1NXP i.MX7 WaRP7 2=============== 3 4The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3. 5The i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality. 6This functionality provides a mechanism for establishing a root-of-trust from 7the reset vector to the command-line in user-space. 8 9Boot Flow 10--------- 11 12BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux 13 14In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is 15expected and required 16 17Build Instructions 18------------------ 19 20We need to use a file generated by u-boot in order to generate a .imx image the 21BootROM will boot. It is therefore _required_ to build u-boot before TF-A and 22furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory 23to generate the TF-A .imx image. 24 25U-Boot 26~~~~~~ 27 28https://git.linaro.org/landing-teams/working/mbl/u-boot.git 29 30.. code:: shell 31 32 git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot 33 make warp7_bl33_defconfig; 34 make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf- 35 36OP-TEE 37~~~~~~ 38 39https://github.com/OP-TEE/optee_os.git 40 41.. code:: shell 42 43 make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000 44 45TF-A 46~~~~ 47 48https://github.com/ARM-software/arm-trusted-firmware.git 49 50The following commands assume that a directory exits in the top-level TFA build 51directory "fiptool_images". "fiptool_images" contains 52 53- u-boot.bin 54 The binary output from the u-boot instructions above 55 56- tee-header_v2.bin 57- tee-pager_v2.bin 58- tee-pageable_v2.bin 59 Binary outputs from the previous OPTEE build steps 60 61It is also assumed copy of mbedtls is available on the path path ../mbedtls 62 https://github.com/ARMmbed/mbedtls.git 63 At the time of writing HEAD points to 0592ea772aee48ca1e6d9eb84eca8e143033d973 64 65.. code:: shell 66 67 mkdir fiptool_images 68 cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images 69 cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images 70 cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images 71 72 make CROSS_COMPILE=${CROSS_COMPILE} PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 \ 73 ARM_CORTEX_A7=yes AARCH32_SP=optee PLAT_WARP7_UART=1 GENERATE_COT=1 \ 74 TRUSTED_BOARD_BOOT=1 USE_TBBR_DEFS=1 MBEDTLS_DIR=../mbedtls \ 75 NEED_BL32=yes BL32=fiptool_images/tee-header_v2.bin \ 76 BL32_EXTRA1=fiptool_images/tee-pager_v2.bin \ 77 BL32_EXTRA2=fiptool_images/tee-pageable_v2.bin \ 78 BL33=fiptool_images/u-boot.bin certificates all 79 80 /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx 81 82FIP 83~~~ 84 85.. code:: shell 86 87 cp /path/to/uboot/u-boot.bin fiptool_images 88 cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images 89 90 tools/cert_create/cert_create -n --rot-key "build/warp7/debug/rot_key.pem" \ 91 --tfw-nvctr 0 \ 92 --ntfw-nvctr 0 \ 93 --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \ 94 --tb-fw=build/warp7/debug/bl2.bin \ 95 --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt\ 96 --tos-fw fiptool_images/tee-header_v2.bin \ 97 --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \ 98 --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \ 99 --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \ 100 --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \ 101 --nt-fw fiptool_images/u-boot.bin \ 102 --nt-fw-cert fiptool_images/u-boot.bin.crt \ 103 --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \ 104 --hw-config fiptool_images/imx7s-warp.dtb 105 106 tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin \ 107 --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \ 108 --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \ 109 --nt-fw fiptool_images/u-boot.bin \ 110 --hw-config fiptool_images/imx7s-warp.dtb \ 111 --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \ 112 --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \ 113 --nt-fw-cert fiptool_images/u-boot.bin.crt \ 114 --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \ 115 --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \ 116 --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt warp7.fip 117 118Deploy Images 119------------- 120 121First place the WaRP7 into UMS mode in u-boot this should produce an entry in 122/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 123 124.. code:: shell 125 126 => ums 0 mmc 0 127 128Next flash bl2.imx and warp7.fip 129 130bl2.imx is flashed @ 1024 bytes 131warp7.fip is flash @ 1048576 bytes 132 133.. code:: shell 134 135 sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc 136 # Offset is 1MB 1048576 => 1048576 / 512 = 2048 137 sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc 138 139Remember to umount the USB device pefore proceeding 140 141.. code:: shell 142 143 sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0* 144 145 146Signing BL2 147----------- 148 149A further step is to sign BL2. 150 151The image_sign.sh and bl2_sign.csf files alluded to blow are available here. 152 153https://github.com/bryanodonoghue/atf-code-signing 154 155It is suggested you use this script plus the example CSF file in order to avoid 156hard-coding data into your CSF files. 157 158Download both "image_sign.sh" and "bl2_sign.csf" to your 159arm-trusted-firmware top-level directory. 160 161.. code:: shell 162 163 #!/bin/bash 164 SIGN=image_sign.sh 165 TEMP=`pwd`/temp 166 BL2_CSF=bl2_sign.csf 167 BL2_IMX=bl2.bin.imx 168 CST_PATH=/path/to/cst-2.3.2 169 CST_BIN=${CST_PATH}/linux64/cst 170 171 #Remove temp 172 rm -rf ${TEMP} 173 mkdir ${TEMP} 174 175 # Generate IMX header 176 /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log 177 178 # Copy required items to $TEMP 179 cp build/warp7/debug/bl2.bin.imx ${TEMP} 180 cp ${CST_PATH}/keys/* ${TEMP} 181 cp ${CST_PATH}/crts/* ${TEMP} 182 cp ${BL2_CSF} ${TEMP} 183 184 # Generate signed BL2 image 185 ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN} 186 187 # Copy signed BL2 to top-level directory 188 cp ${TEMP}/${BL2_IMX}-signed . 189 cp ${BL2_RECOVER_CSF} ${TEMP} 190 191 192The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy 193Images section above, once done. 194 195Suggested flow for verifying. 196 1971. Followed all previous steps above and verify a non-secure ATF boot 1982. Down the NXP Code Singing Tool 1993. Generate keys 2004. Program the fuses on your board 2015. Replace bl2.bin.imx with bl2.bin.imx-signed 2026. Verify inside u-boot that "hab_status" shows no events 2037. Subsequently close your board. 204 205If you have HAB events @ step 6 - do not lock your board. 206 207To get a good over-view of generating keys and programming the fuses on the 208board read "High Assurance Boot for Dummies" by Boundary Devices. 209 210https://boundarydevices.com/high-assurance-boot-hab-dummies/ 211