| NXP i.MX7 WaRP7 |
| =============== |
| |
| The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3. |
| The i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality. |
| This functionality provides a mechanism for establishing a root-of-trust from |
| the reset vector to the command-line in user-space. |
| |
| Boot Flow |
| --------- |
| |
| BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux |
| |
| In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is |
| expected and required |
| |
| Build Instructions |
| ------------------ |
| |
| We need to use a file generated by u-boot in order to generate a .imx image the |
| BootROM will boot. It is therefore _required_ to build u-boot before TF-A and |
| furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory |
| to generate the TF-A .imx image. |
| |
| U-Boot |
| ~~~~~~ |
| |
| https://git.linaro.org/landing-teams/working/mbl/u-boot.git |
| |
| .. code:: shell |
| |
| git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot |
| make warp7_bl33_defconfig; |
| make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf- |
| |
| OP-TEE |
| ~~~~~~ |
| |
| https://github.com/OP-TEE/optee_os.git |
| |
| .. code:: shell |
| |
| make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000 |
| |
| TF-A |
| ~~~~ |
| |
| https://github.com/ARM-software/arm-trusted-firmware.git |
| |
| The following commands assume that a directory exits in the top-level TFA build |
| directory "fiptool_images". "fiptool_images" contains |
| |
| - u-boot.bin |
| The binary output from the u-boot instructions above |
| |
| - tee-header_v2.bin |
| - tee-pager_v2.bin |
| - tee-pageable_v2.bin |
| Binary outputs from the previous OPTEE build steps |
| |
| It is also assumed copy of mbedtls is available on the path path ../mbedtls |
| https://github.com/ARMmbed/mbedtls.git |
| At the time of writing HEAD points to 0592ea772aee48ca1e6d9eb84eca8e143033d973 |
| |
| .. code:: shell |
| |
| mkdir fiptool_images |
| cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images |
| cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images |
| cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images |
| |
| make CROSS_COMPILE=${CROSS_COMPILE} PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 \ |
| ARM_CORTEX_A7=yes AARCH32_SP=optee PLAT_WARP7_UART=1 GENERATE_COT=1 \ |
| TRUSTED_BOARD_BOOT=1 USE_TBBR_DEFS=1 MBEDTLS_DIR=../mbedtls \ |
| NEED_BL32=yes BL32=fiptool_images/tee-header_v2.bin \ |
| BL32_EXTRA1=fiptool_images/tee-pager_v2.bin \ |
| BL32_EXTRA2=fiptool_images/tee-pageable_v2.bin \ |
| BL33=fiptool_images/u-boot.bin certificates all |
| |
| /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx |
| |
| FIP |
| ~~~ |
| |
| .. code:: shell |
| |
| cp /path/to/uboot/u-boot.bin fiptool_images |
| cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images |
| |
| tools/cert_create/cert_create -n --rot-key "build/warp7/debug/rot_key.pem" \ |
| --tfw-nvctr 0 \ |
| --ntfw-nvctr 0 \ |
| --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \ |
| --tb-fw=build/warp7/debug/bl2.bin \ |
| --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt\ |
| --tos-fw fiptool_images/tee-header_v2.bin \ |
| --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \ |
| --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \ |
| --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \ |
| --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \ |
| --nt-fw fiptool_images/u-boot.bin \ |
| --nt-fw-cert fiptool_images/u-boot.bin.crt \ |
| --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \ |
| --hw-config fiptool_images/imx7s-warp.dtb |
| |
| tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin \ |
| --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \ |
| --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \ |
| --nt-fw fiptool_images/u-boot.bin \ |
| --hw-config fiptool_images/imx7s-warp.dtb \ |
| --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \ |
| --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \ |
| --nt-fw-cert fiptool_images/u-boot.bin.crt \ |
| --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \ |
| --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \ |
| --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt warp7.fip |
| |
| Deploy Images |
| ------------- |
| |
| First place the WaRP7 into UMS mode in u-boot this should produce an entry in |
| /dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 |
| |
| .. code:: shell |
| |
| => ums 0 mmc 0 |
| |
| Next flash bl2.imx and warp7.fip |
| |
| bl2.imx is flashed @ 1024 bytes |
| warp7.fip is flash @ 1048576 bytes |
| |
| .. code:: shell |
| |
| sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc |
| # Offset is 1MB 1048576 => 1048576 / 512 = 2048 |
| sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc |
| |
| Remember to umount the USB device pefore proceeding |
| |
| .. code:: shell |
| |
| sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0* |
| |
| |
| Signing BL2 |
| ----------- |
| |
| A further step is to sign BL2. |
| |
| The image_sign.sh and bl2_sign.csf files alluded to blow are available here. |
| |
| https://github.com/bryanodonoghue/atf-code-signing |
| |
| It is suggested you use this script plus the example CSF file in order to avoid |
| hard-coding data into your CSF files. |
| |
| Download both "image_sign.sh" and "bl2_sign.csf" to your |
| arm-trusted-firmware top-level directory. |
| |
| .. code:: shell |
| |
| #!/bin/bash |
| SIGN=image_sign.sh |
| TEMP=`pwd`/temp |
| BL2_CSF=bl2_sign.csf |
| BL2_IMX=bl2.bin.imx |
| CST_PATH=/path/to/cst-2.3.2 |
| CST_BIN=${CST_PATH}/linux64/cst |
| |
| #Remove temp |
| rm -rf ${TEMP} |
| mkdir ${TEMP} |
| |
| # Generate IMX header |
| /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log |
| |
| # Copy required items to $TEMP |
| cp build/warp7/debug/bl2.bin.imx ${TEMP} |
| cp ${CST_PATH}/keys/* ${TEMP} |
| cp ${CST_PATH}/crts/* ${TEMP} |
| cp ${BL2_CSF} ${TEMP} |
| |
| # Generate signed BL2 image |
| ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN} |
| |
| # Copy signed BL2 to top-level directory |
| cp ${TEMP}/${BL2_IMX}-signed . |
| cp ${BL2_RECOVER_CSF} ${TEMP} |
| |
| |
| The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy |
| Images section above, once done. |
| |
| Suggested flow for verifying. |
| |
| 1. Followed all previous steps above and verify a non-secure ATF boot |
| 2. Down the NXP Code Singing Tool |
| 3. Generate keys |
| 4. Program the fuses on your board |
| 5. Replace bl2.bin.imx with bl2.bin.imx-signed |
| 6. Verify inside u-boot that "hab_status" shows no events |
| 7. Subsequently close your board. |
| |
| If you have HAB events @ step 6 - do not lock your board. |
| |
| To get a good over-view of generating keys and programming the fuses on the |
| board read "High Assurance Boot for Dummies" by Boundary Devices. |
| |
| https://boundarydevices.com/high-assurance-boot-hab-dummies/ |
