Commit 03865f7279b6f66625ecad83bf8364989e5da4c1
Committed by
Ye Li
Ye Li
1 parent
77e37901c6
Exists in
smarc_8mq_lf_v2020.04
and in
4 other branches
MLK-20270-1 doc: imx: habv4: Add Secure Boot documentation for i.MX8M and i.MX8MM devices
Add HABv4 documentation for i.MX8M and i.MX8MM targets covering the following topics: - How to sign an securely boot an flash.bin image. - How to extend the root of trust for additional boot images. - Add 2 CSF examples. Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit cc63be298a3e5f44e417f4098c124715917d09e1) (cherry picked from commit ca9c6f091095d3bf09cac42c3eb4493490ac8912)
Showing 3 changed files with 611 additions and 0 deletions Side-by-side Diff
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + # Index of the key location in the SRK table to be installed | |
| 11 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 12 | + Source index = 0 | |
| 13 | + | |
| 14 | +[Install CSFK] | |
| 15 | + # Key used to authenticate the CSF data | |
| 16 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 17 | + | |
| 18 | +[Authenticate CSF] | |
| 19 | + | |
| 20 | +[Install Key] | |
| 21 | + # Key slot index used to authenticate the key to be installed | |
| 22 | + Verification index = 0 | |
| 23 | + # Target key slot in HAB key store where key will be installed | |
| 24 | + Target index = 2 | |
| 25 | + # Key to install | |
| 26 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 27 | + | |
| 28 | +[Authenticate Data] | |
| 29 | + # Key slot index used to authenticate the image data | |
| 30 | + Verification index = 2 | |
| 31 | + # Authenticate Start Address, Offset, Length and file | |
| 32 | + Blocks = 0x401fcdc0 0x057c00 0x01020 "flash.bin", \ | |
| 33 | + 0x40200000 0x05AC00 0x9AAC8 "flash.bin", \ | |
| 34 | + 0x00910000 0x0F56C8 0x09139 "flash.bin", \ | |
| 35 | + 0xFE000000 0x0FE804 0x4D268 "flash.bin", \ | |
| 36 | + 0x4029AAC8 0x14BA6C 0x06DCF "flash.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + # Index of the key location in the SRK table to be installed | |
| 11 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 12 | + Source index = 0 | |
| 13 | + | |
| 14 | +[Install CSFK] | |
| 15 | + # Key used to authenticate the CSF data | |
| 16 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 17 | + | |
| 18 | +[Authenticate CSF] | |
| 19 | + | |
| 20 | +[Unlock] | |
| 21 | + # Leave Job Ring and DECO master ID registers Unlocked | |
| 22 | + Engine = CAAM | |
| 23 | + Features = MID | |
| 24 | + | |
| 25 | +[Install Key] | |
| 26 | + # Key slot index used to authenticate the key to be installed | |
| 27 | + Verification index = 0 | |
| 28 | + # Target key slot in HAB key store where key will be installed | |
| 29 | + Target index = 2 | |
| 30 | + # Key to install | |
| 31 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 32 | + | |
| 33 | +[Authenticate Data] | |
| 34 | + # Key slot index used to authenticate the image data | |
| 35 | + Verification index = 2 | |
| 36 | + # Authenticate Start Address, Offset, Length and file | |
| 37 | + Blocks = 0x7e0fc0 0x1a000 0x2a600 "flash.bin" |
doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt
| 1 | + +=======================================================+ | |
| 2 | + + i.MX8M, i.MX8MM Secure Boot guide using HABv4 + | |
| 3 | + +=======================================================+ | |
| 4 | + | |
| 5 | +1. HABv4 secure boot process | |
| 6 | +----------------------------- | |
| 7 | + | |
| 8 | +This document describes a step-by-step procedure on how to sign and securely | |
| 9 | +boot a bootloader image on i.MX8M and i.MX8MM devices. It is assumed that | |
| 10 | +the reader is familiar with basic HAB concepts and with the PKI tree generation. | |
| 11 | + | |
| 12 | +Details about HAB can be found in the application note AN4581[1] and in the | |
| 13 | +introduction_habv4.txt document. | |
| 14 | + | |
| 15 | +1.1 Understanding the i.MX8M and i.MX8MM flash.bin image layout | |
