mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-24 21:54:01 +00:00
9e19031ca3
Add a simple documentation about how to use the Verified Boot on UniPhier boards. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
407 lines
13 KiB
Text
407 lines
13 KiB
Text
U-Boot for UniPhier SoC family
|
|
==============================
|
|
|
|
|
|
Recommended toolchains
|
|
----------------------
|
|
|
|
The UniPhier platform is well tested with Linaro toolchains.
|
|
You can download pre-built toolchains from:
|
|
|
|
http://www.linaro.org/downloads/
|
|
|
|
|
|
Compile the source
|
|
------------------
|
|
|
|
The source can be configured and built with the following commands:
|
|
|
|
$ make <defconfig>
|
|
$ make CROSS_COMPILE=<toolchain-prefix> DEVICE_TREE=<device-tree>
|
|
|
|
The recommended <toolchain-prefix> is `arm-linux-gnueabihf-` for 32bit SoCs,
|
|
`aarch64-linux-gnu-` for 64bit SoCs, but you may wish to change it to use your
|
|
favorite compiler.
|
|
|
|
The following tables show <defconfig> and <device-tree> for each board.
|
|
|
|
32bit SoC boards:
|
|
|
|
Board | <defconfig> | <device-tree>
|
|
---------------|-----------------------------|------------------------------
|
|
LD4 reference | uniphier_ld4_sld8_defconfig | uniphier-ld4-ref (default)
|
|
sld8 reference | uniphier_ld4_sld8_defconfig | uniphier-sld8-def
|
|
Pro4 reference | uniphier_v7_defconfig | uniphier-pro4-ref
|
|
Pro4 Ace | uniphier_v7_defconfig | uniphier-pro4-ace
|
|
Pro4 Sanji | uniphier_v7_defconfig | uniphier-pro4-sanji
|
|
Pro5 4KBOX | uniphier_v7_defconfig | uniphier-pro5-4kbox
|
|
PXs2 Gentil | uniphier_v7_defconfig | uniphier-pxs2-gentil
|
|
PXs2 Vodka | uniphier_v7_defconfig | uniphier-pxs2-vodka (default)
|
|
LD6b reference | uniphier_v7_defconfig | uniphier-ld6b-ref
|
|
|
|
64bit SoC boards:
|
|
|
|
Board | <defconfig> | <device-tree>
|
|
---------------|-----------------------|----------------------------
|
|
LD11 reference | uniphier_v8_defconfig | uniphier-ld11-ref
|
|
LD11 Global | uniphier_v8_defconfig | uniphier-ld11-global
|
|
LD20 reference | uniphier_v8_defconfig | uniphier-ld20-ref (default)
|
|
LD20 Global | uniphier_v8_defconfig | uniphier-ld20-global
|
|
PXs3 reference | uniphier_v8_defconfig | uniphier-pxs3-ref
|
|
|
|
For example, to compile the source for PXs2 Vodka board, run the following:
|
|
|
|
$ make uniphier_v7_defconfig
|
|
$ make CROSS_COMPILE=arm-linux-gnueabihf- DEVICE_TREE=uniphier-pxs2-vodka
|
|
|
|
The device tree marked as (default) can be omitted. `uniphier-pxs2-vodka` is
|
|
the default device tree for the configuration `uniphier_v7_defconfig`, so the
|
|
following gives the same result.
|
|
|
|
$ make uniphier_v7_defconfig
|
|
$ make CROSS_COMPILE=arm-linux-gnueabihf-
|
|
|
|
|
|
Booting 32bit SoC boards
|
|
------------------------
|
|
|
|
The build command will generate the following:
|
|
- u-boot.bin
|
|
- spl/u-boot.bin
|
|
|
|
U-Boot can boot UniPhier 32bit SoC boards by itself. Flash the generated images
|
|
to the storage device (NAND or eMMC) on your board.
|
|
|
|
- spl/u-boot-spl.bin at the offset address 0x00000000
|
|
- u-boot.bin at the offset address 0x00020000
|
|
|
|
The `u-boot-with-spl.bin` is the concatenation of the two (with appropriate
|
|
padding), so you can also do:
|
|
|
|
- u-boot-with-spl.bin at the offset address 0x00000000
|
|
|
|
If a TFTP server is available, the images can be easily updated.
