The current mechanism is unnecessarily complex. Simplify the whole mechanism
such that the entire fitImage is signed, IVT is placed at the end, followed
by CSF, and this entire bundle is also authenticated. This makes the signing
scripting far simpler.
Signed-off-by: Marek Vasut <marex@denx.de>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS_SDRAM
namespace do not easily transition to Kconfig. In many cases they likely
should come from the device tree instead. Move these out of CONFIG
namespace and in to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().
Rename it to resolve this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move the default mapping of spl_boot_device to weak function of
spl_board_boot_device. So that every board of iMX7/8/8M can overwrite
this function to implement specific mapping.
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The SPL SDP is configured as BOOT_DEVICE_BOARD, so when booting from
USB, change its type to BOOT_DEVICE_BOARD, so we can use SDP.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Platforms can overwrite the weak definition of spl_mmc_boot_mode() to
determine where to load U-Boot proper from.
For most of them this is a trivial decision based on Kconfig variables,
but it might be desirable the probe the actual device to answer this
question.
Pass the pointer to the mmc struct to that function, so implementations
can make use of that.
Compile-tested for all users changed.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Reviewed-by: Ley Foon Tan <ley.foon.tan@inte.com> (for SoCFPGA)
Acked-by: Lokesh Vutla <lokeshvutla@ti.com> (for OMAP and K3)
Reviewed-by: Simon Glass <sjg@chromium.org>
The interface for NOR/OneNAND is called "EIM" not "EMI". Fix this.
Signed-off-by: Harald Seiler <hws@denx.de>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
cherry-picked from NXP code:
719d665a87c6: ("MLK-20467 imx8m: Fix issue for booting signed image through uuu")
which fixes secure boot on imx8m based boards. Problem was
that FIT header and so IVT header too, was loaded to
memallocated address. So the ivt header address coded
in IVT itself does not fit with the real position.
Signed-off-by: Heiko Schocher <hs@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com>
read the address where the IVT header must sit
from IVT image header, loaded from SPL into
an malloced buffer and copy the IVT header
to this address
May make this dependend on SoC ?
Signed-off-by: Heiko Schocher <hs@denx.de>
Rename these options so that CONFIG_IS_ENABLED can be used with them.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
[trini: Fixup some incorrect renames]
Signed-off-by: Tom Rini <trini@konsulko.com>
The size is derived from the FIT image itself. Any alignment
requirements are machine-specific and known by the board code. Thus
the total length can be derived from the FIT image and knowledge of
the platform. The 'length' argument is redundant. Remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CC: Matt Porter <mporter@konsulko.com>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
When boot type could not be detected from rom sw info,
read sbmr1 to detect, here we only use it to detect FLEXSPI
boot, because ROM not update it in rom sw info.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add g_dnl_get_board_bcd_device_number, the new BCD value is used by uuu to distinguish
if the SPL supports the SDPV.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Lukasz Majewski <lukma@denx.de>
Instead of hang()ing the system and thus disallowing any automated
recovery possibility from a HAB authentication failure, panic() .
The panic() function can be configured to hang() the system after
printing an error message, however the default is to reset the
system instead.
This allows redundant boot to work correctly. In case the primary
or secondary image cannot be authenticated, the system reboots and
bootrom can try to start the other one.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP i.MX U-Boot Team <uboot-imx@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
CONFIG_SPL_FAT_SUPPORT was removed in commit 0c3a9ed409
("spl: Kconfig: Replace CONFIG_SPL_FAT_SUPPORT with CONFIG_SPL_FS_FAT").
Fixup a leftover use of the symbol.
Fixes: 9d86dbd9cf ("imx: spl: implement spl_boot_mode for i.MX7/8/8M")
Signed-off-by: Harald Seiler <hws@denx.de>
It is hard to read code which contains nested ifdef blocks. Replace
them with normal if-blocks and the IS_ENABLED() macro. This is not only
more readable but also helps as both arms are validated by the compiler
in all cases.
Signed-off-by: Harald Seiler <hws@denx.de>
The CONFIG_SPL_FORCE_MMC_BOOT config flag is not needed as its behavior
is the correct one in all cases; using spl_boot_device() instead of the
boot_device parameter will lead to inconsistency issues, for example,
when a board_boot_order() is defined. In fact, this is the reason the
parameter was introduced in the first place, in commit 2b1cdafa9f
("common: Pass the boot device into spl_boot_mode()").
