From 5e45485bdd561b3b1b46b3550447e2e4c5e53761 Mon Sep 17 00:00:00 2001 From: Max Krummenacher Date: Wed, 13 Dec 2023 16:19:37 +0100 Subject: imx-mkimage: fix u-boot spl authentication vulnerability This backports the fixes addressing CVE-2023-39902 vulnerability into the imx-mkimage tool. [1] To be used with a U-Boot containing the LFU-573 patches. [1] https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 LFOPTEE patch is backported to make the two LFU-573 patches apply with less fuzz. Relates-to: ELB-5476 Signed-off-by: Max Krummenacher --- ...1-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch | 40 ++++ ...mx8m-Generate-hash-of-FIT-FDT-structure-t.patch | 213 +++++++++++++++++++++ ...mx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch | 206 ++++++++++++++++++++ recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend | 1 + recipes-bsp/imx-mkimage/imx-mkimage-patches.inc | 9 + recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend | 1 + 6 files changed, 470 insertions(+) create mode 100644 recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch create mode 100644 recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch create mode 100644 recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch create mode 100644 recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend create mode 100644 recipes-bsp/imx-mkimage/imx-mkimage-patches.inc create mode 100644 recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend diff --git a/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch b/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch new file mode 100644 index 0000000..312c1c8 --- /dev/null +++ b/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch 
@@ -0,0 +1,40 @@
+From 884f7b3e917194ebb3d7e621df9af7ed496a91eb Mon Sep 17 00:00:00 2001
+From: Olivier Masse
+Date: Wed, 16 Nov 2022 12:05:50 +0100
+Subject: [PATCH 1/3] LFOPTEE-126: Add spl and sld Blocks info
+
+Dump hab block information used by the signature script.
+To ease the parsing process in meta-secure-boot recipe,
+mkimage_imx8 tool dump spl and sld hab blocks correctly
+formated for csf configuration file.
+
+Signed-off-by: Olivier Masse
+
+Upstream-Status: Backport [66cef04afacc104e47fb65ac9879e70e45334c3f]
+Signed-off-by: Max Krummenacher
+---
+ iMX8M/mkimage_imx8.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c
+index 54828d1..06ab485 100644
+--- a/iMX8M/mkimage_imx8.c
++++ b/iMX8M/mkimage_imx8.c
+@@ -1662,6 +1662,14 @@ int main(int argc, char **argv)
+ fprintf(stderr, " sld hab block: \t0x%x 0x%x 0x%x\n",
+ sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
+
++ fprintf(stderr, "SPL CSF block:\n");
++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n",
++ imx_header[IMAGE_IVT_ID].fhdr.self, header_image_off, csf_off - header_image_off);
++
++ fprintf(stderr, "SLD CSF block:\n");
++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n",
++ sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
++
+ return 0;
+ }
+
+--
+2.42.0
+
diff --git a/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch b/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch
new file mode 100644
index 0000000..62cac84
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch
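Review bot: The new `SLD CSF block` print ends its `Blocks =` value with `,\` while the `SPL CSF block` print just above it does not, and nothing in the hunk explains the difference. Presumably the consumer appends further block entries after the continuation; once confirmed, say so in a comment such as `/* trailing ",\" is intentional: further HAB blocks are appended to this list by the signing script */`. The commit message says this output is parsed to build the CSF configuration, so a one-line comment above the prints stating that the format is consumed downstream and must stay stable would help the next editor. main() starts outside the hunk.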
@@ -0,0 +1,213 @@ +From 15fb16dbb686250bb3b9457d3a158c7d097beb39 Mon Sep 17 00:00:00 2001 +From: Ye Li +Date: Mon, 3 Jul 2023 17:31:32 +0800 +Subject: [PATCH 2/3] LFU-573-1 imx8m: Generate hash of FIT FDT structure to + SPL image + +Generate the hash of FIT FDT structure by SHA256 and append it +to end of SPL image (after DDR FW). +SPL will get the hash from the position to verify the FIT FDT +structure in loaded FIT image. + +Signed-off-by: Ye Li + +Upstream-Status: Backport [2f2d426f03ebbcf7a9c28cf53680cd5777e70ea1] +Signed-off-by: Max Krummenacher +--- + iMX8M/mkimage_imx8.c | 109 ++++++++++++++++++++++++++++++++++++++++++- + iMX8M/soc.mak | 14 ++++-- + 2 files changed, 117 insertions(+), 6 deletions(-) + +diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c +index 06ab485..68022d6 100644 +--- a/iMX8M/mkimage_imx8.c ++++ b/iMX8M/mkimage_imx8.c +@@ -366,6 +366,31 @@ copy_file (int ifd, const char *datafile, int pad, int offset, int datafile_offs + (void) close (dfd); + } + ++static void append_data(char *filename, uint8_t *data, int size) ++{ ++ int dfd, ret; ++ ++ if ((dfd = open(filename, O_RDWR|O_BINARY)) < 0) { ++ fprintf (stderr, "Can't open %s: %s\n", ++ filename, strerror(errno)); ++ exit (EXIT_FAILURE); ++ } ++ ++ ret = lseek(dfd, 0, SEEK_END); ++ if (ret < 0) { ++ fprintf(stderr, "%s: lseek error %s\n", ++ __func__, strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (write(dfd, data, size) != size) { ++ fprintf (stderr, "Write error %s\n", ++ strerror(errno)); ++ exit (EXIT_FAILURE); ++ } ++ (void) close (dfd); ++} ++ ++ + enum imximage_fld_types { + CFG_INVALID = -1, + CFG_COMMAND, +@@ -861,6 +886,77 @@ void generate_sld_with_ivt(char * input_file, uint32_t ep, char *out_file) + close(input_fd); + } + ++#define HASH_MAX_LEN 32 ++static void calc_fitimage_hash(char* filename, uint8_t *hash) ++{ ++ int sld_fd; ++ FILE *fp = NULL; ++ char sha_command[512]; ++ char *digest_type = "sha256sum"; ++ char hash_char[2 * HASH_MAX_LEN + 1]; ++ int 
digest_length = 64; ++ ++ uimage_header_t image_header; ++ uint32_t fit_size; ++ ++ sld_fd = open(filename, O_RDONLY | O_BINARY); ++ if (sld_fd < 0) { ++ fprintf(stderr, "%s: Can't open: %s\n", ++ filename, strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++ if (read(sld_fd, (char *)&image_header, sizeof(uimage_header_t)) != sizeof(uimage_header_t)) { ++ fprintf (stderr, "generate_ivt_for_fit read failed: %s\n", ++ strerror(errno)); ++ exit (EXIT_FAILURE); ++ } ++ ++ if (be32_to_cpu(image_header.ih_magic) != FDT_MAGIC){ ++ fprintf (stderr, "generate_ivt_for_fit error: not a FIT file\n"); ++ exit (EXIT_FAILURE); ++ } ++ ++ fit_size = fdt_totalsize(&image_header); ++ ++ fprintf(stderr, "fit_size: %u\n", fit_size); ++ ++ sprintf(sha_command, "dd if=\'%s\' of=tmp_pad bs=%d count=1;\ ++ %s tmp_pad; rm -f tmp_pad;", ++ filename, fit_size, digest_type); ++ ++ memset(hash, 0, HASH_MAX_LEN); ++ ++ fp = popen(sha_command, "r"); ++ if (fp == NULL) { ++ fprintf(stderr, "Failed to run command hash\n" ); ++ exit(EXIT_FAILURE); ++ } ++ ++ if(fgets(hash_char, digest_length + 1, fp) == NULL) { ++ fprintf(stderr, "Failed to hash file: %s\n", filename); ++ exit(EXIT_FAILURE); ++ } ++ ++ for(int i = 0; i < strlen(hash_char)/2; i++){ ++ sscanf(hash_char + 2*i, "%02hhx", &hash[i]); ++ } ++ ++ pclose(fp); ++ (void) close (sld_fd); ++} ++ ++void dump_fit_hash(uint8_t *hash, int size) ++{ ++ int i; ++ ++ fprintf(stderr, "FIT hash: "); ++ for (i = 0; i < size; i++) { ++ fprintf(stderr, "%x", hash[i]); ++ } ++ fprintf(stderr, "\n"); ++} ++ + /* Return this IVT offset in the final output file */ + int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load_addr) + { +@@ -943,6 +1039,8 @@ int main(int argc, char **argv) + uimage_header_t uimage_hdr; + uint32_t version = ROM_V1; + ++ uint8_t fit_hash[HASH_MAX_LEN]; ++ + static struct option long_options[] = + { + {"loader", required_argument, NULL, 'i'}, +@@ -1146,6 +1244,15 @@ int main(int argc, char **argv) + exit(1); + } 
+ ++ if (sld_img && using_fit) { ++ calc_fitimage_hash(sld_img, fit_hash); ++ ++ /* Append hash to ap_img */ ++ append_data(ap_img, fit_hash, HASH_MAX_LEN); ++ ++ dump_fit_hash(fit_hash, HASH_MAX_LEN); ++ } ++ + if (version == ROM_V2) { + + /* On V2, flexspi IVT offset is 0, image offset is 0x1000 */ +@@ -1638,7 +1745,7 @@ int main(int argc, char **argv) + } + + /* The FLEXSPI configuration parameters will add to flash.bin by script, so need add 0x1000 offset to every offset prints */ +- if ((version == ROM_V2 && rom_image_offset == IVT_OFFSET_FLEXSPI) || ++ if ((version == ROM_V2 && rom_image_offset == IVT_OFFSET_FLEXSPI) || + (version == ROM_V1 && ivt_offset == IVT_OFFSET_FLEXSPI)) { + header_image_off += IVT_OFFSET_FLEXSPI; + dcd_off += IVT_OFFSET_FLEXSPI; +diff --git a/iMX8M/soc.mak b/iMX8M/soc.mak +index 0a69b71..5131891 100644 +--- a/iMX8M/soc.mak ++++ b/iMX8M/soc.mak +@@ -100,8 +100,9 @@ u-boot-spl-ddr.bin: u-boot-spl.bin $(lpddr4_imem_1d) $(lpddr4_dmem_1d) $(lpddr4_ + @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(lpddr4_imem_1d) lpddr4_pmu_train_1d_imem_pad.bin + @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(lpddr4_dmem_1d) lpddr4_pmu_train_1d_dmem_pad.bin + @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(lpddr4_imem_2d) lpddr4_pmu_train_2d_imem_pad.bin ++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(lpddr4_dmem_2d) lpddr4_pmu_train_2d_dmem_pad.bin + @cat lpddr4_pmu_train_1d_imem_pad.bin lpddr4_pmu_train_1d_dmem_pad.bin > lpddr4_pmu_train_1d_fw.bin +- @cat lpddr4_pmu_train_2d_imem_pad.bin $(lpddr4_dmem_2d) > lpddr4_pmu_train_2d_fw.bin ++ @cat lpddr4_pmu_train_2d_imem_pad.bin lpddr4_pmu_train_2d_dmem_pad.bin > lpddr4_pmu_train_2d_fw.bin + @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync + @cat u-boot-spl-pad.bin lpddr4_pmu_train_1d_fw.bin lpddr4_pmu_train_2d_fw.bin > u-boot-spl-ddr.bin + @rm -f u-boot-spl-pad.bin lpddr4_pmu_train_1d_fw.bin lpddr4_pmu_train_2d_fw.bin 
lpddr4_pmu_train_1d_imem_pad.bin lpddr4_pmu_train_1d_dmem_pad.bin lpddr4_pmu_train_2d_imem_pad.bin +@@ -115,8 +116,9 @@ u-boot-spl-ddr4.bin: u-boot-spl.bin $(ddr4_imem_1d) $(ddr4_dmem_1d) $(ddr4_imem_ + @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr4_imem_1d) ddr4_imem_1d_pad.bin + @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr4_dmem_1d) ddr4_dmem_1d_pad.bin + @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr4_imem_2d) ddr4_imem_2d_pad.bin ++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr4_dmem_2d) ddr4_dmem_2d_pad.bin + @cat ddr4_imem_1d_pad.bin ddr4_dmem_1d_pad.bin > ddr4_1d_fw.bin +- @cat ddr4_imem_2d_pad.bin $(ddr4_dmem_2d) > ddr4_2d_fw.bin ++ @cat ddr4_imem_2d_pad.bin ddr4_dmem_2d_pad.bin > ddr4_2d_fw.bin + @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync + @cat u-boot-spl-pad.bin ddr4_1d_fw.bin ddr4_2d_fw.bin > u-boot-spl-ddr4.bin + @rm -f u-boot-spl-pad.bin ddr4_1d_fw.bin ddr4_2d_fw.bin ddr4_imem_1d_pad.bin ddr4_dmem_1d_pad.bin ddr4_imem_2d_pad.bin +@@ -126,10 +128,12 @@ ddr3_dmem_1d = ddr3_dmem_1d$(DDR_FW_VERSION).bin + + u-boot-spl-ddr3l.bin: u-boot-spl.bin $(ddr3_imem_1d) $(ddr3_dmem_1d) + @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr3_imem_1d) ddr3_imem_1d.bin_pad.bin +- @cat ddr3_imem_1d.bin_pad.bin $(ddr3_dmem_1d) > ddr3_pmu_train_fw.bin ++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr3_dmem_1d) ddr3_dmem_1d.bin_pad.bin ++ @cat ddr3_imem_1d.bin_pad.bin ddr3_dmem_1d.bin_pad.bin > ddr3_pmu_train_fw.bin ++ @dd if=/dev/zero of=ddr3_fw_zero_pad.bin bs=1 count=49152 conv=sync + @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync +- @cat u-boot-spl-pad.bin ddr3_pmu_train_fw.bin > u-boot-spl-ddr3l.bin +- @rm -f u-boot-spl-pad.bin ddr3_pmu_train_fw.bin ddr3_imem_1d.bin_pad.bin ++ @cat u-boot-spl-pad.bin ddr3_pmu_train_fw.bin ddr3_fw_zero_pad.bin > u-boot-spl-ddr3l.bin ++ @rm -f u-boot-spl-pad.bin ddr3_pmu_train_fw.bin 
ddr3_imem_1d.bin_pad.bin ddr3_fw_zero_pad.bin + + u-boot-atf.bin: u-boot.bin bl31.bin + @cp bl31.bin u-boot-atf.bin +-- +2.42.0 + diff --git a/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch b/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch new file mode 100644 index 0000000..77002af --- /dev/null +++ b/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch 
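Review bot: In `calc_fitimage_hash` the shell command is built with an unbounded `sprintf` into `sha_command[512]` from the caller-supplied `filename` and then run through `popen`, so a long path overruns the stack buffer and a path containing `'` ends the quoting around `if=`. The digest parsing is unchecked as well: the `sscanf` return value is ignored and the loop bound is `strlen(hash_char)/2`, so a short or non-hex line leaves part of `hash` at zero and that value is still appended to the SPL image. `fit_size` is a `uint32_t` printed with `%d`, and `tmp_pad` is a fixed name in the working directory, which two builds running in the same directory would share. Separately, `dump_fit_hash` prints each byte with `%x`, which drops leading zeros; `%02x` keeps the printed digest unambiguous. A bounded and validated version of the two affected spots follows.

```c
	/* … unchanged: open filename, read header, check FDT_MAGIC, compute fit_size … */

	if (strchr(filename, '\'') != NULL) {
		fprintf(stderr, "%s: unsupported character in file name\n", filename);
		exit(EXIT_FAILURE);
	}

	int len = snprintf(sha_command, sizeof(sha_command),
			"dd if='%s' of=tmp_pad bs=%u count=1; %s tmp_pad; rm -f tmp_pad;",
			filename, fit_size, digest_type);
	if (len < 0 || (size_t)len >= sizeof(sha_command)) {
		fprintf(stderr, "%s: hash command too long\n", filename);
		exit(EXIT_FAILURE);
	}

	/* … unchanged: memset(hash), popen, fgets … */

	/* sha256sum prints 64 lowercase hex digits first; anything else is an error */
	if (strspn(hash_char, "0123456789abcdef") != 2 * HASH_MAX_LEN) {
		fprintf(stderr, "Malformed digest for %s\n", filename);
		exit(EXIT_FAILURE);
	}
	for (int i = 0; i < HASH_MAX_LEN; i++) {
		if (sscanf(hash_char + 2 * i, "%2hhx", &hash[i]) != 1) {
			fprintf(stderr, "Malformed digest for %s\n", filename);
			exit(EXIT_FAILURE);
		}
	}
```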
@@ -0,0 +1,206 @@ +From d1ba709ee91d56f135c2fbaed666cd454243e155 Mon Sep 17 00:00:00 2001 +From: Ye Li +Date: Thu, 27 Jul 2023 09:52:33 +0800 +Subject: [PATCH 3/3] LFU-573-2 imx8m: Reserve new IVT+CSF for FIT FDT + signature + +Without using FIT FDT hash, we also allow user to sign FIT FDT structure, +so that FIT image can upgrade individually. The option needs +CONFIG_IMX_SPL_FIT_FDT_SIGNATURE enabled in SPL. + +imx-mkimage will insert the new IVT for FIT FDT signature by default +and reserve the CSF (0x2000) for the FIT FDT signature. + +Signed-off-by: Ye Li + +Upstream-Status: Backport [5a0faefc223e51e088433663b6e7d6fbce89bf59] + +Conflicts: + iMX8M/soc.mak + - meta-freescale patched to use mkimage + - upstream adds the posibility to use addtional dtbo, now dropped + +Signed-off-by: Max Krummenacher + +--- + iMX8M/mkimage_imx8.c | 42 +++++++++++++++++++++++++++++++++++++++++- + iMX8M/print_fit_hab.sh | 4 ++-- + iMX8M/soc.mak | 17 +++++++++-------- + 3 files changed, 52 insertions(+), 11 deletions(-) + +diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c +index 68022d6..f37a2f6 100644 +--- a/iMX8M/mkimage_imx8.c ++++ b/iMX8M/mkimage_imx8.c +@@ -999,7 +999,7 @@ int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load + } + + /* ep is the u-boot entry. SPL loads the FIT before the u-boot address. 
0x2000 is for CSF_SIZE */ +- load_addr = (ep - (fit_size + CSF_SIZE) - 512 - ++ load_addr = (ep - (fit_size + 2 * CSF_SIZE) - 512 - + align_len) & ~align_len; + + flash_header_v2_t ivt_header = { { 0xd1, 0x2000, 0x40 }, +@@ -1013,6 +1013,24 @@ int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load + exit(EXIT_FAILURE); + } + ++ ret = lseek(fd, fit_offset + fit_size + CSF_SIZE, SEEK_SET); ++ if (ret < 0) { ++ fprintf(stderr, "%s: lseek error %s\n", ++ __func__, strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++ flash_header_v2_t fdt_ivt_header = { { 0xd1, 0x2000, 0x40 }, ++ load_addr, 0, 0, 0, ++ (load_addr + fit_size + CSF_SIZE ), ++ (load_addr + fit_size + CSF_SIZE + 0x20), ++ 0 }; ++ ++ if (write(fd, &fdt_ivt_header, sizeof(flash_header_v2_t)) != sizeof(flash_header_v2_t)) { ++ fprintf(stderr, "FIT FDT IVT writing error on fit image\n"); ++ exit(EXIT_FAILURE); ++ } ++ + *fit_load_addr = load_addr; + + return fit_offset + fit_size; +@@ -1229,6 +1247,11 @@ int main(int argc, char **argv) + fprintf(stderr, " fit hab block: \t0x%x 0x%x 0x%x\n", + sld_load_addr, sld_src_off, sld_csf_off - sld_src_off); + ++ fprintf(stderr, " fit-fdt_csf_off \t0x%x\n", ++ sld_csf_off + CSF_SIZE); ++ fprintf(stderr, " fit-fdt hab block: \t0x%x 0x%x 0x%x\n", ++ sld_load_addr, sld_src_off, sld_csf_off + CSF_SIZE - sld_src_off); ++ + exit(0); + } + +@@ -1777,6 +1800,23 @@ int main(int argc, char **argv) + fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n", + sld_load_addr, sld_header_off, sld_csf_off - sld_header_off); + ++ fprintf(stderr, " fit-fdt csf_off \t0x%x\n", ++ sld_csf_off + CSF_SIZE); ++ fprintf(stderr, " fit-fdt hab block: \t0x%x 0x%x 0x%x\n", ++ sld_load_addr, sld_header_off, sld_csf_off + CSF_SIZE - sld_header_off); ++ ++// fprintf(stderr, "SPL CSF block:\n"); ++// fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n", ++// imx_header[IMAGE_IVT_ID].fhdr.self, header_image_off, csf_off - header_image_off); ++ ++// 
fprintf(stderr, "SLD CSF block:\n"); ++// fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n", ++// sld_load_addr, sld_header_off, sld_csf_off - sld_header_off); ++ ++ fprintf(stderr, "SLD FIT-FDT CSF block:\n"); ++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n", ++ sld_load_addr, sld_header_off, sld_csf_off + CSF_SIZE - sld_header_off); ++ + return 0; + } + +diff --git a/iMX8M/print_fit_hab.sh b/iMX8M/print_fit_hab.sh +index 6f1a22d..d1e344a 100755 +--- a/iMX8M/print_fit_hab.sh ++++ b/iMX8M/print_fit_hab.sh +@@ -24,10 +24,10 @@ fi + + if [ "$BOOT_DEV" = "flexspi" ] || [ ${fit_off} == 0 ]; then + # We dd flash.bin to 0 offset for flexspi +- let uboot_sign_off=$((fit_off + 0x3000)) ++ let uboot_sign_off=$((fit_off + $FIT_DATA_POS)) + else + # We dd flash.bin to 33KB "0x8400" offset, so need minus 0x8400 +- let uboot_sign_off=$((fit_off - 0x8000 - ivt_off + 0x3000)) ++ let uboot_sign_off=$((fit_off - 0x8000 - ivt_off + $FIT_DATA_POS)) + fi + + let uboot_size=$(stat --printf="%s" $BL33) +diff --git a/iMX8M/soc.mak b/iMX8M/soc.mak +index 5131891..945183e 100644 +--- a/iMX8M/soc.mak ++++ b/iMX8M/soc.mak +@@ -83,6 +83,7 @@ VERSION = v1 + CAPSULE_GUID = 296119cf-dd70-43de-8ac8-a7051f312577 + endif + ++FIT_EXTERNAL_POSITION = 0x5000 + + FW_DIR = imx-boot/imx-boot-tools/$(PLAT) + +@@ -157,7 +158,7 @@ u-boot.itb: $(dtb) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb) + BL32=$(TEE) DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb) > u-boot.its +- mkimage -E -p 0x3000 -f u-boot.its u-boot.itb ++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot.its u-boot.itb + @rm -f u-boot.its $(dtb) + + dtb_ddr3l = valddr3l.dtb +@@ -169,7 +170,7 @@ u-boot-ddr3l.itb: $(dtb_ddr3l) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr3l) + DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) 
../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr3l) > u-boot-ddr3l.its +- mkimage -E -p 0x3000 -f u-boot-ddr3l.its u-boot-ddr3l.itb ++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr3l.its u-boot-ddr3l.itb + @rm -f u-boot.its $(dtb_ddr3l) + + dtb_ddr3l_evk = evkddr3l.dtb +@@ -181,7 +182,7 @@ u-boot-ddr3l-evk.itb: $(dtb_ddr3l_evk) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr3l_evk) + DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr3l_evk) > u-boot-ddr3l-evk.its +- mkimage -E -p 0x3000 -f u-boot-ddr3l-evk.its u-boot-ddr3l-evk.itb ++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr3l-evk.its u-boot-ddr3l-evk.itb + @rm -f u-boot.its $(dtb_ddr3l_evk) + + dtb_ddr4 = valddr4.dtb +@@ -193,7 +194,7 @@ u-boot-ddr4.itb: $(dtb_ddr4) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4) + DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr4) > u-boot-ddr4.its +- mkimage -E -p 0x3000 -f u-boot-ddr4.its u-boot-ddr4.itb ++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr4.its u-boot-ddr4.itb + @rm -f u-boot.its $(dtb_ddr4) + + dtb_ddr4_evk = evkddr4.dtb +@@ -205,7 +206,7 @@ u-boot-ddr4-evk.itb: $(dtb_ddr4_evk) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4_evk) + DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr4_evk) > u-boot-ddr4-evk.its +- mkimage -E -p 0x3000 -f u-boot-ddr4-evk.its u-boot-ddr4-evk.itb ++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr4-evk.its u-boot-ddr4-evk.itb + @rm -f u-boot.its $(dtb_ddr4_evk) + + ifeq ($(HDMI),yes) +@@ -325,21 +326,21 @@ print_fit_hab: u-boot-nodtb.bin bl31.bin $(dtb) + ./$(PAD_IMAGE) $(TEE) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb) +- 
TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb) ++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb) + @rm -f $(dtb) + + print_fit_hab_ddr4: u-boot-nodtb.bin bl31.bin $(dtb_ddr4_evk) + ./$(PAD_IMAGE) $(TEE) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4_evk) +- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb_ddr4_evk) ++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb_ddr4_evk) + @rm -f $(dtb_ddr4_evk) + + print_fit_hab_flexspi: u-boot-nodtb.bin bl31.bin $(dtb) + ./$(PAD_IMAGE) $(TEE) + ./$(PAD_IMAGE) bl31.bin + ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb) +- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) BOOT_DEV="flexspi" ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb) ++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) BOOT_DEV="flexspi" ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb) + @rm -f $(dtb) + + nightly : +-- +2.42.0 + diff --git a/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend new file mode 100644 index 0000000..2e2139a --- /dev/null +++ b/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend @@ -0,0 +1 @@ +require imx-mkimage-patches.inc \ No newline at end of file diff --git a/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc b/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc new file mode 100644 index 0000000..b05a1ad --- /dev/null +++ b/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc 
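Review bot: `print_fit_hab.sh` now takes the signed-region offset from `$FIT_DATA_POS`, but the hunk adds no default or check for it, so any invocation other than the three `print_fit_hab*` make targets that set it would evaluate `$((fit_off + ))`. Because these offsets end up in the HAB block list, failing early is safer than continuing past a broken expression: add `: "${FIT_DATA_POS:?FIT_DATA_POS must be set to the mkimage -p value}"` near the top of the script, which lies outside the hunk. `FIT_EXTERNAL_POSITION = 0x5000` in soc.mak deserves a comment tying it to the second `CSF_SIZE` reservation made in `generate_ivt_for_fit`, since the two apparently have to change together; that link is inferred from 0x3000 becoming 0x5000 in the same patch. In mkimage_imx8.c the context comment `0x2000 is for CSF_SIZE` is stale now that `2 * CSF_SIZE` is subtracted, and the commented-out `fprintf` block added to main() should be dropped rather than committed.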
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files/:"
+
+# additional patches addressing U-Boot secure boot SPL Authentication Vulnerability (CVE-2023-39902)
+# (plus patches LFU-573* in downstream U-Boot)
+SRC_URI:append = " \
+ file://0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch \
+ file://0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch\
+ file://0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch \
+"
diff --git a/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend b/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend
new file mode 100644
index 0000000..2e2139a
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend
@@ -0,0 +1 @@
+require imx-mkimage-patches.inc
\ No newline at end of file
-- cgit v1.2.3
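Review bot: The `0002-…patch\` entry in `SRC_URI:append` has no space before the line-continuation backslash, unlike the entries before and after it. The list then appears to rely on the next line's leading whitespace to keep the two `file://` URIs apart; write it as `file://0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch \` to match its neighbours. Both new `.bbappend` files also end without a trailing newline.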