arm: mxs: Add support for generating signed BootStream

This patch adds the groundwork for generating signed BootStream, which can be used by the HAB library in i.MX28. We are adding a new target, u-boot-signed.sb , since the process for generating regular non-signed BootStream is much easier. Moreover, the signed bootstream depends on external _proprietary_ _binary-only_ tool from Freescale called 'cst', which is available only under NDA. To make things even uglier, the CST or HAB mandates a kind-of circular dependency. The problem is, unlike the regular IVT, which is generated by mxsimage, the IVT for signed boot must be generated by hand here due to special demands of the CST. The U-Boot binary (or SPL binary) and IVT are then signed by the CST as a one block. But here is the problem. The size of the entire image (U-Boot, IVT, CST blocks) must be appended at the end of IVT. But the size of the entire image is not known until the CST has finished signing the U-Boot and IVT. We solve this by expecting the CST block to be always 3904B (which it is in case two files, U-Boot and the hand-made IVT, are signed in the CST block). Signed-off-by: Marek Vasut <marex@denx.de> Cc: Stefano Babic <sbabic@denx.de>

arm: mxs: Add support for generating signed BootStream
This patch adds the groundwork for generating signed BootStream, which can be used by the HAB library in i.MX28. We are adding a new target, u-boot-signed.sb , since the process for generating regular non-signed BootStream is much easier. Moreover, the signed bootstream depends on external _proprietary_ _binary-only_ tool from Freescale called 'cst', which is available only under NDA. To make things even uglier, the CST or HAB mandates a kind-of circular dependency. The problem is, unlike the regular IVT, which is generated by mxsimage, the IVT for signed boot must be generated by hand here due to special demands of the CST. The U-Boot binary (or SPL binary) and IVT are then signed by the CST as a one block. But here is the problem. The size of the entire image (U-Boot, IVT, CST blocks) must be appended at the end of IVT. But the size of the entire image is not known until the CST has finished signing the U-Boot and IVT. We solve this by expecting the CST block to be always 3904B (which it is in case two files, U-Boot and the hand-made IVT, are signed in the CST block). Signed-off-by: Marek Vasut <marex@denx.de> Cc: Stefano Babic <sbabic@denx.de>
Marek Vasut · Stefano Babic
1 parent 1cad23c5f4
Showing 3 changed files with 72 additions and 0 deletions Side-by-side Diff
Makefile
arch/arm/cpu/arm926ejs/mxs/Makefile
arch/arm/cpu/arm926ejs/mxs/mxsimage-signed.cfg
@@ -848,6 +848,8 @@
 u-boot.ais: spl/u-boot-spl.ais u-boot.img FORCE
 	$(call if_changed,pad_cat)
  
+u-boot-signed.sb: u-boot.bin spl/u-boot-spl.bin
+	$(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs u-boot-signed.sb
 u-boot.sb: u-boot.bin spl/u-boot-spl.bin
 	$(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs u-boot.sb
  
@@ -17,10 +17,70 @@
 MKIMAGE_TARGET-$(CONFIG_MX23) = mxsimage.mx23.cfg
 MKIMAGE_TARGET-$(CONFIG_MX28) = mxsimage.mx28.cfg
  
