Commit graph

40 commits

Author SHA1 Message Date
Tim Harvey
ff1dd52024 mx8m: csf.sh: use vars for keys to avoid file edits when signing
The csf_spl.txt and csf_fit.txt templates contain file paths which must
be edited for the location of your NXP CST generated key files.

Streamline the process of signing an image by assigning unique var names
to these which can be expended from env variables in the csf.sh script.

The following vars are used:
 SRK_TABLE - full path to SRK_1_2_3_4_table.bin
 CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem

Additionally provide an example of running the csf.sh script.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
2023-07-13 11:29:40 +02:00
Fabio Estevam
f5d98b01e1 doc: imx: habv4: Fix typo in 'signing'
Fix two occurrences where 'signing' is misspelled.

Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Tim Harvey <tharvey@gateworks.com>
2023-07-03 10:20:13 -04:00
Marek Vasut
6039e0edc8 imx: hab: Simplify the mechanism
The current mechanism is unnecessarily complex. Simplify the whole mechanism
such that the entire fitImage is signed, IVT is placed at the end, followed
by CSF, and this entire bundle is also authenticated. This makes the signing
scripting far simpler.

Signed-off-by: Marek Vasut <marex@denx.de>
2023-06-24 13:47:02 -04:00
Tom Rini
65cc0e2a65 global: Move remaining CONFIG_SYS_* to CFG_SYS_*
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do
not easily transition to Kconfig. In many cases they likely should come
from the device tree instead. Move these out of CONFIG namespace and in
to CFG namespace.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-12-05 16:06:08 -05:00
Simon Glass
984639039f Rename CONFIG_SYS_TEXT_BASE to CONFIG_TEXT_BASE
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().

Rename it to resolve this problem.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-10-31 11:01:31 -04:00
Fabio Estevam
8b9d90d634 mx8m: csf.sh: Fix the calculation of fit_block_size
When running the script to sign SPL/U-Boot on a kontron-sl-mx8mm board,
the fit_block_size was calculated as 0x1000 instead of 0x1020.

Add an extra parenthesis pair to fix it.

Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
2022-09-21 16:19:45 +02:00
Marek Vasut
0c2c1c9415 doc: imx: habv4: Add Secure Boot guide for i.MX8M SPL targets
Add HABv4 documentation extension for SPL targets covering the
following topics:

- How to sign an securely boot an flash.bin container image.
- How to extend the root of trust for additional boot images.
- Add SPL and fitImage CSF examples.
- Add signature generation script example.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <festevam@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Ye Li <ye.li@nxp.com>
2022-09-18 20:42:56 +02:00
Tom Rini
8b83b53a8d imx7: Update CONFIG_SPL_STACK defaults in Kconfig
Update the Kconfig entry to have the correct defaults for i.MX7
platforms, and move the existing large comment from imx7_spl.h to
doc/imx/common/imx7.txt so that it's not lost.

Signed-off-by: Tom Rini <trini@konsulko.com>
2022-06-06 12:09:28 -04:00
Tom Rini
23780398b5 imx6: Update CONFIG_SPL_STACK defaults in Kconfig
Update the Kconfig entry to have the correct defaults for i.MX6
platforms, and move the existing large comment from imx6_spl.h to
doc/imx/common/imx6.txt so that it's not lost.

Signed-off-by: Tom Rini <trini@konsulko.com>
2022-06-06 12:09:28 -04:00
Tom Rini
8ba59608dc arm: Remove zmx25 board and ARCH_MX25
This board has not been converted to CONFIG_DM by the deadline.
Remove it.  As this is the last ARCH_MX25 platform, remove those
references as well.

