From b1dcb6a921a5922cd95fdaef72eabfe7ce3f4794 Mon Sep 17 00:00:00 2001 From: Rouven Czerwinski Date: Tue, 6 Aug 2019 07:10:58 +0200 Subject: scripts: imx: support signing for i.MX8MQ Implement signing of the PBL for i.MX8MQ. The imagesize is also modified to i.MX8MQ to only contain the PBL. This obsoletes the max_load_size, which is kept for other boards currently using it. Signed-off-by: Rouven Czerwinski Signed-off-by: Sascha Hauer --- images/Makefile.imx | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'images') diff --git a/images/Makefile.imx b/images/Makefile.imx index 42c194ba63..76beccb5d8 100644 --- a/images/Makefile.imx +++ b/images/Makefile.imx @@ -8,6 +8,14 @@ $(obj)/%.imximg: $(obj)/% FORCE $(call if_changed,imx_image,$(CFG_$(@F)),) +$(obj)/%.pimximg: $(obj)/% FORCE + $(call if_changed,imx_image,$(CFG_$(patsubst %.pimximg,%.imximg,$(@F))),\ + -p $($(patsubst $(obj)/%.pblb,PBL_MEMORY_SIZE_%,$<))) + +$(obj)/%.psimximg: $(obj)/% FORCE + $(call if_changed,imx_image,$(CFG_$(patsubst %.psimximg,%.imximg,$(@F))),-s \ + -p $($(patsubst $(obj)/%.pblb,PBL_MEMORY_SIZE_%,$<))) + $(obj)/%.simximg: $(obj)/% FORCE $(call if_changed,imx_image,$(CFG_$(patsubst %.simximg,%.imximg,$(@F))),-s) -- cgit v1.2.3 From 907a76d4eb2ad7e6850cc5fab1fa2cc8fb489aeb Mon Sep 17 00:00:00 2001 From: Rouven Czerwinski Date: Tue, 6 Aug 2019 07:10:59 +0200 Subject: images: always build sha256sum into pbl Create a sha256sum of the compressed barebox image and always add it to the PBL. We also add a custom linker section for ARM, to retrieve the sha256sum for piggydata verification. Signed-off-by: Rouven Czerwinski Signed-off-by: Sascha Hauer --- arch/arm/lib/pbl.lds.S | 7 +++++++ images/Makefile | 22 +++++++++++++++++++--- images/sha_sum.S | 7 +++++++ 3 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 images/sha_sum.S (limited to 'images') diff --git a/arch/arm/lib/pbl.lds.S b/arch/arm/lib/pbl.lds.S index d2f5ab23bd..01ed384495 100644 --- a/arch/arm/lib/pbl.lds.S +++ b/arch/arm/lib/pbl.lds.S @@ -68,6 +68,13 @@ SECTIONS . = ALIGN(4); .data : { *(.data*) } + . = ALIGN(4); + __shasum_start = .; + .shasum : { + KEEP(*(.shasum)) + } + __shasum_end = .; + .rel_dyn_start : { *(.__rel_dyn_start) } #ifdef CONFIG_CPU_32 .rel.dyn : { *(.rel*) } diff --git a/images/Makefile b/images/Makefile index 293e644319..907986e2d0 100644 --- a/images/Makefile +++ b/images/Makefile @@ -57,11 +57,12 @@ quiet_cmd_elf__ ?= LD $@ cmd_elf__ ?= $(LD) $(LDFLAGS_barebox) --gc-sections \ -e $(2) -Map $@.map $(LDFLAGS_$(@F)) -o $@ \ -T $(pbl-lds) \ - --start-group $(barebox-pbl-common) $(obj)/piggy.o --end-group + --start-group $(barebox-pbl-common) $(obj)/piggy.o \ + $(obj)/sha_sum.o --end-group PBL_CPPFLAGS += -fdata-sections -ffunction-sections -$(obj)/%.pbl: $(pbl-lds) $(barebox-pbl-common) $(obj)/piggy.o FORCE +$(obj)/%.pbl: $(pbl-lds) $(barebox-pbl-common) $(obj)/piggy.o $(obj)/sha_sum.o FORCE $(call if_changed,elf__,$(*F)) $(obj)/%.pblb: $(obj)/%.pbl FORCE @@ -111,6 +112,21 @@ suffix_$(CONFIG_IMAGE_COMPRESSION_NONE) = comp_copy $(obj)/piggy.o: $(obj)/barebox.z FORCE +$(obj)/sha_sum.o: $(obj)/barebox.sha.bin FORCE + +quiet_cmd_sha256bin ?= SHA-BIN $@ + cmd_sha256bin ?= printf "$(shell awk '{printf $$1}' < $(obj)/barebox.sum | sed -e 's/../\\x&/g' )" > $@ + +quiet_cmd_sha256sum ?= SHA $@ + cmd_sha256sum ?= sha256sum $(obj)/barebox.z > $@ + +$(obj)/barebox.sha.bin: $(obj)/barebox.sum FORCE + $(call if_changed,sha256bin) + +$(obj)/barebox.sum: $(obj)/barebox.z FORCE + $(call if_changed,sha256sum) + + # barebox.z - compressed barebox binary # ---------------------------------------------------------------- $(obj)/barebox.z: $(obj)/../barebox.bin FORCE @@ -152,7 +168,7 @@ ifneq ($(pblx-y)$(pblx-),) $(error pblx- has been removed. Please use pblb- instead.) endif -targets += $(image-y) pbl.lds barebox.x barebox.z piggy.o +targets += $(image-y) pbl.lds barebox.x barebox.z piggy.o sha_sum.o barebox.sha.bin barebox.sum targets += $(patsubst %,%.pblb,$(pblb-y)) targets += $(patsubst %,%.pbl,$(pblb-y)) targets += $(patsubst %,%.s,$(pblb-y)) diff --git a/images/sha_sum.S b/images/sha_sum.S new file mode 100644 index 0000000000..5928c206a8 --- /dev/null +++ b/images/sha_sum.S @@ -0,0 +1,7 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + .section .shasum,"a" + .globl sha_sum +sha_sum: + .incbin "images/barebox.sha.bin" + .globl sha_sum_end +sha_sum_end: -- cgit v1.2.3 From dd5dfb6ff467f6d640e48046acedfe435c649c94 Mon Sep 17 00:00:00 2001 From: Rouven Czerwinski Date: Tue, 6 Aug 2019 07:11:06 +0200 Subject: boards: nxp-mx8-evk: rework to different boot flow Rework the evk boot flow to use the new piggydata load function and install a trampoline for the TF-A setup. This allows the PBL boot process to stay in SRAM up until the verification of the piggydata is done and main barebox can be loaded. The trampoline loads 4 bytes right after the trampoline, we copy the runtime offset there so the trampoline jumps back into the SRAM PBL. Signed-off-by: Rouven Czerwinski Signed-off-by: Sascha Hauer --- arch/arm/boards/nxp-imx8mq-evk/Makefile | 4 +- .../nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg | 1 + arch/arm/boards/nxp-imx8mq-evk/lowlevel.c | 81 ++++++++++++---------- arch/arm/boards/nxp-imx8mq-evk/trampoline.S | 10 +++ images/Makefile.imx | 3 +- 5 files changed, 58 insertions(+), 41 deletions(-) create mode 100644 arch/arm/boards/nxp-imx8mq-evk/trampoline.S (limited to 'images') diff --git a/arch/arm/boards/nxp-imx8mq-evk/Makefile b/arch/arm/boards/nxp-imx8mq-evk/Makefile index 0546b0b078..7907de411f 100644 --- a/arch/arm/boards/nxp-imx8mq-evk/Makefile +++ b/arch/arm/boards/nxp-imx8mq-evk/Makefile @@ -1,4 +1,2 @@ obj-y += board.o -lwl-y += lowlevel.o ddr_init.o ddrphy_train.o - - +lwl-y += lowlevel.o ddr_init.o ddrphy_train.o trampoline.o diff --git a/arch/arm/boards/nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg b/arch/arm/boards/nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg index aff8321b9a..11463fe850 100644 --- a/arch/arm/boards/nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg +++ b/arch/arm/boards/nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg @@ -3,3 +3,4 @@ soc imx8mq loadaddr 0x007E1000 max_load_size 0x3F000 dcdofs 0x400 +#include diff --git a/arch/arm/boards/nxp-imx8mq-evk/lowlevel.c b/arch/arm/boards/nxp-imx8mq-evk/lowlevel.c index 6451e5d414..bc7827bf01 100644 --- a/arch/arm/boards/nxp-imx8mq-evk/lowlevel.c +++ b/arch/arm/boards/nxp-imx8mq-evk/lowlevel.c @@ -53,20 +53,29 @@ static void setup_uart(void) static void nxp_imx8mq_evk_sram_setup(void) { - enum bootsource src = BOOTSOURCE_UNKNOWN; - int instance = BOOTSOURCE_INSTANCE_UNKNOWN; - int ret = -ENOTSUPP; - ddr_init(); +} - imx8_get_boot_source(&src, &instance); +extern unsigned char trampoline_start[]; +extern unsigned char trampoline_end[]; - if (src == BOOTSOURCE_MMC) - ret = imx8_esdhc_start_image(instance); +static void nxp_imx8mq_evk_install_tfa_trampoline(void) +{ + unsigned int tramp_len; + unsigned int offset; + /* + * Create a trampoline which is places in DRAM and calls back into the + * PBL entry function found in the TCRAM. Register x0 is set to 1 to + * indicate that DRAM setup was already run. + */ + tramp_len = (void *)trampoline_end - (void *)trampoline_start; + memcpy((void *)MX8MQ_ATF_BL33_BASE_ADDR, (void *)trampoline_start, + tramp_len); - BUG_ON(ret); + offset = get_runtime_offset(); + memcpy((void *)MX8MQ_ATF_BL33_BASE_ADDR + tramp_len, &offset, + sizeof(offset)); } - /* * Power-on execution flow of start_nxp_imx8mq_evk() might not be * obvious for a very first read, so here's, hopefully