+# Generate HAB-capable IVT
+#
+# Note on computing the post-IVT size field value for the U-Boot binary.
+# The value is the result of adding the following:
+#  -> The size of U-Boot binary aligned to 64B (u-boot.bin)
+#  -> The size of IVT block aligned to 64B (u-boot.ivt)
+#  -> The size of U-Boot signature (u-boot.sig), 3904 B
+#  -> The 64B hole in front of U-Boot binary for 'struct mxs_spl_data' passing
+#
+quiet_cmd_mkivt_mxs = MXSIVT  $@
+cmd_mkivt_mxs =								\
+	sz=`expr \`stat -c "%s" $^\` + 64 + 3904 + 128` ;		\
+	echo -n "0x402000d1 $2 0 0 0 $3 $4 0 $$sz 0 0 0 0 0 0 0" |	\
+	tr -s " " | xargs -d " " -i printf "%08x\n" "{}" | rev |	\
+	sed "s/\(.\)\(.\)/\\\\\\\\x\2\1\n/g" | xargs -i printf "{}" >$@
+
+# Align binary to 64B
+quiet_cmd_mkalign_mxs = MXSALGN $@
+cmd_mkalign_mxs =							\
+	dd if=$^ of=$@ ibs=64 conv=sync 2>/dev/null &&			\
+	mv $@ $^
+
+# Assemble the CSF file
+quiet_cmd_mkcsfreq_mxs = MXSCSFR $@
+cmd_mkcsfreq_mxs =							\
+	ivt=$(word 1,$^) ;						\
+	bin=$(word 2,$^) ;						\
+	csf=$(word 3,$^) ;						\
+	sed "s@VENDOR@$(VENDOR)@g;s@BOARD@$(BOARD)@g" "$$csf" |		\
+		sed '/^\#\#Blocks/ d' > $@ ;				\
+	echo "  Blocks = $2 0x0 `stat -c '%s' $$bin` \"$$bin\" , \\" >> $@ ; \
+	echo "           $3 0x0 0x40 \"$$ivt\"" >> $@
+
+# Sign files
+quiet_cmd_mkcst_mxs = MXSCST  $@
+cmd_mkcst_mxs = cst -o $@ < $^						\
+	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
+
+spl/u-boot-spl.ivt: spl/u-boot-spl.bin
+	$(call if_changed,mkalign_mxs)
+	$(call if_changed,mkivt_mxs,$(CONFIG_SPL_TEXT_BASE),\
+		0x00008000,0x00008040)
+
+u-boot.ivt: u-boot.bin
+	$(call if_changed,mkalign_mxs)
+	$(call if_changed,mkivt_mxs,$(CONFIG_SYS_TEXT_BASE),\
+		0x40001000,0x40001040)
+
+spl/u-boot-spl.csf: spl/u-boot-spl.ivt spl/u-boot-spl.bin board/$(VENDOR)/$(BOARD)/sign/u-boot-spl.csf
+	$(call if_changed,mkcsfreq_mxs,$(CONFIG_SPL_TEXT_BASE),0x8000)
+
+u-boot.csf: u-boot.ivt u-boot.bin board/$(VENDOR)/$(BOARD)/sign/u-boot.csf
+	$(call if_changed,mkcsfreq_mxs,$(CONFIG_SYS_TEXT_BASE),0x40001000)
+
+%.sig: %.csf
+	$(call if_changed,mkcst_mxs)
+
 quiet_cmd_mkimage_mxs = UIMAGE  $@
 cmd_mkimage_mxs = $(objtree)/tools/mkimage -n $< -T mxsimage $@ \
 	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
  