Cc: Matthias Weisser <weisserm@arcor.de>
Cc: Stefano Babic <sbabic@denx.de>
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-10-01 21:08:18 -04:00
Wolfgang Denk
0a50b3c97b WS cleanup: remove trailing white space
Signed-off-by: Wolfgang Denk <wd@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-09-30 08:08:56 -04:00
Heinrich Schuchardt
f1991bdf97 doc: move i.MX7D/i.MX8MM A/B booting to board specific
Having "i.MX7D/i.MX8MM SRC_GPR10 PERSIST_SECONDARY_BOOT for bootloader A/B
switching" at the top level of the documentation tree does not make sense.
Move it to board specific information.

Fixes: 59e3d1bd49 ("doc: imx: psb: Document usage of SRC_GPR10 PERSIST_SECONDARY_BOOT for A/B switching")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-08-17 17:24:07 +02:00
Marek Vasut
3c73c5eb60 doc: imx: psb: Fix missing setexpr arguments
Due to copy-paste error, two of the setexpr arguments were missing.
Add the missing arguments.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Ye Li <ye.li@nxp.com>
Cc: uboot-imx <uboot-imx@nxp.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-04-24 06:53:40 +02:00
Heinrich Schuchardt
41ad972426 doc: imx: psb: fix footnotes
In reStructured text footnotes are referenced like [1]_.

Add missing underscores.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Marek Vasut <marex@denx.de>
2021-04-17 20:01:31 +02:00
Marek Vasut
59e3d1bd49 doc: imx: psb: Document usage of SRC_GPR10 PERSIST_SECONDARY_BOOT for A/B switching
Document SRC_GPR10 PERSIST_SECONDARY_BOOT functionality. This is useful for
reliable bootloader A/B updates, as it permits switching between two copies
of bootloader at different offsets of the same storage. The switch happens
in case one copy is corrupted OR can be enforced by user. This functionality
is present at least since i.MX53, however is poorly documented in all known
SoC datasheets, hence this document aims to clarify the usage, currently on
i.MX7D and i.MX8MM.

Signed-off-by: Marek Vasut <marex@denx.de> # Original MX7D work, this document
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io> # All the MX8M work
Cc: Christoph Niedermaier <cniedermaier@dh-electronics.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Harald Seiler <hws@denx.de>
Cc: Igor Opaniuk <igor.opaniuk@foundries.io>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Ludwig Zenz <lzenz@dh-electronics.com>
Cc: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Ye Li <ye.li@nxp.com>
Cc: uboot-imx <uboot-imx@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 23:59:50 +02:00
Breno Lima
58f75efeaf mx7ulp: hab: Add hab_status command for HABv4 M4 boot
When booting in low power or dual boot modes the M4 binary is
authenticated by the M4 ROM code.

Add an option in hab_status command so users can retrieve M4 HAB
failure and warning events.

=> hab_status m4

   Secure boot disabled

   HAB Configuration: 0xf0, HAB State: 0x66
   No HAB Events Found!

Add command documentation in mx6_mx7_secure_boot.txt guide.

As HAB M4 API cannot be called from A7 core the code is parsing
the M4 HAB persistent memory region. The HAB persistent memory
stores HAB events, public keys and others HAB related information.

The HAB persistent memory region addresses and sizes can be found
in AN12263 "HABv4 RVT Guidelines and Recommendations".

Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 09:18:29 +02:00
Simon Glass
41575d8e4c dm: treewide: Rename auto_alloc_size members to be shorter
This construct is quite long-winded. In earlier days it made some sense
since auto-allocation was a strange concept. But with driver model now
used pretty universally, we can shorten this to 'auto'. This reduces
verbosity and makes it easier to read.

Coincidentally it also ensures that every declaration is on one line,
thus making dtoc's job easier.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 08:00:25 -07:00
Sean Anderson
78ce0bd3ac clk: Always use the supplied struct clk
CCF clocks should always use the struct clock passed to their methods for
extracting the driver-specific clock information struct. Previously, many
functions would use the clk->dev->priv if the device was bound. This could
cause problems with composite clocks. The individual clocks in a composite
clock did not have the ->dev field filled in. This was fine, because the
device-specific clock information would be used. However, since there was
no ->dev, there was no way to get the parent clock. This caused the
recalc_rate method of the CCF divider clock to fail. One option would be to
use the clk->priv field to get the composite clock and from there get the
appropriate parent device. However, this would tie the implementation to
the composite clock. In general, different devices should not rely on the
contents of ->priv from another device.

