Add DEK encapsulation support for imx8. The DEK blob is generated by the
SECO through the SCFW API.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.
To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
It is highly recommended to set the PRIBLOB bitfield to 0x3 once your
encrypted boot image has booted up, this prevents the generation of new
blobs that can be used to decrypt an encrypted boot image. The PRIBLOB is
a sticky type bit and cannot be changed until the next power on reset.
Add the set_priblob_bitfield U-Boot command to prevent the generation of
new blobs.
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Acked-by: Ye Li <Ye.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Since cmd_dek is using CAAM JR, so enable the CMD_DEK only when
HAS_CAAM is set
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add some SOC level codes and build configurations to use HAB lib for
CONFIG_IMX_HAB (secure boot), like adding the SEC_CONFIG fuse, enable
fuse driver, CAAM clock function, and add CAAM secure RAM to MMU table.
The FSL_CAAM is temporally not enabled for iMX8M when CONFIG_IMX_HAB is set,
because we don't need the CAAM driver for SPL.
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.
More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html
i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.
The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.
The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.
Command usage:
Print the public key for the device.
- mfgprot pubk
Generates Signature over given data.
- mfgprot sign <data_address> <data_size>
Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add the basic differentiation between i.MX6 and i.MX7 into the bmode
command, the mechanism really works almost the same on both platforms.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP i.MX U-Boot Team <uboot-imx@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
While in most cases CSF_SIZE is handled via Kconfig we have some i.MX8M
platforms that set the size based on the now-renamed CONFIG_SECURE_BOOT
symbol. Update things so that CSF_SIZE itself depends on IMX_HAB being
enabled and provide the default value for i.MX8M family of parts.
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Ye Li <ye.li@nxp.com>
Cc: NXP i.MX U-Boot Team <uboot-imx@nxp.com>
Fixes: d714a75fd4 ("imx: replace CONFIG_SECURE_BOOT with CONFIG_IMX_HAB")
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefano Babic <sbabic@denx.de>
Reviewed-by: Ye Li <ye.li@nxp.com>
Tested on i.MX8MM EVK, imx8mm evk uses BCH
encoding and randomizer
modify macro and print size_t with %zx
use CONFIG_IMX8M because it should apply to imx8mq/mm/mn
Signed-off-by: Alice Guo <alice.guo@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
There are different parts from one SoC. Take i.MX6ULL for example,
some part might not have ENET, some might have; some might not have
USB, some might have. The information could be got from OCOTP,
to make one image support the different parts, we need runtime
disable linux kernel dts node and uboot driver probe if the
corresponding module not exists in the part.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Update reference in files detected by
scripts/documentation-file-ref-check
doc/README.mxc_hab => doc/imx/habv4/*
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
IMX based platforms can have the DCD table located on different
addresses due to differences in their memory maps (ie iMX7ULP).
This information is required by the user to sign the images for secure
boot so continue making it accessible via mkimage.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Stefano Babic <sbabic@denx.de>
Add more clarity by changing the Kconfig entry name.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
[trini: Re-run migration, update a few more cases]
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com>
i.MX8MN support loading images with rom api, so we implement
reuse board_return_to_bootrom to let ROM loading images.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add support for updating FCB/DBBT on i.MX7:
- additional new fields in FCB structure
- Leverage hardware BCH/randomizer for writing FCB
Signed-off-by: Igor Opaniuk <igor.opaniuk@toradex.com>
Tested-by: Max Krummenacher <max.krummenacher@toradex.com>
Reviewed-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.
Signed-off-by: Stefano Babic <sbabic@denx.de>
The default CSF_SIZE defined in Kconfig is too high and SPL cannot
fit into the OCRAM in certain cases.
The CSF cannot achieve 0x2000 length when using RSA 4K key which is
the largest key size supported by HABv4.
According to AN12056 "Encrypted Boot on HABv4 and CAAM Enabled Devices"
it's recommended to pad CSF binary to 0x2000 and append DEK blob to
deploy encrypted boot images.
As the maximum DEK blob size is 0x58 we can reduce CSF_SIZE to 0x2060
which should cover both CSF and DEK blob length.
Update default_image.c and image.c to align with this change and avoid
a U-Boot proper authentication failure in HAB closed devices:
Authenticate image from DDR location 0x877fffc0...
bad magic magic=0x32 length=0x6131 version=0x38
bad length magic=0x32 length=0x6131 version=0x38
bad version magic=0x32 length=0x6131 version=0x38
spl: ERROR: image authentication fail
Fixes: 96d27fb218 (Revert "habv4: tools: Avoid hardcoded CSF size for SPL targets")
Reported-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Move CONFIG_CSF_SIZE to Kconfig and define default value as 0x4000.
mx8mqevk requires 0x2000 add this configuration in imx8mq_evk_defconfig
file.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Writing/updating boot image in nand device is not
straight forward in i.MX6 platform and it requires
boot control block(BCB) to be configured.
