From: Ye Li <ye.li@nxp.com>
To: "hs@denx.de" <hs@denx.de>,
"Peng Fan (OSS)" <peng.fan@oss.nxp.com>,
"u-boot@lists.denx.de" <u-boot@lists.denx.de>,
"sbabic@denx.de" <sbabic@denx.de>
Cc: "jh80.chung@samsung.com" <jh80.chung@samsung.com>,
"marex@denx.de" <marex@denx.de>,
"tharvey@gateworks.com" <tharvey@gateworks.com>,
"t.remmet@phytec.de" <T.remmet@phytec.de>,
"sjg@chromium.org" <sjg@chromium.org>,
"festevam@gmail.com" <festevam@gmail.com>,
"faiz_abbas@ti.com" <faiz_abbas@ti.com>,
"philippe.reynes@softathome.com" <philippe.reynes@softathome.com>,
"michal.simek@xilinx.com" <michal.simek@xilinx.com>,
"mr.nuke.me@gmail.com" <mr.nuke.me@gmail.com>,
"michael@walle.cc" <michael@walle.cc>, "sr@denx.de" <sr@denx.de>,
"pali@kernel.org" <pali@kernel.org>,
dl-uboot-imx <uboot-imx@nxp.com>
Subject: Re: [EXT] Re: [PATCH v1 0/2] imx8m: fix secure boot
Date: Fri, 6 Aug 2021 07:16:59 +0000 [thread overview]
Message-ID: <1628233812.61893.14.camel@nxp.com> (raw)
In-Reply-To: <30be0d4f-adad-c5b0-935a-49b2e604f615@denx.de>
On Fri, 2021-08-06 at 08:39 +0200, Heiko Schocher wrote:
> Caution: EXT Email
>
> Hello Peng,
>
> On 06.08.21 07:56, Peng Fan (OSS) wrote:
> >
> >
> >
> > On 2021/8/6 12:44, Heiko Schocher wrote:
> > >
> > >
> > > This series fixes secure boot on imx8m based boards. Tim
> > > also detected this issue and the patches fixed on his hardware
> > > also the problem, see discussion here:
> > >
> > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2
> > > Flists.denx.de%2Fpipermail%2Fu-boot%2F2021-
> > > July%2F454351.html&data=04%7C01%7Cye.li%40nxp.com%7C4e50cef1a
> > > 559457dc78c08d958a4f5d9%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C
> > > 0%7C637638287788477666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMD
> > > AiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata
> > > =Rcmml9Sg0hSc%2FE68Dzjcn0wce1xYSpQNfJ0wfT4Jork%3D&reserved=0
> > >
> > >
> > > Problem is that the IVT header gets loaded to a memallocated
> > > buffer, but it needs to sit on memaddress coded in IVT header
> > > itself. This patchseries adds a weak function
> > > spl_load_simple_fit()
> > > in common spl code, which does not change current code behaviour.
> > >
> > > Second patch than implements this weak function for imx based
> > > boards (if no IVT header is found on address which is passed
> > > to it, it does nothing).
> > >
> > > I am not sure if this is the best solution, but it fixes a real
> > > bug, and may could be made clearer, if possible.
> > NXP downstream dropped malloc, with
> > buf = board_spl_fit_buffer_addr(size, sectors, info->bl_len);
> >
> > And this will use previous fixed address.
> Ah, okay, you mean:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsou
> rce.codeaurora.org%2Fexternal%2Fimx%2Fuboot-
> imx%2Ftree%2Farch%2Farm%2Fmach-
> imx%2Fspl.c%3Fh%3Dlf_v2021.04%23n334&data=04%7C01%7Cye.li%40nxp.c
> om%7C4e50cef1a559457dc78c08d958a4f5d9%7C686ea1d3bc2b4c6fa92cd99c5c301
> 635%7C0%7C0%7C637638287788487624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4w
> LjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sda
> ta=prhVBpPvqD1CDGWi7tWcN5%2BzChBeSQzeIK%2FvhedGcfE%3D&reserved=0
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsou
> rce.codeaurora.org%2Fexternal%2Fimx%2Fuboot-
> imx%2Ftree%2Fcommon%2Fspl%2Fspl_fit.c%3Fh%3Dlf_v2021.04%23n541&da
> ta=04%7C01%7Cye.li%40nxp.com%7C4e50cef1a559457dc78c08d958a4f5d9%7C686
> ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637638287788487624%7CUnknown%
> 7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ
> XVCI6Mn0%3D%7C1000&sdata=J%2FH%2FBBtiMMl9G744CjjPESEUVCxmO%2Bg7%2
> BHVJsM1yKc4%3D&reserved=0
>
> and
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsou
> rce.codeaurora.org%2Fexternal%2Fimx%2Fuboot-
> imx%2Ftree%2Fcommon%2Fspl%2Fspl_fit.c%3Fh%3Dlf_v2021.04%23n581&da
> ta=04%7C01%7Cye.li%40nxp.com%7C4e50cef1a559457dc78c08d958a4f5d9%7C686
> ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637638287788487624%7CUnknown%
> 7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ
> XVCI6Mn0%3D%7C1000&sdata=WVZ6Az8kazKu%2BWzysM7%2B3u5XHOb6gtggwiCK
> rewnI2o%3D&reserved=0
>
> correct?