 u-boot.sb: $(src)/$(MKIMAGE_TARGET-y) u-boot.bin spl/u-boot-spl.bin FORCE
+	$(call if_changed,mkimage_mxs)
+
+u-boot-signed.sb: $(src)/mxsimage-signed.cfg u-boot.ivt u-boot.sig spl/u-boot-spl.ivt spl/u-boot-spl.sig FORCE
 	$(call if_changed,mkimage_mxs)
+SECTION 0x0 BOOTABLE
+ TAG LAST
+ LOAD     0x1000     spl/u-boot-spl.bin
+ LOAD     0x8000     spl/u-boot-spl.ivt
+ LOAD     0x8040     spl/u-boot-spl.sig
+ CALL HAB 0x8000     0x0
+ LOAD     0x40002000 u-boot.bin
+ LOAD     0x40001000 u-boot.ivt
+ LOAD     0x40001040 u-boot.sig
+ CALL HAB 0x40001000 0x0
...	...	@@ -848,6 +848,8 @@
848	848	u-boot.ais: spl/u-boot-spl.ais u-boot.img FORCE
849	849	$(call if_changed,pad_cat)
850	850
	851	+u-boot-signed.sb: u-boot.bin spl/u-boot-spl.bin
	852	+ $(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs u-boot-signed.sb
851	853	u-boot.sb: u-boot.bin spl/u-boot-spl.bin
852	854	$(Q)$(MAKE) $(build)=arch/arm/cpu/arm926ejs/mxs u-boot.sb
853	855
...	...	@@ -17,10 +17,70 @@
17	17	MKIMAGE_TARGET-$(CONFIG_MX23) = mxsimage.mx23.cfg
18	18	MKIMAGE_TARGET-$(CONFIG_MX28) = mxsimage.mx28.cfg
19	19
	20	+# Generate HAB-capable IVT
	21	+#
	22	+# Note on computing the post-IVT size field value for the U-Boot binary.
	23	+# The value is the result of adding the following:
	24	+# -> The size of U-Boot binary aligned to 64B (u-boot.bin)
	25	+# -> The size of IVT block aligned to 64B (u-boot.ivt)
	26	+# -> The size of U-Boot signature (u-boot.sig), 3904 B
	27	+# -> The 64B hole in front of U-Boot binary for 'struct mxs_spl_data' passing
	28	+#
	29	+quiet_cmd_mkivt_mxs = MXSIVT $@
	30	+cmd_mkivt_mxs = \
	31	+ sz=`expr \`stat -c "%s" $^\` + 64 + 3904 + 128` ; \
	32	+ echo -n "0x402000d1 $2 0 0 0 $3 $4 0 $$sz 0 0 0 0 0 0 0" \| \
	33	+ tr -s " " \| xargs -d " " -i printf "%08x\n" "{}" \| rev \| \
	34	+ sed "s/\(.\)\(.\)/\\\\\\\\x\2\1\n/g" \| xargs -i printf "{}" >$@
	35	+
	36	+# Align binary to 64B
	37	+quiet_cmd_mkalign_mxs = MXSALGN $@
	38	+cmd_mkalign_mxs = \
	39	+ dd if=$^ of=$@ ibs=64 conv=sync 2>/dev/null && \
	40	+ mv $@ $^
	41	+
	42	+# Assemble the CSF file
	43	+quiet_cmd_mkcsfreq_mxs = MXSCSFR $@
	44	+cmd_mkcsfreq_mxs = \
	45	+ ivt=$(word 1,$^) ; \
	46	+ bin=$(word 2,$^) ; \
	47	+ csf=$(word 3,$^) ; \
	48	+ sed "s@VENDOR@$(VENDOR)@g;s@BOARD@$(BOARD)@g" "$$csf" \| \
	49	+ sed '/^\#\#Blocks/ d' > $@ ; \
	50	+ echo " Blocks = $2 0x0 `stat -c '%s' $$bin` \"$$bin\" , \\" >> $@ ; \
	51	+ echo " $3 0x0 0x40 \"$$ivt\"" >> $@
	52	+
	53	+# Sign files
	54	+quiet_cmd_mkcst_mxs = MXSCST $@
	55	+cmd_mkcst_mxs = cst -o $@ < $^ \
	56	+ $(if $(KBUILD_VERBOSE:1=), >/dev/null)
	57	+
	58	+spl/u-boot-spl.ivt: spl/u-boot-spl.bin
	59	+ $(call if_changed,mkalign_mxs)
	60	+ $(call if_changed,mkivt_mxs,$(CONFIG_SPL_TEXT_BASE),\
	61	+ 0x00008000,0x00008040)
	62	+
	63	+u-boot.ivt: u-boot.bin
	64	+ $(call if_changed,mkalign_mxs)
	65	+ $(call if_changed,mkivt_mxs,$(CONFIG_SYS_TEXT_BASE),\
	66	+ 0x40001000,0x40001040)
	67	+
	68	+spl/u-boot-spl.csf: spl/u-boot-spl.ivt spl/u-boot-spl.bin board/$(VENDOR)/$(BOARD)/sign/u-boot-spl.csf
	69	+ $(call if_changed,mkcsfreq_mxs,$(CONFIG_SPL_TEXT_BASE),0x8000)
	70	+
	71	+u-boot.csf: u-boot.ivt u-boot.bin board/$(VENDOR)/$(BOARD)/sign/u-boot.csf
	72	+ $(call if_changed,mkcsfreq_mxs,$(CONFIG_SYS_TEXT_BASE),0x40001000)
	73	+
	74	+%.sig: %.csf
	75	+ $(call if_changed,mkcst_mxs)
	76	+
20	77	quiet_cmd_mkimage_mxs = UIMAGE $@
21	78	cmd_mkimage_mxs = $(objtree)/tools/mkimage -n $< -T mxsimage $@ \
22	79	$(if $(KBUILD_VERBOSE:1=), >/dev/null)
23	80
24	81	u-boot.sb: $(src)/$(MKIMAGE_TARGET-y) u-boot.bin spl/u-boot-spl.bin FORCE
	82	+ $(call if_changed,mkimage_mxs)
	83	+
	84	+u-boot-signed.sb: $(src)/mxsimage-signed.cfg u-boot.ivt u-boot.sig spl/u-boot-spl.ivt spl/u-boot-spl.sig FORCE
25	85	$(call if_changed,mkimage_mxs)
	1	+SECTION 0x0 BOOTABLE
	2	+ TAG LAST
	3	+ LOAD 0x1000 spl/u-boot-spl.bin
	4	+ LOAD 0x8000 spl/u-boot-spl.ivt
	5	+ LOAD 0x8040 spl/u-boot-spl.sig
	6	+ CALL HAB 0x8000 0x0
	7	+ LOAD 0x40002000 u-boot.bin
	8	+ LOAD 0x40001000 u-boot.ivt
	9	+ LOAD 0x40001040 u-boot.sig
	10	+ CALL HAB 0x40001000 0x0