On 26/03/2018 16:36, Bryan O'Donoghue wrote:
> This patch adds hab_auth_img_or_fail() a command line function that
> encapsulates a common usage of authenticate and failover, namely if
> authenticate image fails, then drop to BootROM USB recovery mode.
>
> For secure-boot systems, this type of locked down behavior is important to
> ensure no unsigned images can be run.
>
> It's possible to script this logic but, when done over and over again the
> environment starts get very complex and repetitive, reducing that script
> repetition down to a command line function makes sense.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonog...@linaro.org>
> Cc: Utkarsh Gupta <utkarsh.gu...@nxp.com>
> Cc: Breno Lima <breno.l...@nxp.com>
> Cc: Fabio Estevam <fabio.este...@nxp.com>
> ---
> arch/arm/mach-imx/hab.c | 35 +++++++++++++++++++++++++++++++++++
> 1 file changed, 35 insertions(+)
>
> diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
> index c730c8f..9ca7bad 100644
> --- a/arch/arm/mach-imx/hab.c
> +++ b/arch/arm/mach-imx/hab.c
> @@ -341,6 +341,31 @@ static int do_hab_failsafe(cmd_tbl_t *cmdtp, int flag,
> int argc,
> return 0;
> }
>
> +static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag,
> + int argc, char * const argv[])
> +{
> + int ret = CMD_RET_FAILURE;
> +
> + if (argc != 4) {
> + ret = CMD_RET_USAGE;
> + goto error;
> + }
> +
> + if (!imx_hab_is_enabled()) {
> + printf("error: secure boot disabled\n");
> + goto error;
> + }
> +
> + if (do_authenticate_image(NULL, flag, argc, argv) != CMD_RET_SUCCESS) {
> + fprintf(stderr, "authentication fail -> %s %s %s %s\n",
> + argv[0], argv[1], argv[2], argv[3]);
> + do_hab_failsafe(0, 0, 1, NULL);
> + };
> + ret = CMD_RET_SUCCESS;
> +error:
> + return ret;
> +}
> +
> U_BOOT_CMD(
> hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
> "display HAB status",
> @@ -362,6 +387,16 @@ U_BOOT_CMD(
> ""
> );
>
> +U_BOOT_CMD(
> + hab_auth_img_or_fail, 4, 0,
> + do_authenticate_image_or_failover,
> + "authenticate image via HAB on failure drop to USB BootROM
> mode",
> + "addr length ivt_offset\n"
> + "addr - image hex address\n"
> + "length - image hex length\n"
> + "ivt_offset - hex offset of IVT in the image"
> + );
> +
> #endif /* !defined(CONFIG_SPL_BUILD) */
>
> /* Get CSF Header length */
>
Applied to u-boot-imx, thanks !
Best regards,
Stefano Babic
--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
