Commit 6605ea47d7fbbd4687c8eb636335f4c1165be4e4

Authored by Ye Li
1 parent 4eca15e065

MLK-12500-1 HAB: Add kernel image authentication in image loading

To support the trusted boot chain, we integrate authentication
into the kernel image loading process. The kernel image is verified
at its load address, so the image must be signed using that
load address, which may differ between platforms.

Signed-off-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 3c118b8d6bbe1a25ca8c8bafeb528309f16fc73d)
(cherry picked from commit fd9a9759ed9b3a9fc26b18aff00880382213b1ca)
(cherry picked from commit 98d4faefdb83579d4a5a170e06af5efb64ad2b3c)
(cherry picked from commit 3c0f0eed6cb703cd7d67ec97520b1990b5e35fb2)

Showing 2 changed files with 33 additions and 0 deletions

... ... @@ -123,6 +123,31 @@
123 123 return do_bootm_subcommand(cmdtp, flag, argc, argv);
124 124 }
125 125  
  126 +#ifdef CONFIG_IMX_HAB
  127 + extern int authenticate_image(
  128 + uint32_t ddr_start, uint32_t raw_image_size);
  129 +
  130 + switch (genimg_get_format((const void *)image_load_addr)) {
  131 +#if defined(CONFIG_LEGACY_IMAGE_FORMAT)
  132 + case IMAGE_FORMAT_LEGACY:
  133 + if (authenticate_image(image_load_addr,
  134 + image_get_image_size((image_header_t *)image_load_addr)) != 0) {
  135 + printf("Authenticate uImage Fail, Please check\n");
  136 + return 1;
  137 + }
  138 + break;
  139 +#endif
  140 +#ifdef CONFIG_ANDROID_BOOT_IMAGE
  141 + case IMAGE_FORMAT_ANDROID:
  142 + /* Do this authentication in boota command */
  143 + break;
  144 +#endif
  145 + default:
  146 + printf("Not valid image format for Authentication, Please check\n");
  147 + return 1;
  148 + }
  149 +#endif
  150 +
126 151 return do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START |
127 152 BOOTM_STATE_FINDOS | BOOTM_STATE_FINDOTHER |
128 153 BOOTM_STATE_LOADOS |
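Review bot: The added check authenticates the image at `image_load_addr`, but the boot itself is driven by the `argc`/`argv` handed to `do_bootm_states()` right after it, so if an address argument selects a different image (that parsing is outside this hunk) the image that was verified is not the one that runs. The block also appears to sit after the early `return do_bootm_subcommand(...)`, which would leave the subcommand form without any authentication. I would resolve the boot address once, authenticate exactly that address, and refuse subcommand invocations when `CONFIG_IMX_HAB` is set; a comment such as `/* HAB: the address authenticated here must be the address that is booted */` should state the invariant. The enclosing function starts before and continues past the hunk, so both points need confirming against the full body.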
... ... @@ -56,6 +56,14 @@
56 56 if (bootm_find_images(flag, argc, argv))
57 57 return 1;
58 58  
  59 +#ifdef CONFIG_IMX_HAB
  60 + extern int authenticate_image(
  61 + uint32_t ddr_start, uint32_t raw_image_size);
  62 + if (authenticate_image(images->ep, zi_end - zi_start) != 0) {
  63 + printf("Authenticate zImage Fail, Please check\n");
  64 + return 1;
  65 + }
  66 +#endif
59 67 return 0;
60 68 }
61 69
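Review bot: The length passed to `authenticate_image()` here, `zi_end - zi_start`, is computed before anything has been authenticated, presumably from fields of the zImage header itself (they are set outside this hunk); the same holds for `image_get_image_size()` in the legacy-image case of the other file. Both the address and the length are narrowed to `uint32_t` without a range check, so the code relies entirely on `authenticate_image()` to reject a length that does not match the signed region. A cheap guard before the call would be `if (zi_end <= zi_start) return 1;`, together with a comment that the size is untrusted until the call returns 0. As far as this hunk shows, the ramdisk and device tree located by `bootm_find_images()` just above are not covered by the check. The block-scope `extern int authenticate_image(...)` prototype is duplicated in both files and would be better declared once in a shared header.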