Merge tag 'u-boot-imx-20220919' of https://gitlab.denx.de/u-boot/custodians/u-boot-imx

u-boot-imx-20220919
-------------------

CI: https://source.denx.de/u-boot/custodians/u-boot-imx/-/pipelines/13500

- Fix imx8mn-beacon-kit-u-boot
- Merged Purism
- imxrt1170 (already merged in u-boot-imx)
- Fixes in crypto FSL
- Toradex : fixes Verdin
- Serial Driver: fixes when not used as console
- DH Boards : fixes + USB
- Fix CONFIG_SYS_MALLOC_F_LEN (Kconfig)
- Add imx6ulz_smm_m2

7 files changed, 481 insertions, 0 deletions

diff --git a/doc/board/index.rst b/doc/board/index.rst
index 01b99f9cf50..53edd5301f2 100644
--- a/doc/board/index.rst
+++ b/doc/board/index.rst
@@ -28,6 +28,7 @@ Board-specific doc
    nokia/index
    nxp/index
    openpiton/index
+   purism/index
    qualcomm/index
    rockchip/index
    samsung/index
diff --git a/doc/board/purism/index.rst b/doc/board/purism/index.rst
new file mode 100644
index 00000000000..a9cdc312d46
--- /dev/null
+++ b/doc/board/purism/index.rst
@@ -0,0 +1,9 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+Purism SPC
+==========
+
+.. toctree::
+   :maxdepth: 2
+
+   librem5
diff --git a/doc/board/purism/librem5.rst b/doc/board/purism/librem5.rst
new file mode 100644
index 00000000000..fb050c63028
--- /dev/null
+++ b/doc/board/purism/librem5.rst
@@ -0,0 +1,60 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+Librem5
+==========
+
+U-Boot for the Purism Librem5 phone
+
+Quick Start
+-----------
+
+- Build the ARM Trusted firmware binary
+- Get ddr and hdmi firmware
+- Build U-Boot
+
+Get and Build the ARM Trusted firmware
+--------------------------------------
+
+Note: srctree is U-Boot source directory
+Get ATF from: https://source.puri.sm/Librem5/arm-trusted-firmware
+branch: librem5
+
+.. code-block:: bash
+
+   $ make PLAT=imx8mq CROSS_COMPILE=aarch64-linux-gnu- bl31
+   $ cp build/imx8mq/release/bl31.bin $(builddir)
+
+Get the ddr and display port firmware
+-------------------------------------
+
+.. code-block:: bash
+
+   $ wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-8.15.bin
+   $ chmod +x firmware-imx-8.15.bin
+   $ ./firmware-imx-8.15.bin
+   $ cp firmware-imx-8.15/firmware/hdmi/cadence/signed_dp_imx8m.bin $(builddir)
+   $ cp firmware-imx-8.15/firmware/ddr/synopsys/lpddr4*.bin $(builddir)
+
+Build U-Boot
+------------
+
+.. code-block:: bash
+
+   $ export CROSS_COMPILE=aarch64-linux-gnu-
+   $ make librem5_defconfig
+   $ make ARCH=arm
+
+Burn the flash.bin
+------------------
+
+Use uuu to burn flash.bin. Power on the phone while holding vol+ to get it
+into uuu mode.
+
+.. code-block:: bash
+
+   $ git clone https://source.puri.sm/Librem5/librem5-devkit-tools.git
+   $ cd librem5-devkit-tools
+   $ cp $(builddir)/flash.bin files/u-boot-librem5.imx
+   $ uuu uuu_scripts/u-boot_flash_librem5.lst
+
+Reboot the phone.
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf.sh b/doc/imx/habv4/csf_examples/mx8m/csf.sh
new file mode 100644
index 00000000000..6898513be51
--- /dev/null
+++ b/doc/imx/habv4/csf_examples/mx8m/csf.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# 0) Generate keys
+#
+# WARNING: ECDSA keys are only supported by HAB 4.5 and newer (i.e. i.MX8M Plus)
+#
+# cd /path/to/cst-3.3.1/keys/
+#    ./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 10 -num-srk 4 -srk-ca y
+# cd /path/to/cst-3.3.1/crts/
+#   ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
+
+# 1) Build U-Boot (e.g. for i.MX8MM)
+#
+# export ATF_LOAD_ADDR=0x920000
+# cp -Lv /path/to/arm-trusted-firmware/build/imx8mm/release/bl31.bin .
