* [PATCH 1/3] scripts: imx-image: document -d, -e, -s, -u
@ 2019-06-04 16:53 Bastian Krause
2019-06-04 16:53 ` [PATCH 2/3] doc: boards: imx: document image creation Bastian Krause
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Bastian Krause @ 2019-06-04 16:53 UTC (permalink / raw)
To: barebox; +Cc: Bastian Krause
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
scripts/imx/imx-image.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index a7f1421fa3..90be8a9b9b 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c
@@ -363,6 +363,15 @@ static void usage(const char *prgname)
"-b add barebox header to image. If used, barebox recognizes\n"
" the image as regular barebox image which can be used as\n"
" second stage image\n"
+ "-d write DCD table only\n"
+ "-e prepare image for encryption and use Freescale's Code Signing\n"
+ " to encrypt image. Note that the device-specific encapsulated\n"
+ " DEK as cryptgraphic blob needs to be appended afterwards\n"
+ "-s use Freescale's Code Signing Tool (CST) to sign the image\n"
+ " 'cst' is expected to be in PATH or given via the environment\n"
+ " variable 'CST'\n"
+ "-u create USB image suitable for imx-usb-loader\n"
+ " necessary for signed images (-s) only\n"
"-h this help\n", prgname);
exit(1);
}
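Review bot: in the new `-e` help text, "cryptgraphic" is misspelled and "Freescale's Code Signing" drops the word "Tool", while the `-s` entry directly below spells out "Code Signing Tool (CST)". Suggest "use Freescale's Code Signing Tool (CST) to encrypt image" and "DEK as cryptographic blob". The `-e` entry also does not say whether the lookup via PATH or the 'CST' environment variable described under `-s` applies to it as well; a short cross-reference would settle that.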
--
2.20.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
* [PATCH 2/3] doc: boards: imx: document image creation
From: Bastian Krause @ 2019-06-04 16:53 UTC (permalink / raw)
To: barebox; +Cc: Bastian Krause
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Documentation/boards/imx.rst | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst
index 27d0123c87..abd9c76151 100644
--- a/Documentation/boards/imx.rst
+++ b/Documentation/boards/imx.rst
@@ -31,6 +31,21 @@ the i.MX images are generated with the ``scripts/imx/imx-image`` tool.
Normally it's not necessary to call this tool manually, it is executed
automatically at the end of the build process.
+Required entries for an i.MX image in ``images/Makefile.imx`` are for example:
+
+.. code-block:: none
+
+ pblb-$(CONFIG_MACH_MYBOARD) += start_imx6dl_myboard
+ CFG_start_imx6dl_myboard.pblb.imximg = $(board)/myboard/flash-header-imx6dl-myboard.imxcfg
+ FILE_barebox-imx6dl-myboard.img = start_imx6dl_myboard.pblb.imximg
+ image-$(CONFIG_MACH_MYBOARD) += barebox-imx6dl-myboard.img
+
+The first line defines the entry function of the pre-bootloader.
+This function must be defined in the board's ``lowlevel.c``.
+The second line describes the flash header to be used for the image, which is
+then compiled into an imximg file.
+The prebootloader is then added to the final barebox image.
+
The images generated by the build process can be directly written to an
SD card:
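Review bot: the explanatory paragraph covers "the first line" and "the second line" of the Makefile example but never names the third and fourth (`FILE_barebox-imx6dl-myboard.img` and `image-$(CONFIG_MACH_MYBOARD)`); the closing sentence only hints at them. Suggest one sentence per line so that someone adding a board can map each entry to its purpose. The text also switches between "pre-bootloader" and "prebootloader"; pick one spelling. "Required entries ... are for example:" reads awkwardly, and something like "A typical set of entries ... looks like this:" would be clearer.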
--
2.20.1
* [PATCH 3/3] doc: boards: imx: add HAB section
From: Bastian Krause @ 2019-06-04 16:53 UTC (permalink / raw)
To: barebox; +Cc: Bastian Krause
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Documentation/boards/imx.rst | 59 ++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst
index abd9c76151..ba0a3b7988 100644
--- a/Documentation/boards/imx.rst
+++ b/Documentation/boards/imx.rst
@@ -83,6 +83,65 @@ The images can also always be started as second stage on the target:
barebox@Board Name:/ bootm /mnt/tftp/barebox-freescale-imx51-babbage.img
+High Assurance Boot
+^^^^^^^^^^^^^^^^^^^
+
+HAB is a NXP ROM code feature which is able to authenticate software in
+external memory at boot time.
+This is done by verifying signatures as defined in the Command Sequence FILE
+(CSF) as compiled into the i.MX boot header.
+
+barebox supports generating signed images, signed USB images suitable for
+*imx-usb-loader* and encrypted images.
+
+In contrast to normal (unsigned) images booting signed images via
+imx-usb-loader requires special images:
+DCD data is invalidated (DCD pointer set to zero), the image is then signed and
+afterwards the DCD pointer is set to the DCD data again (practically making
+the signature invalid).
+This works because the imx-usb-loader transmits the DCD table setup prior to
+the actual image to set up the RAM in order to load the barebox image.
+Now the DCD pointer is set to zero (making the signature valid again) and the
+image is loaded and verified by the ROM code.
+
+Note that the device-specific Data Encryption Key (DEK) blob needs to be
+appended to the image after the build process for appropriately encrypted
+images.
+
+In order to generate these special image types barebox is equipped with
+corresponding static pattern rules in ``images/Makefile.imx``.
+Unlike the typical ``imximg`` file extension the following ones are used for
+these cases:
+
+* ``simximg``: generate signed image
+* ``usimximg``: generate signed USB image
+* ``esimximg``: generate encrypted and signed image
+
+The imx-image tool is then automatically called with the appropriate flags
+during image creation.
+This again calls Freescale's Code Signing Tool (CST) which must be installed in
+the path or given via the environment variable "CST".
+
+Assuming ``CONFIG_HAB`` and ``CONFIG_HABV4`` are enabled the necessary
+keys/certificates are expected in these config variables (assuming HABv4):
+
+.. code-block:: none
+
+ CONFIG_HABV4_TABLE_BIN
+ CONFIG_HABV4_CSF_CRT_PEM
+ CONFIG_HABV4_IMG_CRT_PEM
+
+A CSF template is located in
+``arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h`` which is preprocessed
+by barebox.
+It must be included in the board's flash header:
+
+.. code-block:: none
+
+ #include <mach/habv4-imx6-gencsf.h>
+
+Analogous to HABv4 options and a template exist for HABv3.
+
Using GPT on i.MX
^^^^^^^^^^^^^^^^^
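Review bot: the imx-usb-loader paragraph does not say who performs the final step. "Now the DCD pointer is set to zero (making the signature valid again)" follows a sentence about imx-usb-loader transmitting the DCD table, but which component clears the pointer before the ROM code verifies the image is left implicit. Since the text itself says the stored USB image ends up with the DCD pointer restored, "practically making the signature invalid", spell out the sequence and the actor for each step so that the file on disk is not mistaken for a validly signed image.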
--
2.20.1
* Re: [PATCH 3/3] doc: boards: imx: add HAB section
From: Ulrich Ölmann @ 2019-06-05 9:20 UTC (permalink / raw)
To: barebox; +Cc: Bastian Krause
On Tue, Jun 04 2019 at 18:53 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
> Documentation/boards/imx.rst | 59 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 59 insertions(+)
>
> diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst
> index abd9c76151..ba0a3b7988 100644
> --- a/Documentation/boards/imx.rst
> +++ b/Documentation/boards/imx.rst
> @@ -83,6 +83,65 @@ The images can also always be started as second stage on the target:
>
> barebox@Board Name:/ bootm /mnt/tftp/barebox-freescale-imx51-babbage.img
>
> +High Assurance Boot
> +^^^^^^^^^^^^^^^^^^^
> +
> +HAB is a NXP ROM code feature which is able to authenticate software in
s/a NXP/an NXP/
> +external memory at boot time.
> +This is done by verifying signatures as defined in the Command Sequence FILE
s/FILE/File/ ?
Best regards
Ulrich
> +(CSF) as compiled into the i.MX boot header.
> +
> +barebox supports generating signed images, signed USB images suitable for
> +*imx-usb-loader* and encrypted images.
> +
> +In contrast to normal (unsigned) images booting signed images via
> +imx-usb-loader requires special images:
> +DCD data is invalidated (DCD pointer set to zero), the image is then signed and
> +afterwards the DCD pointer is set to the DCD data again (practically making
> +the signature invalid).
> +This works because the imx-usb-loader transmits the DCD table setup prior to
> +the actual image to set up the RAM in order to load the barebox image.
> +Now the DCD pointer is set to zero (making the signature valid again) and the
> +image is loaded and verified by the ROM code.
> +
> +Note that the device-specific Data Encryption Key (DEK) blob needs to be
> +appended to the image after the build process for appropriately encrypted
> +images.
> +
> +In order to generate these special image types barebox is equipped with
> +corresponding static pattern rules in ``images/Makefile.imx``.
> +Unlike the typical ``imximg`` file extension the following ones are used for
> +these cases:
> +
> +* ``simximg``: generate signed image
> +* ``usimximg``: generate signed USB image
> +* ``esimximg``: generate encrypted and signed image
> +
> +The imx-image tool is then automatically called with the appropriate flags
> +during image creation.
> +This again calls Freescale's Code Signing Tool (CST) which must be installed in
> +the path or given via the environment variable "CST".
> +
> +Assuming ``CONFIG_HAB`` and ``CONFIG_HABV4`` are enabled the necessary
> +keys/certificates are expected in these config variables (assuming HABv4):
> +
> +.. code-block:: none
> +
> + CONFIG_HABV4_TABLE_BIN
> + CONFIG_HABV4_CSF_CRT_PEM
> + CONFIG_HABV4_IMG_CRT_PEM
> +
> +A CSF template is located in
> +``arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h`` which is preprocessed
> +by barebox.
> +It must be included in the board's flash header:
> +
> +.. code-block:: none
> +
> + #include <mach/habv4-imx6-gencsf.h>
> +
> +Analogous to HABv4 options and a template exist for HABv3.
> +
> Using GPT on i.MX
> ^^^^^^^^^^^^^^^^^
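Review bot: the three `CONFIG_HABV4_*` variables are listed without saying what each one must point to, and the closing sentence "Analogous to HABv4 options and a template exist for HABv3." is ungrammatical and names neither the HABv3 options nor the template file. Suggest a one-line description per variable, and rewording the last sentence to "Analogous options and a template exist for HABv3" with the names given. The DEK paragraph likewise says the blob must be appended "after the build process" without saying how or with which tool.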
--
Pengutronix e.K. | Ulrich Ölmann |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [PATCH 1/3] scripts: imx-image: document -d, -e, -s, -u
From: Sascha Hauer @ 2019-06-07 6:40 UTC (permalink / raw)
To: Bastian Krause; +Cc: barebox
On Tue, Jun 04, 2019 at 06:53:06PM +0200, Bastian Krause wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> ---
> scripts/imx/imx-image.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
Applied, thanks
Sascha
>
> diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
> index a7f1421fa3..90be8a9b9b 100644
> --- a/scripts/imx/imx-image.c
> +++ b/scripts/imx/imx-image.c
> @@ -363,6 +363,15 @@ static void usage(const char *prgname)
> "-b add barebox header to image. If used, barebox recognizes\n"
> " the image as regular barebox image which can be used as\n"
> " second stage image\n"
> + "-d write DCD table only\n"
> + "-e prepare image for encryption and use Freescale's Code Signing\n"
> + " to encrypt image. Note that the device-specific encapsulated\n"
> + " DEK as cryptgraphic blob needs to be appended afterwards\n"
> + "-s use Freescale's Code Signing Tool (CST) to sign the image\n"
> + " 'cst' is expected to be in PATH or given via the environment\n"
> + " variable 'CST'\n"
> + "-u create USB image suitable for imx-usb-loader\n"
> + " necessary for signed images (-s) only\n"
> "-h this help\n", prgname);
> exit(1);
> }
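Review bot: the second line of the `-u` entry, "necessary for signed images (-s) only", can be read either as "-u only has an effect together with -s" or as "a separate USB image is only needed when the image is signed". State which is meant, for example by saying explicitly that unsigned images need no `-u` for imx-usb-loader, if that is the intent. The `-d` entry ("write DCD table only") would also benefit from a few words on what the resulting file is used for.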
> --
> 2.20.1
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |