From: "Jorge Ramirez-Ortiz, Foundries"
Date: Mon, 4 Oct 2021 22:32:26 +0200
To: michal.simek@xilinx.com, trini@konsulko.com, sjg@chromium.org
Cc: u-boot@lists.denx.de, ricardo@foundries.io, mike@foundries.io, igor.opaniuk@foundries.io
Subject: FIT image: load secure FPGA
Message-ID: <20211004203226.GA4704@trex>

Hello,

We are enabling secure boot on Zynqmp with SPL.

The issue however is that during secure boot, the bootrom not only
validates the first loader (SPL and PMUFW combo) but it will also
expect a signed bitstream during load(FPGA).

Since currently the SPL load of an FPGA image from FIT does not
support loading images for authentication (fpga_loads), I'd like to
discuss how to best implement such support.

A pretty standard file.its description of the FPGA loadable looks like
this:

	fpga {
		description = "FPGA binary";
		data = /incbin/("${DEPLOY_DIR_IMAGE}/${SPL_FPGA_BINARY}");
		type = "fpga";
		arch = "${UBOOT_ARCH}";
		compression = "none";
		load = <${fpgaloadaddr}>;
		hash-1 {
			algo = "${FIT_HASH_ALG}";
		};
	};

We could extend imagetool.h struct image_tool_params to add more
params or perhaps just define different 'types' of fpga?

Something like:

	"fpga"
	"fpga-auth" : authenticated
	"fpga-enc"  : encrypted
	"fpga-sec"  : encrypted and authenticated

Then it would be a matter of modifying
https://github.com/u-boot/u-boot/blob/master/common/spl/spl_fit.c#L572

any thoughts?

TIA
Jorge
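
Added example (not part of the original mail and not U-Boot code): one way the four proposed type strings could select a load path while failing closed. All names here (struct fpga_load_mode, fpga_select_path, the secure_boot flag) are hypothetical, and refusing unauthenticated types when secure boot is on is an assumed policy based on the mail's remark that the bootrom expects a signed bitstream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins; none of these names come from U-Boot. */
struct fpga_load_mode {
	const char *type;	/* value of the FIT "type" property */
	bool auth;		/* bitstream is authenticated (signed) */
	bool enc;		/* bitstream is encrypted */
};

/* The four type strings proposed in the mail. */
static const struct fpga_load_mode fpga_modes[] = {
	{ "fpga",      false, false },
	{ "fpga-auth", true,  false },
	{ "fpga-enc",  false, true  },
	{ "fpga-sec",  true,  true  },
};

enum fpga_path { FPGA_REJECT, FPGA_PLAIN_LOAD, FPGA_SECURE_LOAD };

/*
 * Pick the load path for an image node. Matching is exact (strcmp), so a
 * typo such as "fpga-secure" is rejected instead of falling back to the
 * plain "fpga" path. Assumed policy: with secure boot on, only types that
 * carry authentication are accepted.
 */
enum fpga_path fpga_select_path(const char *type, bool secure_boot,
				const struct fpga_load_mode **mode)
{
	size_t i;

	*mode = NULL;
	if (!type)
		return FPGA_REJECT;

	for (i = 0; i < sizeof(fpga_modes) / sizeof(fpga_modes[0]); i++) {
		const struct fpga_load_mode *m = &fpga_modes[i];

		if (strcmp(type, m->type) != 0)
			continue;
		if (secure_boot && !m->auth)
			return FPGA_REJECT;
		*mode = m;
		return (m->auth || m->enc) ? FPGA_SECURE_LOAD : FPGA_PLAIN_LOAD;
	}
	return FPGA_REJECT;	/* unknown type: fail closed */
}
```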