authorSascha Hauer <s.hauer@pengutronix.de>2016-02-08 08:26:35 +0100
committerSascha Hauer <s.hauer@pengutronix.de>2016-02-08 08:26:35 +0100
commit6435fb09d8af3aeae7c6f8428f5e7ade15aca6f5 (patch)
tree47688a764f75d4c90ef2f233e214bea2d3110ffb /arch
parent129fb7d893a067232b28a471c4d24a0638404c95 (diff)
parent1db47f7616b1b9940e34c9b1d3ba17de36e957a0 (diff)
Merge branch 'for-next/hab'
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/Makefile2
-rw-r--r--arch/arm/mach-imx/Kconfig34
-rw-r--r--arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h43
-rw-r--r--arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h44
4 files changed, 122 insertions, 1 deletions
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index 9ce16b9006..5ccdb83dc7 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -222,7 +222,7 @@ KBUILD_IMAGE := barebox.kwb barebox.kwbuart
endif
barebox.imximg: $(KBUILD_BINARY) FORCE
- $(call if_changed,imx_image)
+ $(call if_changed,imx_image,$(CFG_$(@F)),)
boarddir = $(srctree)/arch/arm/boards
imxcfg-$(CONFIG_MACH_FREESCALE_MX53_SMD) += $(boarddir)/freescale-mx53-smd/flash-header.imxcfg
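Review bot: The two extra arguments on the new `$(call if_changed,imx_image,$(CFG_$(@F)),)` line are undocumented, and the trailing empty third argument in particular reads like a typo. `cmd_imx_image` is defined outside this hunk, so what it does with `$(2)` and `$(3)` cannot be checked here. A one-line comment above the recipe such as `# $(2): flash header config for this image, $(3): extra imx-image options (none here)` would make the intent clear, assuming that is what the arguments mean. It is also worth confirming that `CFG_barebox.imximg` is always set, since an unset variable would silently expand to an empty config argument.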
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 3f6dd7743e..c631c33cf3 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -66,6 +66,12 @@ config ARCH_IMX_IMXIMAGE
help
if enabled the imx-image tool is compiled
+config ARCH_IMX_IMXIMAGE_SSL_SUPPORT
+ bool
+ help
+ This enables SSL support for the imx-image tool. This is required
+ for created images for HABv3. This adds openssl to the build dependencies
+
config ARCH_IMX_XLOAD
bool
depends on ARCH_IMX51
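Review bot: The help text of `ARCH_IMX_IMXIMAGE_SSL_SUPPORT` is hard to read: "This is required for created images for HABv3" presumably means `This is required for creating images for HABv3.`, and the last sentence lacks its full stop. Since the symbol has no prompt, this help is only ever read in the source, so it could also name who is expected to select it (in this commit only `HABV3` does).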
@@ -695,8 +701,12 @@ config IMX_OCOTP_WRITE
mw -l -d /dev/imx-ocotp 0x8C 0x00001234
mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
+config HAB
+ bool
+
config HABV4
tristate "HABv4 support"
+ select HAB
depends on ARCH_IMX6
help
High Assurance Boot, as found on i.MX28/i.MX6.
@@ -735,6 +745,30 @@ config HABV4_IMG_CRT_PEM
endif
+config HABV3
+ tristate "HABv3 support"
+ select HAB
+ select ARCH_IMX_IMXIMAGE_SSL_SUPPORT
+ depends on ARCH_IMX25
+ help
+ High Assurance Boot, as found on i.MX25.
+
+if HABV3
+
+config HABV3_SRK_PEM
+ string "Path to SRK Certificate (PEM)"
+ default "../crts/SRK1_sha256_2048_65537_v3_ca_x509_crt.pem"
+
+config HABV3_CSF_CRT_DER
+ string "Path to CSF certificate"
+ default "../crts/CSF1_1_sha256_2048_65537_v3_ca_crt.der"
+
+config HABV3_IMG_CRT_DER
+ string "Path to IMG certificate"
+ default "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.der"
+
+endif
+
endmenu
endif
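Review bot: The three new path options (`HABV3_SRK_PEM`, `HABV3_CSF_CRT_DER`, `HABV3_IMG_CRT_DER`) have no help text, and their defaults are relative paths starting with `../crts/`, so it is not stated which directory they are resolved against. For signing material that ambiguity matters: a build run from a different directory could pick up a different certificate or fail late. I would add a `help` to each, for example `Path to the SRK certificate in PEM format, relative to <base directory, to be filled in>.`, and state whether only public certificates are read from these paths; that depends on the imx-image tool, which is outside this diff. The prompts could also name the format consistently, as only the SRK prompt says "(PEM)" while the other two symbols expect DER.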
diff --git a/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
new file mode 100644
index 0000000000..4b81d49203
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv3-imx25-gencsf.h
@@ -0,0 +1,43 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_SRK_PEM
+ * CONFIG_HABV3_IMG_CRT_PEM
+ */
+super_root_key CONFIG_HABV3_SRK_PEM
+
+hab [Header]
+hab Version = 3.0
+hab Security Configuration = Engineering
+hab Hash Algorithm = SHA256
+hab Engine = RTIC
+hab Certificate Format = WTLS
+hab Signature Format = PKCS1
+hab UID = Generic
+hab Code = 0x00
+
+hab [Install SRK]
+hab File = "not-used"
+
+hab [Install CSFK]
+hab File = CONFIG_HABV3_CSF_CRT_DER
+
+hab [Authenticate CSF]
+/* below is the command that unlock the access to the DryIce registers */
+
+hab [Write Data]
+hab Width = 4
+hab Address Data = 0x53FFC03C 0xCA693569
+
+hab [Install Key]
+hab Verification index = 1
+hab Target index = 2
+hab File = CONFIG_HABV3_IMG_CRT_DER
+
+hab [Authenticate Data]
+hab Verification index = 2
+
+hab_blocks
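Review bot: The header comment at the top of this new file lists the wrong config variables: `CONFIG_HABV3_SRK_PEM` appears twice and `CONFIG_HABV3_IMG_CRT_PEM` is not used anywhere, while the body uses `CONFIG_HABV3_CSF_CRT_DER` and `CONFIG_HABV3_IMG_CRT_DER`. The list should read `CONFIG_HABV3_SRK_PEM`, `CONFIG_HABV3_CSF_CRT_DER`, `CONFIG_HABV3_IMG_CRT_DER`, matching the Kconfig symbols added in this commit. Two settings would also benefit from a comment: `Security Configuration = Engineering` should say whether it is meant to stay that way for production-signed images, and the `[Write Data]` command that unlocks DryIce register access (`0x53FFC03C 0xCA693569`) should say why every signed image needs it.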
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
new file mode 100644
index 0000000000..1a143a8b18
--- /dev/null
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
@@ -0,0 +1,44 @@
+/*
+ * This snippet can be included from a i.MX flash header configuration
+ * file for generating signed images. The necessary keys/certificates
+ * are expected in these config variables:
+ *
+ * CONFIG_HABV4_TABLE_BIN
+ * CONFIG_HABV4_CSF_CRT_PEM
+ * CONFIG_HABV4_IMG_CRT_PEM
+ */
+
+hab [Header]
+hab Version = 4.1
+hab Hash Algorithm = sha256
+hab Engine Configuration = 0
+hab Certificate Format = X509
+hab Signature Format = CMS
+hab Engine = CAAM
+
+hab [Install SRK]
+hab File = CONFIG_HABV4_TABLE_BIN
+hab # SRK index within SRK-Table 0..3
+hab Source index = 0
+
+hab [Install CSFK]
+hab File = CONFIG_HABV4_CSF_CRT_PEM
+
+hab [Authenticate CSF]
+
+hab [Unlock]
+hab Engine = CAAM
+hab Features = RNG
+
+hab [Install Key]
+/* verification key index in key store (0, 2...5) */
+hab Verification index = 0
+/* target key index in key store (2...5) */
+hab Target index = 2
+hab File = CONFIG_HABV4_IMG_CRT_PEM
+
+hab [Authenticate Data]
+/* verification key index in key store (2...5) */
+hab Verification index = 2
+
+hab_blocks \ No newline at end of file
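Review bot: `Source index = 0` in `[Install SRK]` is hard-coded, so every image built from this snippet is tied to the first key of the SRK table. The comment on the line above already notes that the index can be 0..3; if a key ever has to be retired, switching to another one means editing this shared header. Consider taking the index from a Kconfig symbol in the same way as the three certificate paths. Smaller points: the `hab # SRK index within SRK-Table 0..3` line appears to pass a `#` comment through to the generated CSF while the rest of the file uses `/* */`, and the file ends without a trailing newline.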