AnsweredAssumed Answered

High Assurance Boot Activity .

Question asked by supriya negi on Sep 18, 2014
Latest reply on Sep 21, 2014 by Yuri Muhin

I have started with the High Assurance Boot Activity .

Below are the steps followed by now , followed by few concerns..

(Links I am referring …

https://community.freescale.com/docs/DOC-96451

http://marc.info/?l=u-boot&m=139227973004718&q=p5

https://community.freescale.com/message/379101#379101

 

)

Step 1)  IMX_CST_TOOL – This package was successfully downloaded BLN_CST_MAIN_02.00.00.zip

Step2)  Generate HAB4 Keys and Certificates – Was successfully able to generate hab4 keys and certificates also HAB4 SRK tables and efuse Hash.

Step 3)  Modify u-boot for HAB and sign u-boot image

 

Uboot 2013 is not having any files related to HAB (like arch/arm/cpu/armv7/mx6/hab.c )

Why is u-boot 2013 is not having hab.c ???


From the  link -- https://www.mail-archive.com/u-boot@lists.denx.de/msg146403.html

I tried generating and applying  patch but facing below error messages..(Patch file is shown below)

 

....../i.MX6/linux/yocto/u-boot-fslc_v2013.04-r0$ patch  < hab.patch

(Stripping trailing CRs from patch.)

patching file clock.c

Hunk #1 FAILED at 1.

Hunk #2 FAILED at 543.

2 out of 2 hunks FAILED -- saving rejects to file clock.c.rej

(Stripping trailing CRs from patch.)

patching file hab.c

Hunk #1 FAILED at 1.

Hunk #2 FAILED at 7.

Hunk #3 FAILED at 71.

Hunk #4 FAILED at 144.

patch: **** malformed patch at line 254: char * const argv[])

 

I understand there might be few additions required as showed in above links in uboot 2013 so as to possibly enable and use HAB . What and where all those changes are required ??

 

     hab.patch contents

Signed-off-by: Nitin Garg <nitin.g...@freescale.com>

---

arch/arm/cpu/armv7/mx6/clock.c            |   40 ++++++-

arch/arm/cpu/armv7/mx6/hab.c              |  180 ++++++++++++++++++++++++++++-

arch/arm/cpu/armv7/mx6/soc.c              |   15 +++

arch/arm/include/asm/arch-mx6/clock.h     |    6 +

arch/arm/include/asm/arch-mx6/sys_proto.h |    4 +-

5 files changed, 242 insertions(+), 3 deletions(-)

 

 

diff --git a/arch/arm/cpu/armv7/mx6/clock.c b/arch/arm/cpu/armv7/mx6/clock.c

index 820b8d5..62de8c9 100644

--- a/arch/arm/cpu/armv7/mx6/clock.c

+++ b/arch/arm/cpu/armv7/mx6/clock.c

@@ -1,5 +1,5 @@

/*

- * Copyright (C) 2010-2011 Freescale Semiconductor, Inc.

+ * Copyright (C) 2010-2014 Freescale Semiconductor, Inc.

  *

  * SPDX-License-Identifier:    GPL-2.0+

  */

@@ -543,6 +543,44 @@ int enable_pcie_clock(void)

                               BM_ANADIG_PLL_ENET_ENABLE_PCIE);

}

 

+#ifdef CONFIG_SECURE_BOOT

+void hab_caam_clock_enable(void)

+{

+       struct mxc_ccm_reg *ccm_regs = (struct mxc_ccm_reg *)CCM_BASE_ADDR;

+       u32 reg = 0;

+

+       /*CG4 ~ CG6, enable CAAM clocks*/

+       reg = readl(&ccm_regs->CCGR0);

+       reg |= (MXC_CCM_CCGR0_CAAM_WRAPPER_IPG_MASK |

+                       MXC_CCM_CCGR0_CAAM_WRAPPER_ACLK_MASK |

+                       MXC_CCM_CCGR0_CAAM_SECURE_MEM_MASK);

+       writel(reg, &ccm_regs->CCGR0);

+

+       /* Enable EMI slow clk */

+       reg = readl(&ccm_regs->CCGR6);

+       reg |= MXC_CCM_CCGR6_EMI_SLOW_MASK;