+# cp -Lv /path/to/firmware-imx-8.14/firmware/ddr/synopsys/ddr3* .
+# make -j imx8mm_board_defconfig
+# make -j`nproc` flash.bin
+
+# 2) Sign SPL and DRAM blobs
+
+cp doc/imx/habv4/csf_examples/mx8m/csf_spl.txt csf_spl.tmp
+cp doc/imx/habv4/csf_examples/mx8m/csf_fit.txt csf_fit.tmp
+
+spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
+spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
+sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.tmp
+
+# Generate CSF blob
+cst -i csf_spl.tmp -o csf_spl.bin
+
+# Patch CSF blob into flash.bin
+spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
+spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
+spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
+dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
+
+# 3) Sign u-boot.itb
+
+# fitImage tree
+fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SYS_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) )
+fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset))
+fit_block_size=$(printf "0x%x" $(( ( $(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) + 0x20 )) )
+sed -i "/Blocks = / s@.*@  Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# U-Boot
+uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load))
+uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} )))
+uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size))
+sed -i "/0xuuuu/ s@.*@           $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# ATF
+atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load))
+atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} )))
+atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size))
+sed -i "/0xaaaa/ s@.*@           $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# DTB
+dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} )))
+dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} )))
+dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size))
+sed -i "/0xdddd/ s@.*@           $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp
+
+# IVT
+ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
+csf_block_offset=$((${ivt_block_offset} + 0x20))
+
+echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin
+dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc
+
+# Generate CSF blob
+cst -i csf_fit.tmp -o csf_fit.bin
+# Patch CSF blob into flash.bin
+dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
new file mode 100644
index 00000000000..cd1d4070a5e
--- /dev/null
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt
@@ -0,0 +1,36 @@
+[Header]
+  Version = 4.3
+  Hash Algorithm = sha256
+  Engine = CAAM
+  Engine Configuration = 0
+  Certificate Format = X509
+  Signature Format = CMS
+
+[Install SRK]
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  Source index = 0
+
+[Install CSFK]
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate CSF]
+
+[Install Key]
+  Verification index = 0
+  Target Index = 2
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate Data]
+  Verification index = 2
+  # FIXME:
+  # Line 1 -- fitImage tree
+  # Line 2 -- U-Boot u-boot-nodtb.bin blob
+  # Line 3 -- ATF BL31 blob
+  # Line 4 -- DT blob
+  Blocks = 0x401fcdc0 0x57c00 0xffff "flash.bin", \
+           0x40200000 0x62c00 0xuuuu "flash.bin", \
+	   0x920000   0x00000 0xaaaa "flash.bin", \
+	   0x40200000 0x00000 0xdddd "flash.bin"
diff --git a/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
new file mode 100644
index 00000000000..00e34f6b1b9
--- /dev/null
+++ b/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt
@@ -0,0 +1,33 @@
+[Header]
+  Version = 4.3
+  Hash Algorithm = sha256
+  Engine = CAAM
+  Engine Configuration = 0
+  Certificate Format = X509
+  Signature Format = CMS
+
+[Install SRK]
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
+  Source index = 0
+
+[Install CSFK]
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate CSF]
+
+[Unlock]
+  Engine = CAAM
+  Features = MID
+
+[Install Key]
+  Verification index = 0
+  Target Index = 2
+  # FIXME: Adjust path here
+  File = "/path/to/cst-3.3.1/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
+
+[Authenticate Data]
+  Verification index = 2
+  # FIXME: Adjust start (first column) and size (third column) here
+  Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
diff --git a/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
new file mode 100644
index 00000000000..747f7cd260f
--- /dev/null
+++ b/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
@@ -0,0 +1,265 @@
+      +=========================================================+
+      +  i.MX8M U-Boot HABv4 Secure Boot guide for SPL targets  +
+      +=========================================================+
+
+1. HABv4 secure boot process
+-----------------------------
+
+This document is an addendum of mx6_mx7_spl_secure_boot.txt guide describing
+a step-by-step procedure on how to sign and securely boot an U-Boot image for
+SPL targets on i.MX8M, i.MX8M Mini, i.MX8M Nano, i.MX8M Plus.
