author | lei zhou <lei.zhou@linaro.org> | 2022-11-22 12:28:19 -0500 |
---|---|---|
committer | lei zhou <lei.zhou@linaro.org> | 2022-11-22 12:28:19 -0500 |
commit | 648be66578a1383a694a10bffd33faa9db53d63f (patch) | |
tree | 2de2e472f669f3b559c48f73f69069379c4051a0 | |
parent | 5f7405549e588ff667bc0cecebf51c998d0b0e55 (diff) |
u-boot-imx: update build, package and sign, test procedures
-rw-r--r-- | how_to_test.txt | 126 |
1 files changed, 93 insertions, 33 deletions
diff --git a/how_to_test.txt b/how_to_test.txt index 484a7fea91..d3ec15af76 100644 --- a/how_to_test.txt +++ b/how_to_test.txt @@ -2,19 +2,20 @@ Depending on how you build and steps are different. In my case to make simple, use standalone way to build and flash instead of YOCTO environment. 1. Get IMX-MKIMAGE source and will be used to package final bootloader image flash.bin - https://source.codeaurora.org/external/imx/imx-mkimage + https://git.linaro.org/people/lei.zhou/security/imx8mq-uboot.git +(forked from https://source.codeaurora.org/external/imx/imx-mkimage) -2. Build U-Boot with the HAB configuration enabled: +2. Build U-Boot(v2022.04) with the HAB configuration enabled: * CONFIG_IMX_HAB for U-Boot >= 2019.10 $ git clone https://github.com/nxp-imx/uboot-imx - ~$ cd u-boot-imx6 + ~$ cd u-boot-imx6 && git checkout lf_v2022.04 ~/u-boot-imx6$ export ARCH=arm64 ~/u-boot-imx6$ export CROSS_COMPILE=aarch64-linux-gnu- ~/u-boot-imx6$ export CROSS_COMPILE64=aarch64-linux-gnu- ~/u-boot-imx6$ make distclean; make imx8mq_evk_defconfig ~/u-boot-imx6$ make menuconfig - (enable the HAB configuration here) + (enable the HAB configuration here. eg CONFIG_IMX_HAB) $ make Output images $(UBOOT_SRC)/u-boot-nodtb.bin(1M) 
@@ -36,38 +37,40 @@ use standalone way to build and flash instead of YOCTO environment. ~$ cp firmware-imx-8.5/firmware/hdmi/cadence/signed_*.bin imx-mkimage/iMX8M/ ~$ cp firmware-imx-8.5/firmware/ddr/synopsys/lpddr4*.bin imx-mkimage/iMX8M/ -4. Download and build ATF/OPTEE firmware +4. Download and build ATF(IMX 2.6)/OPTEE(3.15) firmware Get the ATF from the below mentioned source link - https://source.codeaurora.org/external/imx/imx-atf + https://git.linaro.org/people/lei.zhou/security/imx8mq-atf.git +(forked from https://source.codeaurora.org/external/imx/imx-atf) ----Build images export CROSS_COMPILE=aarch64-linux-gnu- export CROSS_COMPILE64=aarch64-linux-gnu- export ARCH=arm64 - $ make realclean; make PLAT=imx8mq LOG_LEVEL=50 bl31 + $ make realclean + // $ make PLAT=imx8mq LOG_LEVEL=50 bl31 // imx-atf$ vi ./plat/imx/imx8m/imx8mq/include/platform_def.h // #define DEBUG_CONSOLE (1) $ make PLAT=imx8mq SPD=opteed LOG_LEVEL=50 bl31 // to enable OPTEE ----Output images - $(ATF_SRC)/build/imx8mq/release/bl31.bin + $(ATF_SRC)/build/imx8mq/release/bl31.bin && copy to imx-mkimage/iMX8M/ folder. - --- build OPTEE + --- build OPTEE (3.15) $git clone http://source.codeaurora.org/external/imx/imx-optee-os $ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf CROSS_COMPILE64=aarch64-linux-gnu- CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_TA_LOG_LEVEL=3 CFG_TEE_CORE_DEBUG=y CFG_DEBUG_INFO=y ./scripts/nxp_build.sh imx-mx8mqevk Note: tee.bin is not a raw binary and tee-pager_v2.bin(tee-raw.bin) || tee-header_v2.bin. Actually, the optee header information are only mandatory when "optee pager" is enabled.When optee pager is not enable, tee.bin contains the header + the unique raw optee core image to be loaded in DDR. This raw optee core image is the file tee-pager.bin, generated next to out/.../core/tee.bin -5. Build i.MX8Mq final boot image flash.bin - - 5.1 Below mentioned are the steps to generate bootloder using mkimage and gather necessary images +5. 
Below mentioned are the steps to generate bootloder using mkimage and gather necessary images SPL and U-boot images - u-boot-nodtb.bin - u-boot-spl.bin - imx8mq-evk.dtb ATF image - bl31.bin + OP-TEE image + - tee.bin (tee-raw.bin) DDR firmware images - lpddr4_pmu_train_1d_dmem.bin - lpddr4_pmu_train_1d_imem.bin 
@@ -77,26 +80,83 @@ use standalone way to build and flash instead of YOCTO environment. Copy these files to imx-mkimage/iMX8M directory - $ make SOC=iMX8M flash_evk - -6. Validate POC test case 1: No valid BL32 OPTEE is flashed to eMMC - Boot up the system and make sure it can boot successfuly to uboot cmdline. By inpsecting the console logs, -make sure SPL->BL31->UBOOT booting without any spotted failure. - Use following sequence to flash bootloader to the target board. - 6.1 u-boot> fastboot 0 - 6.2 PC @imx-mkimage/iMX8M> fastboot flash bootloader flash.bin - -7. Validate POC test case 2: Flash valid OPTEE tee-raw.bin to eMMC at predefined eMMC LBA sectors(boot partition) - 7.1 Steps on writing tee-raw.bin to specified eMMC offset. - * Prepare a SD card with FAT partition and copy tee-raw.bin over, then insert SD card into iMX8MQ board. - * Boot up from eMMC and run following sequence to flash tee-raw.bin - - => uboot > fatload mmc 1:1 0x62000000 tee-raw.bin - => uboot > mmc dev 0 // based on $mmc list info to switch eMMC media - => uboot > mmc partconf 0 1 1 1 // switch to R/W boot partition 1 - => mmc write 0x62000000 0x1000(2M(offset)/512) 0x44C(file-size-tee-raw.bin/512) - - 7.2 Then reboot the board and make sure board can successfully boot to uboot. - Inspect the console logs make sure SPL->BL31->BL32->UBOOT boots with non-failing logs +6. Following steps cover detailed procedure on how to build, package and sign final image before deploy +to iMX8MQ-EVK target. 
+ Step 1: $ make SOC=iMX8M flash_evk_notee_no_hdmi + ========= OFFSET dump ========= + Loader IMAGE: + header_image_off 0x0 + dcd_off 0x0 + image_off 0x40 + csf_off 0x35800 + spl hab block: 0x7e0fc0 0x0 0x35800 + + Second Loader IMAGE: + sld_header_off 0x57c00 + sld_csf_off 0x58c20 + sld hab block: 0x401fcdc0 0x57c00 0x1020 + + Step 2: $make SOC=iMX8M print_fit_hab_notee + + ATF_LOAD_ADDR=0x00910000 VERSION=v1 ./print_fit_hab_notee.sh 0x60000 evk.dtb + 0x40200000 0x5AC00 0xD6EA8 + 0x402D6EA8 0x131AA8 0xCD98 + 0x910000 0x13E840 0xA0E0 + + Step 3: Update csf_spl.txt & csf_fit.txt’s “[Authenticate Data]” section based on +the information captured earlier(Essentially this section will be used by CST signing tool +to compute and create image signature signed by SRK’s CSF/IMAGE key respectively.) + + Step 4: Run CST signing too to create signing signature for different image partitions(SPL and +FIT image) + $cst -i csf_spl.txt -o csf_spl.bin + $cst -i csf_fit.txt -o csf_fit.bin + + Step 5: Copy signed CSF sections from Step 4: into final flash.bin ( +Make sure the offsets are captured from earlier make command’s outputs) + + $dd if=csf_spl.bin of=flash.bin.sig seek=$((0x35800)) bs=1 conv=notrunc + $dd if=csf_fit.bin of=flash.bin.sig seek=$((0x58c20)) bs=1 conv=notrunc + + Step 6: Flash the image to target (iMX8MQ-EVK board with Linux) + $fastboot 0 // from u-boot command line + $fastboot flash bootloader flash.bin.sig // from dev machine + +So far, Part number image is packaged and signed, also depolyed to target.iMX8MQ can be boot up to U-Boot command line. Next section covers steps how to package and sign/deploy FIT-TEE image. 
+ + Step 7: $make clean && make SOC=iMX8M flash_tee + FIT IVT IMAGE: + fit_csf_off 0x1020 + fit hab block: 0x401fcdc0 0x0 0x1020 + Step 8: $make SOC=iMX8M print_fit_hab_tee + TEE_LOAD_ADDR=0xfe000000 VERSION=v1 ./print_fit_hab_tee.sh 0 + 0xFE000000 0x3000 0x7EEB0 + Step 9: Update csf_fit_tee.txt’s “[Authenticate Data]” section based on the information captured earlier then sign it. + $cst -i csf_fit_tee.txt -o csf_fit_tee.bin + + Step 10: Copy signed CSF sections from Step 4: into final image. + $dd if=csf_fit_tee.bin of=tee-ivt.itb.sig seek=$((0x1020)) bs=1 conv=notrunc + + Step 11: Flash tee-ivt.itb.sig to eMMC at predefined offset. One of options can be like following: + iMX8MQ U-Boot> ums 0 1 + Dev_machine> cp tee-ivt.itb.sig /media/${user}/boot + U-Boot > fatload mmc 1:1 0x62000000 tee-ivt.itb.sig + => mmc partconf 0 1 1 1 // switch to R/W boot partition 1 + // mmc partconf ${emmc_dev}0 ${emmc_ack}1 1 0 + => mmc dev 0 // based on $mmc list info + => mmc write 0x62000000 0x1000(eMMC_offset_in_LBA) 0x40f(image_sz_in_sector) + +Test to make sure: + Under U-Boot command line run >>>had_statue to confirm no image verifying failure + u-boot=> hab_status + Secure boot disabled + HAB Configuration: 0xf0, HAB State: 0x66 + No HAB Events Found! + Under Linux command line run OP-TEE test suite to confirm passing successfully + $xtest + 35625 subtests of which 0 failed + 126 test cases of which 0 failed + 0 test cases were skipped + TEE test application done! |
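Review bot: In the first hunk (@@ -2,19 +2,20 @@), step 1 still reads "Get IMX-MKIMAGE source", but the new URL is imx8mq-uboot.git while the parenthetical says it was forked from imx-mkimage. The repository name and the description disagree, so a reader cannot tell which tree to clone for packaging flash.bin. Point step 1 at the mkimage fork or explain the naming. In step 2, the added `cd u-boot-imx6 && git checkout lf_v2022.04` follows `git clone https://github.com/nxp-imx/uboot-imx`, which creates a directory named uboot-imx, not u-boot-imx6. Either clone into u-boot-imx6 explicitly or change the cd and the prompts.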
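Review bot: In the second hunk (@@ -36,38 +37,40 @@), the headings now name ATF (IMX 2.6) and OP-TEE (3.15), but no added line checks out a matching branch or tag in either tree, unlike the `git checkout lf_v2022.04` added for U-Boot, so the build is not pinned to the versions the text claims. Add the checkout for both trees. While touching this block, switch the OP-TEE clone from http:// to https://, since that source becomes the secure-world image that is signed later in the procedure. The `// $ make PLAT=imx8mq LOG_LEVEL=50 bl31` line reads as a leftover: drop it or say when the build without OP-TEE is wanted. The rewrite of step 5 also removes the "Build i.MX8Mq final boot image flash.bin" title, leaving the step without a statement of its goal.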
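Review bot: In the third hunk (@@ -77,26 +80,83 @@), Step 5 writes the CSF blobs into flash.bin.sig with `conv=notrunc`, but no earlier step creates flash.bin.sig from the flash.bin built in Step 1. Run as written, dd creates a new file that holds only the CSF data at those offsets, and Step 6 then flashes that file. Add an explicit `cp flash.bin flash.bin.sig` before the dd commands, and likewise state which Step 7 output tee-ivt.itb.sig is copied from before Step 10. Step 10 should reference Step 9, not Step 4, and "had_statue" should be hab_status. The dd offsets 0x35800, 0x58c20 and 0x1020 are hardcoded from one build's dump, so tell the reader to substitute csf_off, sld_csf_off and fit_csf_off from their own make output. The sample hab_status output shows "Secure boot disabled", so it is worth stating that this check covers only the open configuration.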