imx: Kconfig: Reduce default CONFIG_CSF_SIZE
authorBreno Matheus Lima <breno.lima@nxp.com>
Mon, 23 Sep 2019 18:39:47 +0000 (18:39 +0000)
committerStefano Babic <sbabic@denx.de>
Tue, 8 Oct 2019 14:36:36 +0000 (16:36 +0200)
The default CSF_SIZE defined in Kconfig is too high and SPL cannot
fit into the OCRAM in certain cases.

The CSF cannot achieve 0x2000 length when using RSA 4K key which is
the largest key size supported by HABv4.

According to AN12056 "Encrypted Boot on HABv4 and CAAM Enabled Devices"
it's recommended to pad CSF binary to 0x2000 and append DEK blob to
deploy encrypted boot images.

As the maximum DEK blob size is 0x58 we can reduce CSF_SIZE to 0x2060
which should cover both CSF and DEK blob length.

Update default_image.c and image.c to align with this change and avoid
a U-Boot proper authentication failure in HAB closed devices:

Authenticate image from DDR location 0x877fffc0...
bad magic magic=0x32 length=0x6131 version=0x38
bad length magic=0x32 length=0x6131 version=0x38
bad version magic=0x32 length=0x6131 version=0x38
spl: ERROR:  image authentication fail

Fixes: 96d27fb218 (Revert "habv4: tools: Avoid hardcoded CSF size for SPL targets")

Reported-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
arch/arm/mach-imx/Kconfig
common/image.c
tools/default_image.c

index d44f74e4745031b7a9f588c1624c21fc37922dbd..f721eaf937c983a5a0e29a91222bc6b928a2bbb6 100644 (file)
@@ -45,7 +45,7 @@ config SECURE_BOOT
 
 config CSF_SIZE
        hex "Maximum size for Command Sequence File (CSF) binary"
-       default 0x4000
+       default 0x2060
        help
          Define the maximum size for Command Sequence File (CSF) binary
          this information is used to define the image boot data.
index 179eef0bd2dc8524bec46d4455de88d8da718162..62ba6b3bfe99b98e3ecdd9b9b89e9987211504fb 100644 (file)
@@ -61,6 +61,7 @@ static const image_header_t *image_get_ramdisk(ulong rd_addr, uint8_t arch,
 #endif /* !USE_HOSTCC*/
 
 #include <u-boot/crc.h>
+#include <imximage.h>
 
 #ifndef CONFIG_SYS_BARGSIZE
 #define CONFIG_SYS_BARGSIZE 512
@@ -378,9 +379,9 @@ void image_print_contents(const void *ptr)
                }
        } else if (image_check_type(hdr, IH_TYPE_FIRMWARE_IVT)) {
                printf("HAB Blocks:   0x%08x   0x0000   0x%08x\n",
-                               image_get_load(hdr) - image_get_header_size(),
-                               image_get_size(hdr) + image_get_header_size()
-                                               - 0x1FE0);
+                       image_get_load(hdr) - image_get_header_size(),
+                       (int)(image_get_size(hdr) + image_get_header_size()
+                       + sizeof(flash_header_v2_t) - 0x2060));
        }
 }
 
index 4b7d1ed4a1a5247d72a1f73c65466c2daac486e9..f7990e28c0639852a8abe4951416c5f7647526f2 100644 (file)
@@ -19,6 +19,7 @@
 #include <image.h>
 #include <tee/optee.h>
 #include <u-boot/crc.h>
+#include <imximage.h>
 
 static image_header_t header;
 
@@ -106,7 +107,9 @@ static void image_set_header(void *ptr, struct stat *sbuf, int ifd,
 
        if (params->type == IH_TYPE_FIRMWARE_IVT)
                /* Add size of CSF minus IVT */
-               imagesize = sbuf->st_size - sizeof(image_header_t) + 0x1FE0;
+               imagesize = sbuf->st_size - sizeof(image_header_t)
+                           + 0x2060 - sizeof(flash_header_v2_t);
+
        else
                imagesize = sbuf->st_size - sizeof(image_header_t);