|
|
Just copy the u-boot-spl.bin and u-boot.bin to the TFTP public directory,
|
|
and run the following command at the U-Boot command line:
|
|
|
|
To update the images in NAND:
|
|
|
|
=> run nandupdate
|
|
|
|
To update the images in eMMC:
|
|
|
|
=> run emmcupdate
|
|
|
|
|
|
Booting 64bit SoC boards
|
|
------------------------
|
|
|
|
The build command will generate the following:
|
|
- u-boot.bin
|
|
|
|
However, U-Boot is not the first stage loader for UniPhier 64bit SoC boards.
|
|
U-Boot serves as a non-secure boot loader loaded by [ARM Trusted Firmware],
|
|
so you need to provide the `u-boot.bin` to the build command of ARM Trusted
|
|
Firmware.
|
|
|
|
[ARM Trusted Firmware]: https://github.com/ARM-software/arm-trusted-firmware
|
|
|
|
|
|
Verified Boot
|
|
-------------
|
|
|
|
U-Boot supports an image verification method called "Verified Boot".
|
|
This is a brief tutorial to utilize this feature for the UniPhier platform.
|
|
You will find details documents in the doc/uImage.FIT directory.
|
|
|
|
Here, we take LD20 reference board for example, but it should work for any
|
|
other boards including 32 bit SoCs.
|
|
|
|
1. Generate key to sign with
|
|
|
|
$ mkdir keys
|
|
$ openssl genpkey -algorithm RSA -out keys/dev.key \
|
|
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
|
|
$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
|
|
|
|
Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
|
|
but need to match to the "key-name-hint" property described below.
|
|
|
|
2. Describe FIT source
|
|
|
|
You need to write an FIT (Flattened Image Tree) source file to describe the
|
|
structure of the image container.
|
|
|
|
The following is an example for a simple usecase:
|
|
|
|
---------------------------------------->8----------------------------------------
|
|
/dts-v1/;
|
|
|
|
/ {
|
|
description = "Kernel, DTB and Ramdisk for UniPhier LD20 Reference Board";
|
|
#address-cells = <1>;
|
|
|
|
images {
|
|
kernel@0 {
|
|
description = "linux";
|
|
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/Image.gz");
|
|
type = "kernel";
|
|
arch = "arm64";
|
|
os = "linux";
|
|
compression = "gzip";
|
|
load = <0x82080000>;
|
|
entry = <0x82080000>;
|
|
hash@0 {
|
|
algo = "sha256";
|
|
};
|
|
};
|
|
|
|
fdt@0 {
|
|
description = "fdt";
|
|
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/dts/socionext/uniphier-ld20-ref.dtb");
|
|
type = "flat_dt";
|
|
arch = "arm64";
|
|
compression = "none";
|
|
hash@0 {
|
|
algo = "sha256";
|
|
};
|
|
};
|
|
|
|
ramdisk@0 {
|
|
description = "ramdisk";
|
|
data = /incbin/("PATH/TO/YOUR/ROOTFS/DIR/rootfs.cpio");
|
|
type = "ramdisk";
|
|
arch = "arm64";
|
|
os = "linux";
|
|
compression = "none";
|
|
hash@0 {
|
|
algo = "sha256";
|
|
};
|
|
};
|
|
};
|
|
|
|
configurations {
|
|
default = "config@0";
|
|
|
|
config@0 {
|
|
description = "Configuration0";
|
|
kernel = "kernel@0";
|
|
fdt = "fdt@0";
|
|
ramdisk = "ramdisk@0";
|
|
signature@0 {
|
|
algo = "sha256,rsa2048";
|
|
key-name-hint = "dev";
|
|
sign-images = "kernel", "fdt", "ramdisk";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
---------------------------------------->8----------------------------------------
|
|
|
|
You need to change the three '/incbin/' lines, depending on the location of
|
|
your kernel image, device tree blob, and init ramdisk. The "load" and "entry"
|
|
properties also need to be adjusted if you want to change the physical placement
|
|
of the kernel.
|
|
|
|
The "key-name-hint" must specify the key name you have created in the step 1.
|
|
|
|
The FIT file name is arbitrary. Let's say you saved it into "fit.its".
|
|
|
|
3. Compile U-Boot with FIT and signature enabled
|
|
|
|
To use the Verified Boot, you need to enable the following two options:
|
|
CONFIG_FIT
|
|
CONFIG_FIT_SIGNATURE
|
|
|
|
They are disabled by default for UniPhier defconfig files. So, you need to
|
|
tweak the configuration from "make menuconfig" or friends.