+
+Details about HAB can be found in the application note AN4581[1] and in the
+introduction_habv4.txt document.
+
+1.1 Building a SPL target supporting secure boot
+-------------------------------------------------
+
+The U-Boot build for i.MX8M SoC makes use of Second Program Loader (SPL)
+support, fitImage support and custom i.MX8M specific flash.bin container.
+This leads to a generation of multiple intermediate build artifacts, the
+U-Boot SPL, U-Boot binary, DT blob. These later two artifacts are bundled
+with external ATF BL31 blob to form a fitImage. The fitImage is bundled
+with SPL and external DDR and optional HDMI PHY initialization blobs to
+form the final flash.bin container. The HABv4 can be used to authenticate
+all of the input binaries separately.
+
+Out of reset the ROM code authenticates the SPL and PHY initialization
+blobs, combination of which is responsible for initializing essential
+features such as DDR, UART, PMIC and clock enablement. Once the DDR is
+available, the SPL code loads the secondary fitImage to its specific
+address and call the HAB APIs to extend the root of trust on its
+components.
+
+The U-Boot SPL provides support to secure boot configuration and also
+provide access to the HAB APIs exposed by the ROM vector table, the
+U-Boot provides access to HAB APIs via SMC calls to ATF. The support
+is enabled by selecting the CONFIG_IMX_HAB option.
+
+When built with this configuration the U-Boot correctly pads combined
+SPL and PHY initialization blob image, called u-boot-spl-ddr.bin, by
+aligning to the next 0xC00 address, so the CSF signature data generated
+by CST can be concatenated to the image.
+
+The U-Boot also reserves space in the fitImage binary (u-boot.itb) between
+the fitImage tree and external blobs included in it, so it can be used to
+inject IVT and CST signatures used by SPL HAB calls to authenticate the
+fitImage components.
+
+The diagram below illustrate a signed SPL combined with DDR PHY
+initialization firmware blobs part of flash.bin container layout.
+This part is loaded to memory address ( CONFIG_SPL_TEXT_BASE - 0x40 ) and
+authenticated the BootROM. The reason for the offset is so that the *entry
+would be at memory address CONFIG_SPL_TEXT_BASE when BootROM executes the
+code within it:
+
+            ------- +-----------------------------+ <-- *start
+                ^   |      Image Vector Table     |
+                |   |         (0x20 bytes)        |
+                |   +-----------------------------+ <-- *boot_data
+                |   |          Boot Data          |
+                |   +-----------------------------+
+                |   |           Padding           |
+         Signed |   |  to 0x40 bytes from *start  |
+          Data  |   +-----------------------------+ <-- *entry
+                |   |                             |
+                |   |  SPL combined with DDR PHY  |
+                |   |    initialization blobs     |
+                |   |    (u-boot-spl-ddr.bin)     |
+                |   |                             |
+                |   +-----------------------------+
+                v   |           Padding           |
+            ------- +-----------------------------+ <-- *csf
+                    |                             |
+                    | Command Sequence File (CSF) |
+                    |                             |
+                    +-----------------------------+
+                    |      Padding (optional)     |
+                    +-----------------------------+
+
+The diagram below illustrate a signed U-Boot binary, DT blob and external
+ATF BL31 blob combined to form fitImage part of flash.bin container layout.
