[00/23] Fix and extend i.MX HAB layer

Message ID	1514377566-28512-1-git-send-email-bryan.odonoghue@linaro.org
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of u-boot-bounces@lists.denx.de designates 81.169.180.215 as permitted sender) client-ip=81.169.180.215; From: Bryan O'Donoghue <bryan.odonoghue@linaro.org> To: u-boot@lists.denx.de Date: Wed, 27 Dec 2017 12:25:43 +0000 Message-Id: <1514377566-28512-1-git-send-email-bryan.odonoghue@linaro.org> Subject: [U-Boot] [PATCH 00/23] Fix and extend i.MX HAB layer Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Fix and extend i.MX HAB layer \| expand [00/23] Fix and extend i.MX HAB layer [01/23] arm: imx: hab: Make authenticate_image return int [02/23] arm: imx: hab: Fix authenticate_image result code [03/23] arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail [04/23] arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail [05/23] arm: imx: hab: Fix authenticate_image input parameters [06/23] arm: imx: hab: Fix authenticate image lockup on MX7 [07/23] arm: imx: hab: Move IVT_SIZE to hab.h [08/23] arm: imx: hab: Move CSF_PAD_SIZE to hab.h [09/23] arm: imx: hab: Add IVT header definitions [10/23] arm: imx: hab: Add IVT header verification [11/23] arm: imx: hab: Verify IVT self matches calculated address [12/23] arm: imx: hab: Print CSF based on IVT descriptor [13/23] arm: imx: hab: Print additional IVT elements during debug [14/23] arm: imx: hab: Define rvt_check_target() [15/23] arm: imx: hab: Implement hab_rvt_check_target [16/23] arm: imx: hab: Add a hab_rvt_check_target to image auth [17/23] arm: imx: hab: Make internal functions and data static [18/23] arm: imx: hab: Prefix authenticate_image with imx_hab [19/23] arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled [20/23] arm: imx: hab: Make imx_hab_is_enabled global [21/23] arm: imx: hab: Define rvt_failsafe() [22/23] arm: imx: hab: Implement hab_rvt_failsafe [23/23] arm: imx: hab: Add hab_failsafe console command

Message ID

1514377566-28512-1-git-send-email-bryan.odonoghue@linaro.org

Headers

Received-SPF: pass (google.com: best guess record for domain of
	u-boot-bounces@lists.denx.de designates 81.169.180.215 as
	permitted sender) client-ip=81.169.180.215; 
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: u-boot@lists.denx.de
Date: Wed, 27 Dec 2017 12:25:43 +0000
Message-Id: <1514377566-28512-1-git-send-email-bryan.odonoghue@linaro.org>
Subject: [U-Boot] [PATCH 00/23] Fix and extend i.MX HAB layer
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

Fix and extend i.MX HAB layer | expand

Message

Bryan O'Donoghue Dec. 27, 2017, 12:25 p.m. UTC

This patchset updates the i.MX HAB layer in u-boot to fix a list of
identified issues and then to add and extend existing functionality.

The first block of patches 0001-0006 deal with fixing existing code,

- Fixes indentation
- Fixes the treatment of input parameters to hab_auth_image.

The second block of patches 0007-0013 are about tidying up the HAB code

- Remove reliance on hard-coding to specific offsets
- IVT header drives locating CSF
- Continue to support existing boards

Patches 0014 onwards extend out the HAB functionality.

- hab_rvt_check_target is a recommended check in the NXP documents to
  perform prior to hab_rvt_authenticate_image
- hab_rvt_failsafe is a useful function to set the board into BootROM
  USB recovery mode.

Bryan O'Donoghue (23):
  arm: imx: hab: Make authenticate_image return int
  arm: imx: hab: Fix authenticate_image result code
  arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
  arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
  arm: imx: hab: Fix authenticate_image input parameters
  arm: imx: hab: Fix authenticate image lockup on MX7
  arm: imx: hab: Move IVT_SIZE to hab.h
  arm: imx: hab: Move CSF_PAD_SIZE to hab.h
  arm: imx: hab: Add IVT header definitions
  arm: imx: hab: Add IVT header verification
  arm: imx: hab: Verify IVT self matches calculated address
  arm: imx: hab: Print CSF based on IVT descriptor
  arm: imx: hab: Print additional IVT elements during debug
  arm: imx: hab: Define rvt_check_target()
  arm: imx: hab: Implement hab_rvt_check_target
  arm: imx: hab: Add a hab_rvt_check_target to image auth
  arm: imx: hab: Make internal functions and data static
  arm: imx: hab: Prefix authenticate_image with imx_hab
  arm: imx: hab: Rename is_hab_enabled imx_hab_is_enabled
  arm: imx: hab: Make imx_hab_is_enabled global
  arm: imx: hab: Define rvt_failsafe()
  arm: imx: hab: Implement hab_rvt_failsafe
  arm: imx: hab: Add hab_failsafe console command

 arch/arm/include/asm/mach-imx/hab.h |  46 +++-
 arch/arm/mach-imx/hab.c             | 480 ++++++++++++++++++++++--------------
 arch/arm/mach-imx/spl.c             |  38 ++-
 3 files changed, 370 insertions(+), 194 deletions(-)

