diff mbox series

[v4,07/12] tools: mkimage: add tee-bootable image type

Message ID 1519648566-12061-8-git-send-email-bryan.odonoghue@linaro.org
State New
Headers show
Series Add new OPTEE bootm support to u-boot | expand

Commit Message

Bryan O'Donoghue Feb. 26, 2018, 12:36 p.m. UTC
This patch adds support for bootable TEE images to mkimage. Currently
there is a (Trusted Execution Environment) TEE image type, the TEE image
type is installed to a memory location control is passed to the TEE and
then the TEE returns to u-boot.

flow #0:
BootROM -> u-boot -> tee -> u-boot -> onwards

For some TEE implementations, such as upstream OPTEE for i.MX6 and i.MX7
the boot flow is

flow #1:
BootROM -> u-boot -> optee -> kernel

This patch adds a new image type to mkimage -  IH_TYPE_TEE_BOOTABLE to
reflect this TEE boot flow and to facilitate additional OPTEE specific
verification of that image type - prior to handing control to that image.

The new image type enables us to more easily generate and validate a
bootable OPTEE image also, for example instead of generating an OPTEE image
like this:

mkimage -A arm -O linux -C none -a 0x9c0fffe4 -e 0x9c100000 -d
./out/arm-plat-imx/core/tee.bin uTee

we can instead generate images like this:
mkimage -A arm -T tee-bootable -C none -d ./out/arm-plat-imx/core/tee.bin
uTee.optee

That OPTEE image then will have a specific image type that bootm can
automatically identify and consequently perform additional optee-header
checks on.

Subsequent patches add logic to perform those optee-specific changes prior
to handing over control as described in flow #1 above.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Link: http://mrvan.github.io/optee-imx6ul
Tested-by: Peng Fan <peng.fan@nxp.com>
---
 common/image.c        |  1 +
 include/image.h       |  1 +
 tools/default_image.c | 25 +++++++++++++++++++------
 3 files changed, 21 insertions(+), 6 deletions(-)

Comments

Tom Rini Feb. 26, 2018, 2:29 p.m. UTC | #1
On Mon, Feb 26, 2018 at 12:36:01PM +0000, Bryan O'Donoghue wrote:
> This patch adds support for bootable TEE images to mkimage. Currently

> there is a (Trusted Execution Environment) TEE image type, the TEE image

> type is installed to a memory location control is passed to the TEE and

> then the TEE returns to u-boot.

> 

> flow #0:

> BootROM -> u-boot -> tee -> u-boot -> onwards

> 

> For some TEE implementations, such as upstream OPTEE for i.MX6 and i.MX7

> the boot flow is

> 

> flow #1:

> BootROM -> u-boot -> optee -> kernel


Can you please re-phrase these flows in the way Andrew had, in the other
thread where it's clear what happens on the secure vs non-secure side?
I found that most helpful and I bet others reading the log in the future
will as well.  Thanks!

-- 
Tom
diff mbox series

Patch

diff --git a/common/image.c b/common/image.c
index e9609cd..e7785ce 100644
--- a/common/image.c
+++ b/common/image.c
@@ -161,6 +161,7 @@  static const table_entry_t uimage_type[] = {
 	{       IH_TYPE_TEE,        "tee",        "Trusted Execution Environment Image",},
 	{	IH_TYPE_FIRMWARE_IVT, "firmware_ivt", "Firmware with HABv4 IVT" },
 	{       IH_TYPE_PMMC,        "pmmc",        "TI Power Management Micro-Controller Firmware",},
+	{       IH_TYPE_TEE_BOOTABLE, "tee-bootable", "Trusted Execution Environment Bootable Image",},
 	{	-1,		    "",		  "",			},
 };
 
diff --git a/include/image.h b/include/image.h
index a2372de..d2c47ef 100644
--- a/include/image.h
+++ b/include/image.h
@@ -272,6 +272,7 @@  enum {
 	IH_TYPE_TEE,            /* Trusted Execution Environment (TEE) OS Image */
 	IH_TYPE_FIRMWARE_IVT,		/* Firmware Image with HABv4 IVT */
 	IH_TYPE_PMMC,            /* TI Power Management Micro-Controller Firmware */
+	IH_TYPE_TEE_BOOTABLE,		/* TEE Bootable Image */
 
 	IH_TYPE_COUNT,			/* Number of image types */
 };
diff --git a/tools/default_image.c b/tools/default_image.c
index 4e5568e..fc0b0c0 100644
--- a/tools/default_image.c
+++ b/tools/default_image.c
@@ -18,6 +18,7 @@ 
 #include "mkimage.h"
 
 #include <image.h>
+#include <tee/optee.h>
 #include <u-boot/crc.h>
 
 static image_header_t header;
@@ -25,7 +26,8 @@  static image_header_t header;
 static int image_check_image_types(uint8_t type)
 {
 	if (((type > IH_TYPE_INVALID) && (type < IH_TYPE_FLATDT)) ||
-	    (type == IH_TYPE_KERNEL_NOLOAD) || (type == IH_TYPE_FIRMWARE_IVT))
+	    (type == IH_TYPE_KERNEL_NOLOAD) || (type == IH_TYPE_FIRMWARE_IVT) ||
+	    (type == IH_TYPE_TEE_BOOTABLE))
 		return EXIT_SUCCESS;
 	else
 		return EXIT_FAILURE;
@@ -90,6 +92,8 @@  static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 	uint32_t checksum;
 	time_t time;
 	uint32_t imagesize;
+	uint32_t ep;
+	uint32_t addr;
 
 	image_header_t * hdr = (image_header_t *)ptr;
 
@@ -99,18 +103,27 @@  static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 			sbuf->st_size - sizeof(image_header_t));
 
 	time = imagetool_get_source_date(params, sbuf->st_mtime);
-	if (params->type == IH_TYPE_FIRMWARE_IVT)
+	ep = params->ep;
+	addr = params->addr;
+	imagesize = sbuf->st_size - sizeof(image_header_t);
+
+	switch (params->type) {
+	case IH_TYPE_FIRMWARE_IVT:
 		/* Add size of CSF minus IVT */
 		imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0;
-	else
-		imagesize = sbuf->st_size - sizeof(image_header_t);
+		break;
+	case IH_TYPE_TEE_BOOTABLE:
+		addr = optee_image_get_load_addr(hdr);
+		ep = optee_image_get_entry_point(hdr);
+		break;
+	}
 
 	/* Build new header */
 	image_set_magic(hdr, IH_MAGIC);
 	image_set_time(hdr, time);
 	image_set_size(hdr, imagesize);
-	image_set_load(hdr, params->addr);
-	image_set_ep(hdr, params->ep);
+	image_set_load(hdr, addr);
+	image_set_ep(hdr, ep);
 	image_set_dcrc(hdr, checksum);
 	image_set_os(hdr, params->os);
 	image_set_arch(hdr, params->arch);