[PATCH] arm: imx: Add command to get offset of first image in AHAB OS container

[PATCH] arm: imx: Add command to get offset of first image in AHAB OS container

[Lukasz Majewski]

With current mainline it is possible to check with AHAB if system OS image
can be trusted (with 'auth_cntr' command).
However, after the validation one needs to use the image (fitImage in this
case) itself. Such operation requires getting the offset in the image
eligible for AHAB validation to start execution of the fitImage.

Command in this patch allows it, so with:
auth_cntr_offset ${addr} auth_cntr_os_offset;
setexpr addr ${kernel_addr_r} + ${auth_cntr_os_offset};

it is possible to boot the fitImage after AHAB IP block vaidation.

Signed-off-by: Lukasz Majewski <lukma@nabladev.com>
---
 arch/arm/mach-imx/imx8/ahab.c | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/arch/arm/mach-imx/imx8/ahab.c b/arch/arm/mach-imx/imx8/ahab.c
index f13baa871cc..da0e1f3382b 100644
--- a/arch/arm/mach-imx/imx8/ahab.c
+++ b/arch/arm/mach-imx/imx8/ahab.c
@@ -7,6 +7,7 @@
 #include <errno.h>
 #include <imx_container.h>
 #include <log.h>
+#include <env.h>
 #include <asm/global_data.h>
 #include <asm/io.h>
 #include <firmware/imx/sci/sci.h>
@@ -424,6 +425,55 @@ static int do_ahab_commit(struct cmd_tbl *cmdtp, int flag, int argc,
 	return CMD_RET_SUCCESS;
 }
 
+static int do_ahab_get_offset(struct cmd_tbl *cmdtp, int flag, int argc,
+			      char *const argv[])
+{
+	struct container_hdr *phdr;
+	const char *name = argv[2];
+	struct boot_img_t *img;
+	u16 length;
+	ulong cntr;
+	int err;
+
+	if (argc != 3)
+		return CMD_RET_USAGE;
+
+	if (!name)
+		return CMD_RET_USAGE;
+
+	cntr = hextoul(argv[1], NULL);
+
+	phdr = (struct container_hdr *)cntr;
+	length = phdr->length_lsb + (phdr->length_msb << 8);
+
+	err = ahab_auth_cntr_hdr(phdr, length);
+	if (err) {
+		printf("Authenticate OS container header has failed!\n");
+		return 1;
+	}
+
+	ahab_auth_release();
+
+	/*
+	 * Get the offset for first image (Image0Offset at Fitgure 1.
+	 * of AN12312)
+	 */
+	img = (struct boot_img_t *)
+		((ulong)phdr + sizeof(struct container_hdr));
+
+	debug("%s=0x%x\n", name, img->offset);
+
+	return env_set_hex(name, img->offset);
+}
+
+U_BOOT_CMD(auth_cntr_offset, CONFIG_SYS_MAXARGS, 1, do_ahab_get_offset,
+	   "provide first image offset from AHAB OS container",
+	   "addr name\n"
+	   "addr - OS container hex address\n"
+	   "name - name of the env variable to store offset of the first\n"
+	   "       image from AHAB OS container\n"
+);
+
 U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate,
 	   "autenticate OS container via AHAB",
 	   "addr\n"
-- 
2.39.5

Re: [PATCH] arm: imx: Add command to get offset of first image in AHAB OS container

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 937 bytes --]

On Mon, Nov 10, 2025 at 01:41:00PM +0100, Lukasz Majewski wrote:

> With current mainline it is possible to check with AHAB if system OS image
> can be trusted (with 'auth_cntr' command).
> However, after the validation one needs to use the image (fitImage in this
> case) itself. Such operation requires getting the offset in the image
> eligible for AHAB validation to start execution of the fitImage.
> 
> Command in this patch allows it, so with:
> auth_cntr_offset ${addr} auth_cntr_os_offset;
> setexpr addr ${kernel_addr_r} + ${auth_cntr_os_offset};
> 
> it is possible to boot the fitImage after AHAB IP block vaidation.
> 
> Signed-off-by: Lukasz Majewski <lukma@nabladev.com>
> ---
>  arch/arm/mach-imx/imx8/ahab.c | 50 +++++++++++++++++++++++++++++++++++
>  1 file changed, 50 insertions(+)

Can we please split the commands here out and put it under
cmd/imx/imxh-ahab.c or something? Thanks.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH] arm: imx: Add command to get offset of first image in AHAB OS container

[Łukasz Majewski]

Hi Tom,

> On Mon, Nov 10, 2025 at 01:41:00PM +0100, Lukasz Majewski wrote:
> 
> > With current mainline it is possible to check with AHAB if system
> > OS image can be trusted (with 'auth_cntr' command).
> > However, after the validation one needs to use the image (fitImage
> > in this case) itself. Such operation requires getting the offset in
> > the image eligible for AHAB validation to start execution of the
> > fitImage.
> > 
> > Command in this patch allows it, so with:
> > auth_cntr_offset ${addr} auth_cntr_os_offset;
> > setexpr addr ${kernel_addr_r} + ${auth_cntr_os_offset};
> > 
> > it is possible to boot the fitImage after AHAB IP block vaidation.
> > 
> > Signed-off-by: Lukasz Majewski <lukma@nabladev.com>
> > ---
> >  arch/arm/mach-imx/imx8/ahab.c | 50
> > +++++++++++++++++++++++++++++++++++ 1 file changed, 50
> > insertions(+)  
> 
> Can we please split the commands here out and put it under
> cmd/imx/imxh-ahab.c or something? Thanks.
> 

If the community is OK, with such solution (especially Peng and Ji),
then no problem - I can first exclude commands from ahab.c file and
then add the auth_cntr_offset command to the newely created
cmd/imx/imx8-ahab.c file.

-- 
Best regards,

Lukasz Majewski

--
Nabla Software Engineering GmbH
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Managing Director : Stefano Babic