This series enables an automated HAB verified secure boot which chain-loads via OPTEE see `git show 5cf3251..c225e7c` for details.
This set depends on three in-flight patchsets 1. [PATCH v3 0/3] NXP WaARP7 set serial# from OTP fuses for USB iSerial Already has a Reviewed-by from Fabio 2. [PATCH v3 0/2] imx: hab: Add helper functions for scripted HAB auth Has a Reviewed-by: from Breno 3. [PATCH] configs: warp7: Fix CAAM on boot with tip-of-tree I'm trying not to make this cover email too long. So - once this set is applied it is possible to boot from the BootROM using HAB to verify - u-boot - boot.scr - Kernel - DTB Chainload via OPTEE and boot up to Linux. If there is a HAB failure at any stage of the process we force-drop down to the USB HID failover mode, from which we can send up a recovery image to unblock. I've run the WaRP7 default u-boot and this new version on NXP's reference yocto image and verified that that yocto image boots with both versions of the WaRP7 -> warp7_defconfig and warp7_secure_defconfig. http://freescale.github.io/#download -> BoardsWaRPboard community - WaRP - Wearable Reference PlatformFSL Community BSP 2.3fsl-image-multimediawayland In addition the modifications targeting warp7_secure_defconfig mean it is possible to chain-load via OPTEE using scripted HAB to verify images prior to exiting the u-boot domain. Here is an example of the scripting we are doing which shows further reuse of shell functions introduced in previous patches. #### Example secure-boot boot.scr.imx-signed #### # This section is responsbile for loading a signed Linux kernel setenv image_signed zImage.imx-signed if test ${hab_enabled} -eq 1; then setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset} ${loadcmd} mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${image_signed} run warp7_auth_or_fail else run loadimage; fi # This section is responsbile for loading a signed FDT image setenv fdt_file_signed imx7s-warp.dtb.imx-signed if test ${hab_enabled} -eq 1; then setexpr hab_ivt_addr ${fdt_addr} - ${ivt_offset} ${loadcmd} mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${fdt_file_signed} run warp7_auth_or_fail else run loadfdt; fi # Set the filesystem type and partition target setenv loadcmd ext4load # Boot from rootfs1 by default setenv mmcpart 3 # But if the rootfs2 file exists in partition 2, boot from rootfs2 ext4size mmc 0:2 rootfs2 && setenv mmcpart 5 # This section is responsbile for loading a signed OPTEE image setenv optee_file /lib/firmware/uTee.optee setenv optee_file_signed /lib/firmware/uTee.optee.imx-signed setenv loadoptee "${loadcmd} mmc ${mmcdev}:${mmcpart} ${optee_addr} ${optee_file}" if test ${hab_enabled} -eq 1; then setexpr hab_ivt_addr ${optee_addr} - ${ivt_offset} ${loadcmd} mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${optee_file_signed} run warp7_auth_or_fail else run loadoptee; fi # Set UUID mmcpart will be used to pass root id to kernel setenv rootpart ${mmcpart} run finduuid; run mmcargs; # Now boot echo Booting secure Linux/OPTEE OS from mmc ...; bootm ${optee_addr} - ${fdt_addr}; # Failsafe if something goes wrong hab_failsafe Bryan O'Donoghue (18): imximage: Specify default IVT offset in IMX image warp7: hab: Add a CSF location definition warp7: hab: Set environment variable indicating HAB enable warp7: defconfig: Enable OPTEE for WaRP7 warp7: Allocate specific region of memory to OPTEE warp7: Print out the OPTEE DRAM region warp7: Specify CONFIG_OPTEE_LOAD_ADDR warp7: defconfig: Enable CONFIG_SECURE_BOOT warp7: defconfig: Enable CONFIG_BOOTM_TEE warp7: Make CONFIG_SYS_FDT_ADDR a define warp7: Add Kconfig WARP7_ROOT_PART warp7: select uuid partition based on rootpart warp7: Define the name of a signed boot-script file warp7: add warp7_auth_or_fail warp7: Make load command an environment variable warp7: hab: Set environment variable indicating IVT offset warp7_secure: defconfig: Enable CMD_SETEXPR warp7: Add support for automated secure boot.scr verification board/warp7/Kconfig | 14 ++++++++++++++ board/warp7/imximage.cfg | 4 ++++ board/warp7/warp7.c | 23 +++++++++++++++++++++++ configs/warp7_secure_defconfig | 6 +++++- include/configs/warp7.h | 29 ++++++++++++++++++++++++----- include/imximage.h | 3 +++ 6 files changed, 73 insertions(+), 6 deletions(-) -- 2.7.4 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
