8148b82449
It is necessary to modify the configuration file for the target board. It wasn't well documented that to enable any of the secure boot modes, it is required to add CONFIG_SECURE_BOOT to the board configuration file. Also, fixed a typo in the encrypted boot section. Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
104 lines
3.7 KiB
Plaintext
High Assurance Boot (HAB) for i.MX6 CPUs

To enable the authenticated or encrypted boot mode of U-Boot, it is
required to set the proper configuration for the target board. This
is done by adding the following configuration in the proper config
file (e.g. include/configs/mx6qarm2.h):

#define CONFIG_SECURE_BOOT

In addition, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).

The Initial Vector Table contains a pointer to the CSF. Please see
doc/README.imximage for how to prepare u-boot.imx.

The CSF itself is generated by the Freescale HAB tools.

mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file):

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6 compatible)
Data Size:    327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point:  17800000
HAB Blocks:   177ff400 00000000 0004dc00
              ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
                  |       |       |
                  |       |       -------- (1)
                  |       |
                  |       ------------------- (2)
                  |
                  --------------------------- (3)

(1)     Size of area in file u-boot.imx to sign
        This area should include the IVT, the Boot Data, the DCD
        and U-Boot itself.
(2)     Start of area in u-boot.imx to sign
(3)     Start of area in RAM to authenticate

CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.

Commands to generate a signed U-Boot using the Freescale HAB tools:

cst --o U-Boot_CSF.bin < U-Boot.CSF
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
        U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx

NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.

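The "HAB Blocks" triple and the CSF pointer described above, as an added check (not part of this README or of U-Boot): a Python script that decodes the IVT at the start of u-boot.imx, recomputes the three HAB Blocks values the way mkimage reports them, and verifies that the padded CSF appended by the cat step actually starts at the file offset the IVT's CSF pointer implies and lies inside the Boot Data window the ROM loads. The sample image is constructed inside the script; the HABv4 tag values 0xD1/0xD4 and the 32-byte IVT layout are assumed from the HABv4 reference, not taken from this page.

```python
import struct

# HABv4 header tags (assumed from the HABv4 reference): 0xD1 marks an IVT, 0xD4 a CSF.
IVT_TAG, CSF_TAG = 0xD1, 0xD4

def parse_ivt(image):
    """Decode the 32-byte Initial Vector Table at the start of a u-boot.imx."""
    tag, length, version = image[0], int.from_bytes(image[1:3], "big"), image[3]
    if tag != IVT_TAG or length != 32:
        raise ValueError("no IVT at offset 0 (tag 0x%02x, length %d)" % (tag, length))
    entry, _, dcd, boot_data, self_ptr, csf, _ = struct.unpack_from("<7I", image, 4)
    return {"version": version, "entry": entry, "dcd": dcd,
            "boot_data": boot_data, "self": self_ptr, "csf": csf}

def hab_blocks(image):
    """Return (RAM start, file offset, size): the triple mkimage prints as 'HAB Blocks'."""
    ivt = parse_ivt(image)
    if ivt["csf"] == 0:
        raise ValueError("IVT has no CSF pointer; prepare u-boot.imx as in README.imximage")
    # u-boot.imx begins with the IVT, so the signed area starts at file offset 0 and
    # covers everything up to the CSF: IVT, Boot Data, DCD and U-Boot itself.
    return ivt["self"], 0, ivt["csf"] - ivt["self"]

def check_signed_image(signed):
    """Check that the CSF appended by 'cat u-boot.imx U-Boot_CSF_pad.bin' is where the IVT points."""
    ivt = parse_ivt(signed)
    ram_start, file_off, size = hab_blocks(signed)
    csf_off = file_off + size
    # Boot Data tells the ROM how much to copy to RAM; the CSF must fall inside that window.
    bd_start, bd_len, _ = struct.unpack_from("<3I", signed, ivt["boot_data"] - ram_start)
    if not bd_start <= ivt["csf"] < bd_start + bd_len:
        return False, "CSF pointer 0x%08x outside Boot Data window" % ivt["csf"]
    if len(signed) <= csf_off:
        return False, "image ends before CSF offset 0x%x (CSF not appended?)" % csf_off
    if signed[csf_off] != CSF_TAG:
        return False, "byte at CSF offset 0x%x is 0x%02x, not a CSF header" % (csf_off, signed[csf_off])
    return True, "CSF found at file offset 0x%x" % csf_off

# Constructed sample (not a real U-Boot build): IVT at RAM 0x177ff400, 0x400 bytes of
# payload standing in for DCD and U-Boot, CSF pointer 0x400 past the IVT, Boot Data covering all.
SELF, CSF_LEN = 0x177FF400, 0x2000
IVT = bytes([IVT_TAG, 0x00, 0x20, 0x40]) + struct.pack(
    "<7I", 0x17800000, 0, 0, SELF + 0x20, SELF, SELF + 0x400, 0)
BOOT_DATA = struct.pack("<3I", SELF - 0x400, 0x400 + 0x400 + CSF_LEN, 0)
UNSIGNED = (IVT + BOOT_DATA).ljust(0x400, b"\x00")
CSF_PAD = bytes([CSF_TAG, 0x00, 0x04, 0x40]).ljust(CSF_LEN, b"\x00")  # like U-Boot_CSF_pad.bin
SIGNED = UNSIGNED + CSF_PAD
if __name__ == "__main__":
    print("HAB Blocks:   %08x %08x %08x" % hab_blocks(UNSIGNED))
    print(check_signed_image(SIGNED))
```

Run against a real u-boot.imx and u-boot-signed.imx the two values that must match are the printed HAB Blocks line and the mkimage output shown above; a mismatch means the CSF offset in imximage.cfg and the padding in the objcopy step disagree.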
|
Setup U-Boot Image for Encrypted Boot
-------------------------------------
An authenticated U-Boot image is used as the starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of
u-boot.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot Data remain in plaintext.

The image data is encrypted with a Data Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.

The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled:

CONFIG_SECURE_BOOT
CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */
CONFIG_FSL_CAAM
CONFIG_CMD_DEKBLOB
CONFIG_SYS_FSL_SEC_LE

Note: The encrypted boot feature is only supported by HABv4 or
greater.

The dek_blob command can then be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:

dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192

The resulting DEK blob is then used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host. Then the following commands are used to construct
the final image:

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
        U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
        u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.bin DEK_blob.bin > u-boot-encrypted.imx

NOTE: u-boot-signed.imx needs to be padded (the <blob_dst> value
above) to the value equivalent to the address at which the DEK
blob is specified in the CSF.