|
|
|
|
$ make uniphier_v8_defconfig
|
|
$ make menuconfig
|
|
[ enable CONFIG_FIT and CONFIG_FIT_SIGNATURE ]
|
|
$ make CROSS_COMPILE=aarch64-linux-gnu-
|
|
|
|
4. Build the image tree blob
|
|
|
|
After building U-Boot, you will see tools/mkimage. With this tool, you can
|
|
create an image tree blob as follows:
|
|
|
|
$ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
|
|
|
|
The -k option must specify the key directory you have created in step 1.
|
|
|
|
A file "fitImage" will be created. This includes kernel, DTB, Init-ramdisk,
|
|
hash data for each of the three, and signature data.
|
|
|
|
The public key needed for the run-time verification is stored in "dts/dt.dtb".
|
|
|
|
5. Compile U-Boot again
|
|
|
|
Since the "dt.dtb" has been updated in step 4, you need to re-compile the
|
|
U-Boot.
|
|
|
|
$ make CROSS_COMPILE=aarch64-linux-gnu-
|
|
|
|
The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
|
|
|
|
6. Flash the image
|
|
|
|
Flash the "fitImage" to a storage device (NAND, eMMC, or whatever) on your
|
|
board.
|
|
|
|
Please note the "u-boot.bin" must be signed, and verified by someone when it is
|
|
loaded. For ARMv8 SoCs, the "someone" is generally ARM Trusted Firmware BL2.
|
|
ARM Trusted Firmware supports an image authentication mechanism called Trusted
|
|
Board Boot (TBB). The verification process must be chained from the moment of
|
|
the system reset. If the Chain of Trust has a breakage somewhere, the verified
|
|
boot process is entirely pointless.
|
|
|
|
7. Boot verified kernel
|
|
|
|
Load the fitImage to memory and run the following from the U-Boot command line.
|
|
|
|
> bootm <addr>
|
|
|
|
Here, <addr> is the base address of the fitImage.
|
|
|
|
If it is successful, you will see messages like follows:
|
|
|
|
---------------------------------------->8----------------------------------------
|
|
## Loading kernel from FIT Image at 84100000 ...
|
|
Using 'config@0' configuration
|
|
Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
|
|
Trying 'kernel@0' kernel subimage
|
|
Description: linux
|
|
Created: 2017-10-20 14:32:29 UTC
|
|
Type: Kernel Image
|
|
Compression: gzip compressed
|
|
Data Start: 0x841000c8
|
|
Data Size: 6957818 Bytes = 6.6 MiB
|
|
Architecture: AArch64
|
|
OS: Linux
|
|
Load Address: 0x82080000
|
|
Entry Point: 0x82080000
|
|
Hash algo: sha256
|
|
Hash value: 82a37b7f11ae55f4e07aa25bf77e4067cb9dc1014d52d6cd4d588f92eee3aaad
|
|
Verifying Hash Integrity ... sha256+ OK
|
|
## Loading ramdisk from FIT Image at 84100000 ...
|
|
Using 'config@0' configuration
|
|
Trying 'ramdisk@0' ramdisk subimage
|
|
Description: ramdisk
|
|
Created: 2017-10-20 14:32:29 UTC
|
|
Type: RAMDisk Image
|
|
Compression: uncompressed
|
|
Data Start: 0x847a5cc0
|
|
Data Size: 5264365 Bytes = 5 MiB
|
|
Architecture: AArch64
|
|
OS: Linux
|
|
Load Address: unavailable
|
|
Entry Point: unavailable
|
|
Hash algo: sha256
|
|
Hash value: 44980a2874154a2e31ed59222c9f8ea968867637f35c81e4107a984de7014deb
|
|
Verifying Hash Integrity ... sha256+ OK
|
|
## Loading fdt from FIT Image at 84100000 ...
|
|
Using 'config@0' configuration
|
|
Trying 'fdt@0' fdt subimage
|
|
Description: fdt
|
|
Created: 2017-10-20 14:32:29 UTC
|
|
Type: Flat Device Tree
|
|
Compression: uncompressed
|
|
Data Start: 0x847a2cb0
|
|
Data Size: 12111 Bytes = 11.8 KiB
|
|
Architecture: AArch64
|
|
Hash algo: sha256
|
|
Hash value: c517099db537f6d325e6be46b25c871a41331ad5af0283883fd29d40bfc14e1d
|
|
Verifying Hash Integrity ... sha256+ OK
|
|
Booting using the fdt blob at 0x847a2cb0
|
|
Uncompressing Kernel Image ... OK
|
|
reserving fdt memory region: addr=80000000 size=2000000
|
|
Loading Device Tree to 000000009fffa000, end 000000009fffff4e ... OK
|
|
|
|
Starting kernel ...
