* [PATCH] imx: ahab: Use authenticated header for images loading
@ 2026-04-28 10:09 Ye Li
  2026-04-29  2:32 ` Peng Fan
  0 siblings, 1 reply; 2+ messages in thread
From: Ye Li @ 2026-04-28 10:09 UTC (permalink / raw)
  To: festevam, u-boot, peng.fan; +Cc: uboot-imx, ye.li

When loading a container image, the container header is loaded into
heap memory. If ahab is enabled, the header is copied to another
fixed RAM region for authentication in ahab_auth_cntr_hdr. A better
method is to use the authenticated copy of the container header for
the subsequent image loading.
So update ahab_auth_cntr_hdr to return the address of the container
header that was authenticated. The caller uses this header for the
subsequent parsing and image loading.

Signed-off-by: Ye Li <ye.li@nxp.com>
---
 arch/arm/include/asm/mach-imx/ahab.h |  2 +-
 arch/arm/mach-imx/ele_ahab.c         | 12 ++++++------
 arch/arm/mach-imx/imx8/ahab.c        | 16 +++++++++-------
 common/spl/spl_imx_container.c       | 13 +++++++++----
 4 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/arch/arm/include/asm/mach-imx/ahab.h b/arch/arm/include/asm/mach-imx/ahab.h
index 4884f056251..dad170cee47 100644
--- a/arch/arm/include/asm/mach-imx/ahab.h
+++ b/arch/arm/include/asm/mach-imx/ahab.h
@@ -8,7 +8,7 @@
 
 #include <imx_container.h>
 
-int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length);
+void *ahab_auth_cntr_hdr(struct container_hdr *container, u16 length);
 int ahab_auth_release(void);
 int ahab_verify_cntr_image(struct boot_img_t *img, int image_index);
 
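Review bot: The new return type `void *` in the prototype discards the type that the callers in this patch assign to a `struct container_hdr *`, so the compiler no longer checks those assignments. Declaring it as `struct container_hdr *ahab_auth_cntr_hdr(struct container_hdr *container, u16 length);` would keep them checked; the definitions in ele_ahab.c and imx8/ahab.c would change to match. The prototype also carries no comment on the new contract, for example `/* Returns the authenticated copy of the header (not @container), or NULL on failure */`.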
diff --git a/arch/arm/mach-imx/ele_ahab.c b/arch/arm/mach-imx/ele_ahab.c
index 9794391fb35..86b11bdf2ac 100644
--- a/arch/arm/mach-imx/ele_ahab.c
+++ b/arch/arm/mach-imx/ele_ahab.c
@@ -255,7 +255,7 @@ static void display_ahab_auth_ind(u32 event)
 	printf("%s\n", ele_ind_str[get_idx(ele_ind, resp_ind, ARRAY_SIZE(ele_ind))]);
 }
 
-int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
+void *ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
 {
 	int err;
 	u32 resp;
@@ -271,9 +271,10 @@ int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
 		printf("Authenticate container hdr failed, return %d, resp 0x%x\n",
 		       err, resp);
 		display_ahab_auth_ind(resp);
+		return NULL;
 	}
 
-	return err;
+	return (void *)IMG_CONTAINER_BASE; /* Return authenticated container header */
 }
 
 int ahab_auth_release(void)
@@ -327,7 +328,6 @@ int authenticate_os_container(ulong addr)
 {
 	struct container_hdr *phdr;
 	int i, ret = 0;
-	int err;
 	u16 length;
 	struct boot_img_t *img;
 	unsigned long s, e;
@@ -357,8 +357,8 @@ int authenticate_os_container(ulong addr)
 
 	debug("container length %u\n", length);
 
-	err = ahab_auth_cntr_hdr(phdr, length);
-	if (err) {
+	phdr = ahab_auth_cntr_hdr(phdr, length);
+	if (!phdr) {
 		ret = -EIO;
 		goto exit;
 	}
@@ -367,7 +367,7 @@ int authenticate_os_container(ulong addr)
 
 	/* Copy images to dest address */
 	for (i = 0; i < phdr->num_images; i++) {
-		img = (struct boot_img_t *)(addr +
+		img = (struct boot_img_t *)((ulong)phdr +
 					    sizeof(struct container_hdr) +
 					    i * sizeof(struct boot_img_t));
 
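Review bot: Nothing in this hunk confirms that the image table walked by `for (i = 0; i < phdr->num_images; i++)` lies inside the `length` bytes that were presumably copied and authenticated. An entry past that range would be read from whatever the fixed region held before, not from authenticated data. If no earlier check exists in authenticate_os_container (its body starts and ends outside the hunk), a guard before the loop such as `if (sizeof(*phdr) + phdr->num_images * sizeof(*img) > length) { ret = -EIO; goto exit; }` would keep every `img` inside the authenticated range. The same loop in arch/arm/mach-imx/imx8/ahab.c has the same shape.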
diff --git a/arch/arm/mach-imx/imx8/ahab.c b/arch/arm/mach-imx/imx8/ahab.c
index f13baa871cc..71a3b341913 100644
--- a/arch/arm/mach-imx/imx8/ahab.c
+++ b/arch/arm/mach-imx/imx8/ahab.c
@@ -28,7 +28,7 @@ DECLARE_GLOBAL_DATA_PTR;
 #define AHAB_HASH_TYPE_MASK	0x00000700
 #define AHAB_HASH_TYPE_SHA256	0
 
-int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
+void *ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
 {
 	int err;
 
@@ -37,10 +37,12 @@ int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length)
 
 	err = sc_seco_authenticate(-1, SC_SECO_AUTH_CONTAINER,
 				   SECO_LOCAL_SEC_SEC_SECURE_RAM_BASE);
-	if (err)
+	if (err) {
 		printf("Authenticate container hdr failed, return %d\n", err);
+		return NULL;
+	}
 
-	return err;
+	return (void *)SEC_SECURE_RAM_BASE; /* Return authenticated container header */
 }
 
 int ahab_auth_release(void)
@@ -126,7 +128,7 @@ int authenticate_os_container(ulong addr)
 {
 	struct container_hdr *phdr;
 	int i, ret = 0;
-	int err;
+	__maybe_unused int err;
 	u16 length;
 	struct boot_img_t *img;
 	unsigned long s, e;
@@ -159,15 +161,15 @@ int authenticate_os_container(ulong addr)
 
 	debug("container length %u\n", length);
 
-	err = ahab_auth_cntr_hdr(phdr, length);
-	if (err) {
+	phdr = ahab_auth_cntr_hdr(phdr, length);
+	if (!phdr) {
 		ret = -EIO;
 		goto exit;
 	}
 
 	/* Copy images to dest address */
 	for (i = 0; i < phdr->num_images; i++) {
-		img = (struct boot_img_t *)(addr +
+		img = (struct boot_img_t *)((ulong)phdr +
 					    sizeof(struct container_hdr) +
 					    i * sizeof(struct boot_img_t));
 
diff --git a/common/spl/spl_imx_container.c b/common/spl/spl_imx_container.c
index 79d021f81dc..57cd75b9b5e 100644
--- a/common/spl/spl_imx_container.c
+++ b/common/spl/spl_imx_container.c
@@ -88,6 +88,7 @@ static int read_auth_container(struct spl_image_info *spl_image,
 			       struct spl_load_info *info, ulong offset)
 {
 	struct container_hdr *container = NULL;
+	struct container_hdr *authhdr;
 	u16 length;
 	int i, size, ret = 0;
 
@@ -140,15 +141,19 @@ static int read_auth_container(struct spl_image_info *spl_image,
 		}
 	}
 
+	authhdr = container;
+
 #ifdef CONFIG_AHAB_BOOT
-	ret = ahab_auth_cntr_hdr(container, length);
-	if (ret)
+	authhdr = ahab_auth_cntr_hdr(authhdr, length);
+	if (!authhdr) {
+		ret = -EINVAL;
 		goto end_auth;
+	}
 #endif
 
-	for (i = 0; i < container->num_images; i++) {
+	for (i = 0; i < authhdr->num_images; i++) {
 		struct boot_img_t *image = read_auth_image(spl_image, info,
-							   container, i,
+							   authhdr, i,
 							   offset);
 
 		if (!image) {
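Review bot: `container` stays live next to `authhdr`, and only the loop bound and the `read_auth_image()` argument are switched over. Any later read through `container` in read_auth_container (the body continues outside the hunk) would still use the unauthenticated heap copy, so that is worth auditing. The failure path now sets `ret = -EINVAL`, while both authenticate_os_container variants in this patch use `-EIO` for the same condition; `ret = -EIO;` would be consistent. A short comment above `authhdr = container;`, such as `/* Without AHAB the heap copy is parsed directly; with AHAB it is replaced by the authenticated copy */`, would make the two-pointer arrangement clear.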
-- 
2.37.1



* Re: [PATCH] imx: ahab: Use authenticated header for images loading
  2026-04-28 10:09 [PATCH] imx: ahab: Use authenticated header for images loading Ye Li
@ 2026-04-29  2:32 ` Peng Fan
  0 siblings, 0 replies; 2+ messages in thread
From: Peng Fan @ 2026-04-29  2:32 UTC (permalink / raw)
  To: Ye Li; +Cc: festevam, u-boot, peng.fan, uboot-imx, ye.li

On Tue, Apr 28, 2026 at 06:09:58PM +0800, Ye Li wrote:
>When loading container image, the container header is loaded into
>heap memory. If ahab is enabled, the header is be copied to another
>fixed RAM for authentication in ahab_auth_cntr_hdr. The better method
>is using container header memory being authenticated for following
>image loading.
>So update ahab_auth_cntr_hdr to return the address of container header
>being authenticated. Caller uses this header for following parsing
>and image loading.
>
>Signed-off-by: Ye Li <ye.li@nxp.com>

Reviewed-by: Peng Fan <peng.fan@nxp.com>

