Re: [EXT] [PATCH] doc: imx: habv4: Add Secure Boot guide for i.MX8M SPL targets

2022-07-17 Thread Marek Vasut

On 7/13/22 00:57, Utkarsh Gupta wrote:

Hi Marek,

The Secure/Encrypted boot guides for 8M exist in NXP BSP at
https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx?h=lf_v2022.04. Looks like they need to be upstreamed. @Peng Fan/@Ye Li - FYI

Regards,
Utkarsh G.


-Original Message-
From: Marek Vasut
Sent: Tuesday, July 12, 2022 10:05 AM
To: u-boot@lists.denx.de
Cc: Marek Vasut; Breno Matheus Lima; Fabio Estevam; Heiko Schocher; Peng Fan; Stefano Babic; Utkarsh Gupta; Ye Li
Subject: [EXT] [PATCH] doc: imx: habv4: Add Secure Boot guide for i.MX8M SPL targets


Add HABv4 documentation extension for SPL targets covering the following
topics:

- How to sign and securely boot a flash.bin container image.
- How to extend the root of trust for additional boot images.
- Add SPL and fitImage CSF examples.
- Add signature generation script example.

Signed-off-by: Marek Vasut 
Cc: Breno Lima 
Cc: Fabio Estevam 
Cc: Heiko Schocher 
Cc: Peng Fan 
Cc: Stefano Babic 
Cc: Utkarsh Gupta 
Cc: Ye Li 
---
  doc/imx/habv4/csf_examples/mx8m/csf.sh|  77 +
  doc/imx/habv4/csf_examples/mx8m/csf_fit.txt   |  36 +++
  doc/imx/habv4/csf_examples/mx8m/csf_spl.txt   |  33 +++
  doc/imx/habv4/guides/mx8m_spl_secure_boot.txt | 265 ++
  4 files changed, 411 insertions(+)
  create mode 100644 doc/imx/habv4/csf_examples/mx8m/csf.sh
  create mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
  create mode 100644 doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
  create mode 100644 doc/imx/habv4/guides/mx8m_spl_secure_boot.txt

diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh
b/doc/imx/habv4/csf_examples/mx8m/csf.sh
new file mode 100644
index 000..6898513be51
--- /dev/null
+++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# 0) Generate keys
+#
+# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e.
+i.MX8M Plus) # # cd /path/to/cst-3.3.1/keys/
+#./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10

-num-srk

4 -srk-ca y
+# cd /path/to/cst-3.3.1/crts/
+#   ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e
SRK_1_2_3_4_fuse.bin -d sha256 -
c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_
ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_
65537_v3_ca_crt.pem -f 1
+
+# 1) Build U-Boot (e.g. for i.MX8MM)
+#
+# export ATF_LOAD_ADDR=0x92
+# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin .
+# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* .
+# make -j imx8mm_board_defconfig
+# make -j`nproc` flash.bin
+
+# 2) Sign SPL and DRAM blobs
+
+cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp cp
+doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
+
+spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/
+s@.*=@@p" .config) - 0x40)) ) spl_block_size=$(printf "0x%x" $(stat -tc
+%s u-boot-spl-ddr.bin)) sed -i "/Blocks = / s@.*@  Blocks =
+$spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
+
+# Generate CSF blob
+cst -i csf_spl.tmp -o csf_spl.bin
+
+# Patch CSF blob into flash.bin
+spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed
+"s@^@0x@") spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f
+2 | sed "s@^@0x@") spl_dd_offset=$((${spl_csf_offset} -
+${spl_bin_offset} + 0x40)) dd if=csf_spl.bin of=flash.bin bs=1
+seek=${spl_dd_offset} conv=notrunc
+
+# 3) Sign u-boot.itb
+
+# fitImage tree
+fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SYS_TEXT_BASE=/
+s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/
s@.*=@@p"
+.config) - 0x200 - 0x40)) ) fit_block_offset=$(printf "0x%s" $(fdtget
+-t x u-boot.dtb /binman/imx-boot/uboot offset)) fit_block_size=$(printf
+"0x%x" $(( ( $(fdtdump u-boot.itb 2>/dev/null | sed -n
+"/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) &
+~(0x1000 - 0x1) + 0x20 )) ) sed -i "/Blocks = / s@.*@  Blocks =
+$fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", @"
+csf_fit.tmp
+
+# U-Boot
+uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot
+load)) uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget
+-t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} )))
uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot

data-

size))
+sed -i "/0x/ s@.*@   $uboot_block_base $uboot_block_offset
$uboot_block_size \"flash.bin\", @" csf_fit.tmp
+
+# ATF
+atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf
+load)) atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t
+x u-boot.itb /images/atf data-position)) + ${fit_block_offset} )))
atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf

data-size))

+sed -i "/0x/ s@.*@   $atf_block_base $atf_block_offset
$atf_block_size \"flash.bin\", @" csf_fit.tmp
+
+# DTB
+dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} +
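Review bot: the fit_block_size arithmetic in step 3 has an operator-precedence problem: inside `$(( ))` the binary `+` binds tighter than `&`, so `( totalsize + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) + 0x20` is evaluated as `(totalsize + 0xfff) & (~0xfff + 0x20)`, which clears the low 12 bits of the sum except bit 0x20 (kept only when it happens to be set), rather than rounding the fitImage size up to 4 KiB and then adding 0x20. Parenthesise the rounding first, e.g. `$(( ( ( totalsize + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) ) + 0x20 ))`, and add a comment saying what the trailing 0x20 accounts for, since nothing in the script explains it. Two further points: the script has no `set -e` and never checks the exit status of `cst -i csf_spl.tmp -o csf_spl.bin`, so if CSF generation fails the following `dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc` still rewrites flash.bin in place with whatever csf_spl.bin contains; and the `/0x/` address used by the U-Boot and ATF `sed -i` calls matches every line of csf_fit.tmp that contains `0x`, including the `Blocks =` line written by the preceding sed, so unless csf_fit.txt is laid out so that exactly one placeholder line remains at each step, each call overwrites all of them. A distinct placeholder per entry (or addressing by line number) would make the substitution robust and easier to read.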

RE: [EXT] [PATCH] doc: imx: habv4: Add Secure Boot guide for i.MX8M SPL targets

2022-07-13 Thread Utkarsh Gupta