This reverts commit 772b55723b.
Link: https://lists.denx.de/pipermail/u-boot/2020-April/405979.html
Signed-off-by: Harald Seiler <hws@denx.de>
Boards may extend or re-define the boot list in their board_boot_order()
function by modifying spl_boot_list. E.g. a board might boot SPL from a
slow SPI NOR flash and then load the U-Boot from an eMMC or SD-card.
Or it might use additional MMC boot device in spl_boot_list for cases
when the image in SPI NOR flash is not found, so it could fall back to
eMMC, SD-card or another boot device.
Getting the MMC boot mode in spl_mmc will fail when we are trying to
boot from an MMC device in the spl_boot_list and the original board
boot mode (as returned by spl_boot_device()) is not an MMC boot mode.
Fix it by checking the asked MMC boot device from the spl_mmc_boot_mode()
argument.
Signed-off-by: Anatolij Gustschin <agust@denx.de>
The function's name is misleading as one might think it is used
generally to select the boot-mode when in reality it is only used by the
MMC driver to find out in what way it should try reading U-Boot Proper
from a device (either using a filesystem, a raw sector/partition, or an
eMMC boot partition).
Rename it to spl_mmc_boot_mode() to make it more obvious what this
function is about.
Link: https://lists.denx.de/pipermail/u-boot/2020-April/405979.html
Signed-off-by: Harald Seiler <hws@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
At present panic() is in the vsprintf.h header file. That does not seem
like an obvious choice for hang(), even though it relates to panic(). So
let's put hang() in its own header.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Migrate a few more files]
Signed-off-by: Tom Rini <trini@konsulko.com>
It will be easy to separate SD/EMMC when booting in SPL stage, then
no need to bother which device is BOOT_DEVICE_MMC1/2.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Apologies to everyone whose board I broke by attempting to return
MMC1 or MMC2. I misunderstood how the MMC indexing worked.
This reverts commit 14d319b185.
Signed-off-by: Adam Ford <aford173@gmail.com>
CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.
Signed-off-by: Stefano Babic <sbabic@denx.de>
This patch adds the missing boot mode detection for QSPI boot on
i.MX6UL/ULL. Without it, booting with SPL from QSPI NOR does not work.
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Stefano Babic <sbabic@denx.de>
This change tries to fix the following problem:
- The board boots (to be more precise - ROM loads SPL) from a slow SPI-NOR
memory.
As a result the spl_boot_device() will return SPI-NOR as a boot device
(which is correct).
- The problem is that in 'falcon boot' the eMMC is used as a boot medium to
load kernel from its partition.
Calling spl_boot_device() will break things as it returns SPI-NOR device.
To fix this issue the new CONFIG_SPL_FORCE_MMC_BOOT Kconfig flag is
introduced to handle this special use case. By default it is not defined,
so there is no change in the legacy code flow.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
There is no need to use HAB for FIT signature validation when
SPL_FIT_SIGNATURE is also enabled, as that will be validated via the
normal U-Boot signed FIT image flow.
This allows having SPL validated by HAB and the payloads to follow
being validated with FIT signatures only.
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Currently, when the spl_boot_device checks the boot device, it
will only return MMC1 when it's either sd or eMMC regardless
of whether or not it's MMC1 or MMC2. This is a problem when
booting from MMC2 if MMC isn't being manually configured like in
the DM_SPL case with SPL_OF_CONTROL.
This patch will check the register and return either MMC1 or MMC2.
Signed-off-by: Adam Ford <aford173@gmail.com>
Replace CONFIG_SPL_FAT_SUPPORT with CONFIG_SPL_FS_FAT so
obj-$(CONFIG_$(SPL_)FS_FAT) can be used to control the build in both
SPL and U-Boot.
Signed-off-by: Tien Fong Chee <tien.fong.chee@intel.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Introduce two board level callback functions to FIT image loading process, and
a SPL_FIT_FOUND flag to differentiate FIT image or RAW image.
Implement functions in imx common SPL codes to call HAB funtion
to authenticate the FIT image. Generally, we have to sign multiple regions
in FIT image:
1. Sign FIT FDT data (configuration)
2. Sign FIT external data (Sub-images)
Because the CSF supports to sign multiple memory blocks, so that we can use one
signature to cover all regions in FIT image and only authenticate once.
