The csf_additional_images.txt example should match with
mx6_mx7_secure_boot.txt guide.
Fix addresses provided in csf_additional_images.txt CSF
example.
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
(cherry picked from commit 17c3af7a1935a40057c01459766d41ff0a19723b)
When booting in low power or dual boot modes the M4 binary is
authenticated by the M4 ROM code.
Add an option in hab_status command so users can retrieve M4 HAB
failure and warning events.
=> hab_status m4
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
Add command documentation in mx6_mx7_secure_boot.txt guide.
As HAB M4 API cannot be called from A7 core the code is parsing
the M4 HAB persistent memory region. The HAB persistent memory
stores HAB events, public keys and others HAB related information.
The HAB persistent memory region addresses and sizes can be found
in AN12263 "HABv4 RVT Guidelines and Recommendations".
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
(cherry picked from commit 0efff16579fabcf57acb9c8857afac8fb58de355)
Fix a typo in path provided for imx-mkimage iMX8QM and iMX8QXP directories.
Reported-by: Marius Grigoras <marius.grigoras@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit c75243c1a87a10f003377d9c144bcf412ba80440)
The commands included in introduction guide should not be used as
reference for programming the SRK Hash fuses as they are in big
endian.
Add a note to avoid a possible mistake.
Reported-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 137319826cc32d98a9b6890f35dd6670e104c2a5)
Since commit 771b824728ca ("MLK-20919 imx8: ahab: Add command to
close the chip") the U-Boot is able to move the lifecycle from
NXP closed to OEM closed.
Update AHAB guides to use U-Boot ahab_close command instead of SCFW CLI.
As the procedure is now independent of SCFW terminal we can remove
this condition from documentation.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 6f93d877e1454024f666a4810d24148cf595429e)
Starting in L4.14.78 release, the OP-TEE CAAM driver does not set the
JROWN_NS field in case LMID is locked.
We need to include the Unlock MID command in CSF file otherwise device
will fail to boot in HAB closed mode.
Add section to avoid crash when OP-TEE is enabled.
Reported-by: Frank Zhang <frank.zhang@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit af03284ad38bd03ef1f0d4942842629db93d2c11)
Since commit cf2acc5b7c ("MLK-18942-2 imx8: ahab: Add ahab_status
command") the U-Boot is able to display and parse the SECO events.
Update AHAB guides to use U-Boot ahab_status command instead of
SCFW CLI.
Starting in SECO FW v0.2.0 engineering release an invalid image
integrity is logged as an event in open mode. As ahab_status
is able to return this event the note can be removed.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 385ed19051a47f5858e8d326e5ee97f8a08a679d)
The set_priblob_bitfield command is enabled by selecting
CONFIG_CMD_PRIBLOB.
Fix typo in mx6_mx7_encrypted_boot.txt guide.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
(cherry picked from commit 99f9696ef5f7d1c0f93b7d910e884890fca6c973)
There is no need to have an extra hab directory under doc/imx/:
- doc/imx/hab/ahab/
- doc/imx/hab/habv4/
Remove extra hab directory for a cleaner documentation structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
The current U-Boot implementation includes SPL targets for i.MX8QM and
i.MXQXP MEK boards:
- imx8qxp_mek_spl_defconfig
- imx8qxp_mek_spl_fspi_defconfig
- imx8qm_mek_spl_defconfig
- imx8qm_mek_spl_fspi_defconfig
The U-Boot proper and ATF are included in an additional container being
necessary a different procedure for signing the flash.bin image.
Add a step-by-step guide covering the signing procedure.
Add a CSF example for the 3rd container.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Add AHAB secure boot step-by-step guide for i.MX8 and i.MX8x families
devices.
Add 3 CSF example files:
- Example to sign flash.bin only using SRK keys.
- Example to sign flash.bin using a subordinate SGK key.
- Example to sign Linux image only using SRK keys.
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
The AHAB is currently supported in i.MX8QXP and i.MX8QM devices.
Add an introductory document containing the following topics:
- AHAB Secure Boot Architecture
- System Control Unit (SCU) introduction
- Security Controller (SECO) introduction
- i.MX8/8x secure boot flow
- AHAB PKI tree generation
- SRK Table and SRK Hash generation
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Add HABv4 documentation for i.MX8M and i.MX8MM targets covering the
following topics:
- How to sign an securely boot an flash.bin image.
- How to extend the root of trust for additional boot images.
- Add 2 CSF examples.
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Add useful documentation for encrypted boot:
- Add 2 CSF examples for encrypt and sign
- How to encrypt and sign a U-Boot binary on closed device
- Why and how increase the PRIBLOB bitfield from CAAM SCFGR
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Add HABv4 documentation for u-boot-dtb.imx targets covering the
following topics:
- How to sign an securely boot an u-boot-dtb.imx image.
- How to extend the root of trust for additional boot images.
- Add 3 CSF examples.
- Add IVT generation script example.
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
The HABv4 is supported in i.MX 50, i.MX 53, i.MX 6, i.MX 7,
series and i.MX 8M, i.MX8MM devices.
Add an introductory document containing the following topics:
- HABv4 Introduction
- HABv4 Secure Boot
- HABv4 Encrypted Boot
- HAB PKI tree generation
- HAB Fast Authentication PKI tree generation
- SRK Table and SRK Hash generation
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
There is no need to have README in all i.MX documents name.
Remove README from i.MX docs name and add .txt file extension.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
The Serial Download Protocol feature is availible in various
i.MX SoCs.
Move README.sdp document to imx/misc directory.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
The current High Assurance Boot document README.mxc_hab
include details for the following features in a single file:
- HAB Secure Boot
- HAB Encrypted Boot
Split HAB documentation in a specific directory for a cleaner
documentation structure, subsequent patches will include more
content in HAB documentation.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
The following documents describe device details according to the
i.MX family:
- README.imx25
- README.imx27
- README.imx5
- README.imx6
- README.mxs
Move all device common related document to doc/imx/common for a better
directory structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
The following documents describe the image type used by the mkimage
tool to generate U-Boot images for i.MX devices.
- README.imximage
- README.mxsimage
Move all mkimage related document to doc/imx/mkimage for a better
directory structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Currently the Serial Download Protocol tools and procedure are
documented in two places:
- doc/imx/README.sdp
- doc/imx/README.imx6
It is better to consolidate all SDP related information into
README.sdp file, so move the content from README.imx6 to
README.sdp.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Currently the U-Boot doc/ directory contains the following files
that are only relevant for i.MX devices:
- doc/README.imx25
- doc/README.imx27
- doc/README.imx5
- doc/README.imx6
- doc/README.imximage
- doc/README.mxc_hab
- doc/README.mxs
- doc/README.mxsimage
- doc/README.sdp
Move all content to a common i.MX folder for a better documentation
structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Breno Lima
Clement Le Marquis