helpful, @@ -75,53 +84,53 @@ static void nxp_imx8mq_evk_sram_setup(void) * 1. MaskROM uploads PBL into OCRAM and that's where this function is * executed for the first time * - * 2. DDR is initialized and full i.MX image is loaded to the - * beginning of RAM - * - * 3. start_nxp_imx8mq_evk, now in RAM, is executed again + * 2. DDR is initialized and the TF-A trampoline is installed in the + * DRAM. * - * 4. BL31 blob is uploaded to OCRAM and the control is transfer to it + * 3. TF-A is executed and exits into the trampoline in RAM, which enters the + * PBL for the second time. DRAM setup done is indicated by a one in register + * x0 by the trampoline * - * 5. BL31 exits EL3 into EL2 at address MX8MQ_ATF_BL33_BASE_ADDR, - * executing start_nxp_imx8mq_evk() the third time + * 4. The piggydata is loaded from the SD card and copied to the expected + * location in the DRAM. * - * 6. Standard barebox boot flow continues + * 5. Standard barebox boot flow continues */ ENTRY_FUNCTION(start_nxp_imx8mq_evk, r0, r1, r2) { + enum bootsource src = BOOTSOURCE_UNKNOWN; + int instance = BOOTSOURCE_INSTANCE_UNKNOWN; + int ret = -ENOTSUPP; + const u8 *bl31; + size_t bl31_size; + imx8mq_cpu_lowlevel_init(); if (IS_ENABLED(CONFIG_DEBUG_LL)) setup_uart(); - if (get_pc() < MX8MQ_DDR_CSD1_BASE_ADDR) { - /* - * We assume that we were just loaded by MaskROM into - * SRAM if we are not running from DDR. We also assume - * that means DDR needs to be initialized for the - * first time. - */ - nxp_imx8mq_evk_sram_setup(); - } /* - * Straight from the power-on we are at EL3, so the following - * code _will_ load and jump to ATF. - * - * However when we are re-executed upon exit from ATF's - * initialization routine, it is EL2 which means we'll skip - * loadting ATF blob again + * if register r0 does not contain 1, we are running for the first time + * and need to initialize the DRAM, install the trampoline and run TF-A + * (BL31). + * Otherwise the 1 indicates that the DRAM setup and trampoline are + * already installed and TF-A has been run. In this case we can skip */ if (current_el() == 3) { - const u8 *bl31; - size_t bl31_size; - + nxp_imx8mq_evk_sram_setup(); + nxp_imx8mq_evk_install_tfa_trampoline(); get_builtin_firmware(imx8mq_bl31_bin, &bl31, &bl31_size); imx8mq_atf_load_bl31(bl31, bl31_size); } + imx8_get_boot_source(&src, &instance); + + if (src == BOOTSOURCE_MMC) + ret = imx8_esdhc_load_piggy(instance); + else + BUG_ON(ret); /* * Standard entry we hit once we initialized both DDR and ATF */ imx8mq_barebox_entry(__dtb_imx8mq_evk_start); } - diff --git a/arch/arm/boards/nxp-imx8mq-evk/trampoline.S b/arch/arm/boards/nxp-imx8mq-evk/trampoline.S new file mode 100644 index 0000000000..54a1b76518 --- /dev/null +++ b/arch/arm/boards/nxp-imx8mq-evk/trampoline.S @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: (GPL-2.0) */ +#include +#include + .section .trampoline,"a" + .globl trampoline_start +trampoline_start: + ldr w19, trampoline_end + br x19 + .globl trampoline_end +trampoline_end: diff --git a/images/Makefile.imx b/images/Makefile.imx index 76beccb5d8..0fd1fe159b 100644 --- a/images/Makefile.imx +++ b/images/Makefile.imx @@ -582,8 +582,7 @@ image-$(CONFIG_MACH_ZII_IMX7D_DEV) += barebox-zii-imx7d-dev.img # ----------------------- i.MX8mq based boards -------------------------- pblb-$(CONFIG_MACH_NXP_IMX8MQ_EVK) += start_nxp_imx8mq_evk CFG_start_nxp_imx8mq_evk.pblb.imximg = $(board)/nxp-imx8mq-evk/flash-header-imx8mq-evk.imxcfg -MAX_PBL_MEMORY_SIZE_start_nxp_imx8mq_evk = 0x3f000 -FILE_barebox-nxp-imx8mq-evk.img = start_nxp_imx8mq_evk.pblb.imximg +FILE_barebox-nxp-imx8mq-evk.img = start_nxp_imx8mq_evk.pblb.pimximg image-$(CONFIG_MACH_NXP_IMX8MQ_EVK) += barebox-nxp-imx8mq-evk.img pblb-$(CONFIG_MACH_ZII_IMX8MQ_DEV) += start_zii_imx8mq_dev -- cgit v1.2.3