author lei zhou <lei.zhou@linaro.org> 2022-11-22 12:28:19 -0500
committer lei zhou <lei.zhou@linaro.org> 2022-11-22 12:28:19 -0500
commit 648be66578a1383a694a10bffd33faa9db53d63f
tree 2de2e472f669f3b559c48f73f69069379c4051a0
parent 5f7405549e588ff667bc0cecebf51c998d0b0e55
u-boot-imx: update build, package and sign, test procedures
-rw-r--r-- how_to_test.txt 126
1 files changed, 93 insertions, 33 deletions
diff --git a/how_to_test.txt b/how_to_test.txt
index 484a7fea91..d3ec15af76 100644
--- a/how_to_test.txt
+++ b/how_to_test.txt
@@ -2,19 +2,20 @@ Depending on how you build and steps are different. In my case to make simple,
use standalone way to build and flash instead of YOCTO environment.
1. Get IMX-MKIMAGE source and will be used to package final bootloader image flash.bin
- https://source.codeaurora.org/external/imx/imx-mkimage
+ https://git.linaro.org/people/lei.zhou/security/imx8mq-uboot.git
+(forked from https://source.codeaurora.org/external/imx/imx-mkimage)
-2. Build U-Boot with the HAB configuration enabled:
+2. Build U-Boot(v2022.04) with the HAB configuration enabled:
* CONFIG_IMX_HAB for U-Boot >= 2019.10
$ git clone https://github.com/nxp-imx/uboot-imx
- ~$ cd u-boot-imx6
+ ~$ cd u-boot-imx6 && git checkout lf_v2022.04
~/u-boot-imx6$ export ARCH=arm64
~/u-boot-imx6$ export CROSS_COMPILE=aarch64-linux-gnu-
~/u-boot-imx6$ export CROSS_COMPILE64=aarch64-linux-gnu-
~/u-boot-imx6$ make distclean; make imx8mq_evk_defconfig
~/u-boot-imx6$ make menuconfig
- (enable the HAB configuration here)
+ (enable the HAB configuration here. eg CONFIG_IMX_HAB)
$ make
Output images
$(UBOOT_SRC)/u-boot-nodtb.bin(1M)
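Review bot: in step 2 the added "cd u-boot-imx6 && git checkout lf_v2022.04" still enters u-boot-imx6, but the clone line just above it ("git clone https://github.com/nxp-imx/uboot-imx") creates a directory named uboot-imx, so the command fails as written; either clone into u-boot-imx6 explicitly or change the cd and the prompts to match. In step 1 the new URL ends in imx8mq-uboot.git while the step text says it fetches the IMX-MKIMAGE source, and no branch or commit is given for the fork, unlike the lf_v2022.04 checkout added for U-Boot. Please confirm the repository name and state the revision to check out, so the packaging tool that feeds the signing steps is reproducible.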
@@ -36,38 +37,40 @@ use standalone way to build and flash instead of YOCTO environment.
~$ cp firmware-imx-8.5/firmware/hdmi/cadence/signed_*.bin imx-mkimage/iMX8M/
~$ cp firmware-imx-8.5/firmware/ddr/synopsys/lpddr4*.bin imx-mkimage/iMX8M/
-4. Download and build ATF/OPTEE firmware
+4. Download and build ATF(IMX 2.6)/OPTEE(3.15) firmware
Get the ATF from the below mentioned source link
- https://source.codeaurora.org/external/imx/imx-atf
+ https://git.linaro.org/people/lei.zhou/security/imx8mq-atf.git
+(forked from https://source.codeaurora.org/external/imx/imx-atf)
----Build images
export CROSS_COMPILE=aarch64-linux-gnu-
export CROSS_COMPILE64=aarch64-linux-gnu-
export ARCH=arm64
- $ make realclean; make PLAT=imx8mq LOG_LEVEL=50 bl31
+ $ make realclean
+ // $ make PLAT=imx8mq LOG_LEVEL=50 bl31
// imx-atf$ vi ./plat/imx/imx8m/imx8mq/include/platform_def.h
// #define DEBUG_CONSOLE (1)
$ make PLAT=imx8mq SPD=opteed LOG_LEVEL=50 bl31 // to enable OPTEE
----Output images
- $(ATF_SRC)/build/imx8mq/release/bl31.bin
+ $(ATF_SRC)/build/imx8mq/release/bl31.bin && copy to imx-mkimage/iMX8M/ folder.
- --- build OPTEE
+ --- build OPTEE (3.15)
$git clone http://source.codeaurora.org/external/imx/imx-optee-os
$ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf CROSS_COMPILE64=aarch64-linux-gnu- CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_TA_LOG_LEVEL=3 CFG_TEE_CORE_DEBUG=y CFG_DEBUG_INFO=y ./scripts/nxp_build.sh imx-mx8mqevk
Note: tee.bin is not a raw binary and tee-pager_v2.bin(tee-raw.bin) || tee-header_v2.bin. Actually, the optee header information are only mandatory when "optee pager" is enabled.When optee pager is not enable, tee.bin contains the header + the unique raw optee core image to be loaded in DDR. This raw optee core image is the file tee-pager.bin, generated next to out/.../core/tee.bin
-5. Build i.MX8Mq final boot image flash.bin
-
- 5.1 Below mentioned are the steps to generate bootloder using mkimage and gather necessary images
+5. Below mentioned are the steps to generate bootloder using mkimage and gather necessary images
SPL and U-boot images
- u-boot-nodtb.bin
- u-boot-spl.bin
- imx8mq-evk.dtb
ATF image
- bl31.bin
+ OP-TEE image
+ - tee.bin (tee-raw.bin)
DDR firmware images
- lpddr4_pmu_train_1d_dmem.bin
- lpddr4_pmu_train_1d_imem.bin
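Review bot: the step 4 headings now name ATF (IMX 2.6) and OPTEE (3.15), but neither the new ATF fork URL nor the "git clone http://source.codeaurora.org/external/imx/imx-optee-os" line is followed by a checkout of the matching branch or tag, so the reader builds whatever the default branch holds; add the checkout, as the U-Boot step does, and consider an https URL for the OP-TEE clone since this source ends up in the signed image. The new output line "bl31.bin && copy to imx-mkimage/iMX8M/ folder." puts prose behind "&&"; write it as an explicit cp command on its own line. The OP-TEE entry added to the step 5 list reads "tee.bin (tee-raw.bin)" while the Note above it says tee.bin is not a raw binary, so state which of the two files is the one to copy.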
@@ -77,26 +80,83 @@ use standalone way to build and flash instead of YOCTO environment.
Copy these files to imx-mkimage/iMX8M directory
- $ make SOC=iMX8M flash_evk
-
-6. Validate POC test case 1: No valid BL32 OPTEE is flashed to eMMC
- Boot up the system and make sure it can boot successfuly to uboot cmdline. By inpsecting the console logs,
-make sure SPL->BL31->UBOOT booting without any spotted failure.
- Use following sequence to flash bootloader to the target board.
- 6.1 u-boot> fastboot 0
- 6.2 PC @imx-mkimage/iMX8M> fastboot flash bootloader flash.bin
-
-7. Validate POC test case 2: Flash valid OPTEE tee-raw.bin to eMMC at predefined eMMC LBA sectors(boot partition)
- 7.1 Steps on writing tee-raw.bin to specified eMMC offset.
- * Prepare a SD card with FAT partition and copy tee-raw.bin over, then insert SD card into iMX8MQ board.
- * Boot up from eMMC and run following sequence to flash tee-raw.bin
-
- => uboot > fatload mmc 1:1 0x62000000 tee-raw.bin
- => uboot > mmc dev 0 // based on $mmc list info to switch eMMC media
- => uboot > mmc partconf 0 1 1 1 // switch to R/W boot partition 1
- => mmc write 0x62000000 0x1000(2M(offset)/512) 0x44C(file-size-tee-raw.bin/512)
-
- 7.2 Then reboot the board and make sure board can successfully boot to uboot.
- Inspect the console logs make sure SPL->BL31->BL32->UBOOT boots with non-failing logs
+6. Following steps cover detailed procedure on how to build, package and sign final image before deploy
+to iMX8MQ-EVK target.
+ Step 1: $ make SOC=iMX8M flash_evk_notee_no_hdmi
+ ========= OFFSET dump =========
+ Loader IMAGE:
+ header_image_off 0x0
+ dcd_off 0x0
+ image_off 0x40
+ csf_off 0x35800
+ spl hab block: 0x7e0fc0 0x0 0x35800
+
+ Second Loader IMAGE:
+ sld_header_off 0x57c00
+ sld_csf_off 0x58c20
+ sld hab block: 0x401fcdc0 0x57c00 0x1020
+
+ Step 2: $make SOC=iMX8M print_fit_hab_notee
+
+ ATF_LOAD_ADDR=0x00910000 VERSION=v1 ./print_fit_hab_notee.sh 0x60000 evk.dtb
+ 0x40200000 0x5AC00 0xD6EA8
+ 0x402D6EA8 0x131AA8 0xCD98
+ 0x910000 0x13E840 0xA0E0
+
+ Step 3: Update csf_spl.txt & csf_fit.txt’s “[Authenticate Data]” section based on
+the information captured earlier(Essentially this section will be used by CST signing tool
+to compute and create image signature signed by SRK’s CSF/IMAGE key respectively.)
+
+ Step 4: Run CST signing too to create signing signature for different image partitions(SPL and
+FIT image)
+ $cst -i csf_spl.txt -o csf_spl.bin
+ $cst -i csf_fit.txt -o csf_fit.bin
+
+ Step 5: Copy signed CSF sections from Step 4: into final flash.bin (
+Make sure the offsets are captured from earlier make command’s outputs)
+
+ $dd if=csf_spl.bin of=flash.bin.sig seek=$((0x35800)) bs=1 conv=notrunc
+ $dd if=csf_fit.bin of=flash.bin.sig seek=$((0x58c20)) bs=1 conv=notrunc
+
+ Step 6: Flash the image to target (iMX8MQ-EVK board with Linux)
+ $fastboot 0 // from u-boot command line
+ $fastboot flash bootloader flash.bin.sig // from dev machine
+
+So far, Part number image is packaged and signed, also depolyed to target.iMX8MQ can be boot up to U-Boot command line. Next section covers steps how to package and sign/deploy FIT-TEE image.
+
+ Step 7: $make clean && make SOC=iMX8M flash_tee
+ FIT IVT IMAGE:
+ fit_csf_off 0x1020
+ fit hab block: 0x401fcdc0 0x0 0x1020
+ Step 8: $make SOC=iMX8M print_fit_hab_tee
+ TEE_LOAD_ADDR=0xfe000000 VERSION=v1 ./print_fit_hab_tee.sh 0
+ 0xFE000000 0x3000 0x7EEB0
+ Step 9: Update csf_fit_tee.txt’s “[Authenticate Data]” section based on the information captured earlier then sign it.
+ $cst -i csf_fit_tee.txt -o csf_fit_tee.bin
+
+ Step 10: Copy signed CSF sections from Step 4: into final image.
+ $dd if=csf_fit_tee.bin of=tee-ivt.itb.sig seek=$((0x1020)) bs=1 conv=notrunc
+
+ Step 11: Flash tee-ivt.itb.sig to eMMC at predefined offset. One of options can be like following:
+ iMX8MQ U-Boot> ums 0 1
+ Dev_machine> cp tee-ivt.itb.sig /media/${user}/boot
+ U-Boot > fatload mmc 1:1 0x62000000 tee-ivt.itb.sig
+ => mmc partconf 0 1 1 1 // switch to R/W boot partition 1
+ // mmc partconf ${emmc_dev}0 ${emmc_ack}1 1 0
+ => mmc dev 0 // based on $mmc list info
+ => mmc write 0x62000000 0x1000(eMMC_offset_in_LBA) 0x40f(image_sz_in_sector)
+
+Test to make sure:
+ Under U-Boot command line run >>>had_statue to confirm no image verifying failure
+ u-boot=> hab_status
+ Secure boot disabled
+ HAB Configuration: 0xf0, HAB State: 0x66
+ No HAB Events Found!
+ Under Linux command line run OP-TEE test suite to confirm passing successfully
+ $xtest
+ 35625 subtests of which 0 failed
+ 126 test cases of which 0 failed
+ 0 test cases were skipped
+ TEE test application done!
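Review bot: Steps 5 and 10 dd the CSF into flash.bin.sig and tee-ivt.itb.sig, but no step creates those files from the images built in Steps 1 and 7; with conv=notrunc and a missing output file, dd produces a new file that contains only the CSF bytes at the seek offset. Add an explicit copy of the unsigned image to the .sig name before each dd. Step 10 says "from Step 4:" where it means Step 9. In Step 11 the sector count 0x40f is hard-coded: the block printed in Step 8 (offset 0x3000, length 0x7EEB0) ends at 0x81EB0, while 0x40f sectors cover only 0x81E00, so derive the count from the actual file size rounded up to a full sector. In the test section the hab_status sample shows "Secure boot disabled", so it only demonstrates that an open device logged no HAB events; say so, and since the removed test case 1 was the only one without a valid BL32, add a case with a modified image that is expected to produce HAB events. Typos to fix while here: "signing too", "depolyed", "had_statue" (the command shown on the next line is hab_status).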