It becomes difficult to use uboot 'nand' command to
write BCB since it requires platform specific attributes
need to be taken care of.
It is even difficult to use existing msx-nand.c driver by
incorporating BCB attributes like mxs_dma_desc does
because it requires change in mtd and nand command.
So, cmd_nandbcb implemented in arch/arm/mach-imx
BCB contains two data structures, Firmware Configuration Block(FCB)
and Discovered Bad Block Table(DBBT). FCB has nand timings,
DBBT search area, page address of firmware.
On summary, nandbcb update will
- erase the entire partition
- create BCB by creating 2 FCB/DBBT block followed by
1 FW block based on partition size and erasesize.
- fill FCB/DBBT structures
- write FW/SPL on FW1
- write FCB/DBBT in first 2 blocks
for nand boot, up on reset bootrom look for FCB structure in
first block's if FCB found the nand timings are loaded for
further reads. once FCB read done, DTTB will load and finally
firmware will be loaded which is boot image.
Refer section "NAND Boot" from doc/imx/common/imx6.txt for more usage
information.
Reviewed-by: Stefano Babic <sbabic@denx.de>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Sergey Kubushyn <ksi@koi8.net>
Signed-off-by: Shyam Saini <shyam.saini@amarulasolutions.com>
Add common plugin codes to call ROM's hwcnfg_setup and generate IVT2
header.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Allow using bootaux also on VF610 aka Vybrid.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Reviewed-by: Igor Opaniuk <igor.opaniuk@toradex.com>
This patch provides the code to calibrate the DDR's
DQS to DQ signals (RDLVL).
It is based on:
VFxxx Controller Reference Manual, Rev. 0, 10/2016, page 1600
10.1.6.16.4.1 "Software Read Leveling in MC Evaluation Mode"
and NXP's community thread:
"Vybrid: About DDR leveling feature on DDRMC."
https://community.nxp.com/thread/395323
Signed-off-by: Lukasz Majewski <lukma@denx.de>
i.MX7 does not support BMODE due to the erratum e10574 ("Watchdog:
A watchdog timeout or software trigger will not reset the SOC"), so
remove its support.
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Introduce a new config symbol to select the i.MX
General Purpose Timer (GPT).
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Currently CONFIG_SECURE_BOOT is selecting FSL_CAAM for all i.MX devices,
this causes the following error when building mx6sl boards since
this SoC doesn't have the CAAM block:
In file included from drivers/crypto/fsl/jobdesc.c:12:0:
drivers/crypto/fsl/jobdesc.c: In function 'inline_cnstr_jobdesc_blob_dek':
include/fsl_sec.h:268:25: error: 'CAAM_ARB_BASE_ADDR' undeclared (first use
in this function)
#define SEC_MEM_PAGE1 (CAAM_ARB_BASE_ADDR + 0x1000)
^
drivers/crypto/fsl/jobdesc.c:140:21: note: in expansion of macro 'SEC_MEM_PAGE1'
memcpy((uint32_t *)SEC_MEM_PAGE1, (uint32_t *)plain_txt, in_sz);
^
include/fsl_sec.h:268:25: note: each undeclared identifier is reported only
once for each function it appears in
#define SEC_MEM_PAGE1 (CAAM_ARB_BASE_ADDR + 0x1000)
^
drivers/crypto/fsl/jobdesc.c:140:21: note: in expansion of macro 'SEC_MEM_PAGE1'
memcpy((uint32_t *)SEC_MEM_PAGE1, (uint32_t *)plain_txt, in_sz);
^
scripts/Makefile.build:280: recipe for target 'drivers/crypto/fsl/jobdesc.o'
failed
make[3]: *** [drivers/crypto/fsl/jobdesc.o] Error 1
scripts/Makefile.build:425: recipe for target 'drivers/crypto/fsl' failed
make[2]: *** [drivers/crypto/fsl] Error 2
scripts/Makefile.build:425: recipe for target 'drivers/crypto' failed
make[1]: *** [drivers/crypto] Error 2
Add HAS_CAAM configuration to avoid this error.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
NXP development boards based on i.MX6/i.MX7 contain the board
revision information stored in the fuses.
