOTAUX
 	depends on ARCH_MX7 || ARCH_MX6
 	help
 	  bootaux [addr] to boot auxiliary core.
+
+config SECURE_BOOT
+	bool "Support i.MX HAB features"
+	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
+	help
+	  This option enables the support for secure boot (HAB) which
+	  includes adding a CSF section to the final imx image and
+	  some security-related commands such as 'hab_status'.
+	  See doc/README.mxc_hab for more details.
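Review bot: The help text of the new SECURE_BOOT entry says the option "includes adding a CSF section to the final imx image", but the entry only declares a bool with a `depends on` line; nothing in it selects or generates a CSF. Reword the help to say the symbol gates HAB support and the CSF declaration in the board .cfg files, and keep the pointer to doc/README.mxc_hab so the signing steps are documented in one place.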
-- 
2.8.1


* [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks
  2016-08-23 21:55 [U-Boot] [PATCH 0/3] Add i.MX HAB encryption support Gary Bisson
  2016-08-23 21:55 ` [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
@ 2016-08-23 21:55 ` Gary Bisson
  2016-08-24  0:30   ` Eric Nelson
  2016-08-23 21:55 ` [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support Gary Bisson
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
  3 siblings, 1 reply; 19+ messages in thread
From: Gary Bisson @ 2016-08-23 21:55 UTC (permalink / raw)
  To: u-boot

From: Peng Fan <van.freenix@gmail.com>

This commit "2bb014820c49a63902103bac710bc86b5772e843"
does some clean up to use the code in lib/time.c.
But usec2ticks is still being used by security related job ring code.
Bring back the function to avoid build break when CONFIG_FSL_CAAM
is defined.
The computation logic has been changed, using 64-bit variable
to ease the process, making it work on older (MX5) platforms.

Signed-off-by: Peng Fan <van.freenix@gmail.com>
Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 arch/arm/imx-common/timer.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c
index a01590c..a04c7ae 100644
--- a/arch/arm/imx-common/timer.c
+++ b/arch/arm/imx-common/timer.c
@@ -119,3 +119,19 @@ ulong get_tbclk(void)
 {
 	return gpt_get_clk();
 }
+
+/*
+ * This function is intended for SHORT delays only.
+ * It will overflow at around 10 seconds @ 400MHz,
+ * or 20 seconds @ 200MHz.
+ */
+unsigned long usec2ticks(unsigned long _usec)
+{
+	unsigned long long usec = _usec;
+
+	usec *= get_tbclk();
+	usec += 999999;
+	do_div(usec, 1000000);
+
+	return usec;
+}
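Review bot: `return usec;` at the end of usec2ticks() narrows the 64-bit result to unsigned long without a check, so where unsigned long is 32 bits (as the comment's figures imply) the overflow the comment warns about happens silently in the return value, not in the multiplication. Say that in the comment, or saturate the result before returning, so a caller passing a long timeout gets a bounded delay rather than a wrapped short one. The hunk also adds no #include for do_div(); confirm timer.c already pulls in the header that provides it.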
-- 
2.8.1


* [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support
  2016-08-23 21:55 [U-Boot] [PATCH 0/3] Add i.MX HAB encryption support Gary Bisson
  2016-08-23 21:55 ` [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
  2016-08-23 21:55 ` [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks Gary Bisson
@ 2016-08-23 21:55 ` Gary Bisson
  2016-08-24  0:35   ` Eric Nelson
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
  3 siblings, 1 reply; 19+ messages in thread
From: Gary Bisson @ 2016-08-23 21:55 UTC (permalink / raw)
  To: u-boot

Selecting the proper options to enable the build of the HAB tools.

Also adding a CSF section to the imx final image so it can contain
the signature information.

Note, this support is disabled by default, one will have to select
the SECURE_BOOT configuration through menuconfig to enable it.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
 board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
 board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
 board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
 include/configs/nitrogen6x.h                | 9 +++++++++
 7 files changed, 27 insertions(+)

diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
index 1cdccad..5c3e961 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
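Review bot: In the added `#ifdef CONFIG_SECURE_BOOT` block, `CSF CONFIG_CSF_SIZE` only becomes a valid size if config.h also defines CONFIG_CSF_SIZE; otherwise the bare token passes through the preprocessor unexpanded. Guard on CONFIG_CSF_SIZE as well, or fail the build when it is missing. The same three lines are repeated in the other five nitrogen6x .cfg hunks of this patch, so a shared include would keep them from drifting apart.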
diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
index 516d67e..fe19ed0 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
index b6642e6..60e1885 100644
--- a/board/boundary/nitrogen6x/nitrogen6q.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
index fe6dfc1..7a3ee94 100644
--- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
index ca30cd6..2540b7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
index b1489fb..946af7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
index b651eb3..3281e42 100644
--- a/include/configs/nitrogen6x.h
+++ b/include/configs/nitrogen6x.h
@@ -35,6 +35,15 @@
 #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
 #endif
 
+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE			0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT	4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif
+
 /* I2C Configs */
 #define CONFIG_SYS_I2C
 #define CONFIG_SYS_I2C_MXC
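Review bot: The `#ifdef CONFIG_SECURE_BOOT` block in nitrogen6x.h ties CONFIG_CSF_SIZE, which is all the .cfg hunks use, to CONFIG_FSL_CAAM and CONFIG_CMD_DEKBLOB, so a board that only wants a signed image also gets the CAAM driver and the DEK blob command compiled in. Put the CAAM and DEKBLOB defines behind their own guard so the command is present only where encrypted boot is wanted, and, since nothing in the block is specific to this board, consider defining it in a common header.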
-- 
2.8.1


* [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig
  2016-08-23 21:55 ` [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
@ 2016-08-24  0:24   ` Eric Nelson
  2016-08-24 10:12     ` Gary Bisson
  0 siblings, 1 reply; 19+ messages in thread
From: Eric Nelson @ 2016-08-24  0:24 UTC (permalink / raw)
  To: u-boot

Nicely done Gary!

On 08/23/2016 02:55 PM, Gary Bisson wrote:
> So the option can easily be selected through menuconfig.
> 
> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> ---
>  arch/arm/imx-common/Kconfig | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
> index 1b7da5a..5ee230e 100644
> --- a/arch/arm/imx-common/Kconfig
> +++ b/arch/arm/imx-common/Kconfig
> @@ -17,3 +17,12 @@ config IMX_BOOTAUX
>  	depends on ARCH_MX7 || ARCH_MX6
>  	help
>  	  bootaux [addr] to boot auxiliary core.
> +
> +config SECURE_BOOT
> +	bool "Support i.MX HAB features"
> +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> +	help
> +	  This option enables the support for secure boot (HAB) which
> +	  includes adding a CSF section to the final imx image and
                   ^^^
This doesn't add a CSF section.

Perhaps this should say "can enable a conditional section of an
i.MX configuration (.cfg) file when producing an imx image".

> +	  some security-related commands such as 'hab_status'.
> +	  See doc/README.mxc_hab for more details.
> 

You should probably include a note in README.mxc_hab about use
in .cfg files.


* [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks
  2016-08-23 21:55 ` [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks Gary Bisson
@ 2016-08-24  0:30   ` Eric Nelson
  2016-08-24 10:15     ` Gary Bisson
  0 siblings, 1 reply; 19+ messages in thread
From: Eric Nelson @ 2016-08-24  0:30 UTC (permalink / raw)
  To: u-boot

Hi Gary and Peng,

On 08/23/2016 02:55 PM, Gary Bisson wrote:
> From: Peng Fan <van.freenix@gmail.com>
> 
> This commit "2bb014820c49a63902103bac710bc86b5772e843"
> does some clean up to use the code in lib/time.c.
> But usec2ticks is still being used by security related job ring code.
> Bring back the function to avoid build break when CONFIG_FSL_CAAM
> is defined.
> The computation logic has been changed, using 64-bit variable
> to ease the process, making it work on older (MX5) platforms.
> 
> Signed-off-by: Peng Fan <van.freenix@gmail.com>
> Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> ---
>  arch/arm/imx-common/timer.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c
> index a01590c..a04c7ae 100644
> --- a/arch/arm/imx-common/timer.c
> +++ b/arch/arm/imx-common/timer.c
> @@ -119,3 +119,19 @@ ulong get_tbclk(void)
>  {
>  	return gpt_get_clk();
>  }
> +
> +/*
> + * This function is intended for SHORT delays only.
> + * It will overflow at around 10 seconds @ 400MHz,
> + * or 20 seconds @ 200MHz.
> + */
> +unsigned long usec2ticks(unsigned long _usec)
> +{
> +	unsigned long long usec = _usec;
> +
> +	usec *= get_tbclk();
> +	usec += 999999;
> +	do_div(usec, 1000000);
> +
> +	return usec;
> +}
> 

What about the version in imx-common/syscounter.c?

It seems that only one should be needed.


* [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support
  2016-08-23 21:55 ` [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support Gary Bisson
@ 2016-08-24  0:35   ` Eric Nelson
  2016-08-24 10:17     ` Gary Bisson
  0 siblings, 1 reply; 19+ messages in thread
From: Eric Nelson @ 2016-08-24  0:35 UTC (permalink / raw)
  To: u-boot

Hi Gary,

On 08/23/2016 02:55 PM, Gary Bisson wrote:
> Selecting the proper options to enable the build of the HAB tools.
> 
> Also adding a CSF section to the imx final image so it can contain
> the signature information.
> 
> Note, this support is disabled by default, one will have to select
> the SECURE_BOOT configuration through menuconfig to enable it.
> 
> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> ---
>  board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
>  board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
>  board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
>  board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
>  board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
>  board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
>  include/configs/nitrogen6x.h                | 9 +++++++++
>  7 files changed, 27 insertions(+)
> 
> diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> index 1cdccad..5c3e961 100644
> --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> index 516d67e..fe19ed0 100644
> --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
> index b6642e6..60e1885 100644
> --- a/board/boundary/nitrogen6x/nitrogen6q.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> index fe6dfc1..7a3ee94 100644
> --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
> index ca30cd6..2540b7b 100644
> --- a/board/boundary/nitrogen6x/nitrogen6s.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> index b1489fb..946af7b 100644
> --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
> index b651eb3..3281e42 100644
> --- a/include/configs/nitrogen6x.h
> +++ b/include/configs/nitrogen6x.h
> @@ -35,6 +35,15 @@
>  #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
>  #endif
>  
> +/* Secure boot (HAB) support */
> +#ifdef CONFIG_SECURE_BOOT
> +#define CONFIG_CSF_SIZE			0x2000
> +#define CONFIG_SYS_FSL_SEC_COMPAT	4
> +#define CONFIG_FSL_CAAM
> +#define CONFIG_CMD_DEKBLOB
> +#define CONFIG_SYS_FSL_SEC_LE
> +#endif
> +

I agree with the comment in your cover letter, that this belongs
in a common place.


* [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig
  2016-08-24  0:24   ` Eric Nelson
@ 2016-08-24 10:12     ` Gary Bisson
  2016-08-24 13:13       ` Eric Nelson
  0 siblings, 1 reply; 19+ messages in thread
From: Gary Bisson @ 2016-08-24 10:12 UTC (permalink / raw)
  To: u-boot

Hi Eric, all,

On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
> Nicely done Gary!
> 
> On 08/23/2016 02:55 PM, Gary Bisson wrote:
> > So the option can easily be selected through menuconfig.
> > 
> > Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> > ---
> >  arch/arm/imx-common/Kconfig | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> > 
> > diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
> > index 1b7da5a..5ee230e 100644
> > --- a/arch/arm/imx-common/Kconfig
> > +++ b/arch/arm/imx-common/Kconfig
> > @@ -17,3 +17,12 @@ config IMX_BOOTAUX
> >  	depends on ARCH_MX7 || ARCH_MX6
> >  	help
> >  	  bootaux [addr] to boot auxiliary core.
> > +
> > +config SECURE_BOOT
> > +	bool "Support i.MX HAB features"
> > +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> > +	help
> > +	  This option enables the support for secure boot (HAB) which
> > +	  includes adding a CSF section to the final imx image and
>                    ^^^
> This doesn't add a CSF section.
> 
> Perhaps this should say "can enable a conditional section of an
> i.MX configuration (.cfg) file when producing an imx image".

Well now that you pointed out this sentence, I realize that it doesn't
even "add" the section per se, it just declares it in the IVT header.
It is then up to you to create and concatenate the CSF binary to the
u-boot.imx image.

For those not familiar with HAB:
https://boundarydevices.com/high-assurance-boot-hab-dummies/

Maybe in V2 I should keep it simple and just point to the README:
This option enables the support for secure boot (HAB).
See doc/README.mxc_hab for more details.

> > +	  some security-related commands such as 'hab_status'.
> > +	  See doc/README.mxc_hab for more details.
> > 
> 
> You should probably include a note in README.mxc_hab about use
> in .cfg files.

Yes that is a good point, will do in V2.

Regards,
Gary
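
A structural check for the point made in the reply above (the build only declares the CSF in the IVT header; the CSF binary has to be created and concatenated separately), as an added example that is not part of the original thread or of U-Boot. It assumes the HAB IVT layout (tag 0xD1, then seven little-endian 32-bit words with `self` and `csf` as the fifth and sixth), a CSF header tag of 0xD4, and an IVT at file offset 0; `csf_status`, `build_image` and `SAMPLE_CSF` are hypothetical names and the images are constructed.

```python
import struct

IVT_TAG = 0xD1    # HAB tag: Image Vector Table header
CSF_TAG = 0xD4    # HAB tag: Command Sequence File header
IVT_SIZE = 32     # 4-byte header + seven 32-bit words


def csf_status(image: bytes, ivt_offset: int = 0) -> str:
    """Classify an i.MX boot image by what its IVT says about the CSF.

    Returns 'no-ivt', 'not-declared', 'declared-but-absent' or 'present'.
    This is a structural check only; it verifies no signature.
    """
    if len(image) < ivt_offset + IVT_SIZE:
        return "no-ivt"
    # Header: tag (1 byte), length (2 bytes, big-endian), version (1 byte).
    tag, length, _version = struct.unpack_from(">BHB", image, ivt_offset)
    if tag != IVT_TAG or length != IVT_SIZE:
        return "no-ivt"
    # Body: entry, reserved1, dcd, boot_data, self, csf, reserved2.
    _entry, _r1, _dcd, _boot, self_addr, csf_addr, _r2 = struct.unpack_from(
        "<7I", image, ivt_offset + 4)
    if csf_addr == 0:
        return "not-declared"          # image built without a CSF pointer
    # IVT pointers are absolute load addresses; 'self' maps them to the file.
    if csf_addr <= self_addr:
        return "declared-but-absent"
    off = ivt_offset + (csf_addr - self_addr)
    if off + 4 > len(image):
        return "declared-but-absent"   # nothing was concatenated
    c_tag, c_len, _c_ver = struct.unpack_from(">BHB", image, off)
    if c_tag != CSF_TAG or c_len < 4 or off + c_len > len(image):
        return "declared-but-absent"   # padding or truncated data, not a CSF
    return "present"


def build_image(declare_csf: bool, csf_blob: bytes = b"") -> bytes:
    """Build a constructed image: IVT + dummy payload + optional trailing blob."""
    self_addr = 0x17800400             # constructed load address
    payload = bytes(0x100)             # stand-in for DCD and U-Boot code
    csf_addr = self_addr + IVT_SIZE + len(payload) if declare_csf else 0
    ivt = struct.pack(">BHB", IVT_TAG, IVT_SIZE, 0x40)
    ivt += struct.pack("<7I", self_addr + 0x1000, 0, 0, 0,
                       self_addr, csf_addr, 0)
    return ivt + payload + csf_blob


# Constructed 16-byte stand-in for a CSF: valid header, zeroed commands.
SAMPLE_CSF = struct.pack(">BHB", CSF_TAG, 16, 0x40) + bytes(12)

if __name__ == "__main__":
    cases = {
        "built without SECURE_BOOT": build_image(False),
        "CSF declared, nothing appended": build_image(True),
        "CSF declared, zero padding only": build_image(True, bytes(0x2000)),
        "CSF declared and appended": build_image(True, SAMPLE_CSF),
    }
    for name, img in cases.items():
        print(f"{name}: {csf_status(img)}")
```

Only the last case is an image that HAB could authenticate; the two "declared-but-absent" cases are what a build looks like when the signing step was skipped.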


* [U-Boot] [PATCH 2/3] arm: imx-common: introduce back usec2ticks
  2016-08-24  0:30   ` Eric Nelson
@ 2016-08-24 10:15     ` Gary Bisson
  0 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-24 10:15 UTC (permalink / raw)
  To: u-boot

Hi Eric, all,

On Tue, Aug 23, 2016 at 05:30:36PM -0700, Eric Nelson wrote:
> Hi Gary and Peng,
> 
> On 08/23/2016 02:55 PM, Gary Bisson wrote:
> > From: Peng Fan <van.freenix@gmail.com>
> > 
> > This commit "2bb014820c49a63902103bac710bc86b5772e843"
> > does some clean up to use the code in lib/time.c.
> > But usec2ticks is still being used by security related job ring code.
> > Bring back the function to avoid build break when CONFIG_FSL_CAAM
> > is defined.
> > The computation logic has been changed, using 64-bit variable
> > to ease the process, making it work on older (MX5) platforms.
> > 
> > Signed-off-by: Peng Fan <van.freenix@gmail.com>
> > Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
> > Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> > ---
> >  arch/arm/imx-common/timer.c | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c
> > index a01590c..a04c7ae 100644
> > --- a/arch/arm/imx-common/timer.c
> > +++ b/arch/arm/imx-common/timer.c
> > @@ -119,3 +119,19 @@ ulong get_tbclk(void)
> >  {
> >  	return gpt_get_clk();
> >  }
> > +
> > +/*
> > + * This function is intended for SHORT delays only.
> > + * It will overflow at around 10 seconds @ 400MHz,
> > + * or 20 seconds @ 200MHz.
> > + */
> > +unsigned long usec2ticks(unsigned long _usec)
> > +{
> > +	unsigned long long usec = _usec;
> > +
> > +	usec *= get_tbclk();
> > +	usec += 999999;
> > +	do_div(usec, 1000000);
> > +
> > +	return usec;
> > +}
> > 
> 
> What about the version in imx-common/syscounter.c?
> 
> It seems that only one should be needed.

Well syscounter.c is only built for mx7 platforms whereas timer.c only
applies to mx6|mx5 (see Makefile).

Regards,
Gary


* [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support
  2016-08-24  0:35   ` Eric Nelson
@ 2016-08-24 10:17     ` Gary Bisson
  2016-08-25 16:22       ` Fabio Estevam
  0 siblings, 1 reply; 19+ messages in thread
From: Gary Bisson @ 2016-08-24 10:17 UTC (permalink / raw)
  To: u-boot

Hi Eric, all,

On Tue, Aug 23, 2016 at 05:35:14PM -0700, Eric Nelson wrote:
> Hi Gary,
> 
> On 08/23/2016 02:55 PM, Gary Bisson wrote:
> > Selecting the proper options to enable the build of the HAB tools.
> > 
> > Also adding a CSF section to the imx final image so it can contain
> > the signature information.
> > 
> > Note, this support is disabled by default, one will have to select
> > the SECURE_BOOT configuration through menuconfig to enable it.
> > 
> > Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> > ---
> >  board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
> >  include/configs/nitrogen6x.h                | 9 +++++++++
> >  7 files changed, 27 insertions(+)
> > 
> > diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > index 1cdccad..5c3e961 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > index 516d67e..fe19ed0 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
> > index b6642e6..60e1885 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6q.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > index fe6dfc1..7a3ee94 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
> > index ca30cd6..2540b7b 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6s.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > index b1489fb..946af7b 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
> > index b651eb3..3281e42 100644
> > --- a/include/configs/nitrogen6x.h
> > +++ b/include/configs/nitrogen6x.h
> > @@ -35,6 +35,15 @@
> >  #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
> >  #endif
> >  
> > +/* Secure boot (HAB) support */
> > +#ifdef CONFIG_SECURE_BOOT
> > +#define CONFIG_CSF_SIZE			0x2000
> > +#define CONFIG_SYS_FSL_SEC_COMPAT	4
> > +#define CONFIG_FSL_CAAM
> > +#define CONFIG_CMD_DEKBLOB
> > +#define CONFIG_SYS_FSL_SEC_LE
> > +#endif
> > +
> 
> I agree with the comment in your cover letter, that this belongs
> in a common place.

Does Fabio agree with that? Also, should we differentiate the options
needed for signature only (SECURE_BOOT and CSF_SIZE) from the others that
are only useful when encryption is needed?

Regards,
Gary


* [U-Boot] [PATCH 1/3] arm: imx-common: add SECURE_BOOT option to Kconfig
  2016-08-24 10:12     ` Gary Bisson
@ 2016-08-24 13:13       ` Eric Nelson
  0 siblings, 0 replies; 19+ messages in thread
From: Eric Nelson @ 2016-08-24 13:13 UTC (permalink / raw)
  To: u-boot

Hi Gary,

On 08/24/2016 03:12 AM, Gary Bisson wrote:
> Hi Eric, all,
> 
> On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
>> Nicely done Gary!
>>
>> On 08/23/2016 02:55 PM, Gary Bisson wrote:
>>> So the option can easily be selected through menuconfig.
>>>
>>> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
>>> ---
>>>  arch/arm/imx-common/Kconfig | 9 +++++++++
>>>  1 file changed, 9 insertions(+)
>>>
>>> diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
>>> index 1b7da5a..5ee230e 100644
>>> --- a/arch/arm/imx-common/Kconfig
>>> +++ b/arch/arm/imx-common/Kconfig
>>> @@ -17,3 +17,12 @@ config IMX_BOOTAUX
>>>  	depends on ARCH_MX7 || ARCH_MX6
>>>  	help
>>>  	  bootaux [addr] to boot auxiliary core.
>>> +
>>> +config SECURE_BOOT
>>> +	bool "Support i.MX HAB features"
>>> +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>> +	help
>>> +	  This option enables the support for secure boot (HAB) which
>>> +	  includes adding a CSF section to the final imx image and
>>                    ^^^
>> This doesn't add a CSF section.
>>
>> Perhaps this should say "can enable a conditional section of an
>> i.MX configuration (.cfg) file when producing an imx image".
> 
> Well now that you pointed out this sentence, I realize that it doesn't
> even "add" the section per se, it just declares it in the IVT header.
> It is then up to you to create and concatenate the CSF binary to the
> u-boot.imx image.
> 
> For those not familiar with HAB:
> https://boundarydevices.com/high-assurance-boot-hab-dummies/
> 

Nice!

> Maybe in V2 I should keep it simple and just point to the README:
>
> 	This option enables the support for secure boot (HAB).
> 	See doc/README.mxc_hab for more details.
>

Perfect.

I think most folks only glance at the help while in menuconfig
and README.mxc_hab is a better place for background.

>>> +	  some security-related commands such as 'hab_status'.
>>> +	  See doc/README.mxc_hab for more details.
>>>
>>
>> You should probably include a note in README.mxc_hab about use
>> in .cfg files.
> 
> Yes that is a good point, will do in V2.
> 
> Regards,
> Gary
> 


* [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support
  2016-08-24 10:17     ` Gary Bisson
@ 2016-08-25 16:22       ` Fabio Estevam
  0 siblings, 0 replies; 19+ messages in thread
From: Fabio Estevam @ 2016-08-25 16:22 UTC (permalink / raw)
  To: u-boot

Hi Gary,

On Wed, Aug 24, 2016 at 7:17 AM, Gary Bisson
<gary.bisson@boundarydevices.com> wrote:

>> I agree with the comment in your cover letter, that this belongs
>> in a common place.
>
> Does Fabio agree with that? Also, should we differentiate the options

What about placing the options below:

+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE                        0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT      4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif

into include/configs/mx6_common.h?

Thanks


* [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support
  2016-08-23 21:55 [U-Boot] [PATCH 0/3] Add i.MX HAB encryption support Gary Bisson
                   ` (2 preceding siblings ...)
  2016-08-23 21:55 ` [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support Gary Bisson
@ 2016-08-25 17:03 ` Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 1/5] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
                     ` (5 more replies)
  3 siblings, 6 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

Hi all,

This patch is actually a follow-up of the one from Peng Fan:
https://patchwork.ozlabs.org/patch/616568/

As he mentioned at the time, the current i.MX source code doesn't allow
building a U-Boot that supports encryption features (dek commands).
The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks
which is mandatory for the Freescale/NXP job ring code to build.

At the time of the original patch, Tom/Stefano said that a configuration
would need to leverage those options and some of the config should be
moved to Kconfig. The goal of this series is to enable it in the common
mx6/7 configuration files.

The series also adds the missing CSF declaration in nitrogen6* cfg files.

Changes v1->v2:
- Simplified the help comment of the SECURE_BOOT config option
- Moved SECURE_BOOT options to mx6/7_common.h

Let me know your thoughts.

Regards,
Gary

Gary Bisson (4):
  arm: imx-common: add SECURE_BOOT option to Kconfig
  mx6_common: add secure boot support
  mx7_common: add secure boot support
  nitrogen6x: add secure boot support

Peng Fan (1):
  arm: imx-common: introduce back usec2ticks

 arch/arm/imx-common/Kconfig                 |  7 +++++++
 arch/arm/imx-common/timer.c                 | 16 ++++++++++++++++
 board/boundary/nitrogen6x/nitrogen6dl.cfg   |  3 +++
 board/boundary/nitrogen6x/nitrogen6dl2g.cfg |  3 +++
 board/boundary/nitrogen6x/nitrogen6q.cfg    |  3 +++
 board/boundary/nitrogen6x/nitrogen6q2g.cfg  |  3 +++
 board/boundary/nitrogen6x/nitrogen6s.cfg    |  3 +++
 board/boundary/nitrogen6x/nitrogen6s1g.cfg  |  3 +++
 include/configs/colibri_imx7.h              |  4 ----
 include/configs/mx6_common.h                |  9 +++++++++
 include/configs/mx7_common.h                |  9 +++++++++
 include/configs/mx7dsabresd.h               |  4 ----
 12 files changed, 59 insertions(+), 8 deletions(-)

-- 
2.8.1

^ permalink raw reply	[flat|nested] 19+ messages in thread

* [U-Boot] [PATCH v2 1/5] arm: imx-common: add SECURE_BOOT option to Kconfig
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
@ 2016-08-25 17:03   ` Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 2/5] arm: imx-common: introduce back usec2ticks Gary Bisson
                     ` (4 subsequent siblings)
  5 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

So the option can easily be selected through menuconfig.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 arch/arm/imx-common/Kconfig | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
index 1b7da5a..1a09a2c 100644
--- a/arch/arm/imx-common/Kconfig
+++ b/arch/arm/imx-common/Kconfig
@@ -17,3 +17,10 @@ config IMX_BOOTAUX
 	depends on ARCH_MX7 || ARCH_MX6
 	help
 	  bootaux [addr] to boot auxiliary core.
+
+config SECURE_BOOT
+	bool "Support i.MX HAB features"
+	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
+	help
+	  This option enables the support for secure boot (HAB).
+	  See doc/README.mxc_hab for more details.
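Review bot: `depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5` offers the option on MX5, but the diffstat in the cover letter shows the `CONFIG_SECURE_BOOT` block being added only to mx6_common.h and mx7_common.h, so an MX5 board that selects it gets no `CONFIG_CSF_SIZE` or CAAM defines from a common header. Either drop `ARCH_MX5` here or confirm where MX5 boards pick those defines up. The help text could also state that the option only builds HAB support in; as noted in the v1 discussion, creating the CSF binary and concatenating it to u-boot.imx remains a separate step.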
-- 
2.8.1

^ permalink raw reply related	[flat|nested] 19+ messages in thread

* [U-Boot] [PATCH v2 2/5] arm: imx-common: introduce back usec2ticks
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 1/5] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
@ 2016-08-25 17:03   ` Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 3/5] mx6_common: add secure boot support Gary Bisson
                     ` (3 subsequent siblings)
  5 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

From: Peng Fan <van.freenix@gmail.com>

This commit "2bb014820c49a63902103bac710bc86b5772e843"
does some cleanup to use the code in lib/time.c.
But usec2ticks is still being used by security related job ring code.
Bring back the function to avoid build break when CONFIG_FSL_CAAM
is defined.
The computation logic has been changed, using 64-bit variable
to ease the process, making it work on older (MX5) platforms.

Signed-off-by: Peng Fan <van.freenix@gmail.com>
Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 arch/arm/imx-common/timer.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/arch/arm/imx-common/timer.c b/arch/arm/imx-common/timer.c
index a01590c..a04c7ae 100644
--- a/arch/arm/imx-common/timer.c
+++ b/arch/arm/imx-common/timer.c
@@ -119,3 +119,19 @@ ulong get_tbclk(void)
 {
 	return gpt_get_clk();
 }
+
+/*
+ * This function is intended for SHORT delays only.
+ * It will overflow at around 10 seconds @ 400MHz,
+ * or 20 seconds @ 200MHz.
+ */
+unsigned long usec2ticks(unsigned long _usec)
+{
+	unsigned long long usec = _usec;
+
+	usec *= get_tbclk();
+	usec += 999999;
+	do_div(usec, 1000000);
+
+	return usec;
+}
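Review bot: the 64-bit intermediate in `usec2ticks()` is narrowed back to `unsigned long` at `return usec;`, so on a 32-bit target a request past the limit given in the comment silently wraps to a much smaller tick count instead of being rejected. The commit message says the caller is the security job ring code, where a wrapped value would shorten whatever delay or timeout was being computed; consider saturating to `ULONG_MAX` when the quotient does not fit, and reword the comment to say the limit comes from the return type. The hunk adds no `#include`, so please also confirm that timer.c already pulls in the header that provides `do_div()`.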
-- 
2.8.1

^ permalink raw reply related	[flat|nested] 19+ messages in thread

* [U-Boot] [PATCH v2 3/5] mx6_common: add secure boot support
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 1/5] arm: imx-common: add SECURE_BOOT option to Kconfig Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 2/5] arm: imx-common: introduce back usec2ticks Gary Bisson
@ 2016-08-25 17:03   ` Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 4/5] mx7_common: " Gary Bisson
                     ` (2 subsequent siblings)
  5 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

Selecting the proper options to enable the build of the HAB tools.

Note, this support is disabled by default, one will have to select
the SECURE_BOOT configuration through menuconfig to enable it.

See doc/README.mxc_hab for more details.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 include/configs/mx6_common.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/configs/mx6_common.h b/include/configs/mx6_common.h
index fb49322..02afe8a 100644
--- a/include/configs/mx6_common.h
+++ b/include/configs/mx6_common.h
@@ -93,4 +93,13 @@
 #define CONFIG_CMD_FUSE
 #define CONFIG_MXC_OCOTP
 
+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE			0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT	4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif
+
 #endif
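Review bot: inside `#ifdef CONFIG_SECURE_BOOT`, `CONFIG_FSL_CAAM` and `CONFIG_CMD_DEKBLOB` are switched on for every secure-boot build, although the only define the image build in this series consumes is `CONFIG_CSF_SIZE` (patch 5/5 uses it as `CSF CONFIG_CSF_SIZE`). A board that only wants a signed image then also ships the CAAM driver and the DEK blob command; consider a separate option for the encryption pieces so signature-only builds keep a smaller command set. Wrapping `CONFIG_CSF_SIZE` in `#ifndef` would also let a board header choose a different size.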
-- 
2.8.1

^ permalink raw reply related	[flat|nested] 19+ messages in thread

* [U-Boot] [PATCH v2 4/5] mx7_common: add secure boot support
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
                     ` (2 preceding siblings ...)
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 3/5] mx6_common: add secure boot support Gary Bisson
@ 2016-08-25 17:03   ` Gary Bisson
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 5/5] nitrogen6x: " Gary Bisson
  2016-10-17  7:09   ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Stefano Babic
  5 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

Selecting the proper options to enable the build of the HAB tools.

Note, this support is disabled by default, one will have to select
the SECURE_BOOT configuration through menuconfig to enable it.

See doc/README.mxc_hab for more details.

Also remove duplicate options from board config headers.

Cc: Stefan Agner <stefan.agner@toradex.com>
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 include/configs/colibri_imx7.h | 4 ----
 include/configs/mx7_common.h   | 9 +++++++++
 include/configs/mx7dsabresd.h  | 4 ----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/include/configs/colibri_imx7.h b/include/configs/colibri_imx7.h
index 9da219c..486f2a4 100644
--- a/include/configs/colibri_imx7.h
+++ b/include/configs/colibri_imx7.h
@@ -29,10 +29,6 @@
 /* Size of malloc() pool */
 #define CONFIG_SYS_MALLOC_LEN		(32 * SZ_1M)
 
-/* Uncomment to enable secure boot support */
-/* #define CONFIG_SECURE_BOOT */
-#define CONFIG_CSF_SIZE			0x4000
-
 #define CONFIG_CMD_BMODE
 
 /* Network */
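Review bot: the removed `#define CONFIG_CSF_SIZE 0x4000` is not a duplicate of what mx7_common.h now provides: the common value is `0x2000`, and it is defined only under `CONFIG_SECURE_BOOT`, whereas this header defined it unconditionally. The commit message describes this as removing duplicate options, so the CSF size change for colibri_imx7 (and likewise for mx7dsabresd in the last hunk of this patch) should be stated explicitly and acked by the board maintainers, or the boards should be allowed to keep their value.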
diff --git a/include/configs/mx7_common.h b/include/configs/mx7_common.h
index 7295fa6..c339e24 100644
--- a/include/configs/mx7_common.h
+++ b/include/configs/mx7_common.h
@@ -76,4 +76,13 @@
 #define CONFIG_ARMV7_PSCI_NR_CPUS	2
 #define CONFIG_ARMV7_SECURE_BASE	0x00900000
 
+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE			0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT	4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif
+
 #endif
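Review bot: this `#ifdef CONFIG_SECURE_BOOT` block is a line-for-line copy of the one patch 3/5 adds to mx6_common.h, and two copies of security-relevant defaults tend to drift apart. Consider one shared header included by both common files, or moving these symbols to Kconfig next to `SECURE_BOOT`. A short comment on what `CONFIG_SYS_FSL_SEC_COMPAT 4` and `CONFIG_SYS_FSL_SEC_LE` select would also help readers who do not know the CAAM driver.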
diff --git a/include/configs/mx7dsabresd.h b/include/configs/mx7dsabresd.h
index 822d81f..f2d5dea 100644
--- a/include/configs/mx7dsabresd.h
+++ b/include/configs/mx7dsabresd.h
@@ -24,10 +24,6 @@
 
 #define CONFIG_DISPLAY_BOARDINFO
 
-/* Uncomment to enable secure boot support */
-/* #define CONFIG_SECURE_BOOT */
-#define CONFIG_CSF_SIZE			0x4000
-
 /* Network */
 #define CONFIG_FEC_MXC
 #define CONFIG_MII
-- 
2.8.1

^ permalink raw reply related	[flat|nested] 19+ messages in thread

* [U-Boot] [PATCH v2 5/5] nitrogen6x: add secure boot support
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
                     ` (3 preceding siblings ...)
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 4/5] mx7_common: " Gary Bisson
@ 2016-08-25 17:03   ` Gary Bisson
  2016-10-17  7:09   ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Stefano Babic
  5 siblings, 0 replies; 19+ messages in thread
From: Gary Bisson @ 2016-08-25 17:03 UTC (permalink / raw)
  To: u-boot

Declaring a CSF section makes the imximage tool increase the size of
data to be loaded by the BootROM and also adds a pointer to that CSF
section in the IVT header so the BootROM can check the signature.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
 board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
 board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
 board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
index 1cdccad..5c3e961 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
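Review bot: documentation is missing for the new `CSF CONFIG_CSF_SIZE` line in the .cfg file. The v1 review asked for a note in README.mxc_hab about use in .cfg files and the reply was that this would be done in V2, but the v2 diffstat touches no file under doc/. Please add that paragraph, including the point made in the v1 discussion that the keyword only declares the CSF in the IVT header and that the CSF binary still has to be created and concatenated to u-boot.imx.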
diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
index 516d67e..fe19ed0 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
index b6642e6..60e1885 100644
--- a/board/boundary/nitrogen6x/nitrogen6q.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
index fe6dfc1..7a3ee94 100644
--- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
index ca30cd6..2540b7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
index b1489fb..946af7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
@@ -20,6 +20,9 @@ BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
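Review bot: the same three-line stanza (`#ifdef CONFIG_SECURE_BOOT`, `CSF CONFIG_CSF_SIZE`, `#endif`) is now pasted into all six nitrogen6x .cfg files, so a later change to the CSF declaration has to be made six times and a missed file would build an image without the CSF pointer. If these .cfg files can share an included fragment, putting the stanza there once would be safer.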
-- 
2.8.1

^ permalink raw reply related	[flat|nested] 19+ messages in thread
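
The commit message above says that declaring a CSF section both grows the data the BootROM loads and records a CSF pointer in the IVT. The host-side check below is an added example, not code from this thread or from U-Boot: it assumes the 32-byte HAB IVT layout (tag 0xD1, big-endian length, little-endian pointers at the offsets used in the code) followed by the boot data, and its sample header bytes and addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IVT_TAG 0xD1 /* IVT header tag */
#define IVT_LEN 0x20 /* 4-byte header + 7 words */

enum csf_status { CSF_OK, CSF_BAD_IVT, CSF_MISSING, CSF_NOT_LOADED };

static uint32_t le32(const uint8_t *p)
{
	return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* img points at the IVT; csf_size is the value given to the CSF keyword. */
enum csf_status check_csf(const uint8_t *img, size_t len, uint32_t csf_size)
{
	if (len < IVT_LEN + 12 || img[0] != IVT_TAG ||
	    ((img[1] << 8) | img[2]) != IVT_LEN)
		return CSF_BAD_IVT;

	uint32_t boot = le32(img + 16), self = le32(img + 20);
	uint32_t csf = le32(img + 24);

	if (boot < self || boot - self > len - 12)
		return CSF_BAD_IVT;	/* boot data lies outside the buffer */
	if (csf == 0)
		return CSF_MISSING;	/* built without a CSF declaration */

	uint32_t start = le32(img + (boot - self));
	uint64_t end = (uint64_t)start + le32(img + (boot - self) + 4);

	/* The BootROM can only check a CSF it has loaded: the whole CSF
	 * region must sit inside [start, start + size). */
	if (csf < start || (uint64_t)csf + csf_size > end)
		return CSF_NOT_LOADED;
	return CSF_OK;
}

/* Constructed sample: IVT + boot data of a 0x60000 image plus 0x2000 CSF. */
static const uint8_t sample[44] = {
	0xd1, 0x00, 0x20, 0x40, 0x00, 0x00, 0x80, 0x17, /* header, entry */
	0, 0, 0, 0, 0, 0, 0, 0,                         /* reserved1, dcd */
	0x20, 0xf4, 0x7f, 0x17, 0x00, 0xf4, 0x7f, 0x17, /* boot data, self */
	0x00, 0xf0, 0x85, 0x17, 0, 0, 0, 0,             /* csf, reserved2 */
	0x00, 0xf0, 0x7f, 0x17, 0x00, 0x20, 0x06, 0x00, /* start, size */
	0, 0, 0, 0,                                     /* plugin flag */
};

int main(void)
{
	printf("CSF 0x2000: status %d\n", check_csf(sample, sizeof(sample), 0x2000));
	printf("CSF 0x4000: status %d\n", check_csf(sample, sizeof(sample), 0x4000));
	return 0;
}
```

Passing 0x4000 against the same header reports `CSF_NOT_LOADED`, which is the mismatch to look for when a board's CSF size differs from the one the image was built with.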

* [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support
  2016-08-25 17:03 ` [U-Boot] [PATCH v2 0/5] Add i.MX HAB encryption support Gary Bisson
                     ` (4 preceding siblings ...)
  2016-08-25 17:03   ` [U-Boot] [PATCH v2 5/5] nitrogen6x: " Gary Bisson
@ 2016-10-17  7:09   ` Stefano Babic
  5 siblings, 0 replies; 19+ messages in thread
From: Stefano Babic @ 2016-10-17  7:09 UTC (permalink / raw)
  To: u-boot

Hi Gary,

On 25/08/2016 19:03, Gary Bisson wrote:
> Hi all,
> 
> This patch is actually a follow-up of the one from Peng Fan:
> https://patchwork.ozlabs.org/patch/616568/
> 
> As he mentioned at the time, the current i.MX source code doesn't allow
> building a U-Boot that supports encryption features (dek commands).
> The reason is that the commit 2bb01482 did some cleanup, removing usec2ticks
> which is mandatory for the Freescale/NXP job ring code to build.
> 
> At the time of the original patch, Tom/Stefano said that a configuration
> would need to leverage those options and some of the config should be
> moved to Kconfig. The goal of this series is to enable it in the common
> mx6/7 configuration files.
> 
> The series also adds the missing CSF declaration in nitrogen6* cfg files.
> 
> Changes v1->v2:
> - Simplified the help comment of the SECURE_BOOT config option
> - Moved SECURE_BOOT options to mx6/7_common.h
> 
> Let me know your thoughts.
> 
> Regards,
> Gary
> 
> Gary Bisson (4):
>   arm: imx-common: add SECURE_BOOT option to Kconfig
>   mx6_common: add secure boot support
>   mx7_common: add secure boot support
>   nitrogen6x: add secure boot support
> 
> Peng Fan (1):
>   arm: imx-common: introduce back usec2ticks
> 
>  arch/arm/imx-common/Kconfig                 |  7 +++++++
>  arch/arm/imx-common/timer.c                 | 16 ++++++++++++++++
>  board/boundary/nitrogen6x/nitrogen6dl.cfg   |  3 +++
>  board/boundary/nitrogen6x/nitrogen6dl2g.cfg |  3 +++
>  board/boundary/nitrogen6x/nitrogen6q.cfg    |  3 +++
>  board/boundary/nitrogen6x/nitrogen6q2g.cfg  |  3 +++
>  board/boundary/nitrogen6x/nitrogen6s.cfg    |  3 +++
>  board/boundary/nitrogen6x/nitrogen6s1g.cfg  |  3 +++
>  include/configs/colibri_imx7.h              |  4 ----
>  include/configs/mx6_common.h                |  9 +++++++++
>  include/configs/mx7_common.h                |  9 +++++++++
>  include/configs/mx7dsabresd.h               |  4 ----
>  12 files changed, 59 insertions(+), 8 deletions(-)
> 

Applied to u-boot-imx, thanks  - sorry for delay !

Best regards,
Stefano Babic


-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================

^ permalink raw reply	[flat|nested] 19+ messages in thread
