|
@@ -1,4 +1,5 @@
|
|
|
-High Assurance Boot (HAB) for i.MX6 CPUs
|
|
|
|
|
|
|
+1. High Assurance Boot (HAB) for i.MX CPUs
|
|
|
|
|
+------------------------------------------
|
|
|
|
|
|
|
|
To enable the authenticated or encrypted boot mode of U-Boot, it is
|
|
To enable the authenticated or encrypted boot mode of U-Boot, it is
|
|
|
required to set the proper configuration for the target board. This
|
|
required to set the proper configuration for the target board. This
|
|
@@ -52,8 +53,58 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
|
|
|
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
|
|
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
|
|
|
the imximage.cfg file.
|
|
the imximage.cfg file.
|
|
|
|
|
|
|
|
-Setup U-Boot Image for Encrypted Boot
|
|
|
|
|
--------------------------------------
|
|
|
|
|
|
|
+
|
|
|
|
|
+2. Using Secure Boot on i.MX6 machines with SPL support
|
|
|
|
|
+-------------------------------------------------------
|
|
|
|
|
+
|
|
|
|
|
+This version of U-Boot is able to build a signable version of the SPL
|
|
|
|
|
+as well as a signable version of the U-Boot image. The signature can
|
|
|
|
|
+be verified through High Assurance Boot (HAB).
|
|
|
|
|
+
|
|
|
|
|
+CONFIG_SECURE_BOOT is needed to build those two binaries.
|
|
|
|
|
+After building, you need to create a command sequence file and use
|
|
|
|
|
+Freescales Code Signing Tool to sign both binaries. After creation,
|
|
|
|
|
+the mkimage tool outputs the required information about the HAB Blocks
|
|
|
|
|
+parameter for the CSF. During the build, the information is preserved
|
|
|
|
|
+in log files named as the binaries. (SPL.log and u-boot-ivt.log).
|
|
|
|
|
+
|
|
|
|
|
+More information about the CSF and HAB can be found in the AN4581.
|
|
|
|
|
+https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
|
|
|
|
|
+
|
|
|
|
|
+We don't want to explain how to create a PKI tree or SRK table as
|
|
|
|
|
+this is well explained in the Application Note.
|
|
|
|
|
+
|
|
|
|
|
+Example Output of the SPL (imximage) creation:
|
|
|
|
|
+ Image Type: Freescale IMX Boot Image
|
|
|
|
|
+ Image Ver: 2 (i.MX53/6/7 compatible)
|
|
|
|
|
+ Mode: DCD
|
|
|
|
|
+ Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
|
|
|
|
|
+ Load Address: 00907420
|
|
|
|
|
+ Entry Point: 00908000
|
|
|
|
|
+ HAB Blocks: 00907400 00000000 0000cc00
|
|
|
|
|
+
|
|
|
|
|
+Example Output of the u-boot-ivt.img (firmware_ivt) creation:
|
|
|
|
|
+ Image Name: U-Boot 2016.11-rc1-31589-g2a4411
|
|
|
|
|
+ Created: Sat Nov 5 21:53:28 2016
|
|
|
|
|
+ Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
|
|
|
|
|
+ Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
|
|
|
|
|
+ Load Address: 17800000
|
|
|
|
|
+ Entry Point: 00000000
|
|
|
|
|
+ HAB Blocks: 0x177fffc0 0x0000 0x00054020
|
|
|
|
|
+
|
|
|
|
|
+The CST (Code Signing Tool) can be downloaded from NXP.
|
|
|
|
|
+# Compile CSF and create signature
|
|
|
|
|
+./cst --o csf-u-boot.bin < command_sequence_uboot.csf
|
|
|
|
|
+./cst --o csf-SPL.bin < command_sequence_spl.csf
|
|
|
|
|
+# Append compiled CSF to Binary
|
|
|
|
|
+cat SPL csf-SPL.bin > SPL-signed
|
|
|
|
|
+cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
|
|
|
|
|
+
|
|
|
|
|
+These two signed binaries can be used on an i.MX6 in closed
|
|
|
|
|
+configuration when the according SRK Table Hash has been flashed.
|
|
|
|
|
+
|
|
|
|
|
+3. Setup U-Boot Image for Encrypted Boot
|
|
|
|
|
+-----------------------------------------
|
|
|
An authenticated U-Boot image is used as starting point for
|
|
An authenticated U-Boot image is used as starting point for
|
|
|
Encrypted Boot. The image is encrypted by Freescale's Code
|
|
Encrypted Boot. The image is encrypted by Freescale's Code
|
|
|
Signing Tool (CST). The CST replaces only the image data of
|
|
Signing Tool (CST). The CST replaces only the image data of
|
Breno Lima