Introduce a common function that can be shared by different boards and
convert mx6sabreauto to use this new mechanism.
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Change is consistent with other SOCs and it is in preparation
for adding SOMs. SOC's related files are moved from cpu/ to
mach-imx/<SOC>.
This change is also coherent with the structure in kernel.
Signed-off-by: Stefano Babic <sbabic@denx.de>
CC: Fabio Estevam <fabio.estevam@nxp.com>
CC: Akshay Bhat <akshaybhat@timesys.com>
CC: Ken Lin <Ken.Lin@advantech.com.tw>
CC: Marek Vasut <marek.vasut@gmail.com>
CC: Heiko Schocher <hs@denx.de>
CC: "Sébastien Szymanski" <sebastien.szymanski@armadeus.com>
CC: Christian Gmeiner <christian.gmeiner@gmail.com>
CC: Stefan Roese <sr@denx.de>
CC: Patrick Bruenn <p.bruenn@beckhoff.com>
CC: Troy Kisky <troy.kisky@boundarydevices.com>
CC: Nikita Kiryanov <nikita@compulab.co.il>
CC: Otavio Salvador <otavio@ossystems.com.br>
CC: "Eric Bénard" <eric@eukrea.com>
CC: Jagan Teki <jagan@amarulasolutions.com>
CC: Ye Li <ye.li@nxp.com>
CC: Peng Fan <peng.fan@nxp.com>
CC: Adrian Alonso <adrian.alonso@nxp.com>
CC: Alison Wang <b18965@freescale.com>
CC: Tim Harvey <tharvey@gateworks.com>
CC: Martin Donnelly <martin.donnelly@ge.com>
CC: Marcin Niestroj <m.niestroj@grinn-global.com>
CC: Lukasz Majewski <lukma@denx.de>
CC: Adam Ford <aford173@gmail.com>
CC: "Albert ARIBAUD (3ADEV)" <albert.aribaud@3adev.fr>
CC: Boris Brezillon <boris.brezillon@free-electrons.com>
CC: Soeren Moch <smoch@web.de>
CC: Richard Hu <richard.hu@technexion.com>
CC: Wig Cheng <wig.cheng@technexion.com>
CC: Vanessa Maegima <vanessa.maegima@nxp.com>
CC: Max Krummenacher <max.krummenacher@toradex.com>
CC: Stefan Agner <stefan.agner@toradex.com>
CC: Markus Niebel <Markus.Niebel@tq-group.com>
CC: Breno Lima <breno.lima@nxp.com>
CC: Francesco Montefoschi <francesco.montefoschi@udoo.org>
CC: Jaehoon Chung <jh80.chung@samsung.com>
CC: Scott Wood <oss@buserror.net>
CC: Joe Hershberger <joe.hershberger@ni.com>
CC: Anatolij Gustschin <agust@denx.de>
CC: Simon Glass <sjg@chromium.org>
CC: "Andrew F. Davis" <afd@ti.com>
CC: "Łukasz Majewski" <l.majewski@samsung.com>
CC: Patrice Chotard <patrice.chotard@st.com>
CC: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
CC: Hans de Goede <hdegoede@redhat.com>
CC: Masahiro Yamada <yamada.masahiro@socionext.com>
CC: Stephen Warren <swarren@nvidia.com>
CC: Andre Przywara <andre.przywara@arm.com>
CC: "Álvaro Fernández Rojas" <noltari@gmail.com>
CC: York Sun <york.sun@nxp.com>
CC: Xiaoliang Yang <xiaoliang.yang@nxp.com>
CC: Chen-Yu Tsai <wens@csie.org>
CC: George McCollister <george.mccollister@gmail.com>
CC: Sven Ebenfeld <sven.ebenfeld@gmail.com>
CC: Filip Brozovic <fbrozovic@gmail.com>
CC: Petr Kulhavy <brain@jikos.cz>
CC: Eric Nelson <eric@nelint.com>
CC: Bai Ping <ping.bai@nxp.com>
CC: Anson Huang <Anson.Huang@nxp.com>
CC: Sanchayan Maity <maitysanchayan@gmail.com>
CC: Lokesh Vutla <lokeshvutla@ti.com>
CC: Patrick Delaunay <patrick.delaunay@st.com>
CC: Gary Bisson <gary.bisson@boundarydevices.com>
CC: Alexander Graf <agraf@suse.de>
CC: u-boot@lists.denx.de
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
2017-07-12 10:17:44 +02:00
Renamed from arch/arm/imx-common/Kconfig (Browse further)
