Blame view
doc/README.mxc_hab
3.52 KB
0187c985a
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
High Assurance Boot (HAB) for i.MX6 CPUs To authenticate U-Boot only by the CPU there is no code required in U-Boot itself. However, the U-Boot image to be programmed into the boot media needs to be properly constructed, i.e. it must contain a proper Command Sequence File (CSF). The Initial Vector Table contains a pointer to the CSF. Please see doc/README.imximage for how to prepare u-boot.imx. The CSF itself is being generated by Freescale HAB tools. mkimage will output additional information about "HAB Blocks" which can be used in the Freescale tooling to authenticate U-Boot (entries in the CSF file). Image Type: Freescale IMX Boot Image Image Ver: 2 (i.MX53/6 compatible) Data Size: 327680 Bytes = 320.00 kB = 0.31 MB Load Address: 177ff420 Entry Point: 17800000 HAB Blocks: 177ff400 00000000 0004dc00 |
93e145964
|
23 |
^^^^^^^^ ^^^^^^^^ ^^^^^^^^ |
0187c985a
|
24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
| | | | | -------- (1) | | | ------------------- (2) | --------------------------- (3) (1) Size of area in file u-boot.imx to sign This area should include the IVT, the Boot Data the DCD and U-Boot itself. (2) Start of area in u-boot.imx to sign (3) Start of area in RAM to authenticate CONFIG_SECURE_BOOT currently enables only an additional command 'hab_status' in U-Boot to retrieve the HAB status and events. This can be useful while developing and testing HAB. Commands to generate a signed U-Boot using Freescale HAB tools: cst --o U-Boot_CSF.bin < U-Boot.CSF objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ U-Boot_CSF.bin U-Boot_CSF_pad.bin cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file. |
0200020bc
|
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
Setup U-Boot Image for Encrypted Boot ------------------------------------- An authenticated U-Boot image is used as starting point for Encrypted Boot. The image is encrypted by Freescale's Code Signing Tool (CST). The CST replaces only the image data of u-boot.imx with the encrypted data. The Initial Vector Table, DCD, and Boot data, remains in plaintext. The image data is encrypted with a Encryption Key (DEK). Therefore, this key is needed to decrypt the data during the booting process. The DEK is protected by wrapping it in a Blob, which needs to be appended to the U-Boot image and specified in the CSF file. The DEK blob is generated by an authenticated U-Boot image with the dek_blob cmd enabled. The image used for DEK blob generation needs to have the following configurations enabled: CONFIG_SECURE_BOOT CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */ CONFIG_FSL_CAAM CONFIG_CMD_DEKBLOB |
f97d112eb
|
72 |
CONFIG_SYS_FSL_LE |
0200020bc
|
73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 |
Note: The encrypted boot feature is only supported by HABv4 or greater. The dek_blob command then can be used to generate the DEK blob of a DEK previously loaded in memory. The command is used as follows: dek_blob <DEK address> <Output Address> <Key Size in Bits> example: dek_blob 0x10800000 0x10801000 192 The resulting DEK blob then is used to construct the encrypted U-Boot image. Note that the blob needs to be transferred back to the host.Then the following commands are used to construct the final image. objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ U-Boot_CSF.bin U-Boot_CSF_pad.bin cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \ u-boot-signed.imx u-boot-signed-pad.bin cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx NOTE: u-boot-signed.bin needs to be padded to the value equivalent to the address in which the DEK blob is specified in the CSF. |