| 16 | +---------------------------------------------------------------- | |
| 17 | + | |
| 18 | +Due to the new the architecture, multiple firmwares and softwares are required | |
| 19 | +to boot i.MX8M and i.MX8MM devices. In order to store all the images in a | |
| 20 | +single binary the FIT (Flattened Image Tree) image structure is used. | |
| 21 | + | |
| 22 | +The final image is generated by the imx-mkimage project, the tool combines all | |
| 23 | +the input images in a FIT structure, generating a flash.bin image with an | |
| 24 | +appropriate IVT set. | |
| 25 | + | |
| 26 | +For a secure boot process users should ensure all images included in flash.bin | |
| 27 | +file are covered by a digital signature. | |
| 28 | + | |
| 29 | +- The diagram below illustrate a signed flash.bin image layout: | |
| 30 | + | |
| 31 | + +-----------------------------+ | |
| 32 | + | | | |
| 33 | + | *Signed HDMI/DP FW | | |
| 34 | + | | | |
| 35 | + +-----------------------------+ | |
| 36 | + | Padding | | |
| 37 | + ------- +-----------------------------+ -------- | |
| 38 | + ^ | IVT - SPL | ^ | |
| 39 | + Signed | +-----------------------------+ | | |
| 40 | + Data | | u-boot-spl.bin | | | |
| 41 | + | | + | | SPL | |
| 42 | + v | DDR FW | | Image | |
| 43 | + ------- +-----------------------------+ | | |
| 44 | + | CSF - SPL + DDR FW | v | |
| 45 | + +-----------------------------+ -------- | |
| 46 | + | Padding | | |
| 47 | + ------- +-----------------------------+ -------- | |
| 48 | + Signed ^ | FDT - FIT | ^ | |
| 49 | + Data | +-----------------------------+ | | |
| 50 | + v | IVT - FIT | | | |
| 51 | + ------- +-----------------------------+ | | |
| 52 | + | CSF - FIT | | | |
| 53 | + ------- +-----------------------------+ | | |
| 54 | + ^ | u-boot-nodtb.bin | | FIT | |
| 55 | + | | + | | Image | |
| 56 | + | | u-boot.bin | | | |
| 57 | + Signed | +-----------------------------+ | | |
| 58 | + Data | | OP-TEE (Optional) | | | |
| 59 | + | +-----------------------------+ | | |
| 60 | + | | bl31.bin (ATF) | | | |
| 61 | + | +-----------------------------+ | | |
| 62 | + v | u-boot.dtb | v | |
| 63 | + ------- +-----------------------------+ -------- | |
| 64 | + * Only supported on i.MX8M series | |
| 65 | + | |
| 66 | +The boot flow on i.MX8M and i.MX8MM devices are slightly different when compared | |
| 67 | +with i.MX6 and i.MX7 series, the diagram below illustrate the boot sequence | |
| 68 | +overview: | |
| 69 | + | |
| 70 | +- i.MX8M and i.MX8MM devices boot flow: | |
| 71 | + | |
| 72 | + Secure World Non-Secure World | |
| 73 | + | | |
| 74 | + | | |
| 75 | + +------------+ +------------+ | | |
| 76 | + | SPL | | i.MX 8M/MM | | | |
| 77 | + | + | ---> | ROM | | | |
| 78 | + | DDR FW | | + HAB | | | |
| 79 | + +------------+ +------------+ | | |
| 80 | + | | | |
| 81 | + v | | |
| 82 | + +------------+ | | |
| 83 | + | *Signed | | | |
| 84 | + | HDMI/DP FW | | | |
| 85 | + +------------+ | | |
| 86 | + | | | |
| 87 | + v | | |
| 88 | + +------------+ +------------+ | | |
| 89 | + | FIT Image: | | SPL | | | |
| 90 | + | ATF + TEE | ---> | + | | | |
| 91 | + | + U-Boot | | DDR FW | | +-----------+ | |
| 92 | + +------------+ +------------+ | | Linux | | |
| 93 | + | | +-----------+ | |
| 94 | + v | ^ | |
| 95 | + +------------+ | | +-------+ | |
| 96 | + | ARM | | +-----------+ | Linux | | |
| 97 | + | Trusted | ----+---> | U-Boot | <--- | + | | |
| 98 | + | Firmware | | +-----------+ | DTB | | |
| 99 | + +------------+ | +-------+ | |
| 100 | + | | | |
| 101 | + v | | |
| 102 | + +----------+ | | |
| 103 | + | **OP-TEE | | | |
| 104 | + +----------+ | | |
| 105 | + * Only supported on i.MX8M series | |
| 106 | + ** Optional | |
| 107 | + | |
| 108 | +On i.MX8M devices the HDMI firmware or DisplayPort firmware are the first image | |
| 109 | +to boot on the device. These firmwares are signed and distributed by NXP, and | |
| 110 | +are always authenticated regardless of security configuration. In case not | |
