1*b182a5d9SBryan O'DonoghueTrusted Firmware-A for i.MX7 WaRP7 2*b182a5d9SBryan O'Donoghue================================== 3*b182a5d9SBryan O'Donoghue 4*b182a5d9SBryan O'DonoghueThe Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3. 5*b182a5d9SBryan O'DonoghueThe i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality. 6*b182a5d9SBryan O'DonoghueThis functionality provides a mechanism for establishing a root-of-trust from 7*b182a5d9SBryan O'Donoghuethe reset vector to the command-line in user-space. 8*b182a5d9SBryan O'Donoghue 9*b182a5d9SBryan O'DonoghueBoot Flow 10*b182a5d9SBryan O'Donoghue========= 11*b182a5d9SBryan O'Donoghue 12*b182a5d9SBryan O'DonoghueBootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux 13*b182a5d9SBryan O'Donoghue 14*b182a5d9SBryan O'DonoghueIn the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is 15*b182a5d9SBryan O'Donoghueexpected and required 16*b182a5d9SBryan O'Donoghue 17*b182a5d9SBryan O'Donoghue# Build Instructions 18*b182a5d9SBryan O'Donoghue 19*b182a5d9SBryan O'DonoghueWe need to use a file generated by u-boot in order to generate a .imx image the 20*b182a5d9SBryan O'DonoghueBootROM will boot. It is therefore _required_ to build u-boot before TF-A and 21*b182a5d9SBryan O'Donoghuefurthermore it is _recommended_ to use the mkimage in the u-boot/tools directory 22*b182a5d9SBryan O'Donoghueto generate the TF-A .imx image. 23*b182a5d9SBryan O'Donoghue 24*b182a5d9SBryan O'Donoghue## U-Boot: 25*b182a5d9SBryan O'Donoghue 26*b182a5d9SBryan O'Donoghuehttps://git.linaro.org/landing-teams/working/mbl/u-boot.git 27*b182a5d9SBryan O'Donoghue 28*b182a5d9SBryan O'Donoghue.. code:: shell 29*b182a5d9SBryan O'Donoghue 30*b182a5d9SBryan O'Donoghue git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot 31*b182a5d9SBryan O'Donoghue make warp7_bl33_defconfig; 32*b182a5d9SBryan O'Donoghue make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf- 33*b182a5d9SBryan O'Donoghue 34*b182a5d9SBryan O'Donoghue## TF-A: 35*b182a5d9SBryan O'Donoghue 36*b182a5d9SBryan O'Donoghuehttps://github.com/ARM-software/arm-trusted-firmware.git 37*b182a5d9SBryan O'Donoghue 38*b182a5d9SBryan O'Donoghue.. code:: shell 39*b182a5d9SBryan O'Donoghue 40*b182a5d9SBryan O'Donoghue make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 ARM_CORTEX_A7=yes AARCH32_SP=optee all 41*b182a5d9SBryan O'Donoghue /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx 42*b182a5d9SBryan O'Donoghue 43*b182a5d9SBryan O'Donoghue## OP-TEE: 44*b182a5d9SBryan O'Donoghue 45*b182a5d9SBryan O'Donoghuehttps://github.com/OP-TEE/optee_os.git 46*b182a5d9SBryan O'Donoghue 47*b182a5d9SBryan O'Donoghue.. code:: shell 48*b182a5d9SBryan O'Donoghue 49*b182a5d9SBryan O'Donoghue make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000 50*b182a5d9SBryan O'Donoghue 51*b182a5d9SBryan O'Donoghue 52*b182a5d9SBryan O'Donoghue## FIP: 53*b182a5d9SBryan O'Donoghue 54*b182a5d9SBryan O'Donoghue.. code:: shell 55*b182a5d9SBryan O'Donoghue 56*b182a5d9SBryan O'Donoghue mkdir fiptool_images 57*b182a5d9SBryan O'Donoghue cp /path/to/uboot/u-boot.bin fiptool_images 58*b182a5d9SBryan O'Donoghue cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images 59*b182a5d9SBryan O'Donoghue cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images 60*b182a5d9SBryan O'Donoghue cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images 61*b182a5d9SBryan O'Donoghue cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images 62*b182a5d9SBryan O'Donoghue tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin --tos-fw-extra1 fiptool_images/tee-pager_v2.bin --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin --nt-fw fiptool_images/u-boot.bin --hw-config fiptool_images/imx7s-warp.dtb warp7.fip 63*b182a5d9SBryan O'Donoghue 64*b182a5d9SBryan O'Donoghue 65*b182a5d9SBryan O'Donoghue# Deploy Images 66*b182a5d9SBryan O'Donoghue 67*b182a5d9SBryan O'Donoghue 68*b182a5d9SBryan O'DonoghueFirst place the WaRP7 into UMS mode in u-boot this should produce an entry in 69*b182a5d9SBryan O'Donoghue/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 70*b182a5d9SBryan O'Donoghue 71*b182a5d9SBryan O'Donoghue.. code:: shell 72*b182a5d9SBryan O'Donoghue 73*b182a5d9SBryan O'Donoghue => ums 0 mmc 0 74*b182a5d9SBryan O'Donoghue 75*b182a5d9SBryan O'DonoghueNext flash bl2.imx and warp7.fip 76*b182a5d9SBryan O'Donoghue 77*b182a5d9SBryan O'Donoghuebl2.imx is