Yes. correct.
>
> But I do not see, where ivt->self is used... or is per definiton
> ivt->self equal to:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsou
> rce.codeaurora.org%2Fexternal%2Fimx%2Fuboot-
> imx%2Ftree%2Farch%2Farm%2Fmach-
> imx%2Fspl.c%3Fh%3Dlf_v2021.04%23n345&data=04%7C01%7Cye.li%40nxp.c
> om%7C4e50cef1a559457dc78c08d958a4f5d9%7C686ea1d3bc2b4c6fa92cd99c5c301
> 635%7C0%7C0%7C637638287788487624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4w
> LjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sda
> ta=Fo5efFghnqsyUvtuykwVm68NvDnk%2Fb1hCoiuQW1JkiA%3D&reserved=0
>
> ?
>
The fit buffer was used in SPL is a fit size related offset to u-boot
base. In mkimage, we generate IVT following the same calculation. So we
don't use ivt->self, this address is aligned between SPL and IVT.
Your patch depends on IVT. But actually IVT is not necessary for non-
secure boot. The board_spl_fit_size_align in mach-imx/spl.c is only
defined for HAB enabled. So for non-secure boot, it does not include
size for IVT. This will be an issue.
Best regards,
Ye Li
> bye,
> Heiko
>
> >
> >
> > Regards,
> > Peng.
> >
> > >
> > >
> > >
> > > Heiko Schocher (2):
> > > spl_fit. add hook to make fixes after fit header is loaded
> > > imx: spl: implement spl_load_simple_fit_fix_load
> > >
> > > arch/arm/mach-imx/spl.c | 33 +++++++++++++++++++++++++++++++++
> > > common/spl/spl_fit.c | 11 +++++++++++
> > > include/spl.h | 8 ++++++++
> > > 3 files changed, 52 insertions(+)
> > >
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs@denx.de
prev parent reply other threads:[~2021-08-06 7:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 4:44 [PATCH v1 0/2] imx8m: fix secure boot Heiko Schocher
2021-08-06 4:44 ` [PATCH v1 1/2] spl_fit. add hook to make fixes after fit header is loaded Heiko Schocher
2021-09-30 4:09 ` Simon Glass
2021-10-07 14:13 ` sbabic
2021-08-06 4:44 ` [PATCH v1 2/2] imx: spl: implement spl_load_simple_fit_fix_load Heiko Schocher
2021-10-07 14:12 ` sbabic
2021-08-06 5:56 ` [PATCH v1 0/2] imx8m: fix secure boot Peng Fan (OSS)
2021-08-06 6:39 ` Heiko Schocher
2021-08-06 7:16 ` Ye Li [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1628233812.61893.14.camel@nxp.com \
--to=ye.li@nxp.com \
--cc=T.remmet@phytec.de \
--cc=faiz_abbas@ti.com \
--cc=festevam@gmail.com \
--cc=hs@denx.de \
--cc=jh80.chung@samsung.com \
--cc=marex@denx.de \
--cc=michael@walle.cc \
--cc=michal.simek@xilinx.com \
--cc=mr.nuke.me@gmail.com \
--cc=pali@kernel.org \
--cc=peng.fan@oss.nxp.com \
--cc=philippe.reynes@softathome.com \
--cc=sbabic@denx.de \
--cc=sjg@chromium.org \
--cc=sr@denx.de \
--cc=tharvey@gateworks.com \
--cc=u-boot@lists.denx.de \
--cc=uboot-imx@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.