Hello Sascha,

On 13.02.24 16:17, Sascha Hauer wrote:
> This adds support for AHAB based secure boot on i.MX93. The user
> interface is integrated into the existing hab command used for earlier
> i.MX variants. On i.MX93 the hab command can:
>
> - read/write the SRK hash
> - lock the device
> - show lock status of the device
>
> Like done with HAB the AHAB events will be shown during boot so that
> possible failure events are seen should there be any issues like no
> or wrong SRK hash fused or an unsigned image is attempted to be started.
>
> Unlike with HAB it is currently not possible to sign the barebox images
> directly within the barebox build system. Instead, the images need to be
> signed afterwards with the NXP CST tool. I am currently unsure if it's
> worth the hassle, as it turned out to be quite straightforward to
> integrate the signing process into YOCTO (likely also ptxdist, but I
> haven't tried yet). In the end it might be easier than adding another
> indirection with tunneling the necessary keys through the barebox build
> process. I might be convinced otherwise though.

Could you make the signing inside the barebox build system optional for
HAB? Then we could have a prompt symbol that depends on HABv4, e.g.
CONFIG_HAB_SIGN_IMAGES or something and disabling that would require
external signing like for AHAB.

I think this would improve user experience a fair bit, because HAB and
AHAB could be handled the same build-system side and it would be easily
discoverable in Kconfig that one supports signing internally and the
other doesn't.

This would also allow us to build-test this configuration.

Thanks,
Ahmad

>
> Sascha
>
> Sascha Hauer (6):
>   hab: drop incomplete i.MX28 support
>   hab: drop i.MX35
>   hab: cleanup hab status printing during boot
>   hab: pass flags to lockdown_device()
>   ARM: i.MX: ele: implement more ELE operations
>   hab: implement i.MX9 support
>
>  arch/arm/mach-imx/Kconfig |   5 +
>  arch/arm/mach-imx/ele.c   | 345 +++++++++++++++++++++++++++++++++++++-
>  drivers/hab/hab.c         | 137 ++++++++++++++-
>  drivers/hab/hab.h         |  10 ++
>  drivers/hab/habv3.c       |   6 +-
>  drivers/hab/habv4.c       |  62 +------
>  include/hab.h             |  20 +--
>  include/mach/imx/ele.h    |  18 ++
>  8 files changed, 516 insertions(+), 87 deletions(-)
>  create mode 100644 drivers/hab/hab.h
>

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax: +49-5121-206917-5555   |