From patchwork Mon Sep 23 18:39:47 2019
X-Patchwork-Submitter: Breno Matheus Lima
X-Patchwork-Id: 1166171
X-Patchwork-Delegate: sbabic@denx.de
From: Breno Matheus Lima
To: "jagan@amarulasolutions.com", "sbabic@denx.de", "festevam@gmail.com"
Cc: Breno Matheus Lima, "u-boot@lists.denx.de", "igor.opaniuk@toradex.com"
Date: Mon, 23 Sep 2019 18:39:47 +0000
Message-ID: <1569263961-140-1-git-send-email-breno.lima@nxp.com>
Subject: [U-Boot] [PATCH] imx: Kconfig: Reduce default CONFIG_CSF_SIZE

The default CSF_SIZE defined in Kconfig is too high and SPL cannot fit into the OCRAM in certain cases.

The CSF cannot achieve 0x2000 length when using RSA 4K key which is the largest key size supported by HABv4.

According to AN12056 "Encrypted Boot on HABv4 and CAAM Enabled Devices" it's recommended to pad CSF binary to 0x2000 and append DEK blob to deploy encrypted boot images.

As the maximum DEK blob size is 0x58 we can reduce CSF_SIZE to 0x2060 which should cover both CSF and DEK blob length. Update default_image.c and image.c to align with this change and avoid a U-Boot proper authentication failure in HAB closed devices: Authenticate image from DDR location 0x877fffc0... bad magic magic=0x32 length=0x6131 version=0x38 bad length magic=0x32 length=0x6131 version=0x38 bad version magic=0x32 length=0x6131 version=0x38 spl: ERROR: image authentication fail Fixes: 96d27fb218 (Revert "habv4: tools: Avoid hardcoded CSF size for SPL targets") Reported-by: Jagan Teki Signed-off-by: Breno Lima --- arch/arm/mach-imx/Kconfig | 2 +- common/image.c | 7 ++++--- tools/default_image.c | 5 ++++- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index d44f74e474..f721eaf937 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -45,7 +45,7 @@ config SECURE_BOOT config CSF_SIZE hex "Maximum size for Command Sequence File (CSF) binary" - default 0x4000 + default 0x2060 help Define the maximum size for Command Sequence File (CSF) binary this information is used to define the image boot data. diff --git a/common/image.c b/common/image.c index 179eef0bd2..62ba6b3bfe 100644 --- a/common/image.c +++ b/common/image.c @@ -61,6 +61,7 @@ static const image_header_t *image_get_ramdisk(ulong rd_addr, uint8_t arch, #endif /* !USE_HOSTCC*/ #include +#include #ifndef CONFIG_SYS_BARGSIZE #define CONFIG_SYS_BARGSIZE 512 @@ -378,9 +379,9 @@ void image_print_contents(const void *ptr) } } else if (image_check_type(hdr, IH_TYPE_FIRMWARE_IVT)) { printf("HAB Blocks: 0x%08x 0x0000 0x%08x\n", - image_get_load(hdr) - image_get_header_size(), - image_get_size(hdr) + image_get_header_size() - - 0x1FE0); + image_get_load(hdr) - image_get_header_size(), + (int)(image_get_size(hdr) + image_get_header_size() + + sizeof(flash_header_v2_t) - 0x2060)); } } 
diff --git a/tools/default_image.c b/tools/default_image.c index 4b7d1ed4a1..f7990e28c0 100644 --- a/tools/default_image.c +++ b/tools/default_image.c @@ -19,6 +19,7 @@ #include #include #include +#include static image_header_t header; @@ -106,7 +107,9 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd, if (params->type == IH_TYPE_FIRMWARE_IVT) /* Add size of CSF minus IVT */ - imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0; + imagesize = sbuf->st_size - sizeof(image_header_t) + + 0x2060 - sizeof(flash_header_v2_t); + else imagesize = sbuf->st_size - sizeof(image_header_t);
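Review bot: In the arch/arm/mach-imx/Kconfig hunk, the help text for CSF_SIZE still describes the option only as the maximum size of the CSF binary, while the new default 0x2060 is chosen, per the commit message, to hold the CSF padded to 0x2000 plus the appended DEK blob (maximum 0x58). Please extend the help text to say that the value must also leave room for the DEK blob, so that a board overriding the default does not size it for the CSF alone and end up with an encrypted image whose blob does not fit.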
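Review bot: In the image_print_contents() hunk of common/image.c, the literal 0x2060 duplicates the new Kconfig default, so the "HAB Blocks" length printed here is only correct while CSF_SIZE is left at its default; a board that sets a different CSF_SIZE gets a length that no longer matches the region that is actually signed. A single named constant shared with tools/default_image.c (or the config value where it is available) would keep the three places from drifting apart. The expression is also cast with (int) but printed with %08x, which expects an unsigned int; an (unsigned int) or (uint32_t) cast matches the format and avoids a signed conversion if the subtraction ever underflows on a small image.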
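Review bot: In the image_set_header() hunk of tools/default_image.c, the comment "Add size of CSF minus IVT" is left above an expression that now adds 0x2060 - sizeof(flash_header_v2_t), and 0x2060 is described in the commit message as CSF plus DEK blob, so the comment no longer says what the number is. Since image_print_contents() has to undo exactly this calculation to print the HAB block length, both sites should take the value from one named definition with a comment explaining the 0x2000 + DEK blob split. The hunk also adds an empty line between the if body and "else", which should be dropped.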