tools: mkimage: add firmware-ivt image type for HAB verification

When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF.
Images generated as firmware_ivt can directly be signed using the
Freescale code signing tool. For creation of a CSF, mkimage outputs
the correct HAB Blocks for the image.
The changes to the usual firmware image class are quite small,
that is why I implemented that directly into the default_image.

Cc: sbabic@denx.de

v2-Changes: None

Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>

Makefile

@@ -763,7 +763,11 @@ ALL-$(CONFIG_RAMBOOT_PBL) += u-boot.pbl
 endif
 endif
 ALL-$(CONFIG_SPL) += spl/u-boot-spl.bin
+ifeq ($(CONFIG_MX6)$(CONFIG_SECURE_BOOT), yy)
+ALL-$(CONFIG_SPL_FRAMEWORK) += u-boot-ivt.img
+else
 ALL-$(CONFIG_SPL_FRAMEWORK) += u-boot.img
+endif
 ALL-$(CONFIG_TPL) += tpl/u-boot-tpl.bin
 ALL-$(CONFIG_OF_SEPARATE) += u-boot.dtb
 ifeq ($(CONFIG_SPL_FRAMEWORK),y)
@@ -938,6 +942,9 @@ else
 MKIMAGEFLAGS_u-boot.img = -A $(ARCH) -T firmware -C none -O u-boot \
 	-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
 	-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board"
+MKIMAGEFLAGS_u-boot-ivt.img = -A $(ARCH) -T firmware_ivt -C none -O u-boot \
+	-a $(CONFIG_SYS_TEXT_BASE) -e $(CONFIG_SYS_UBOOT_START) \
+	-n "U-Boot $(UBOOTRELEASE) for $(BOARD) board"
 endif
 
 MKIMAGEFLAGS_u-boot-dtb.img = $(MKIMAGEFLAGS_u-boot.img)
@@ -951,7 +958,7 @@ MKIMAGEFLAGS_u-boot-spl.kwb = -n $(srctree)/$(CONFIG_SYS_KWD_CONFIG:"%"=%) \
 MKIMAGEFLAGS_u-boot.pbl = -n $(srctree)/$(CONFIG_SYS_FSL_PBL_RCW:"%"=%) \
 		-R $(srctree)/$(CONFIG_SYS_FSL_PBL_PBI:"%"=%) -T pblimage
 
-u-boot-dtb.img u-boot.img u-boot.kwb u-boot.pbl: \
+u-boot-dtb.img u-boot.img u-boot.kwb u-boot.pbl u-boot-ivt.img: \
 		$(if $(CONFIG_SPL_LOAD_FIT),u-boot-nodtb.bin dts/dt.dtb,u-boot.bin) FORCE
 	$(call if_changed,mkimage)
 

common/image.c

@@ -166,6 +166,7 @@ static const table_entry_t uimage_type[] = {
 	{	IH_TYPE_ZYNQMPIMAGE, "zynqmpimage", "Xilinx ZynqMP Boot Image" },
 	{	IH_TYPE_FPGA,       "fpga",       "FPGA Image" },
 	{       IH_TYPE_TEE,        "tee",        "Trusted Execution Environment Image",},
+	{	IH_TYPE_FIRMWARE_IVT, "firmware_ivt", "Firmware with HABv4 IVT" },
 	{	-1,		    "",		  "",			},
 };
 
@@ -365,6 +366,11 @@ void image_print_contents(const void *ptr)
 				printf("%s    Offset = 0x%08lx\n", p, data);
 			}
 		}
+	} else if (image_check_type(hdr, IH_TYPE_FIRMWARE_IVT)) {
+		printf("HAB Blocks:   0x%08x   0x0000   0x%08x\n",
+				image_get_load(hdr) - image_get_header_size(),
+				image_get_size(hdr) + image_get_header_size()
+						- 0x1FE0);
 	}
 }
 

include/image.h

@@ -280,6 +280,7 @@ enum {
 	IH_TYPE_FPGA,			/* FPGA Image */
 	IH_TYPE_VYBRIDIMAGE,	/* VYBRID .vyb Image */
 	IH_TYPE_TEE,            /* Trusted Execution Environment OS Image */
+	IH_TYPE_FIRMWARE_IVT,		/* Firmware Image with HABv4 IVT */
 
 	IH_TYPE_COUNT,			/* Number of image types */
 };

tools/default_image.c

@@ -25,7 +25,7 @@ static image_header_t header;
 static int image_check_image_types(uint8_t type)
 {
 	if (((type > IH_TYPE_INVALID) && (type < IH_TYPE_FLATDT)) ||
-	    (type == IH_TYPE_KERNEL_NOLOAD))
+	    (type == IH_TYPE_KERNEL_NOLOAD) || (type == IH_TYPE_FIRMWARE_IVT))
 		return EXIT_SUCCESS;
 	else
 		return EXIT_FAILURE;
@@ -89,6 +89,7 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 {
 	uint32_t checksum;
 	time_t time;
+	uint32_t imagesize;
 
 	image_header_t * hdr = (image_header_t *)ptr;
 
@@ -98,11 +99,16 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 			sbuf->st_size - sizeof(image_header_t));
 
 	time = imagetool_get_source_date(params, sbuf->st_mtime);
+	if (params->type == IH_TYPE_FIRMWARE_IVT)
+		/* Add size of CSF minus IVT */
+		imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0;
+	else
+		imagesize = sbuf->st_size - sizeof(image_header_t);
 
 	/* Build new header */
 	image_set_magic(hdr, IH_MAGIC);
 	image_set_time(hdr, time);
-	image_set_size(hdr, sbuf->st_size - sizeof(image_header_t));
+	image_set_size(hdr, imagesize);
 	image_set_load(hdr, params->addr);
 	image_set_ep(hdr, params->ep);
 	image_set_dcrc(hdr, checksum);

tools/mkimage.c

@@ -9,6 +9,7 @@
  */
 
 #include "mkimage.h"
+#include "imximage.h"
 #include <image.h>
 #include <version.h>
 
@@ -508,6 +509,37 @@ int main(int argc, char **argv)
 		} else {
 			copy_file(ifd, params.datafile, pad_len);
 		}
+		if (params.type == IH_TYPE_FIRMWARE_IVT) {
+			/* Add alignment and IVT */
+			uint32_t aligned_filesize = (params.file_size + 0x1000
+					- 1) & ~(0x1000 - 1);
+			flash_header_v2_t ivt_header = { { 0xd1, 0x2000, 0x40 },
+					params.addr, 0, 0, 0, params.addr
+							+ aligned_filesize
+							- tparams->header_size,
+					params.addr + aligned_filesize
+							- tparams->header_size
+							+ 0x20, 0 };
+			int i = params.file_size;
+			for (; i < aligned_filesize; i++) {
+				if (write(ifd, &i, 1) != 1) {
+					fprintf(stderr,
+							"%s: Write error on %s: %s\n",
+							params.cmdname,
+							params.imagefile,
+							strerror(errno));
+					exit(EXIT_FAILURE);
+				}
+			}
+			if (write(ifd, &ivt_header, sizeof(flash_header_v2_t))
+					!= sizeof(flash_header_v2_t)) {
+				fprintf(stderr, "%s: Write error on %s: %s\n",
+						params.cmdname,
+						params.imagefile,
+						strerror(errno));
+				exit(EXIT_FAILURE);
+			}
+		}
 	}
 
 	/* We're a bit of paranoid */