Changes between Version 39 and Version 40 of venice/secure_boot

Timestamp:

03/28/2025 11:50:22 PM (3 days ago)

Author:

Tim Harvey

Comment:

updated build instructions for HABv4 so that they work with both v2023.04-venice and v2024.10-venice (the later will sign it for you)

venice/secure_boot

@@ -41 +41 @@
 
 The SRK_HASH fuses for the IMX6/IMX7/IMX8 are defined by a bank and a word:
- - SRK_HASH[31:00] bank 6 word 0
- - SRK_HASH[63:32] bank 6 word 1
- - SRK_HASH[95:64] bank 6 word 2
- - SRK_HASH[127:96] bank 6 word 3
- - SRK_HASH[159:128] bank 7 word 0
- - SRK_HASH]191:160] bank 7 word 1
- - SRK_HASH[223:192] bank 7 word 2
- - SRK_HASH[255:224] bank 7 word 3
+ - SRK_HASH[31..00] bank 6 word 0
+ - SRK_HASH[63..32] bank 6 word 1
+ - SRK_HASH[95..64] bank 6 word 2
+ - SRK_HASH[127..96] bank 6 word 3
+ - SRK_HASH[159..128] bank 7 word 0
+ - SRK_HASH]191..160] bank 7 word 1
+ - SRK_HASH[223..192] bank 7 word 2
+ - SRK_HASH[255..224] bank 7 word 3
 
 See also:
@@ -139 +139 @@
   * Note the above fuse values will differ per your serial/passphrase
  2. Build U-boot with HABv4 enabled and a single DTB:
-  * Pre-requisite: Build Venice BSP using this link here: [wiki:venice/bsp]
-  * Export VENICE_BSP variable to your directory: {{{export VENICE_BSP=/path/to/your/bsp/directory}}}
-{{{#!bash
-# checkout a fresh u-boot
-git clone https://github.com/Gateworks/uboot-venice.git
-cd uboot-venice
-# setup cross toolchain environment (ie source setup-environment in Venice BSP dir)
-export PATH=$VENICE_BSP/buildroot/output/host/bin:$PATH
-export CROSS_COMPILE="aarch64-linux-"
-export ARCH=arm64
-# copy necessary artifacts from bsp
-cp $VENICE_BSP/u-boot/lpddr4*.bin . # DDR firmware
-cp $VENICE_BSP/atf/build/imx8mm/release/bl31.bin . # ATF
-# configure for venice board
-make imx8mm_venice_defconfig
-make menuconfig # select CONFIG_IMX_HAB=y
-make flash.bin
-}}}
-  - if using a non-gateworks branch of U-boot, ensure that "CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000"
-  - for clarity here are the differences in defconfig:
-{{{#!bash
-$ make savedefconfig && diff defconfig configs/imx8mm_venice_defconfig
-scripts/kconfig/conf  --savedefconfig=defconfig Kconfig
-21,22d21
-< CONFIG_IMX_HAB=y
-< # CONFIG_CMD_DEKBLOB is not set
-}}}
-  - note that the above is for imx8mm (you need to copy the ATF from the imx8mp directory and use imx8mp_venice_defconfig if you are using imx8mp for example)
- 3. create a signed_flash.bin
+  * Pre-requisites:
+   - Build Venice BSP using this link here: [wiki:venice/bsp]
+   - Have CST installed 
+  * Building:
 {{{#!bash
 # setup env to point to the CST
@@ -176 +151 @@
 export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
 export PATH=$CST_DIR/linux64/bin:$PATH
+# setup cross toolchain environment (ie source setup-environment in Venice BSP dir)
+export PATH=$VENICE_BSP/buildroot/output/host/bin:$PATH
+export CROSS_COMPILE="aarch64-linux-"
+export ARCH=arm64
+# checkout a fresh u-boot
+git clone https://github.com/Gateworks/uboot-venice.git
+cd uboot-venice
+# copy ATF and DDR firmware from BSP
+cp $VENICE_BSP/u-boot/lpddr4*.bin . # DDR firmware
+cp $VENICE_BSP/atf/build/imx8mm/release/bl31.bin . # ATF
+# configure for venice board
+make imx8mm_venice_defconfig
+make menuconfig # select CONFIG_IMX_HAB=y
+make flash.bin
+}}}
+   - if using a non-gateworks branch of U-boot, ensure that "CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000"
+   - for clarity here are the differences in defconfig:
+{{{#!bash
+$ make savedefconfig && diff defconfig configs/imx8mm_venice_defconfig
+scripts/kconfig/conf  --savedefconfig=defconfig Kconfig
+21,22d21
+< CONFIG_IMX_HAB=y
+< # CONFIG_CMD_DEKBLOB is not set
+}}}
+   - note that the above is for imx8mm (you need to copy the ATF from the imx8mp directory and use imx8mp_venice_defconfig if you are using imx8mp for example)
+ 3. create a signed_flash.bin (required prior to v2024.10; for v2024.10-venice branch you can skip this step as it signs it automatically
+{{{#!bash
 # sign flash.bin (if U-Boot version is less than v2024.10 where automated signing was introduced if CONFIG_IMX_HAB=y)
-/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+[ -f doc/imx/habv4/csf_examples/mx8m/csf.sh ] && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
 # create a JTAG image (if needed) using one of the following (dependent on which SoC you are using)
 mkimage_jtag --emmc -s --partconf=boot0 \
@@ -404 +406 @@
 . ./setup-environment
 }}}
+ 1. setup CST environment:
+{{{#!bash
+# setup env to point to the CST
+export CST_DIR=/usr/src/nxp/cst-3.4.0
+export CST_BIN=$CST_DIR/linux64/bin/cst
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
+export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
+export PATH=$CST_DIR/linux64/bin:$PATH
+}}}
  1. setup additional SOC and Board specific environment:
   - for imx8mm:
@@ -449 +461 @@
 cp firmware-imx-8.10/firmware/ddr/synopsys/lpddr4*.bin .
 }}}
- 1. Build OP-TEE (**This must be rebuilt every time you build OP-TEE):
+ 1. Build OP-TEE
 {{{#!bash
 make -j8 -C tee \
@@ -459 +471 @@
   O=out && ${CROSS_COMPILE}objcopy -O binary tee/out/core/tee.elf ./tee.bin
 }}}
- 1. Build ATF (**This must be rebuilt every time you build OP-TEE):
+ 1. Build ATF
 {{{#!bash
 make -j8 -C atf SPD=opteed PLAT=$PLAT BL32_BASE=$CFG_TZDRAM_START && \
@@ -474 +486 @@
  1. Sign it:
 {{{#!bash
-# setup env to point to the CST
-export CST_DIR=/usr/src/nxp/cst-3.4.0
-export CST_BIN=$CST_DIR/linux64/bin/cst
-export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
-export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
-export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
-export PATH=$CST_DIR/linux64/bin:$PATH
 # sign flash.bin (if U-Boot version is less than v2024.10 where automated signing was introduced if CONFIG_IMX_HAB=y)
-/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+[ -f doc/imx/habv4/csf_examples/mx8m/csf.sh ] && /bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
 # create a JTAG image (if needed) using one of the following depending on your SoC
 mkimage_jtag --emmc -s --partconf=boot0 \