+The *load_address is derived from CONFIG_SYS_TEXT_BASE such that the U-Boot
+binary *start is placed exactly at CONFIG_SPL_TEXT_BASE in DRAM, however the
+SPL moves the fitImage tree further to location:
+ *load_address = CONFIG_SPL_TEXT_BASE - CONFIG_FIT_EXTERNAL_OFFSET (=12kiB) -
+                 512 Byte sector - sizeof(mkimage header)
+
+            ------- +-----------------------------+ <-- *load_address
+                ^   |                             |
+                |   |        fitImage tree        |
+                |   |    with external data at    |
+                |   |   offset 12 kiB from tree   |
+                |   |        (cca. 1 kiB)         |
+         Signed |   |                             |
+  .-----  Tree  |   +-----------------------------+
+  |       Data  |   | Padding to next 4k aligned  |
+  |             |   |     from *load_address      |
+  |             |   +-----------------------------+ <-- *ivt
+  |             |   |     Image Vector Table      |
+  |             v   |         (0x20 bytes)        |
+  |         ------- +-----------------------------+ <-- *csf
+  |                 | Command Sequence File (CSF) |
+  |                 |  for all signed entries in  |
+   >--------------->| the fitImage, tree and data |
+  |                 |        (cca 6-7 kiB)        |
+  |                 +-----------------------------+
+  |                 |  Padding to 12 kiB offset   |
+  |                 |     from *load_address      |
+  |         ------- +-----------------------------+ <-- *start
+  |             ^   |                             |
+  |      Signed |   |                             |
+  |---- Payload |   |  U-Boot external data blob  |
+  |       Data  |   |                             |
+  |             v   |                             |
+  |         ------- +-----------------------------+
+  |                 |     Padding to 4 Bytes      |
+  |         ------- +-----------------------------+
+  |             ^   |                             |
+  |      Signed |   |                             |
+  |---- Payload |   |    ATF external data blob   |
+  |       Data  |   |                             |
+  |             v   |                             |
+  |         ------- +-----------------------------+
+  |                 |     Padding to 4 Bytes      |
+  |         ------- +-----------------------------+
+  |             ^   |                             |
+  |      Signed |   |                             |
+  '---- Payload |   |    DTB external data blob   |
+          Data  |   |                             |
+                v   |                             |
+            ------- +-----------------------------+
+
+The diagram below illustrate a combined flash.bin container layout:
+
+                    +-----------------------------+
+                    |       Signed SPL part       |
+                    +-----------------------------+
+                    |     Signed fitImage part    |
+                    +-----------------------------+
+
+1.2 Enabling the secure boot support
+-------------------------------------
+
+The first step is to generate an U-Boot image supporting the HAB features
+mentioned above, this can be achieved by adding CONFIG_IMX_HAB to the
+build configuration:
+
+- Defconfig:
+
+  CONFIG_IMX_HAB=y
+
+- Kconfig:
+
+  ARM architecture -> Support i.MX HAB features
+
+1.3 Signing the images
+-----------------------
+
+The CSF contains all the commands that the HAB executes during the secure
+boot. These commands instruct the HAB code on which memory areas of the image
+to authenticate, which keys to install, use and etc.
+
+CSF examples are available under doc/imx/habv4/csf_examples/ directory.
+
+CSF "Blocks" line for csf_spl.txt can be generated as follows:
+
+```
+spl_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SPL_TEXT_BASE=/ s@.*=@@p" .config) - 0x40)) )
+spl_block_size=$(printf "0x%x" $(stat -tc %s u-boot-spl-ddr.bin))
+sed -i "/Blocks = / s@.*@  Blocks = $spl_block_base 0x0 $spl_block_size \"flash.bin\"@" csf_spl.txt
+```
+
+The resulting line looks as follows:
+```
+  Blocks = 0x7e0fc0 0x0 0x306f0 "flash.bin"
+```
+
+The columns mean:
+  - CONFIG_SPL_TEXT_BASE - 0x40 -- Start address of signed data, in DRAM
+  - 0x0 -- Start address of signed data, in "flash.bin"
