Trusted Firmware-A for i.MX7 WaRP7
==================================

The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3.
The i.MX7S contains a BootROM with High Assurance Boot (HAB) functionality.
This functionality provides a mechanism for establishing a root-of-trust from
the reset vector to the command-line in user-space.

Boot Flow
=========

BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux

In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is
expected and required

# Build Instructions

We need to use a file generated by u-boot in order to generate a .imx image the
BootROM will boot. It is therefore _required_ to build u-boot before TF-A and
furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory
to generate the TF-A .imx image.

## U-Boot:

https://git.linaro.org/landing-teams/working/mbl/u-boot.git

.. code:: shell

    git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot
    make warp7_bl33_defconfig;
    make u-boot.imx ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-

## OP-TEE:

https://github.com/OP-TEE/optee_os.git

.. code:: shell

    make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000

## TF-A:

https://github.com/ARM-software/arm-trusted-firmware.git

The following commands assume that a directory named "fiptool_images" exists in
the top-level TF-A build directory. "fiptool_images" contains:

- u-boot.bin
  The binary output from the u-boot instructions above

- tee-header_v2.bin
- tee-pager_v2.bin
- tee-pageable_v2.bin
  Binary outputs from the previous OP-TEE build steps

It is also assumed that a copy of mbedtls is available at the path ../mbedtls
  https://github.com/ARMmbed/mbedtls.git
  At the time of writing HEAD points to 0592ea772aee48ca1e6d9eb84eca8e143033d973

.. code:: shell

    mkdir fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images

    make CROSS_COMPILE=${CROSS_COMPILE} PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
         ARM_CORTEX_A7=yes AARCH32_SP=optee PLAT_WARP7_UART=1 GENERATE_COT=1 \
         TRUSTED_BOARD_BOOT=1 USE_TBBR_DEFS=1 MBEDTLS_DIR=../mbedtls \
         NEED_BL32=yes BL32=fiptool_images/tee-header_v2.bin \
         BL32_EXTRA1=fiptool_images/tee-pager_v2.bin \
         BL32_EXTRA2=fiptool_images/tee-pageable_v2.bin \
         BL33=fiptool_images/u-boot.bin certificates all

    /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx

## FIP:

.. code:: shell

    cp /path/to/uboot/u-boot.bin fiptool_images
    cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images

    tools/cert_create/cert_create -n --rot-key "build/warp7/debug/rot_key.pem" \
        --tfw-nvctr 0 \
        --ntfw-nvctr 0 \
        --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
        --tb-fw=build/warp7/debug/bl2.bin \
        --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt \
        --tos-fw fiptool_images/tee-header_v2.bin \
        --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
        --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
        --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
        --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
        --nt-fw fiptool_images/u-boot.bin \
        --nt-fw-cert fiptool_images/u-boot.bin.crt \
        --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
        --hw-config fiptool_images/imx7s-warp.dtb

    tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin \
        --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
        --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
        --nt-fw fiptool_images/u-boot.bin \
        --hw-config fiptool_images/imx7s-warp.dtb \
        --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
        --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
        --nt-fw-cert fiptool_images/u-boot.bin.crt \
        --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
        --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
        --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt warp7.fip

# Deploy Images

First place the WaRP7 into UMS mode in u-boot. This should produce an entry in
/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0

.. code:: shell

    => ums 0 mmc 0

Next flash bl2.imx and warp7.fip

bl2.imx is flashed @ 1024 bytes
warp7.fip is flashed @ 1048576 bytes

.. code:: shell

    sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc
    # Offset is 1MB 1048576 => 1048576 / 512 = 2048
    sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc

Remember to umount the USB device before proceeding

.. code:: shell

    sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0*

# Signing BL2

A further step is to sign BL2.

The image_sign.sh and bl2_sign.csf files alluded to below are available here.

https://github.com/bryanodonoghue/atf-code-signing

It is suggested you use this script plus the example CSF file in order to avoid
hard-coding data into your CSF files.

Download both "image_sign.sh" and "bl2_sign.csf" to your
arm-trusted-firmware top-level directory.

.. code:: shell

    #!/bin/bash
    SIGN=image_sign.sh
    TEMP=`pwd`/temp
    BL2_CSF=bl2_sign.csf
    BL2_IMX=bl2.bin.imx
    CST_PATH=/path/to/cst-2.3.2
    CST_BIN=${CST_PATH}/linux64/cst

    # Remove temp
    rm -rf ${TEMP}
    mkdir ${TEMP}

    # Generate IMX header
    /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log

    # Copy required items to $TEMP
    cp build/warp7/debug/bl2.bin.imx ${TEMP}
    cp ${CST_PATH}/keys/* ${TEMP}
    cp ${CST_PATH}/crts/* ${TEMP}
    cp ${BL2_CSF} ${TEMP}

    # Generate signed BL2 image
    ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN}

    # Copy signed BL2 to top-level directory
    cp ${TEMP}/${BL2_IMX}-signed .

The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy
Images section above, once done.

Suggested flow for verifying.

1. Follow all previous steps above and verify a non-secure ATF boot
2. Download the NXP Code Signing Tool
3. Generate keys
4. Program the fuses on your board
5. Replace bl2.bin.imx with bl2.bin.imx-signed
6. Verify inside u-boot that "hab_status" shows no events
7. Subsequently close your board.

If you have HAB events @ step 6 - do not lock your board.

To get a good overview of generating keys and programming the fuses on the
board read "High Assurance Boot for Dummies" by Boundary Devices.

https://boundarydevices.com/high-assurance-boot-hab-dummies/
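
For the Deploy Images step above, the following is an added example (not part of the original document or of TF-A) that checks the BL2 image cannot reach the FIP region, writes both images at the offsets the page gives, and reads each one back for a byte-for-byte compare. The function names are hypothetical; the target may be the UMS device node or a plain file standing in for it.

```shell
#!/bin/sh
# Added example: layout and read-back checks for the WaRP7 flashing step.
# Offsets are the ones stated on the page; function names are hypothetical.
BL2_OFFSET=1024        # bl2.bin.imx (or bl2.bin.imx-signed)
FIP_OFFSET=1048576     # warp7.fip
SECTOR=512             # block size used by the dd commands on the page

# Size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# Fail if the BL2 image would run into the region where the FIP is written.
check_layout() {       # check_layout <bl2-image>
    bl2_end=$(( BL2_OFFSET + $(file_size "$1") ))
    if [ "$bl2_end" -gt "$FIP_OFFSET" ]; then
        echo "BL2 ends at byte $bl2_end, overlaps FIP at $FIP_OFFSET" >&2
        return 1
    fi
}

# Write an image at a byte offset, the same way the page's dd commands do.
flash_at() {           # flash_at <image> <target> <byte-offset>
    dd if="$1" of="$2" bs=$SECTOR seek=$(( $3 / SECTOR )) conv=notrunc 2>/dev/null
}

# Read the written region back and compare it with the image.
verify_at() {          # verify_at <image> <target> <byte-offset>
    size=$(file_size "$1")
    sectors=$(( (size + SECTOR - 1) / SECTOR ))
    dd if="$2" bs=$SECTOR skip=$(( $3 / SECTOR )) count=$sectors 2>/dev/null |
        head -c "$size" | cmp -s - "$1"
}

# Check, flash and verify both images; stops at the first failure.
# Usage: deploy bl2.bin.imx warp7.fip /dev/disk/by-id/<your UMS device>
deploy() {             # deploy <bl2-image> <fip> <target>
    check_layout "$1" || return 1
    flash_at "$1" "$3" $BL2_OFFSET && verify_at "$1" "$3" $BL2_OFFSET || return 1
    flash_at "$2" "$3" $FIP_OFFSET && verify_at "$2" "$3" $FIP_OFFSET || return 1
}
```

Against the real device this needs root, and a read-back taken immediately after the write can be served from the host's page cache, so unplug and re-enter UMS mode before calling `verify_at` again if the compare must reflect what is on the eMMC.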