The simple solution to this problem is to just always use the supplied
struct clock. The composite clock now fills in the ->dev pointer of its
child clocks.  This allows child clocks to make calls like clk_get_parent()
without issue.

imx avoided the above problem by using a custom get_rate function with
composite clocks.

Signed-off-by: Sean Anderson <seanga2@gmail.com>
Acked-by: Lukasz Majewski <lukma@denx.de>
2020-07-01 15:01:21 +08:00
Breno Lima
ba13973479 doc: ahab: Add encrypted boot documentation for i.MX8/8x devices
Add AHAB encrypted boot documentation for i.MX8/8x family devices
covering the following topics:

- How to encrypt and sign the 2nd container in flash.bin image.
- How to encrypt and sign a standalone container image.

Include a CSF example to encrypt 2nd container in flash.bin image.

Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Catia Han <yaqian.han@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2020-05-01 13:46:22 +02:00
Patrick Delaunay
b09e28fc54 doc: update reference to README.imximage
Update reference in many files detected by
scripts/documentation-file-ref-check

README.imximage => imx/mkimage/imximage.txt

Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
2020-04-16 23:06:54 -04:00
Stefano Babic
d714a75fd4 imx: replace CONFIG_SECURE_BOOT with CONFIG_IMX_HAB
CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.

Signed-off-by: Stefano Babic <sbabic@denx.de>
2019-10-08 16:36:37 +02:00
Fabio Estevam
904c31fe9f imx: mxs: Fix location for the elftosb tool
The Denx FTP location is no longer reachable.

Switch to the Timesys repository instead.

Signed-off-by: Fabio Estevam <festevam@gmail.com>
2019-10-08 16:36:36 +02:00
Peng Fan
b5661caf84 doc: imx: mkimage: introduce i.MX8 image format
Introduce i.MX8 container set configuration file and add example

Signed-off-by: Peng Fan <peng.fan@nxp.com>
2019-10-08 16:35:59 +02:00
Shyam Saini
c548451fd9 doc: imx: Add documentation for nandbcb command
Signed-off-by: Shyam Saini <shyam.saini@amarulasolutions.com>
2019-07-19 14:52:20 +02:00
Lukasz Majewski
4ebdf654b2 clk: doc: Add documentation entry for Common Clock Framework [CCF] (i.MX)
This patch describes the design decisions considerations and taken approach
for porting in a separate documentation entry.

Signed-off-by: Lukasz Majewski <lukma@denx.de>
2019-07-19 14:49:08 +02:00
Breno Matheus Lima
2dd652e665 doc: imx: habv4: Remove secure_boot.txt guide
The secure_boot.txt guide was replaced by mx6_mx7_secure_boot.txt and
mx6_mx7_spl_secure_boot.txt documents.

Both documents covers all steps needed for SPL and non-SPL tagets,
so remove secure_boot.txt file to avoid duplicated content.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:55:39 +01:00
Breno Matheus Lima
364c0a89bc doc: imx: habv4: Move encrypted boot guide
All guides are currently located at doc/imx/habv4/guides/ directory.

Move encrypted_boot.txt document to guides directory.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:47:13 +01:00
Breno Matheus Lima
cfb50207e5 doc: imx: habv4: Add Secure Boot guide for i.MX6 and i.MX7 SPL targets
The current U-Boot implementation includes SPL targets for
some NXP development boards:

- mx6sabreauto_defconfig
- mx6sabresd_defconfig
- mx6ul_14x14_evk_defconfig
- mx6ul_9x9_evk_defconfig

Add additional steps needed to completly secure the
bootloader image.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:59 +01:00
Breno Matheus Lima
872cfa20cd doc: imx: habv4: Add Secure Boot guide for i.MX6 and i.MX7 non-SPL targets
Add HABv4 documentation for non-SPL targets covering the
following topics:

- How to sign an securely boot an u-boot-dtb.imx image.
- How to extend the root of trust for additional boot images.
- Add 3 CSF examples.
- Add IVT generation script example.

Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:45 +01:00
Breno Matheus Lima
cbc4b0418c doc: imx: habv4: Add HABv4 introduction
The HABv4 is supported in i.MX50, i.MX53, i.MX6, i.MX7,
series and i.MX 8M, i.MX8MM devices.

Add an introductory document containing the following topics:

- HABv4 Introduction
- HABv4 Secure Boot
- HABv4 Encrypted Boot
- HAB PKI tree generation
- HAB Fast Authentication PKI tree generation
- SRK Table and SRK Hash generation

Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:31 +01:00
Breno Matheus Lima
8a23fc9c94 doc: imx: habv4: Remove extra hab directory for a cleaner documentation structure
There is no need to have an extra hab directory under doc/imx/.

Habv4 and AHAB documentation can be added directly in doc/imx/ for a
cleaner documentation structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:18 +01:00
Michael Heimpold
210594a868 doc: imx: fix typos in mxsimage.txt
This fixes two small typos in mxsimage.txt.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Reviewed-by: Breno Lima <breno.lima@nxp.com>
2019-01-01 14:12:18 +01:00
Michael Heimpold
5271dcf581 doc: imx: fix typo in imximage.txt
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Reviewed-by: Breno Lima <breno.lima@nxp.com>
2019-01-01 14:12:18 +01:00
Breno Matheus Lima
75e8ca6a5e doc: imx: Improve i.MX documentation naming
There is no need to have README in all i.MX documents name.
Remove README from i.MX docs name and add .txt file extension.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
29530093ff doc: imx: misc: Reorganize miscellaneous documentation
The Serial Download Protocol feature is availible in various
i.MX SoCs.

Move README.sdp document to imx/misc directory.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
dfe9ff9cc7 doc: imx: hab: Reorganize High Assurance Boot documentation
The current High Assurance Boot document README.mxc_hab
include details for the following features in a single file:

- HAB Secure Boot
- HAB Encrypted Boot

Split HAB documentation in a specific directory for a cleaner
documentation structure, subsequent patches will include more
content in HAB documentation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
843400fd26 doc: imx: Reorganize i.MX SoC common documentation
The following documents describe device details according to the
i.MX family:

- README.imx25
- README.imx27
- README.imx5
- README.imx6
- README.mxs

Move all device common related document to doc/imx/common for a better
directory structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
5eba73c52b doc: imx: mkimage: reorganize i.MX mkimage documentation
The following documents describe the image type used by the mkimage
tool to generate U-Boot images for i.MX devices.

- README.imximage
- README.mxsimage

Move all mkimage related document to doc/imx/mkimage for a better
directory structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
3af3bebc21 doc: imx: Move SPD related info to the appropriate doc
Currently the Serial Download Protocol tools and procedure are
documented in two places:

- doc/imx/README.sdp
- doc/imx/README.imx6

It is better to consolidate all SDP related information into
README.sdp file, so move the content from README.imx6 to
README.sdp.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00
Breno Matheus Lima
df11b0c4d4 doc: imx: reorganize i.MX documentation
Currently the U-Boot doc/ directory contains the following files
that are only relevant for i.MX devices:

- doc/README.imx25
- doc/README.imx27
- doc/README.imx5
- doc/README.imx6
- doc/README.imximage
- doc/README.mxc_hab
- doc/README.mxs
- doc/README.mxsimage
- doc/README.sdp

Move all content to a common i.MX folder for a better documentation
structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-10-22 14:22:42 +02:00