[PATCH v2 00/14] am625: support secure loading of full barebox

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On K3 SoCs only a small barebox is loaded by the ROM into SRAM. This
barebox then loads the full barebox from SD/eMMC or USB DFU. In a secure
boot environment the full barebox must be authenticated. This series
implements two ways for accomplishing this.

First way is to utilize the ROM API to authenticate images. The other
way is to compile a secure hash into the first stage binary and check
if the full barebox image matches the hash. Using the ROM API means
different first stage and second stage images can be combined whereas
hashing binds specific builds together avoiding mix and match attacks.

Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
Changes in v2:
- select HAS_INSECURE_DEFAULTS when necessary
- use 'ret' as error value variable rather than mixing 'err' and 'ret'
  in a single file
- rename firmware_next_image_verify() to
  firmware_next_image_check_sha256() and drop unnecessary hash_size argument
- Link to v1: https://lore.kernel.org/r/20250228-am625-secure-v1-0-4002488ff5ed@xxxxxxxxxxxxxx

---
Sascha Hauer (14):
      firmware: always generate sha256sum
      firmware: add function to verify next image
      ARM: k3: r5: drop loading of separate binaries
      ARM: k3: r5: add proper error handling
      fip: rework fip_image_open()
      fip: fix wrong function call
      fip: add function to calculate a sha256 over FIP image
      ARM: am625: support hash verification of full barebox
      ARM: k3: add support for authenticating images against the ROM API
      ARM: k3: r5: delete fip image when it can't be opened
      ARM: k3: r5: Allow to authenticate next image by ROM API
      scripts/k3img: remove temporary files
      scripts: add k3sign
      ARM: k3: r5: select HAS_INSECURE_DEFAULTS when necessary

 arch/arm/mach-k3/Kconfig  |  16 ++++
 arch/arm/mach-k3/common.c |  99 +++++++++++++++++++++
 arch/arm/mach-k3/r5.c     | 214 ++++++++++++++++++++++++----------------------
 firmware/Kconfig          |  23 +++++
 firmware/Makefile         |   8 +-
 include/fiptool.h         |   3 +
 include/firmware.h        |  26 ++++++
 include/mach/k3/common.h  |   1 +
 lib/fip.c                 | 101 ++++++++++++++--------
 scripts/k3img             |   9 +-
 scripts/k3sign            | 126 +++++++++++++++++++++++++++
 11 files changed, 481 insertions(+), 145 deletions(-)
---
base-commit: 66b293c915276c3926cfda068f3f7a4b39b19f4a
change-id: 20250228-am625-secure-49301f641738

Best regards,
-- 
Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux