10 Apr, 2019
2 commits
-
The csf_additional_images.txt example should match with
mx6_mx7_secure_boot.txt guide.Fix addresses provided in csf_additional_images.txt CSF
example.Reviewed-by: Ye Li
Signed-off-by: Breno Lima
(cherry picked from commit 17c3af7a1935a40057c01459766d41ff0a19723b) -
When booting in low power or dual boot modes the M4 binary is
authenticated by the M4 ROM code.Add an option in hab_status command so users can retrieve M4 HAB
failure and warning events.=> hab_status m4
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!Add command documentation in mx6_mx7_secure_boot.txt guide.
As HAB M4 API cannot be called from A7 core the code is parsing
the M4 HAB persistent memory region. The HAB persistent memory
stores HAB events, public keys and others HAB related information.The HAB persistent memory region addresses and sizes can be found
in AN12263 "HABv4 RVT Guidelines and Recommendations".Reviewed-by: Utkarsh Gupta
Reviewed-by: Ye Li
Signed-off-by: Breno Lima
(cherry picked from commit 0efff16579fabcf57acb9c8857afac8fb58de355)
26 Feb, 2019
4 commits
-
Fix a typo in path provided for imx-mkimage iMX8QM and iMX8QXP directories.
Reported-by: Marius Grigoras
Signed-off-by: Breno Lima
Reviewed-by: Ye Li
(cherry picked from commit c75243c1a87a10f003377d9c144bcf412ba80440) -
The commands included in introduction guide should not be used as
reference for programming the SRK Hash fuses as they are in big
endian.Add a note to avoid a possible mistake.
Reported-by: Clement Le Marquis
Signed-off-by: Breno Lima
Reviewed-by: Ye Li
(cherry picked from commit 137319826cc32d98a9b6890f35dd6670e104c2a5) -
Since commit 771b824728ca ("MLK-20919 imx8: ahab: Add command to
close the chip") the U-Boot is able to move the lifecycle from
NXP closed to OEM closed.Update AHAB guides to use U-Boot ahab_close command instead of SCFW CLI.
As the procedure is now independent of SCFW terminal we can remove
this condition from documentation.Signed-off-by: Breno Lima
Reviewed-by: Ye Li
(cherry picked from commit 6f93d877e1454024f666a4810d24148cf595429e) -
Starting in L4.14.78 release, the OP-TEE CAAM driver does not set the
JROWN_NS field in case LMID is locked.We need to include the Unlock MID command in CSF file otherwise device
will fail to boot in HAB closed mode.Add section to avoid crash when OP-TEE is enabled.
Reported-by: Frank Zhang
Signed-off-by: Breno Lima
Reviewed-by: Ye Li
(cherry picked from commit af03284ad38bd03ef1f0d4942842629db93d2c11)
14 Feb, 2019
2 commits
-
Since commit cf2acc5b7cde ("MLK-18942-2 imx8: ahab: Add ahab_status
command") the U-Boot is able to display and parse the SECO events.Update AHAB guides to use U-Boot ahab_status command instead of
SCFW CLI.Starting in SECO FW v0.2.0 engineering release an invalid image
integrity is logged as an event in open mode. As ahab_status
is able to return this event the note can be removed.Signed-off-by: Breno Lima
Reviewed-by: Ye Li
(cherry picked from commit 385ed19051a47f5858e8d326e5ee97f8a08a679d) -
The set_priblob_bitfield command is enabled by selecting
CONFIG_CMD_PRIBLOB.Fix typo in mx6_mx7_encrypted_boot.txt guide.
Signed-off-by: Breno Lima
(cherry picked from commit 99f9696ef5f7d1c0f93b7d910e884890fca6c973)
14 Dec, 2018
4 commits
-
There is no need to have an extra hab directory under doc/imx/:
- doc/imx/hab/ahab/
- doc/imx/hab/habv4/Remove extra hab directory for a cleaner documentation structure.
Signed-off-by: Breno Lima
Reviewed-by: Ye Li -
The current U-Boot implementation includes SPL targets for i.MX8QM and
i.MXQXP MEK boards:- imx8qxp_mek_spl_defconfig
- imx8qxp_mek_spl_fspi_defconfig
- imx8qm_mek_spl_defconfig
- imx8qm_mek_spl_fspi_defconfigThe U-Boot proper and ATF are included in an additional container being
necessary a different procedure for signing the flash.bin image.Add a step-by-step guide covering the signing procedure.