+       writel(reg, &ccm_regs->CCGR6);

+}

+

+void hab_caam_clock_disable(void)

+{

+       struct mxc_ccm_reg *ccm_regs = (struct mxc_ccm_reg *)CCM_BASE_ADDR;

+       u32 reg = 0;

+

+       /*CG4 ~ CG6, disable CAAM clocks*/

+       reg = readl(&ccm_regs->CCGR0);

+       reg &= ~(MXC_CCM_CCGR0_CAAM_WRAPPER_IPG_MASK |

+                       MXC_CCM_CCGR0_CAAM_WRAPPER_ACLK_MASK |

+                       MXC_CCM_CCGR0_CAAM_SECURE_MEM_MASK);

+       writel(reg, &ccm_regs->CCGR0);

+

+       /* Disable EMI slow clk */

+       reg = readl(&ccm_regs->CCGR6);

+       reg &= ~MXC_CCM_CCGR6_EMI_SLOW_MASK;

+       writel(reg, &ccm_regs->CCGR6);

+}

+#endif

+

unsigned int mxc_get_clock(enum mxc_clock clk)

{

        switch (clk) {

diff --git a/arch/arm/cpu/armv7/mx6/hab.c b/arch/arm/cpu/armv7/mx6/hab.c

index f6810a6..55780b8 100644

--- a/arch/arm/cpu/armv7/mx6/hab.c

+++ b/arch/arm/cpu/armv7/mx6/hab.c

@@ -1,5 +1,5 @@

/*

- * Copyright (C) 2010-2013 Freescale Semiconductor, Inc.

+ * Copyright (C) 2010-2014 Freescale Semiconductor, Inc.

  *

  * SPDX-License-Identifier:    GPL-2.0+

  */

@@ -7,8 +7,12 @@

#include <common.h>

#include <asm/io.h>

#include <asm/arch/hab.h>

+#include <asm/arch/clock.h>

#include <asm/arch/sys_proto.h>

 

+/* enable HAB (High Assurance Boot) debug */

+/* #define DEBUG_AUTHENTICATE_IMAGE */

+

/* -------- start of HAB API updates ------------*/

 

#define hab_rvt_report_event_p                                 \

@@ -71,6 +75,41 @@

        ((hab_rvt_exit_t *)HAB_RVT_EXIT)                        \

)

 

+#define IVT_SIZE               0x20

+#define ALIGN_SIZE             0x1000

+#define CSF_PAD_SIZE           0x2000

+

+/*

+ * +------------+  0x0 (DDR_UIMAGE_START) -

+ * |   Header   |                          |

+ * +------------+  0x40                    |

+ * |            |                          |

+ * |            |                          |

+ * |            |                          |

+ * |            |                          |

+ * | Image Data |                          |

+ * .            |                          |

+ * .            |                           > Stuff to be authenticated ----+

+ * .            |                          |                                |

+ * |            |                          |                                |

+ * |            |                          |                                |

+ * +------------+                          |                                |

+ * |            |                          |                                |

+ * | Fill Data  |                          |                                |

+ * |            |                          |                                |

+ * +------------+ Align to ALIGN_SIZE      |                                |

+ * |    IVT     |                          |                                |

+ * +------------+ + IVT_SIZE              -                                 |

+ * |            |                                                           |

+ * |  CSF DATA  | <---------------------------------------------------------+

+ * |            |

+ * +------------+

+ * |            |

+ * | Fill Data  |

+ * |            |

+ * +------------+ + CSF_PAD_SIZE

+ */

+

bool is_hab_enabled(void)

{

        struct ocotp_regs *ocotp = (struct ocotp_regs *)OCOTP_BASE_ADDR;

@@ -144,6 +183,120 @@ int get_hab_status(void)

        return 0;

}

 

+#ifdef DEBUG_AUTHENTICATE_IMAGE

+void dump_mem(uint32_t addr, int size)

+{

+       int i;

+

+       for (i = 0; i < size; i += 4) {

+               if (i != 0) {

+                       if (i % 16 == 0)

+                               printf("\n");

+                       else

+                               printf(" ");

+               }

+

+               printf("0x%08x", *(uint32_t *)addr);

+               addr += 4;

+       }

+

+       printf("\n");

+

+       return;

