authorYe Li <ye.li@nxp.com>2023-07-27 09:50:49 +0800
committerMarcel Ziswiler <marcel.ziswiler@toradex.com>2023-12-22 09:31:10 +0000
commit8f253d01813221e7400e5b828b1f1479f5e95aa3 (patch)
tree41a7da704e04d2c7f633334e8283110eed54bb41
parent2227ef5837b91acf4197078b7bf1642ca69f8d47 (diff)
LFU-573-2 imx8m: hab: Verify optional FIT FDT signature
One limitation of the FIT hash verification approach is that SPL must be bound to the FIT, because the FIT FDT hash is inserted into the SPL image and authenticated by ROM. For use cases that need to upgrade the FIT individually, for example Android's dual bootloader, this patch introduces an optional approach. This optional approach adds a FIT FDT signature (a new pair of IVT and CSF for the FIT FDT structure) after the original FIT image IVT and CSF. imx-mkimage always generates the new IVT and reserves the space for the new CSF. Users just need an additional signing step. This approach is not enabled by default in SPL except for Android builds. To enable it, set CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y with CONFIG_IMX_HAB=y in the u-boot defconfig. Signed-off-by: Ye Li <ye.li@nxp.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Upstream-Status: Inappropriate [downstream specific] Upstream U-Boot fixed this differently in combination with binman to create the final bootcontainer. Commit 6039e0edc854 ("imx: hab: Simplify the mechanism") Backport from NXP downstream [07b688228c5817e4d76cdc5484fd50f92e9cf1f0] Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
-rw-r--r--arch/arm/mach-imx/Kconfig9
-rw-r--r--arch/arm/mach-imx/spl.c25
-rw-r--r--arch/arm/mach-imx/spl_imx_romapi.c2
3 files changed, 30 insertions, 6 deletions
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 0616b05a05..b51a0464bf 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -81,6 +81,14 @@ config IMX_HAB
This option enables the support for secure boot (HAB).
See doc/imx/habv4/* for more details.
+config IMX_SPL_FIT_FDT_SIGNATURE
+ bool "Enable to verify signature of FIT FDT"
+ depends on IMX_HAB
+ depends on ARCH_IMX8M
+ help
+ Enable SPL to verify signature of FIT FDT during FIT loading.
+ This needs additional signing to FIT FDT part.
+
config CSF_SIZE
hex "Maximum size for Command Sequence File (CSF) binary"
depends on IMX_HAB
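Review bot: The help text for `IMX_SPL_FIT_FDT_SIGNATURE` does not say that enabling it replaces the FIT hash check rather than adding to it; in the spl.c part of this commit the `spl_verify_fit_hash()` call moves into the `else` branch. Someone turning the option on should know that a FIT without the additional signing step will presumably fail authentication on a closed device, and that with `ANDROID_SUPPORT` a failure is returned to the caller instead of panicking. I would extend the help with something like `When enabled, SPL authenticates the FIT FDT through its own IVT/CSF instead of the FIT hash embedded in SPL; the FIT must go through the additional signing step.`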
@@ -275,6 +283,7 @@ config ANDROID_SUPPORT
select SUPPORT_RAW_INITRD
select LIBAVB
select AVB_SUPPORT
+ imply IMX_SPL_FIT_FDT_SIGNATURE
config ANDROID_AUTO_SUPPORT
bool "Android Automotive features support"
diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c
index 26b3d00387..62888a4729 100644
--- a/arch/arm/mach-imx/spl.c
+++ b/arch/arm/mach-imx/spl.c
@@ -316,7 +316,7 @@ ulong board_spl_fit_size_align(ulong size)
*/
size = ALIGN(size, 0x1000);
- size += CONFIG_CSF_SIZE;
+ size += 2 * CONFIG_CSF_SIZE;
if (size > CONFIG_SYS_BOOTM_LEN)
panic("spl: ERROR: image too big\n");
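Review bot: The second `CONFIG_CSF_SIZE` is reserved unconditionally, although the extra IVT/CSF pair is only consumed when `CONFIG_IMX_SPL_FIT_FDT_SIGNATURE` is set, and nothing beside the line explains why. The commit message says imx-mkimage always reserves the space, so a comment such as `/* two CSF slots: FIT image IVT+CSF, then the FIT FDT IVT+CSF that imx-mkimage always reserves */` would keep a later reader from "fixing" it back. This line also uses `CONFIG_CSF_SIZE` while the verification code in `spl_load_simple_fit_fix_load()` uses `CSF_PAD_SIZE`; if the two are not the same value, the reserved area and the authenticated range disagree, so one name should be used in both places. The comment block ending on the hunk's first line starts outside the hunk and may already cover part of this.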
@@ -402,12 +402,27 @@ void *spl_load_simple_fit_fix_load(const void *fit)
u8 *tmp = (u8 *)fit;
if (IS_ENABLED(CONFIG_IMX_HAB)) {
- int ret = spl_verify_fit_hash(fit);
+ if (IS_ENABLED(CONFIG_IMX_SPL_FIT_FDT_SIGNATURE)) {
+ u32 offset = ALIGN(fdt_totalsize(fit), 0x1000);
+
+ if (imx_hab_authenticate_image((uintptr_t)fit,
+ offset + 2 * CSF_PAD_SIZE,
+ offset + CSF_PAD_SIZE)) {
+#ifdef CONFIG_ANDROID_SUPPORT
+ printf("spl: ERROR: FIT FDT authentication unsuccessful\n");
+ return NULL;
+#else
+ panic("spl: ERROR: FIT FDT authentication unsuccessful\n");
+#endif
+ }
+ } else {
+ int ret = spl_verify_fit_hash(fit);
- if (ret && imx_hab_is_enabled())
- panic("spl: ERROR: FIT hash verify unsuccessful\n");
+ if (ret && imx_hab_is_enabled())
+ panic("spl: ERROR: FIT hash verify unsuccessful\n");
- debug("spl_verify_fit_hash %d\n", ret);
+ debug("spl_verify_fit_hash %d\n", ret);
+ }
}
offset = ALIGN(fdt_totalsize(fit), 0x1000);
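Review bot: `fdt_totalsize(fit)` is read from the FIT header before anything has authenticated it, and in the new `CONFIG_IMX_SPL_FIT_FDT_SIGNATURE` branch it determines both the size and the IVT-offset arguments of `imx_hab_authenticate_image()` through 32-bit arithmetic (`offset + 2 * CSF_PAD_SIZE`), which can wrap for a malformed header. Whether the HAB wrapper rejects such values on its own is not visible in this hunk, so I would bound the value first, e.g. `if (fdt_check_header(fit) || fdt_totalsize(fit) > CONFIG_SYS_BOOTM_LEN - 0x1000 - 2 * CSF_PAD_SIZE)` followed by the same failure handling. The inner `u32 offset` also shadows the function-level `offset`, which is assigned the identical value right after the block; computing it once before the `if` would remove the duplicate. Under `CONFIG_ANDROID_SUPPORT` the failure path returns NULL instead of panicking, so every caller of `spl_load_simple_fit_fix_load()` has to treat NULL as a hard stop for this image; those callers, and the start and end of the function, are outside the hunk.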
diff --git a/arch/arm/mach-imx/spl_imx_romapi.c b/arch/arm/mach-imx/spl_imx_romapi.c
index d619f1e5d9..c0e8bed958 100644
--- a/arch/arm/mach-imx/spl_imx_romapi.c
+++ b/arch/arm/mach-imx/spl_imx_romapi.c
@@ -263,7 +263,7 @@ static u32 img_header_size(void)
static int img_info_size(void *img_hdr)
{
#ifdef CONFIG_SPL_LOAD_FIT
- return fit_get_size(img_hdr);
+ return board_spl_fit_size_align(fit_get_size(img_hdr));
#elif defined CONFIG_SPL_LOAD_IMX_CONTAINER
struct container_hdr *container = img_hdr;
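Review bot: A size taken from the image header can now end in `panic()` inside `img_info_size()`, because `board_spl_fit_size_align()` (see the spl.c hunk of this commit) panics when the padded size exceeds `CONFIG_SYS_BOOTM_LEN`, where the old line simply returned the value. If the header is not yet authenticated at this point, which the hunk does not show, it would be cleaner to check the `fit_get_size()` result here and return an error the caller can handle. The helper's `ulong` result is also narrowed to `int` without a comment. A short note such as `/* padded size: FIT plus the IVT/CSF area that follows it */` would explain why the raw FIT size is no longer enough. The function body continues past the end of the hunk.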