|
|
---------------------------------------->8----------------------------------------
|
|
|
|
Please pay attention to the lines that start with "Verifying Hash Integrity".
|
|
|
|
"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
|
|
passed.
|
|
|
|
"Verifying Hash Integrity ... sha256+ OK" (3 times) means the hash check passed
|
|
for kernel, DTB, and Init ramdisk.
|
|
|
|
If they are not displayed, the Verified Boot is not working.
|
|
|
|
|
|
UniPhier specific commands
|
|
--------------------------
|
|
|
|
- pinmon (enabled by CONFIG_CMD_PINMON)
|
|
shows the boot mode pins that has been latched at the power-on reset
|
|
|
|
- ddrphy (enabled by CONFIG_CMD_DDRPHY_DUMP)
|
|
shows the DDR PHY parameters set by the PHY training
|
|
|
|
- ddrmphy (enabled by CONFIG_CMD_DDRMPHY_DUMP)
|
|
shows the DDR Multi PHY parameters set by the PHY training
|
|
|
|
|
|
Supported devices
|
|
-----------------
|
|
|
|
- UART (on-chip)
|
|
- NAND
|
|
- SD/eMMC
|
|
- USB 2.0 (EHCI)
|
|
- USB 3.0 (xHCI)
|
|
- GPIO
|
|
- LAN (on-board SMSC9118)
|
|
- I2C
|
|
- EEPROM (connected to the on-board I2C bus)
|
|
- Support card (SRAM, NOR flash, some peripherals)
|
|
|
|
|
|
Micro Support Card
|
|
------------------
|
|
|
|
The recommended bit switch settings are as follows:
|
|
|
|
SW2 OFF(1)/ON(0) Description
|
|
------------------------------------------
|
|
bit 1 <---- BKSZ[0]
|
|
bit 2 ----> BKSZ[1]
|
|
bit 3 <---- SoC Bus Width 16/32
|
|
bit 4 <---- SERIAL_SEL[0]
|
|
bit 5 ----> SERIAL_SEL[1]
|
|
bit 6 ----> BOOTSWAP_EN
|
|
bit 7 <---- CS1/CS5
|
|
bit 8 <---- SOC_SERIAL_DISABLE
|
|
|
|
SW8 OFF(1)/ON(0) Description
|
|
------------------------------------------
|
|
bit 1 <---- CS1_SPLIT
|
|
bit 2 <---- CASE9_ON
|
|
bit 3 <---- CASE10_ON
|
|
bit 4 Don't Care Reserve
|
|
bit 5 Don't Care Reserve
|
|
bit 6 Don't Care Reserve
|
|
bit 7 ----> BURST_EN
|
|
bit 8 ----> FLASHBUS32_16
|
|
|
|
The BKSZ[1:0] specifies the address range of memory slot and peripherals
|
|
as follows:
|
|
|
|
BKSZ Description RAM slot Peripherals
|
|
--------------------------------------------------------------------
|
|
0b00 15MB RAM / 1MB Peri 00000000-00efffff 00f00000-00ffffff
|
|
0b01 31MB RAM / 1MB Peri 00000000-01efffff 01f00000-01ffffff
|
|
0b10 64MB RAM / 1MB Peri 00000000-03efffff 03f00000-03ffffff
|
|
0b11 127MB RAM / 1MB Peri 00000000-07efffff 07f00000-07ffffff
|
|
|
|
Set BSKZ[1:0] to 0b01 for U-Boot.
|
|
This mode is the most handy because EA[24] is always supported by the save pin
|
|
mode of the system bus. On the other hand, EA[25] is not supported for some
|
|
newer SoCs. Even if it is, EA[25] is not connected on most of the boards.
|
|
|
|
--
|
|
Masahiro Yamada <yamada.masahiro@socionext.com>
|
|
Oct. 2017
|