
[v3,00/17] warp7: Enable automated OPTEE/HAB boot flow

Message ID 1523633481-20914-1-git-send-email-bryan.odonoghue@linaro.org
Series warp7: Enable automated OPTEE/HAB boot flow

Message

Bryan O'Donoghue April 13, 2018, 3:31 p.m. UTC
https://git.linaro.org/landing-teams/working/mbl/u-boot.git/log/?h=linaro-mbl%2bbod

v3:
- Reword commit message of patch #16 - Breno

- This patchset now relies on five in-flight patch-sets, the first four of
  which should be applied first
 
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs

4. Pierre-Jean's generic load patches

   [U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
   in CONFIG_EXTRA_ENV_SETTINGS

   [U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC

5. [PATCH] bootm: Align cache flush begin address
   This last patch can be applied in any order

v2:
- Ensure warp7_defconfig boots existing yocto with this change plus the
  automated HAB layer being added here following on from "[PATCH v3 0/2]
  WaRP7 unify secure and non-secure defconfigs"

- Fix reference to partition #1 versus partition #2 in select uuidpart
  patch

- Rebase on top of Pierre-Jean Texier generic load patches

- Drop my patch which did the same thing as Pierre-Jean's patch via
  ${loadcmd}

- Update example boot.scr from v1 to reflect use of generic 'load' command

- This patchset now relies on four in-flight patch-sets which all have the
  relevant Reviewed-by tags from the board Maintainer Fabio.
 
1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH v3 0/2] WaRP7 unify secure and non-secure defconfigs

4. Pierre-Jean's generic load patches

   [U-Boot] [PATCH v3 1/2] warp7: include/configs: use generic fs commands
   in CONFIG_EXTRA_ENV_SETTINGS

   [U-Boot] [PATCH v3 2/2] warp7: configs: enable CONFIG_CMD_FS_GENERIC
 
v1:
This series enables an automated HAB-verified secure boot which chain-loads
via OPTEE; see `git show 5cf3251..c225e7c` for details.

This set depends on three in-flight patchsets

1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial
   Already has a Reviewed-by from Fabio

2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth
   Has a Reviewed-by: from Breno

3. [PATCH] configs: warp7: Fix CAAM on boot with tip-of-tree

I'm trying not to make this cover email too long. So, once this set is
applied, it is possible to boot from the BootROM using HAB to verify

- u-boot
- boot.scr
- Kernel
- DTB

Chainload via OPTEE and boot up to Linux. If there is a HAB failure at any
stage of the process we force-drop down to the USB HID failover mode, from
which we can send up a recovery image to unblock.

I've run the WaRP7 default u-boot and this new version on NXP's reference
yocto image and verified that that yocto image boots with both versions of
the WaRP7 -> warp7_defconfig and warp7_secure_defconfig.

http://freescale.github.io/#download -> Boards -> WaRPboard community - WaRP -
Wearable Reference Platform -> FSL Community BSP 2.3 -> fsl-image-multimediawayland

In addition the modifications targeting warp7_secure_defconfig mean it is
possible to chain-load via OPTEE using scripted HAB to verify images prior
to exiting the u-boot domain.

Here is an example of the scripting we are doing which shows further reuse
of shell functions introduced in previous patches.

#### Example secure-boot boot.scr.imx-signed ####

# This section is responsible for loading a signed Linux kernel
setenv image_signed zImage.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${image_signed}
	run warp7_auth_or_fail
else
	run loadimage;
fi

# This section is responsible for loading a signed FDT image
setenv fdt_file_signed imx7s-warp.dtb.imx-signed
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${fdt_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${fdt_file_signed}
	run warp7_auth_or_fail
else
	run loadfdt;
fi

# Boot from rootfs1 by default
setenv mmcpart 3

# But if the rootfs2 file exists in partition 2, boot from rootfs2
ext4size mmc 0:2 rootfs2 && setenv mmcpart 5

# This section is responsible for loading a signed OPTEE image
setenv optee_file /lib/firmware/uTee.optee
setenv optee_file_signed /lib/firmware/uTee.optee.imx-signed
setenv loadoptee "load mmc ${mmcdev}:${mmcpart} ${optee_addr} ${optee_file}"
if test ${hab_enabled} -eq 1; then
	setexpr hab_ivt_addr ${optee_addr} - ${ivt_offset}
	load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${optee_file_signed}
	run warp7_auth_or_fail
else
	run loadoptee;
fi

# Set UUID; mmcpart will be used to pass root id to kernel
setenv rootpart ${mmcpart}
run finduuid;
run mmcargs;

# Now boot
echo Booting secure Linux/OPTEE OS from mmc ...;
bootm ${optee_addr} - ${fdt_addr};

# Failsafe if something goes wrong
hab_failsafe

Bryan O'Donoghue (17):
  imximage: Specify default IVT offset in IMX image
  warp7: hab: Add a CSF location definition
  warp7: hab: Set environment variable indicating HAB enable
  warp7: defconfig: Enable OPTEE for WaRP7
  warp7: Allocate specific region of memory to OPTEE
  warp7: Print out the OPTEE DRAM region
  warp7: Specify CONFIG_OPTEE_LOAD_ADDR
  warp7: defconfig: Enable CONFIG_SECURE_BOOT
  warp7: defconfig: Enable CONFIG_BOOTM_TEE
  warp7: Make CONFIG_SYS_FDT_ADDR a define
  warp7: Add Kconfig WARP7_ROOT_PART
  warp7: select uuid partition based on rootpart
  warp7: Define the name of a signed boot-script file
  warp7: add warp7_auth_or_fail
  warp7: hab: Set environment variable indicating IVT offset
  warp7: defconfig: Enable CMD_SETEXPR
  warp7: Add support for automated secure boot.scr verification

 board/warp7/Kconfig      | 14 ++++++++++++++
 board/warp7/imximage.cfg |  4 ++++
 board/warp7/warp7.c      | 23 +++++++++++++++++++++++
 configs/warp7_defconfig  |  6 +++++-
 include/configs/warp7.h  | 22 ++++++++++++++++++++--
 include/imximage.h       |  3 +++
 6 files changed, 69 insertions(+), 3 deletions(-)
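
The boot.scr above stakes the whole chain on one piece of arithmetic: the signed file is loaded at loadaddr - ivt_offset, so the IVT that mkimage placed at ivt_offset inside the file lands at exactly loadaddr, and its self pointer, boot_data.start and CSF pointer must all have been generated for that placement; if they were not, the HAB authentication in warp7_auth_or_fail fails and the board drops to the failsafe. The host-side checker below is an added example written for this page, not code from the series, from U-Boot or from NXP's tooling. It parses the HABv4 IVT and boot data (field layout as in U-Boot's include/imximage.h) and applies the header, self-pointer, DCD-pointer and CSF-range checks that arch/arm/mach-imx/hab.c makes before handing an image to the ROM, plus basic size and entry-point sanity checks. The addresses 0x80800000 and 0x400 are assumed for illustration, the function and variable names are this example's own, and the test image is constructed inline with filler bytes in place of a real CSF.

```python
"""Host-side pre-flight check for an i.MX HAB signed image.

Added example, not code from the patch series or from U-Boot. The cover
letter's boot.scr computes hab_ivt_addr = loadaddr - ivt_offset, loads the
.imx-signed file there and runs warp7_auth_or_fail. HAB only accepts that
if the IVT inside the file was generated for exactly that placement. The
IVT/boot_data layout is the HABv4 one from U-Boot's include/imximage.h.
"""
import struct

IVT_MAGIC = 0xD1             # IVT header tag
IVT_LENGTH = 0x20            # IVT length field, stored big-endian
IVT_VERSIONS = (0x40, 0x41)  # HABv4 IVT header versions
BOOT_DATA_LEN = 0x0C         # boot_data: start, size, plugin (3 x le32)


def parse_ivt(blob, ivt_offset):
    """Return the IVT fields found at ivt_offset in the file image."""
    if len(blob) < ivt_offset + IVT_LENGTH:
        raise ValueError("file too short to contain an IVT at 0x%x" % ivt_offset)
    hdr = blob[ivt_offset:ivt_offset + IVT_LENGTH]
    (length,) = struct.unpack(">H", hdr[1:3])
    entry, res1, dcd, boot_data, self_ptr, csf, res2 = struct.unpack("<7I", hdr[4:32])
    return {"magic": hdr[0], "length": length, "version": hdr[3],
            "entry": entry, "reserved1": res1, "dcd": dcd, "boot_data": boot_data,
            "self": self_ptr, "csf": csf, "reserved2": res2}


def parse_boot_data(blob, ivt, ivt_offset):
    """boot_data sits in the file at (boot_data_ptr - self) relative to the IVT."""
    off = ivt_offset + (ivt["boot_data"] - ivt["self"])
    if off < 0 or off + BOOT_DATA_LEN > len(blob):
        raise ValueError("boot_data pointer falls outside the file")
    start, size, plugin = struct.unpack("<3I", blob[off:off + BOOT_DATA_LEN])
    return {"start": start, "size": size, "plugin": plugin}


def check_signed_image(blob, load_addr, ivt_offset):
    """Return a list of problems; an empty list means the file matches the
    boot.scr arithmetic for load_addr (${loadaddr}, ${fdt_addr} or
    ${optee_addr}) and ivt_offset (${ivt_offset})."""
    try:
        ivt = parse_ivt(blob, ivt_offset)
    except ValueError as e:
        return [str(e)]
    problems = []
    if ivt["magic"] != IVT_MAGIC:
        problems.append("IVT magic 0x%02x != 0xd1" % ivt["magic"])
    if ivt["length"] != IVT_LENGTH:
        problems.append("IVT length 0x%x != 0x20" % ivt["length"])
    if ivt["version"] not in IVT_VERSIONS:
        problems.append("IVT version 0x%02x not in (0x40, 0x41)" % ivt["version"])
    if problems:
        return problems                       # header garbage, other fields meaningless
    hab_ivt_addr = load_addr - ivt_offset     # what the boot.scr setexpr computes
    if ivt["self"] != load_addr:              # IVT lands at load_addr when file is at hab_ivt_addr
        problems.append("IVT self 0x%08x != 0x%08x (IVT runtime address)" % (ivt["self"], load_addr))
    if ivt["dcd"] != 0:                       # hab.c rejects a DCD in images authenticated from U-Boot
        problems.append("DCD pointer must be 0 for images authenticated from U-Boot")
    if ivt["reserved1"] or ivt["reserved2"]:
        problems.append("reserved IVT fields are not zero")
    if ivt["csf"] == 0:
        problems.append("CSF pointer is 0: image carries no signature")
    try:
        bd = parse_boot_data(blob, ivt, ivt_offset)
    except ValueError as e:
        return problems + [str(e)]
    if bd["start"] != hab_ivt_addr:
        problems.append("boot_data.start 0x%08x != load address 0x%08x" % (bd["start"], hab_ivt_addr))
    if bd["size"] > len(blob):
        problems.append("boot_data.size 0x%x exceeds file size 0x%x" % (bd["size"], len(blob)))
    end = bd["start"] + bd["size"]            # authenticated region is [start, start + size)
    if ivt["csf"] and not (bd["start"] <= ivt["csf"] < end):
        problems.append("CSF 0x%08x lies outside the authenticated region" % ivt["csf"])
    if not (bd["start"] <= ivt["entry"] < end):
        problems.append("entry 0x%08x lies outside the authenticated region" % ivt["entry"])
    return problems


def build_test_image(payload, load_addr, ivt_offset, csf_len=0x2000, sign=True):
    """Constructed test image (pad, IVT, boot_data, payload, filler CSF).
    The CSF is filler bytes, not CST output; layout only mimics mkimage."""
    start = load_addr - ivt_offset
    payload_off = ivt_offset + IVT_LENGTH + BOOT_DATA_LEN
    csf_off = payload_off + len(payload)
    total = csf_off + (csf_len if sign else 0)
    csf_ptr = start + csf_off if sign else 0
    ivt = bytes([IVT_MAGIC]) + struct.pack(">H", IVT_LENGTH) + bytes([0x41])
    ivt += struct.pack("<7I", start + payload_off, 0, 0, load_addr + IVT_LENGTH,
                       load_addr, csf_ptr, 0)
    boot_data = struct.pack("<3I", start, total, 0)
    img = bytes(ivt_offset) + ivt + boot_data + payload
    return img + b"\xCF" * csf_len if sign else img


if __name__ == "__main__":
    LOADADDR, IVT_OFFSET = 0x80800000, 0x400      # assumed values, not the board's env
    img = build_test_image(b"\x00" * 0x1000, LOADADDR, IVT_OFFSET)
    print("hab_ivt_addr = 0x%08x" % (LOADADDR - IVT_OFFSET))
    print("matching loadaddr:", check_signed_image(img, LOADADDR, IVT_OFFSET) or "ok")
    print("wrong loadaddr:   ", check_signed_image(img, LOADADDR + 0x100000, IVT_OFFSET))
```

Run it against a real zImage.imx-signed, imx7s-warp.dtb.imx-signed or uTee.optee.imx-signed with the loadaddr/fdt_addr/optee_addr and ivt_offset taken from the target's printenv before writing the boot partition; an empty problem list means the file was signed for the placement the script will use, and a self or boot_data.start mismatch is exactly the case HAB rejects on the board.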

Comments

Breno Matheus Lima April 16, 2018, 6:12 p.m. UTC
Hi Bryan,

2018-04-13 12:31 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> [...]

For the entire series:

Tested-by: Breno Lima <breno.lima@nxp.com>

Thanks,
Breno Lima
Fabio Estevam April 16, 2018, 7:58 p.m. UTC
On Fri, Apr 13, 2018 at 12:31 PM, Bryan O'Donoghue
<bryan.odonoghue@linaro.org> wrote:

> Bryan O'Donoghue (17):
>   imximage: Specify default IVT offset in IMX image
>   warp7: hab: Add a CSF location definition
>   warp7: hab: Set environment variable indicating HAB enable
>   warp7: defconfig: Enable OPTEE for WaRP7
>   warp7: Allocate specific region of memory to OPTEE
>   warp7: Print out the OPTEE DRAM region
>   warp7: Specify CONFIG_OPTEE_LOAD_ADDR
>   warp7: defconfig: Enable CONFIG_SECURE_BOOT
>   warp7: defconfig: Enable CONFIG_BOOTM_TEE
>   warp7: Make CONFIG_SYS_FDT_ADDR a define
>   warp7: Add Kconfig WARP7_ROOT_PART
>   warp7: select uuid partition based on rootpart
>   warp7: Define the name of a signed boot-script file
>   warp7: add warp7_auth_or_fail
>   warp7: hab: Set environment variable indicating IVT offset
>   warp7: defconfig: Enable CMD_SETEXPR
>   warp7: Add support for automated secure boot.scr verification

For the series:

Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>