diff mbox

[U-Boot,3/3] nitrogen6x: add secure boot support

Message ID 1471989321-25280-4-git-send-email-gary.bisson@boundarydevices.com
State Superseded
Delegated to: Stefano Babic
Headers show

Commit Message

Gary Bisson Aug. 23, 2016, 9:55 p.m. UTC 
Selecting the proper options to enable the build of the HAB tools.

Also adding a CSF section to the imx final image so it can contain
the signature information.

Note, this support is disabled by default, one will have to select
the SECURE_BOOT configuration through menuconfig to enable it.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
 board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
 board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
 board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
 board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
 include/configs/nitrogen6x.h                | 9 +++++++++
 7 files changed, 27 insertions(+)

Comments

Eric Nelson Aug. 24, 2016, 12:35 a.m. UTC | #1 
Hi Gary,

On 08/23/2016 02:55 PM, Gary Bisson wrote:
> Selecting the proper options to enable the build of the HAB tools.
> 
> Also adding a CSF section to the imx final image so it can contain
> the signature information.
> 
> Note, this support is disabled by default, one will have to select
> the SECURE_BOOT configuration through menuconfig to enable it.
> 
> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> ---
>  board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
>  board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
>  board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
>  board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
>  board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
>  board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
>  include/configs/nitrogen6x.h                | 9 +++++++++
>  7 files changed, 27 insertions(+)
> 
> diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> index 1cdccad..5c3e961 100644
> --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> index 516d67e..fe19ed0 100644
> --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
> index b6642e6..60e1885 100644
> --- a/board/boundary/nitrogen6x/nitrogen6q.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> index fe6dfc1..7a3ee94 100644
> --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
> index ca30cd6..2540b7b 100644
> --- a/board/boundary/nitrogen6x/nitrogen6s.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> index b1489fb..946af7b 100644
> --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> @@ -20,6 +20,9 @@ BOOT_FROM      spi
>  
>  #define __ASSEMBLY__
>  #include <config.h>
> +#ifdef CONFIG_SECURE_BOOT
> +CSF CONFIG_CSF_SIZE
> +#endif
>  #include "asm/arch/mx6-ddr.h"
>  #include "asm/arch/iomux.h"
>  #include "asm/arch/crm_regs.h"
> diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
> index b651eb3..3281e42 100644
> --- a/include/configs/nitrogen6x.h
> +++ b/include/configs/nitrogen6x.h
> @@ -35,6 +35,15 @@
>  #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
>  #endif
>  
> +/* Secure boot (HAB) support */
> +#ifdef CONFIG_SECURE_BOOT
> +#define CONFIG_CSF_SIZE			0x2000
> +#define CONFIG_SYS_FSL_SEC_COMPAT	4
> +#define CONFIG_FSL_CAAM
> +#define CONFIG_CMD_DEKBLOB
> +#define CONFIG_SYS_FSL_SEC_LE
> +#endif
> +

I agree with the comment in your cover letter, that this belongs
in a common place.
Gary Bisson Aug. 24, 2016, 10:17 a.m. UTC | #2 
Hi Eric, all,