+}

+#endif

+

+uint32_t authenticate_image(uint32_t ddr_start, uint32_t image_size)

+{

+       uint32_t load_addr = 0;

+       size_t bytes;

+       ptrdiff_t ivt_offset = 0;

+       int result = 0;

+       ulong start;

+       hab_rvt_authenticate_image_t *hab_rvt_authenticate_image;

+       hab_rvt_entry_t *hab_rvt_entry;

+       hab_rvt_exit_t *hab_rvt_exit;

+

+       hab_rvt_authenticate_image = hab_rvt_authenticate_image_p;

+       hab_rvt_entry = hab_rvt_entry_p;

+       hab_rvt_exit = hab_rvt_exit_p;

+

+       if (is_hab_enabled()) {

+               printf("\nAuthenticate uImage from DDR location 0x%x...\n",

+                       ddr_start);

+

+               hab_caam_clock_enable();

+

+               if (hab_rvt_entry() == HAB_SUCCESS) {

+                       /* If not already aligned, Align to ALIGN_SIZE */

+                       ivt_offset = (image_size + ALIGN_SIZE - 1) &

+                                       ~(ALIGN_SIZE - 1);

+

+                       start = ddr_start;

+                       bytes = ivt_offset + IVT_SIZE + CSF_PAD_SIZE;

+

+#ifdef DEBUG_AUTHENTICATE_IMAGE

+                       printf("\nivt_offset = 0x%x, ivt addr = 0x%x\n",

+                              ivt_offset, ddr_start + ivt_offset);

+                       printf("Dumping IVT\n");

+                       dump_mem(ddr_start + ivt_offset, 0x20);

+

+                       printf("Dumping CSF Header\n");

+                       dump_mem(ddr_start + ivt_offset + 0x20, 0x40);

+

+                       get_hab_status();

+

+                       printf("\nCalling authenticate_image in ROM\n");

+                       printf("\tivt_offset = 0x%x\n\tstart = 0x%08x"

+                              "\n\tbytes = 0x%x\n", ivt_offset, start, bytes);

+#endif

+                       /*

+                        * If the MMU is enabled, we have to notify the ROM

+                        * code, or it won't flush the caches when needed.

+                        * This is done, by setting the "pu_irom_mmu_enabled"

+                        * word to 1. You can find its address by looking in

+                        * the ROM map. This is critical for

+                        * authenticate_image(). If MMU is enabled, without

+                        * setting this but, authentication will fail and may

+                        * crash.

+                        */

+                       if (is_cpu_type(MXC_CPU_MX6Q) ||

+                           is_cpu_type(MXC_CPU_MX6D)) {

+                               /*

+                                * This won't work on Rev 1.0.0 of i.MX6Q/D,

+                                * since their ROM doesn't do cache flushes.

+                                * I don't think any exist, so we ignore them.

+                                */

+                               writel(1, 0x009024a8);

+                       } else if (is_cpu_type(MXC_CPU_MX6DL) ||

+                                  is_cpu_type(MXC_CPU_MX6SOLO)) {

+                               writel(1, 0x00901dd0);

+                       } else if (is_cpu_type(MXC_CPU_MX6SL)) {

+                               writel(1, 0x00900a18);

+                       }

+

+                       load_addr = (uint32_t)hab_rvt_authenticate_image(

+                                       HAB_CID_UBOOT,

+                                       ivt_offset, (void **)&start,

+                                       (size_t *)&bytes, NULL);

+                       if (hab_rvt_exit() != HAB_SUCCESS) {

+                               printf("hab exit function fail\n");

+                               load_addr = 0;

+                       }

+               } else

+                       printf("hab entry function fail\n");

+

+               hab_caam_clock_disable();

+

+               get_hab_status();

+       }

+

+       if ((!is_hab_enabled()) || (load_addr != 0))

+               result = 1;

+

+       return result;

+}

+

int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])

{

        if ((argc != 1)) {

@@ -156,8 +309,33 @@ int do_hab_status(cmd_tbl_t *cmdtp, int flag, int argc,

char * const argv[])

        return 0;

}

 

+static int do_authenticate_image(cmd_tbl_t *cmdtp, int flag, int argc,

+                               char * const argv[])

+{

+       ulong   addr, ivt_offset;