Add a CSF example for the 3rd container.Signed-off-by: Breno Lima
Reviewed-by: Frank Zhang
Reviewed-by: Marius Grigoras
Reviewed-by: Utkarsh Gupta -
Add AHAB secure boot step-by-step guide for i.MX8 and i.MX8x families
devices.Add 3 CSF example files:
- Example to sign flash.bin only using SRK keys.
- Example to sign flash.bin using a subordinate SGK key.
- Example to sign Linux image only using SRK keys.Signed-off-by: Clement Le Marquis
Reviewed-by: Frank Zhang
Reviewed-by: Marius Grigoras
Reviewed-by: Utkarsh Gupta -
The AHAB is currently supported in i.MX8QXP and i.MX8QM devices.
Add an introductory document containing the following topics:
- AHAB Secure Boot Architecture
- System Control Unit (SCU) introduction
- Security Controller (SECO) introduction
- i.MX8/8x secure boot flow
- AHAB PKI tree generation
- SRK Table and SRK Hash generationSigned-off-by: Breno Lima
Reviewed-by: Frank Zhang
Reviewed-by: Marius Grigoras
Reviewed-by: Utkarsh Gupta
26 Nov, 2018
2 commits
-
The HABv4 secure boot procedure is now documented in different files:
.
└── habv4
├── csf_examples
│ ├── additional_images
│ │ └── csf_additional_images.txt
│ ├── mx6_mx7
│ │ ├── csf_uboot_fast_authentication.txt
│ │ └── csf_uboot.txt
│ └── mx8m_mx8mm
│ ├── csf_fit.txt
│ └── csf_spl.txt
├── guides
│ ├── mx6_mx7_secure_boot.txt
│ ├── mx8m_mx8mm_secure_boot.pdf
│ └── mx8m_mx8mm_secure_boot.txt
├── introduction_habv4.txt
└── script_examples
└── genIVT.plThe old documentation secure_boot.txt can be removed.
Reviewed-by: Utkarsh Gupta
Signed-off-by: Breno Lima -
Add HABv4 documentation for i.MX8M and i.MX8MM targets covering the
following topics:- How to sign an securely boot an flash.bin image.
- How to extend the root of trust for additional boot images.
- Add 2 CSF examples.Reviewed-by: Utkarsh Gupta
Signed-off-by: Breno Lima
03 Nov, 2018
2 commits
-
Signed-off-by: Clement Le Marquis
-
Add useful documentation for encrypted boot:
- Add 2 CSF examples for encrypt and sign
- How to encrypt and sign a U-Boot binary on closed device
- Why and how increase the PRIBLOB bitfield from CAAM SCFGRSigned-off-by: Clement Le Marquis
23 Oct, 2018
2 commits
-
Add HABv4 documentation for u-boot-dtb.imx targets covering the
following topics:- How to sign an securely boot an u-boot-dtb.imx image.
- How to extend the root of trust for additional boot images.
- Add 3 CSF examples.
- Add IVT generation script example.Reviewed-by: Ye Li
Reviewed-by: Utkarsh Gupta
Signed-off-by: Breno Lima -
The HABv4 is supported in i.MX 50, i.MX 53, i.MX 6, i.MX 7,
series and i.MX 8M, i.MX8MM devices.Add an introductory document containing the following topics:
- HABv4 Introduction
- HABv4 Secure Boot
- HABv4 Encrypted Boot
- HAB PKI tree generation
- HAB Fast Authentication PKI tree generation
- SRK Table and SRK Hash generationReviewed-by: Ye Li
Reviewed-by: Utkarsh Gupta
Signed-off-by: Breno Lima
09 Oct, 2018
8 commits
-
There is no need to have README in all i.MX documents name.
Remove README from i.MX docs name and add .txt file extension.Signed-off-by: Breno Lima
Reviewed-by: Ye Li -
The Serial Download Protocol feature is availible in various
i.MX SoCs.Move README.sdp document to imx/misc directory.
