Trusted Firmware-A for i.MX7 WaRP7
==================================

The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3.
The i.MX7S contains a BootROM with High Assurance Boot (HAB) functionality.
This functionality provides a mechanism for establishing a root of trust from
the reset vector to the command line in user space.

Boot Flow
=========

BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux

In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is
expected and required

Build Instructions
==================

We need to use a file generated by u-boot in order to generate a .imx image the
BootROM will boot. It is therefore *required* to build u-boot before TF-A and
furthermore it is *recommended* to use the mkimage in the u-boot/tools directory
to generate the TF-A .imx image.

U-Boot
------

https://git.linaro.org/landing-teams/working/mbl/u-boot.git

.. code:: shell

    git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot
    make warp7_bl33_defconfig
    make u-boot.imx ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-

TF-A
----

https://github.com/ARM-software/arm-trusted-firmware.git

.. code:: shell

    make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 ARM_CORTEX_A7=yes AARCH32_SP=optee all
    /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx

OP-TEE
------

https://github.com/OP-TEE/optee_os.git

.. code:: shell

    make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000


FIP
---

.. code:: shell

    mkdir fiptool_images
    cp /path/to/uboot/u-boot.bin fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images
    cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images
    cp /path/to/linux/arch/arm/boot/dts/imx7s-warp.dtb fiptool_images
    tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin --tos-fw-extra1 fiptool_images/tee-pager_v2.bin --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin --nt-fw fiptool_images/u-boot.bin --hw-config fiptool_images/imx7s-warp.dtb warp7.fip


Deploy Images
=============

First place the WaRP7 into UMS mode in u-boot. This should produce an entry in
/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0

.. code:: shell

    => ums 0 mmc 0

Next, flash bl2.imx and warp7.fip:

- bl2.imx is flashed @ 1024 bytes
- warp7.fip is flashed @ 1048576 bytes

.. code:: shell

    sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc
    # Offset is 1MB 1048576 => 1048576 / 512 = 2048
    sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc

Remember to umount the USB device before proceeding

.. code:: shell

    sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0*
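
The two flash offsets above leave a fixed window for BL2, and a signed BL2 image is larger than the unsigned one. The following added example (not part of the TF-A documentation; the function names are hypothetical) checks that a BL2 image ends before the FIP offset and reads back what was written so it can be compared with the image files.

```shell
#!/bin/sh
# Added example: pre-flash layout check and post-flash read-back for the
# offsets used above (bl2 image at 1024 bytes, warp7.fip at 1048576 bytes).
BL2_OFFSET=1024
FIP_OFFSET=1048576

# Print the size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeed only if the BL2 image (signed or unsigned) ends before the FIP starts.
check_layout() {
    bl2=$1
    [ -s "$bl2" ] || { echo "missing or empty: $bl2" >&2; return 2; }
    end=$((BL2_OFFSET + $(file_size "$bl2")))
    if [ "$end" -gt "$FIP_OFFSET" ]; then
        echo "$bl2 ends at byte $end and would overlap the FIP at $FIP_OFFSET" >&2
        return 1
    fi
    echo "$bl2 ends at byte $end; $((FIP_OFFSET - end)) bytes free before the FIP"
}

# Compare what is stored at a byte offset of the target with the image file.
# target may be the UMS block device (run with sudo) or a disk image file.
verify_written() {
    image=$1 target=$2 offset=$3
    size=$(file_size "$image")
    # Read back whole 512-byte sectors, then trim to the image length.
    sectors=$(( (size + 511) / 512 ))
    dd if="$target" bs=512 skip=$((offset / 512)) count="$sectors" 2>/dev/null |
        head -c "$size" | cmp -s - "$image"
}

# Usage after the dd commands above (DEV is the /dev/disk/by-id/... path):
#   check_layout bl2.bin.imx-signed &&
#   verify_written bl2.bin.imx-signed "$DEV" "$BL2_OFFSET" &&
#   verify_written warp7.fip "$DEV" "$FIP_OFFSET"
```

Run `sync` before the read-back; the host page cache can still serve the read, so re-entering UMS mode first gives a comparison against what the eMMC actually holds.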


Signing BL2
===========

A further step is to sign BL2.

The image_sign.sh and bl2_sign.csf files alluded to below are available here.

https://github.com/bryanodonoghue/atf-code-signing

It is suggested you use this script plus the example CSF file in order to avoid
hard-coding data into your CSF files.

Download both "image_sign.sh" and "bl2_sign.csf" to your
arm-trusted-firmware top-level directory.

.. code:: shell

    #!/bin/bash
    # Stop at the first failing step so a failed header or signing run is noticed
    set -e
    SIGN=image_sign.sh
    TEMP="$(pwd)/temp"
    BL2_CSF=bl2_sign.csf
    BL2_IMX=bl2.bin.imx
    CST_PATH=/path/to/cst-2.3.2
    CST_BIN="${CST_PATH}/linux64/cst"

    # Remove temp
    rm -rf "${TEMP}"
    mkdir "${TEMP}"

    # Generate IMX header
    /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > "${TEMP}/${BL2_IMX}.log"

    # Copy required items to $TEMP (this includes the contents of the CST keys directory)
    cp build/warp7/debug/bl2.bin.imx "${TEMP}"
    cp "${CST_PATH}"/keys/* "${TEMP}"
    cp "${CST_PATH}"/crts/* "${TEMP}"
    cp "${BL2_CSF}" "${TEMP}"

    # Generate signed BL2 image
    "./${SIGN}" image_sign_mbl_binary "${TEMP}" "${BL2_CSF}" "${BL2_IMX}" "${CST_BIN}"

    # Copy signed BL2 to top-level directory
    cp "${TEMP}/${BL2_IMX}-signed" .


The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy
Images section above, once done.

Suggested flow for verifying:

1. Follow all previous steps above and verify a non-secure ATF boot
2. Download the NXP Code Signing Tool
3. Generate keys
4. Program the fuses on your board
5. Replace bl2.bin.imx with bl2.bin.imx-signed
6. Verify inside u-boot that "hab_status" shows no events
7. Subsequently close your board.

If you have HAB events at step 6, do not lock your board.

To get a good overview of generating keys and programming the fuses on the
board, read "High Assurance Boot for Dummies" by Boundary Devices.

https://boundarydevices.com/high-assurance-boot-hab-dummies/