+       int     rcode = 0;

+

+       if (argc < 3)

+               return CMD_RET_USAGE;

+

+       addr = simple_strtoul(argv[1], NULL, 16);

+       ivt_offset = simple_strtoul(argv[2], NULL, 16);

+

+       rcode = authenticate_image(addr, ivt_offset);

+

+       return rcode;

+}

+

U_BOOT_CMD(

                hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,

                "display HAB status",

                ""

          );

+

+U_BOOT_CMD(

+               hab_auth_img, 3, 1, do_authenticate_image,

+               "authenticate image via HAB",

+               "addr ivt_offset\n"

+               "addr - image hex address\n"

+               "ivt_offset - hex offset of IVT in the image"

+         );

diff --git a/arch/arm/cpu/armv7/mx6/soc.c b/arch/arm/cpu/armv7/mx6/soc.c

index 8aacdaf..4cb46a8 100644

--- a/arch/arm/cpu/armv7/mx6/soc.c

+++ b/arch/arm/cpu/armv7/mx6/soc.c

@@ -408,10 +408,25 @@ int board_postclk_init(void)

#ifndef CONFIG_SYS_DCACHE_OFF

void enable_caches(void)

{

+#if defined(CONFIG_SYS_ARM_CACHE_WRITETHROUGH)

+       enum dcache_option option = DCACHE_WRITETHROUGH;

+#else

+       enum dcache_option option = DCACHE_WRITEBACK;

+#endif

+

        /* Avoid random hang when download by usb */

        invalidate_dcache_all();

+

        /* Enable D-cache. I-cache is already enabled in start.S */

        dcache_enable();

+

+       /* Enable caching on OCRAM and ROM */

+       mmu_set_region_dcache_behaviour(ROMCP_ARB_BASE_ADDR,

+                                       ROMCP_ARB_END_ADDR,

+                                       option);

+       mmu_set_region_dcache_behaviour(IRAM_BASE_ADDR,

+                                       IRAM_SIZE,

+                                       option);

}

#endif

 

diff --git a/arch/arm/include/asm/arch-mx6/clock.h

b/arch/arm/include/asm/arch-mx6/clock.h

index 339c789..b7c36e5 100644

--- a/arch/arm/include/asm/arch-mx6/clock.h

+++ b/arch/arm/include/asm/arch-mx6/clock.h

@@ -2,6 +2,8 @@

  * (C) Copyright 2009

  * Stefano Babic, DENX Software Engineering, sba...@denx.de.

  *

+ * (C) Copyright 2014 Freescale Semiconductor, Inc.

+ *

  * SPDX-License-Identifier:    GPL-2.0+

  */

 

@@ -60,4 +62,8 @@ int enable_i2c_clk(unsigned char enable, unsigned i2c_num);

int enable_spi_clk(unsigned char enable, unsigned spi_num);

void enable_ipu_clock(void);

int enable_fec_anatop_clock(enum enet_freq freq);

+#ifdef CONFIG_SECURE_BOOT

+void hab_caam_clock_enable(void);

+void hab_caam_clock_disable(void);

+#endif

#endif /* __ASM_ARCH_CLOCK_H */

diff --git a/arch/arm/include/asm/arch-mx6/sys_proto.h

b/arch/arm/include/asm/arch-mx6/sys_proto.h

index 306d699..2bbb86e 100644

--- a/arch/arm/include/asm/arch-mx6/sys_proto.h

+++ b/arch/arm/include/asm/arch-mx6/sys_proto.h

@@ -2,6 +2,8 @@

  * (C) Copyright 2009

  * Stefano Babic, DENX Software Engineering, sba...@denx.de.

  *

+ * (C) Copyright 2014 Freescale Semiconductor, Inc.

+ *

  * SPDX-License-Identifier:    GPL-2.0+

  */

 

@@ -11,7 +13,7 @@

#include <asm/imx-common/regs-common.h>

#include "../arch-imx/cpu.h"

 

-#define soc_rev() (get_cpu_rev() & 0xFF)

+#define soc_rev() ((int)(get_cpu_rev() & 0xFF))

#define is_soc_rev(rev)        (soc_rev() - rev)

 

u32 get_nr_cpus(void);

--

1.7.9.5

 

 

Regards

Outcomes