+  - 0x306f0 -- Length of signed data, in "flash.bin"
+  - Filename -- "flash.bin"
+
+To generate signature for the SPL part of flash.bin container, use CST:
+```
+cst -i csf_spl.tmp -o csf_spl.bin
+```
+
+The newly generated CST blob has to be patched into existing flash.bin
+container. Conveniently, flash.bin IVT contains physical address of the
+CSF blob. Remember, the SPL part of flash.bin container is loaded by the
+BootROM at CONFIG_SPL_TEXT_BASE - 0x40 , so the offset of CSF blob in
+the fitImage can be calculated and inserted into the flash.bin in the
+correct location as follows:
+```
+# offset = IVT_HEADER[6 = CSF address] - CONFIG_SPL_TEXT_BASE - 0x40
+spl_csf_offset=$(xxd -s 24 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
+spl_bin_offset=$(xxd -s 4 -l 4 -e flash.bin | cut -d " " -f 2 | sed "s@^@0x@")
+spl_dd_offset=$((${spl_csf_offset} - ${spl_bin_offset} + 0x40))
+dd if=csf_spl.bin of=flash.bin bs=1 seek=${spl_dd_offset} conv=notrunc
+```
+
+CSF "Blocks" line for csf_fit.txt can be generated as follows:
+```
+# fitImage tree
+fit_block_base=$(printf "0x%x" $(( $(sed -n "/CONFIG_SYS_TEXT_BASE=/ s@.*=@@p" .config) - $(sed -n "/CONFIG_FIT_EXTERNAL_OFFSET=/ s@.*=@@p" .config) - 0x200 - 0x40)) )
+fit_block_offset=$(printf "0x%s" $(fdtget -t x u-boot.dtb /binman/imx-boot/uboot offset))
+fit_block_size=$(printf "0x%x" $(( ( $(fdtdump u-boot.itb 2>/dev/null | sed -n "/^...totalsize:/ s@.*\(0x[0-9a-f]\+\).*@\1@p") + 0x1000 - 0x1 ) & ~(0x1000 - 0x1) + 0x20 )) )
+sed -i "/Blocks = / s@.*@  Blocks = $fit_block_base $fit_block_offset $fit_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# U-Boot
+uboot_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot load))
+uboot_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-position)) + ${fit_block_offset} )))
+uboot_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/uboot data-size))
+sed -i "/0xuuuu/ s@.*@           $uboot_block_base $uboot_block_offset $uboot_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# ATF
+atf_block_base=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf load))
+atf_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-position)) + ${fit_block_offset} )))
+atf_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/atf data-size))
+sed -i "/0xaaaa/ s@.*@           $atf_block_base $atf_block_offset $atf_block_size \"flash.bin\", \\\\@" csf_fit.tmp
+
+# DTB
+dtb_block_base=$(printf "0x%x" $(( ${uboot_block_base} + ${uboot_block_size} )))
+dtb_block_offset=$(printf "0x%x" $(( $(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-position)) + ${fit_block_offset} )))
+dtb_block_size=$(printf "0x%s" $(fdtget -t x u-boot.itb /images/fdt-1 data-size))
+sed -i "/0xdddd/ s@.*@           $dtb_block_base $dtb_block_offset $dtb_block_size \"flash.bin\"@" csf_fit.tmp
+```
+
+The fitImage part of flash.bin requires separate IVT. Generate the IVT and
+patch it into the correct aligned location of flash.bin as follows:
+```
+# IVT
+ivt_ptr_base=$(printf "%08x" ${fit_block_base} | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+ivt_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} - 0x20 )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+csf_block_base=$(printf "%08x" $(( ${fit_block_base} + ${fit_block_size} )) | sed "s@\(..\)\(..\)\(..\)\(..\)@0x\4\3\2\1@")
+ivt_block_offset=$((${fit_block_offset} + ${fit_block_size} - 0x20))
+csf_block_offset=$((${ivt_block_offset} + 0x20))
+
+echo "0xd1002041 ${ivt_ptr_base} 0x00000000 0x00000000 0x00000000 ${ivt_block_base} ${csf_block_base} 0x00000000" | xxd -r -p > ivt.bin
+dd if=ivt.bin of=flash.bin bs=1 seek=${ivt_block_offset} conv=notrunc
+
+To generate CSF signature for the fitImage part of flash.bin container, use CST:
+```
+cst -i csf_fit.tmp -o csf_fit.bin
+```
+
+Finally, patch the CSF signature into the fitImage right past the IVT:
+```
+dd if=csf_fit.bin of=flash.bin bs=1 seek=${csf_block_offset} conv=notrunc
+```
+
+The entire script is available in doc/imx/habv4/csf_examples/mx8m/csf.sh
+
+1.4 Closing the device
+-----------------------
+
+The procedure for closing the device is similar as in Non-SPL targets, for a
+complete procedure please refer to section "1.5 Programming SRK Hash" in
+mx6_mx7_secure_boot.txt document available under doc/imx/habv4/guides/
+directory.
+
+References:
+[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
+ HABv4" - Rev 2.