[00/23] Fix and extend i.MX HAB layer

Message ID 1514377566-28512-1-git-send-email-bryan.odonoghue@linaro.org
Headers show
Series
  • Fix and extend i.MX HAB layer
Related show

Message

Bryan O'Donoghue Dec. 27, 2017, 12:25 p.m.
This patchset updates the i.MX HAB layer in u-boot to fix a list of
identified issues and then to add and extend existing functionality.

The first block of patches 0001-0006 deal with fixing existing code,

- Fixes indentation
- Fixes the treatment of input parameters to hab_auth_image.

The second block of patches 0007-0013 are about tidying up the HAB code

- Remove reliance on hard-coding to specific offsets
- IVT header drives locating CSF
- Continue to support existing boards

Patches 0014 onwards extend out the HAB functionality.

- hab_rvt_check_target is a recommended check in the NXP documents to
  perform prior to hab_rvt_authenticate_image
- hab_rvt_failsafe is a useful function to set the board into BootROM
  USB recovery mode.

Bryan O'Donoghue (23):
  arm: imx: hab: Make authenticate_image return int
  arm: imx: hab: Fix authenticate_image result code
  arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
  arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
  arm: imx: hab: Fix authenticate_image input parameters
  arm: imx: hab: Fix authenticate image lockup on MX7
  arm: imx: hab: Move IVT_SIZE to hab.h
  arm: imx: hab: Move CSF_PAD_SIZE to hab.h
  arm: imx: hab: Add IVT header definitions
  arm: imx: hab: Add IVT header verification
  arm: imx: hab: Verify IVT self matches calculated address
  arm: imx: hab: Print CSF based on IVT descriptor
  arm: imx: hab: Print additional IVT elements during debug
  arm: imx: hab: Define rvt_check_target()
  arm: imx: hab: Implement hab_rvt_check_target
  arm: imx: hab: Add a hab_rvt_check_target to image auth
  arm: imx: hab: Make internal functions and data static
  arm: imx: hab: Prefix authenticate_image with imx_hab
  arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
  arm: imx: hab: Make imx_hab_is_enabled global
  arm: imx: hab: Define rvt_failsafe()
  arm: imx: hab: Implement hab_rvt_failsafe
  arm: imx: hab: Add hab_failsafe console command

 arch/arm/include/asm/mach-imx/hab.h |  46 +++-
 arch/arm/mach-imx/hab.c             | 480 ++++++++++++++++++++++--------------
 arch/arm/mach-imx/spl.c             |  38 ++-
 3 files changed, 370 insertions(+), 194 deletions(-)

Comments

Breno Matheus Lima Dec. 28, 2017, 5:54 p.m. | #1
Hi Bryan,

2017-12-27 10:25 GMT-02:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> This patchset updates the i.MX HAB layer in u-boot to fix a list of
> identified issues and then to add and extend existing functionality.
>
> The first block of patches 0001-0006 deal with fixing existing code,
>
> - Fixes indentation
> - Fixes the treatment of input parameters to hab_auth_image.
>
> The second block of patches 0007-0013 are about tidying up the HAB code
>
> - Remove reliance on hard-coding to specific offsets
> - IVT header drives locating CSF
> - Continue to support existing boards
>
> Patches 0014 onwards extend out the HAB functionality.
>
> - hab_rvt_check_target is a recommended check in the NXP documents to
>   perform prior to hab_rvt_authenticate_image
> - hab_rvt_failsafe is a useful function to set the board into BootROM
>   USB recovery mode.
>
> Bryan O'Donoghue (23):
>   arm: imx: hab: Make authenticate_image return int
>   arm: imx: hab: Fix authenticate_image result code
>   arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>   arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>   arm: imx: hab: Fix authenticate_image input parameters

After applying "[PATCH 05/23] arm: imx: hab: Fix authenticate_image
input parameters" I'm getting the following error when building
mx6sabreauto:

arch/arm/mach-imx/spl.c: In function 'jump_to_image_no_args':
arch/arm/mach-imx/spl.c:200:14: error: 'IVT_SIZE' undeclared (first
use in this function)
     offset + IVT_SIZE + CSF_PAD_SIZE, offset)) {
              ^
arch/arm/mach-imx/spl.c:200:14: note: each undeclared identifier is
reported only once for each function it appears in
arch/arm/mach-imx/spl.c:200:25: error: 'CSF_PAD_SIZE' undeclared
(first use in this function)
     offset + IVT_SIZE + CSF_PAD_SIZE, offset)) {
                         ^
arch/arm/mach-imx/spl.c:206:1: warning: 'noreturn' function does return
 }
 ^
scripts/Makefile.build:280: recipe for target
'spl/arch/arm/mach-imx/spl.o' failed
make[2]: *** [spl/arch/arm/mach-imx/spl.o] Error 1
make[2]: *** Waiting for unfinished jobs....

>   arm: imx: hab: Fix authenticate image lockup on MX7
>   arm: imx: hab: Move IVT_SIZE to hab.h
>   arm: imx: hab: Move CSF_PAD_SIZE to hab.h

I believe patches "[PATCH 07/23] arm: imx: hab: Move IVT_SIZE to
hab.h" and "[PATCH 08/23] arm: imx: hab: Move CSF_PAD_SIZE to hab.h"
have to be applied before the [PATCH 05/23] to avoid this build error.
Can you please check if it's possible to move these patches?

Thanks,
Breno Lima
Bryan O'Donoghue Dec. 28, 2017, 6 p.m. | #2
On 28/12/17 17:54, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> 2017-12-27 10:25 GMT-02:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
>> This patchset updates the i.MX HAB layer in u-boot to fix a list of
>> identified issues and then to add and extend existing functionality.
>>
>> The first block of patches 0001-0006 deal with fixing existing code,
>>
>> - Fixes indentation
>> - Fixes the treatment of input parameters to hab_auth_image.
>>
>> The second block of patches 0007-0013 are about tidying up the HAB code
>>
>> - Remove reliance on hard-coding to specific offsets
>> - IVT header drives locating CSF
>> - Continue to support existing boards
>>
>> Patches 0014 onwards extend out the HAB functionality.
>>
>> - hab_rvt_check_target is a recommended check in the NXP documents to
>>    perform prior to hab_rvt_authenticate_image
>> - hab_rvt_failsafe is a useful function to set the board into BootROM
>>    USB recovery mode.
>>
>> Bryan O'Donoghue (23):
>>    arm: imx: hab: Make authenticate_image return int
>>    arm: imx: hab: Fix authenticate_image result code
>>    arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>>    arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>>    arm: imx: hab: Fix authenticate_image input parameters
> 
> After applying "[PATCH 05/23] arm: imx: hab: Fix authenticate_image
> input parameters" I'm getting the following error when building
> mx6sabreauto:

That's funny. I just build mx6sabreauto_config + CONFIG_SECURE_BOOT and 
it works.

I'll rebase and build each patch incrementally - obviously there's some 
breakage with your configuration.

Thanks for testing