doc/README.mxc_hab 3.71 KB
  High Assurance Boot (HAB) for i.MX6 CPUs
  To enable the authenticated or encrypted boot mode of U-Boot, it is
  required to set the proper configuration for the target board. This
  is done by adding the following configuration to the proper config
  file (e.g. include/configs/mx6qarm2.h):
  
  #define CONFIG_SECURE_BOOT
  
  In addition, the U-Boot image to be programmed into the
  boot media needs to be properly constructed, i.e. it must contain a
  proper Command Sequence File (CSF).
  
  The Initial Vector Table contains a pointer to the CSF. Please see
  doc/README.imximage for how to prepare u-boot.imx.
  
  The CSF itself is generated by the Freescale HAB tools.
  
  mkimage will output additional information about "HAB Blocks"
  which can be used in the Freescale tooling to authenticate U-Boot
  (entries in the CSF file).
  
  Image Type:   Freescale IMX Boot Image
  Image Ver:    2 (i.MX53/6 compatible)
  Data Size:    327680 Bytes = 320.00 kB = 0.31 MB
  Load Address: 177ff420
  Entry Point:  17800000
  HAB Blocks:   177ff400 00000000 0004dc00
  	      ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
  		|	|	   |
  		|	|	   -------- (1)
  		|	|
  		|	------------------- (2)
  		|
  		--------------------------- (3)
  
  (1)	Size of area in file u-boot.imx to sign
  	This area should include the IVT, the Boot Data, the DCD
  	and U-Boot itself.
  (2)	Start of area in u-boot.imx to sign
  (3)	Start of area in RAM to authenticate
  
  CONFIG_SECURE_BOOT currently enables only an additional command
  'hab_status' in U-Boot to retrieve the HAB status and events. This
  can be useful while developing and testing HAB.
  
  Commands to generate a signed U-Boot using Freescale HAB tools:
  cst --o U-Boot_CSF.bin < U-Boot.CSF
  objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
  	U-Boot_CSF.bin U-Boot_CSF_pad.bin
  cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
  
  NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
  the imximage.cfg file.
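
  The shell helpers below are an added example, not part of U-Boot or the
  Freescale tooling: they pull the "HAB Blocks" fields out of mkimage output,
  format them as a CSF Blocks entry, and check the two size constraints
  described above. The function names are hypothetical, and the Blocks syntax
  (address, offset, length, file name) is that of the CST, not shown in this README.

```shell
#!/bin/sh
# Added example, not part of U-Boot or the Freescale CST.
# Function names are hypothetical.

# Read mkimage output on stdin and print the three "HAB Blocks" fields:
# RAM start (3), file offset (2), length (1). Fails if the line is absent.
hab_blocks() {
    awk '/^[ \t]*HAB Blocks:/ { print $3, $4, $5; found = 1 }
         END { exit !found }'
}

# Format the fields as a CSF "Blocks" entry for the named image file.
# usage: csf_blocks_line <ram-hex> <offset-hex> <length-hex> <file>
csf_blocks_line() {
    printf 'Blocks = 0x%s 0x%s 0x%s "%s"\n' "$1" "$2" "$3" "$4"
}

# Succeed only if the area to sign, [offset, offset+length), lies inside
# the image file, so the Blocks entry never describes bytes the file lacks.
# usage: area_in_file <offset-hex> <length-hex> <file>
area_in_file() {
    size=$(( $(wc -c < "$3") ))
    [ $(( 0x$1 + 0x$2 )) -le "$size" ]
}

# Succeed only if the CSF binary is no larger than the size it is padded
# to (the space reserved for it in imximage.cfg).
# usage: csf_fits <csf.bin> <pad-size, e.g. 0x2000>
csf_fits() {
    [ $(( $(wc -c < "$1") )) -le $(( $2 )) ]
}

# Constructed sample: the HAB Blocks line from the mkimage output above.
sample='HAB Blocks:   177ff400 00000000 0004dc00'
set -- $(printf '%s\n' "$sample" | hab_blocks)
csf_blocks_line "$1" "$2" "$3" u-boot.imx
# prints: Blocks = 0x177ff400 0x00000000 0x0004dc00 "u-boot.imx"
```

  Run area_in_file before invoking cst and csf_fits before the objcopy
  padding step, and stop the build if either fails.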
  
  Setup U-Boot Image for Encrypted Boot
  -------------------------------------
  An authenticated U-Boot image is used as starting point for
  Encrypted Boot. The image is encrypted by Freescale's Code
  Signing Tool (CST). The CST replaces only the image data of
  u-boot.imx with the encrypted data. The Initial Vector Table,
  DCD, and Boot data remain in plaintext.
  
  The image data is encrypted with an Encryption Key (DEK).
  Therefore, this key is needed to decrypt the data during the
  booting process. The DEK is protected by wrapping it in a Blob,
  which needs to be appended to the U-Boot image and specified in
  the CSF file.
  
  The DEK blob is generated by an authenticated U-Boot image with
  the dek_blob cmd enabled. The image used for DEK blob generation
  needs to have the following configurations enabled:
  
  CONFIG_SECURE_BOOT
  CONFIG_SYS_FSL_SEC_COMPAT    4 /* HAB version */
  CONFIG_FSL_CAAM
  CONFIG_CMD_DEKBLOB
  CONFIG_SYS_FSL_SEC_LE
  
  Note: The encrypted boot feature is only supported by HABv4 or
  greater.
  
  The dek_blob command then can be used to generate the DEK blob of
  a DEK previously loaded in memory. The command is used as follows:
  
  dek_blob <DEK address> <Output Address> <Key Size in Bits>
  example: dek_blob 0x10800000 0x10801000 192
  
  The resulting DEK blob is then used to construct the encrypted
  U-Boot image. Note that the blob needs to be transferred back
  to the host. Then the following commands are used to construct
  the final image.
  
  objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
      U-Boot_CSF.bin U-Boot_CSF_pad.bin
  cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
  objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
      u-boot-signed.imx u-boot-signed-pad.bin
  cat u-boot-signed-pad.bin DEK_blob.bin > u-boot-encrypted.imx
  
      NOTE: u-boot-signed.imx needs to be padded to the value
      equivalent to the address in which the DEK blob is specified
      in the CSF.