Comments

Breno Matheus Lima Dec. 28, 2017, 5:54 p.m. UTC | #1

Hi Bryan,

2017-12-27 10:25 GMT-02:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> This patchset updates the i.MX HAB layer in u-boot to fix a list of
> identified issues and then to add and extend existing functionality.
>
> The first block of patches 0001-0006 deal with fixing existing code,
>
> - Fixes indentation
> - Fixes the treatment of input parameters to hab_auth_image.
>
> The second block of patches 0007-0013 are about tidying up the HAB code
>
> - Remove reliance on hard-coding to specific offsets
> - IVT header drives locating CSF
> - Continue to support existing boards
>
> Patches 0014 onwards extend out the HAB functionality.
>
> - hab_rvt_check_target is a recommended check in the NXP documents to
>   perform prior to hab_rvt_authenticate_image
> - hab_rvt_failsafe is a useful function to set the board into BootROM
>   USB recovery mode.
>
> Bryan O'Donoghue (23):
>   arm: imx: hab: Make authenticate_image return int
>   arm: imx: hab: Fix authenticate_image result code
>   arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>   arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>   arm: imx: hab: Fix authenticate_image input parameters

After applying "[PATCH 05/23] arm: imx: hab: Fix authenticate_image
input parameters" I'm getting the following error when building
mx6sabreauto:

arch/arm/mach-imx/spl.c: In function 'jump_to_image_no_args':
arch/arm/mach-imx/spl.c:200:14: error: 'IVT_SIZE' undeclared (first
use in this function)
     offset + IVT_SIZE + CSF_PAD_SIZE, offset)) {
              ^
arch/arm/mach-imx/spl.c:200:14: note: each undeclared identifier is
reported only once for each function it appears in
arch/arm/mach-imx/spl.c:200:25: error: 'CSF_PAD_SIZE' undeclared
(first use in this function)
     offset + IVT_SIZE + CSF_PAD_SIZE, offset)) {
                         ^
arch/arm/mach-imx/spl.c:206:1: warning: 'noreturn' function does return
 }
 ^
scripts/Makefile.build:280: recipe for target
'spl/arch/arm/mach-imx/spl.o' failed
make[2]: *** [spl/arch/arm/mach-imx/spl.o] Error 1
make[2]: *** Waiting for unfinished jobs....

>   arm: imx: hab: Fix authenticate image lockup on MX7
>   arm: imx: hab: Move IVT_SIZE to hab.h
>   arm: imx: hab: Move CSF_PAD_SIZE to hab.h

I believe patches "[PATCH 07/23] arm: imx: hab: Move IVT_SIZE to
hab.h" and "[PATCH 08/23] arm: imx: hab: Move CSF_PAD_SIZE to hab.h"
have to be applied before the [PATCH 05/23] to avoid this build error.
Can you please check if it's possible to move these patches?

Thanks,
Breno Lima

Bryan O'Donoghue Dec. 28, 2017, 6 p.m. UTC | #2

On 28/12/17 17:54, Breno Matheus Lima wrote:
> Hi Bryan,
> 
> 2017-12-27 10:25 GMT-02:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
>> This patchset updates the i.MX HAB layer in u-boot to fix a list of
>> identified issues and then to add and extend existing functionality.
>>
>> The first block of patches 0001-0006 deal with fixing existing code,
>>
>> - Fixes indentation
>> - Fixes the treatment of input parameters to hab_auth_image.
>>
>> The second block of patches 0007-0013 are about tidying up the HAB code
>>
>> - Remove reliance on hard-coding to specific offsets
>> - IVT header drives locating CSF
>> - Continue to support existing boards
>>
>> Patches 0014 onwards extend out the HAB functionality.
>>
>> - hab_rvt_check_target is a recommended check in the NXP documents to
>>    perform prior to hab_rvt_authenticate_image
>> - hab_rvt_failsafe is a useful function to set the board into BootROM
>>    USB recovery mode.
>>
>> Bryan O'Donoghue (23):
>>    arm: imx: hab: Make authenticate_image return int
>>    arm: imx: hab: Fix authenticate_image result code
>>    arm: imx: hab: Optimise flow of authenticate_image on is_enabled fail
>>    arm: imx: hab: Optimise flow of authenticate_image on hab_entry fail
>>    arm: imx: hab: Fix authenticate_image input parameters
> 
> After applying "[PATCH 05/23] arm: imx: hab: Fix authenticate_image
> input parameters" I'm getting the following error when building
> mx6sabreauto:

That's funny. I just build mx6sabreauto_config + CONFIG_SECURE_BOOT and 
it works.

I'll rebase and build each patch incrementally - obviously there's some 
breakage with your configuration.

Thanks for testing