On Tue, Aug 23, 2016 at 05:35:14PM -0700, Eric Nelson wrote:
> Hi Gary,
> 
> On 08/23/2016 02:55 PM, Gary Bisson wrote:
> > Selecting the proper options to enable the build of the HAB tools.
> > 
> > Also adding a CSF section to the imx final image so it can contain
> > the signature information.
> > 
> > Note, this support is disabled by default, one will have to select
> > the SECURE_BOOT configuration through menuconfig to enable it.
> > 
> > Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> > ---
> >  board/boundary/nitrogen6x/nitrogen6dl.cfg   | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6q.cfg    | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6q2g.cfg  | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6s.cfg    | 3 +++
> >  board/boundary/nitrogen6x/nitrogen6s1g.cfg  | 3 +++
> >  include/configs/nitrogen6x.h                | 9 +++++++++
> >  7 files changed, 27 insertions(+)
> > 
> > diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > index 1cdccad..5c3e961 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > index 516d67e..fe19ed0 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
> > index b6642e6..60e1885 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6q.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > index fe6dfc1..7a3ee94 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
> > index ca30cd6..2540b7b 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6s.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > index b1489fb..946af7b 100644
> > --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
> > @@ -20,6 +20,9 @@ BOOT_FROM      spi
> >  
> >  #define __ASSEMBLY__
> >  #include <config.h>
> > +#ifdef CONFIG_SECURE_BOOT
> > +CSF CONFIG_CSF_SIZE
> > +#endif
> >  #include "asm/arch/mx6-ddr.h"
> >  #include "asm/arch/iomux.h"
> >  #include "asm/arch/crm_regs.h"
> > diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
> > index b651eb3..3281e42 100644
> > --- a/include/configs/nitrogen6x.h
> > +++ b/include/configs/nitrogen6x.h
> > @@ -35,6 +35,15 @@
> >  #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
> >  #endif
> >  
> > +/* Secure boot (HAB) support */
> > +#ifdef CONFIG_SECURE_BOOT
> > +#define CONFIG_CSF_SIZE			0x2000
> > +#define CONFIG_SYS_FSL_SEC_COMPAT	4
> > +#define CONFIG_FSL_CAAM
> > +#define CONFIG_CMD_DEKBLOB
> > +#define CONFIG_SYS_FSL_SEC_LE
> > +#endif
> > +
> 
> I agree with the comment in your cover letter, that this belongs
> in a common place.

Does Fabio agree with that? Also, should we differenciate the options
needed for signature only (SECURE_BOOT and CSF_SIZE) to the other that
are only useful when encryption is needed.

Regards,
Gary
Fabio Estevam Aug. 25, 2016, 4:22 p.m. UTC | #3 
Hi Gary,

On Wed, Aug 24, 2016 at 7:17 AM, Gary Bisson
<gary.bisson@boundarydevices.com> wrote:

>> I agree with the comment in your cover letter, that this belongs
>> in a common place.
>
> Does Fabio agree with that? Also, should we differenciate the options

What about placing the options below:

+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE                        0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT      4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif

,into include/configs/mx6_common.h ?

Thanks
diff mbox

Patch

diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg
index 1cdccad..5c3e961 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
index 516d67e..fe19ed0 100644
--- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg
index b6642e6..60e1885 100644
--- a/board/boundary/nitrogen6x/nitrogen6q.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
index fe6dfc1..7a3ee94 100644
--- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg
index ca30cd6..2540b7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
index b1489fb..946af7b 100644
--- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg
+++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg
@@ -20,6 +20,9 @@  BOOT_FROM      spi
 
 #define __ASSEMBLY__
 #include <config.h>
+#ifdef CONFIG_SECURE_BOOT
+CSF CONFIG_CSF_SIZE
+#endif
 #include "asm/arch/mx6-ddr.h"
 #include "asm/arch/iomux.h"
 #include "asm/arch/crm_regs.h"
diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h
index b651eb3..3281e42 100644
--- a/include/configs/nitrogen6x.h
+++ b/include/configs/nitrogen6x.h
@@ -35,6 +35,15 @@ 
 #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0)
 #endif
 
+/* Secure boot (HAB) support */
+#ifdef CONFIG_SECURE_BOOT
+#define CONFIG_CSF_SIZE			0x2000
+#define CONFIG_SYS_FSL_SEC_COMPAT	4
+#define CONFIG_FSL_CAAM
+#define CONFIG_CMD_DEKBLOB
+#define CONFIG_SYS_FSL_SEC_LE
+#endif
+
 /* I2C Configs */
 #define CONFIG_SYS_I2C
 #define CONFIG_SYS_I2C_MXC