flashed @ 1024 bytes 78*b182a5d9SBryan O'Donoghuewarp7.fip is flash @ 1048576 bytes 79*b182a5d9SBryan O'Donoghue 80*b182a5d9SBryan O'Donoghue.. code:: shell 81*b182a5d9SBryan O'Donoghue 82*b182a5d9SBryan O'Donoghue sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc 83*b182a5d9SBryan O'Donoghue # Offset is 1MB 1048576 => 1048576 / 512 = 2048 84*b182a5d9SBryan O'Donoghue sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc 85*b182a5d9SBryan O'Donoghue 86*b182a5d9SBryan O'DonoghueRemember to umount the USB device pefore proceeding 87*b182a5d9SBryan O'Donoghue 88*b182a5d9SBryan O'Donoghue.. code:: shell 89*b182a5d9SBryan O'Donoghue 90*b182a5d9SBryan O'Donoghue sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0* 91*b182a5d9SBryan O'Donoghue 92*b182a5d9SBryan O'Donoghue 93*b182a5d9SBryan O'Donoghue# Signing BL2 94*b182a5d9SBryan O'Donoghue 95*b182a5d9SBryan O'DonoghueA further step is to sign BL2. 96*b182a5d9SBryan O'Donoghue 97*b182a5d9SBryan O'DonoghueThe image_sign.sh and bl2_sign.csf files alluded to blow are available here. 98*b182a5d9SBryan O'Donoghue 99*b182a5d9SBryan O'Donoghuehttps://github.com/bryanodonoghue/atf-code-signing 100*b182a5d9SBryan O'Donoghue 101*b182a5d9SBryan O'DonoghueIt is suggested you use this script plus the example CSF file in order to avoid 102*b182a5d9SBryan O'Donoghuehard-coding data into your CSF files. 103*b182a5d9SBryan O'Donoghue 104*b182a5d9SBryan O'DonoghueDownload both "image_sign.sh" and "bl2_sign.csf" to your 105*b182a5d9SBryan O'Donoghuearm-trusted-firmware top-level directory. 106*b182a5d9SBryan O'Donoghue 107*b182a5d9SBryan O'Donoghue.. code:: shell 108*b182a5d9SBryan O'Donoghue 109*b182a5d9SBryan O'Donoghue #!/bin/bash 110*b182a5d9SBryan O'Donoghue SIGN=image_sign.sh 111*b182a5d9SBryan O'Donoghue TEMP=`pwd`/temp 112*b182a5d9SBryan O'Donoghue BL2_CSF=bl2_sign.csf 113*b182a5d9SBryan O'Donoghue BL2_IMX=bl2.bin.imx 114*b182a5d9SBryan O'Donoghue CST_PATH=/path/to/cst-2.3.2 115*b182a5d9SBryan O'Donoghue CST_BIN=${CST_PATH}/linux64/cst 116*b182a5d9SBryan O'Donoghue 117*b182a5d9SBryan O'Donoghue #Remove temp 118*b182a5d9SBryan O'Donoghue rm -rf ${TEMP} 119*b182a5d9SBryan O'Donoghue mkdir ${TEMP} 120*b182a5d9SBryan O'Donoghue 121*b182a5d9SBryan O'Donoghue # Generate IMX header 122*b182a5d9SBryan O'Donoghue /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log 123*b182a5d9SBryan O'Donoghue 124*b182a5d9SBryan O'Donoghue # Copy required items to $TEMP 125*b182a5d9SBryan O'Donoghue cp build/warp7/debug/bl2.bin.imx ${TEMP} 126*b182a5d9SBryan O'Donoghue cp ${CST_PATH}/keys/* ${TEMP} 127*b182a5d9SBryan O'Donoghue cp ${CST_PATH}/crts/* ${TEMP} 128*b182a5d9SBryan O'Donoghue cp ${BL2_CSF} ${TEMP} 129*b182a5d9SBryan O'Donoghue 130*b182a5d9SBryan O'Donoghue # Generate signed BL2 image 131*b182a5d9SBryan O'Donoghue ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN} 132*b182a5d9SBryan O'Donoghue 133*b182a5d9SBryan O'Donoghue # Copy signed BL2 to top-level directory 134*b182a5d9SBryan O'Donoghue cp ${TEMP}/${BL2_IMX}-signed . 135*b182a5d9SBryan O'Donoghue cp ${BL2_RECOVER_CSF} ${TEMP} 136*b182a5d9SBryan O'Donoghue 137*b182a5d9SBryan O'Donoghue 138*b182a5d9SBryan O'DonoghueThe resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy 139*b182a5d9SBryan O'DonoghueImages section above, once done. 140*b182a5d9SBryan O'Donoghue 141*b182a5d9SBryan O'DonoghueSuggested flow for verifying. 142*b182a5d9SBryan O'Donoghue 143*b182a5d9SBryan O'Donoghue1. Followed all previous steps above and verify a non-secure ATF boot 144*b182a5d9SBryan O'Donoghue2. Down the NXP Code Singing Tool 145*b182a5d9SBryan O'Donoghue3. Generate keys 146*b182a5d9SBryan O'Donoghue4. Program the fuses on your board 147*b182a5d9SBryan O'Donoghue5. Replace bl2.bin.imx with bl2.bin.imx-signed 148*b182a5d9SBryan O'Donoghue6. Verify inside u-boot that "hab_status" shows no events 149*b182a5d9SBryan O'Donoghue7. Subsequently close your board. 150*b182a5d9SBryan O'Donoghue 151*b182a5d9SBryan O'DonoghueIf you have HAB events @ step 6 - do not lock your board. 152*b182a5d9SBryan O'Donoghue 153*b182a5d9SBryan O'DonoghueTo get a good over-view of generating keys and programming the fuses on the 154*b182a5d9SBryan O'Donoghueboard read "High Assurance Boot for Dummies" by Boundary Devices. 155*b182a5d9SBryan O'Donoghue 156*b182a5d9SBryan O'Donoghuehttps://boundarydevices.com/high-assurance-boot-hab-dummies/ 157