Signed-off-by: Breno Lima
-
The current High Assurance Boot document README.mxc_hab
include details for the following features in a single file:- HAB Secure Boot
- HAB Encrypted BootSplit HAB documentation in a specific directory for a cleaner
documentation structure, subsequent patches will include more
content in HAB documentation.Signed-off-by: Breno Lima
-
The following documents describe device details according to the
i.MX family:- README.imx25
- README.imx27
- README.imx5
- README.imx6
- README.mxsMove all device common related document to doc/imx/common for a better
directory structure.Signed-off-by: Breno Lima
-
The following documents describe the image type used by the mkimage
tool to generate U-Boot images for i.MX devices.- README.imximage
- README.mxsimageMove all mkimage related document to doc/imx/mkimage for a better
directory structure.Signed-off-by: Breno Lima
-
Currently the Serial Download Protocol tools and procedure are
documented in two places:- doc/imx/README.sdp
- doc/imx/README.imx6It is better to consolidate all SDP related information into
README.sdp file, so move the content from README.imx6 to
README.sdp.Signed-off-by: Breno Lima
-
Currently the U-Boot doc/ directory contains the following files
that are only relevant for i.MX devices:- doc/README.imx25
- doc/README.imx27
- doc/README.imx5
- doc/README.imx6
- doc/README.imximage
- doc/README.mxc_hab
- doc/README.mxs
- doc/README.mxsimage
- doc/README.sdpMove all content to a common i.MX folder for a better documentation
structure.Signed-off-by: Breno Lima
-
Currently the U-Boot project contains 2 documentation directories:
- doc/
- Documentation/The Documentation directory only contains device tree bindings related
content, so move the 2 files to doc/device-tree-bindings/.This commit is based in a previous submission in U-Boot upstream:
http://git.denx.de/?p=u-boot.git;a=commit;h=ad7061ed742e1312289644268859a0f4b512aaeeSigned-off-by: Breno Lima
11 Mar, 2018
2 commits
-
The README.mxc_hab is outdated and need improvements, add the following
modifications:- Reorganize document and remove duplicate content
- Add CST download link
- Update CST package name
- Align command lines with CST v2.3.3
- Update U-Boot binary name
- Remove CSF padding since is not documented in AN4581Signed-off-by: Breno Lima
-
Currently the High Assurance Boot procedure is documented in two
places:- doc/README.imx6
- doc/README.mxc_habIt is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.Signed-off-by: Breno Lima
Reviewed-by: Fabio Estevam
24 Feb, 2018
1 commit
-
With the contents of config_distro_defaults.h migrated to Kconfig,
we can remove this header file completelySigned-off-by: Adam Ford
10 Feb, 2018
1 commit
-
README.efi describes two different concepts:
* U-Boot exposing the UEFI API
* U-Boot running on top of UEFI.This patch splits the document in two.
Religious references are removed.The separation of the concepts makes sense before detailing the internals
of U-Boot exposing the UEFI API in a future patch.Signed-off-by: Heinrich Schuchardt
Signed-off-by: Alexander Graf
08 Feb, 2018
1 commit
-
This commit cleans up the README.watchdog by removing the reminescent of
ADI's Blackfin architecture removed some time ago.Signed-off-by: Lukasz Majewski
04 Feb, 2018
5 commits
-
The original text is from the time that the config options were not
converted to Kconfig.After the conversion to Kconfig only CONFIG_SECURE_BOOT and
CONFIG_CMD_DEKBLOB need to be selected by the user.The other config options are automatically selected by the Kconfig
logic.Signed-off-by: Fabio Estevam
Reviewed-by: Breno Lima -
The EFI implementation does not fit into any of the existing categories.
Provide LOGC_EFI so that EFI related message can be filtered.
Signed-off-by: Heinrich Schuchardt
Reviewed-by: Simon Glass -
When functions return an error it propagates up the stack to the point
where it is reported. Often the error code provides enough information
about the root cause of the error that this is obvious what went wrong.However in some cases the error may be hard to trace. For example if a
driver uses several devices to perform an operation, it may not be
obvious which one failed.Add a log_ret() macro to help with this. This can be used to wrap any
error-return value. The logging system will then output a log record when
the original error is generated, making it easy to trace the call stack
of the error.This macro can significantly impact code size, so its use is controlled
by a Kconfig option, which is enabled for sandbox.Signed-off-by: Simon Glass
-
Add some notes about recent new features.
Signed-off-by: Simon Glass
31 Jan, 2018
1 commit
-
Xilinx changes for v2018.03
- Several Kconfig fixes (also moving configs to defconfigs)
- Some DTS updates
- ZynqMP psu rework based on Zynq concept
- Add low level initialization for zc770 and zcu102
- Add support for Zynq zc770 x16 nand configuration
- Add mini nand/emmc ZynqMP targets
- Some arasan nand changes
30 Jan, 2018
1 commit
-
zc770-xm011 is also added and supported. Reflect this in README.
Signed-off-by: Michal Simek
29 Jan, 2018
1 commit
-
The appended README explains how U-Boot and iPXE can be used
to boot a diskless system from an iSCSI SAN.The maintainer for README.efi and README.iscsi is set.
Signed-off-by: Heinrich Schuchardt
[agraf: s/Adress/Address/]
Signed-off-by: Alexander Graf
26 Jan, 2018
1 commit