The authentication should be done after the entire FIT image is loaded into
memory including all sub-images.
We use "-p" option to generate FIT image to reserve a space for FIT IVT
and FIT CSF, also this help to fix the offset of the external data (u-boot-nodtb.bin,
ATF, u-boot DTB).
The signed FIT image layout is as below:
--------------------------------------------------
| | | | | | | |
| FIT | FIT | FIT | | U-BOOT | ATF | U-BOOT |
| FDT | IVT | CSF | | nodtb.bin | | DTB |
| | | | | | | |
--------------------------------------------------
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
Similarly to imx6, before reading the boot device, first check
bmode to see if the serial downloader has been selected
explicitly, then check whether the serial downloader has been
activated due to unbootable primary boot devices (e.g. empty eMMC).
If the serial downloader is activated, return BOOT_DEVICE_BOARD.
This allows SPL with SDP support to wait for the U-Boot image
to be loaded via the serial download protocol using imx_usb_loader.
Signed-off-by: Eran Matityahu <eran.m@variscite.com>
Commit d695d66278 ("spl: eMMC/SD: Provide one __weak spl_boot_mode()
function") breaks the boot on several i.MX6 boards,
such as cuboxi and wandboard:
U-Boot SPL 2018.03-rc1-00212-g48914fc119 (Feb 10 2018 - 11:04:33 +1300)
Trying to boot from MMC1
Failed to mount ext2 filesystem...
spl_load_image_ext: ext4fs mount err - 0
Partially revert it so that we can boot U-Boot again on these
i.MX6 platforms.
Reported-by: Jonathan Gray <jsg@jsg.id.au>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
The goal of this patch is to clean up the code related to choosing SPL
MMC boot mode.
The spl_boot_mode() now is called only in spl_mmc_load_image() function,
which is only compiled in if CONFIG_SPL_MMC_SUPPORT is enabled.
To achieve the goal, all per mach/arch implementations eligible for
unification has been replaced with one __weak implementation.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Acked-by: Michal Simek <michal.simek@xilinx.com> (For ZynqMP)
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Tidy up the HAB namespace a bit by prefixing external functions with
imx_hab. All external facing functions past this point will be prefixed in
the same way to make the fact we are doing IMX HAB activities clear from
reading the code. authenticate_image() could mean anything
imx_hab_authenticate_image() is on the other hand very explicit.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
u-boot command "hab_auth_img" tells a user that it takes
- addr - image hex address
- offset - hex offset of IVT in the image
but in fact the callback hab_auth_img makes to authenticate_image treats
the second 'offset' parameter as an image length.
Furthermore existing code requires the IVT header to be appended to the end
of the image which is not actually a requirement of HABv4.
This patch fixes this situation by
1: Adding a new parameter to hab_auth_img
- addr : image hex address
- length : total length of the image
- offset : offset of IVT from addr
2: Updates the existing call into authenticate_image() in
arch/arm/mach-imx/spl.c:jump_to_image_no_args() to pass
addr, length and IVT offset respectively.
This allows then hab_auth_img to actually operate the way it was specified
in the help text and should still allow existing code to work.
It has the added advantage that the IVT header doesn't have to be appended
to an image given to HAB - it can be prepended for example.
Note prepending the IVT is what u-boot will do when making an IVT for the
BootROM. It should be possible for u-boot properly authenticate images
made by mkimage via HAB.
This patch is the first step in making that happen subsequent patches will
focus on removing hard-coded offsets to the IVT, which again is not
mandated to live at the end of a .imx image.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
authenticate_image returns 1 for success and 0 for failure. That result
code is mapped directly to the result code for the command line function
hab_auth_img - which means when hab_auth_img succeeds it is returning
CMD_RET_FAILURE (1) instead of CMD_RET_SUCCESS (0).
This patch fixes this behaviour by making authenticate_image() return 0 for
success and 1 for failure. Both users of authenticate_image() as a result
have some minimal churn. The upshot is once done when hab_auth_img is
called from the command line we set $? in the standard way for scripting
functions to act on.
Fixes: 36c1ca4d46 ("imx: Support i.MX6 High Assurance Boot
authentication")
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>