| 111 | +required by the application the HDMI or DisplayPort controllers can be disabled | |
| 112 | +by eFuses and the firmwares are not required anymore. | |
| 113 | + | |
| 114 | +The next images are not signed by NXP and users should follow the signing | |
| 115 | +procedure as described in this document. | |
| 116 | + | |
| 117 | +The Second Program Loader (SPL) and DDR firmware are loaded and authenticated | |
| 118 | +by the ROM code, these images are executed in the internal RAM and responsible | |
| 119 | +for initializing essential features such as DDR, UART, PMIC and clock | |
| 120 | +enablement. | |
| 121 | + | |
| 122 | +Once the DDR is available, the SPL code loads all the images included in the | |
| 123 | +FIT structure to their specific execution addresses, the HAB APIs are called | |
| 124 | +to extend the root of trust, authenticating the U-Boot, ARM trusted firmware | |
| 125 | +(ATF) and OP-TEE (If included). | |
| 126 | + | |
| 127 | +The root of trust can be extended again at U-Boot level to authenticate Kernel | |
| 128 | +and M4 images. | |
| 129 | + | |
| 130 | +1.2 Enabling the secure boot support in U-Boot | |
| 131 | +----------------------------------------------- | |
| 132 | + | |
| 133 | +The first step is to generate an U-Boot image supporting the HAB features, | |
| 134 | +similar to i.MX6 and i.MX7 series the U-Boot provides extra functions for | |
| 135 | +HAB, such as the HAB status logs retrievement through the hab_status command | |
| 136 | +and support to extend the root of trust. | |
| 137 | + | |
| 138 | +The support is enabled by adding the CONFIG_SECURE_BOOT to the build | |
| 139 | +configuration: | |
| 140 | + | |
| 141 | +- Defconfig: | |
| 142 | + | |
| 143 | + CONFIG_SECURE_BOOT=y | |
| 144 | + | |
| 145 | +- Kconfig: | |
| 146 | + | |
| 147 | + ARM architecture -> Support i.MX HAB features | |
| 148 | + | |
| 149 | +1.3 Preparing the fit image | |
| 150 | +---------------------------- | |
| 151 | + | |
| 152 | +The imx-mkimage project is used to combines all the images in a single | |
| 153 | +flash.bin binary, the following files are required: | |
| 154 | + | |
| 155 | +- U-Boot: | |
| 156 | + u-boot.bin | |
| 157 | + u-boot-nodtb.bin | |
| 158 | + u-boot-spl.bin | |
| 159 | + U-Boot DTB file (e.g. fsl-imx8mq-evk.dtb) | |
| 160 | + | |
| 161 | +- ATF image: | |
| 162 | + bl31.bin | |
| 163 | + | |
| 164 | +- DDR firmware: | |
| 165 | + lpddr4_pmu_train_1d_dmem.bin | |
| 166 | + lpddr4_pmu_train_1d_imem.bin | |
| 167 | + lpddr4_pmu_train_2d_dmem.bin | |
| 168 | + lpddr4_pmu_train_2d_imem.bin | |
| 169 | + | |
| 170 | +- HDMI firmware (Only in i.MX8M): | |
| 171 | + signed_hdmi_imx8m.bin | |
| 172 | + | |
| 173 | +- DisplayPort firmware (Only in i.MX8M): | |
| 174 | + signed_dp_imx8m.bin | |
| 175 | + | |
| 176 | +- OP-TEE (Optional): | |
| 177 | + tee.bin | |
| 178 | + | |
| 179 | +The procedure to build ATF and download the firmwares are out of the scope | |
| 180 | +of this document, please refer to the Linux BSP Release Notes and AN12212[2] | |
| 181 | +for further details. | |
| 182 | + | |
| 183 | +Copy all files to iMX8M directory and run the following command according to | |
| 184 | +the target device, on this example we are building a HDMI target and also | |
| 185 | +including the OP-TEE binary: | |
| 186 | + | |
| 187 | +- Assembly flash.bin binary: | |
| 188 | + | |
| 189 | + $ make SOC=<SoC Name> flash_hdmi_spl_uboot | |
| 190 | + | |
| 191 | +The mkimage log can be used to calculate the authenticate image command | |
| 192 | +parameters and CSF offsets: | |
| 193 | + | |
| 194 | +- imx-mkimage build log: | |
| 195 | + | |
| 196 | + Loader IMAGE: | |
| 197 | + header_image_off 0x1a000 | |
| 198 | + dcd_off 0x0 | |
| 199 | + image_off 0x1a040 | |
| 200 | + csf_off 0x44600 | |
| 201 | + spl hab block: 0x7e0fd0 0x1a000 0x2e600 | |
| 202 | + | |
| 203 | + Second Loader IMAGE: | |
| 204 | + sld_header_off 0x57c00 | |
| 205 | + sld_csf_off 0x58c20 | |
| 206 | + sld hab block: 0x401fcdc0 0x57c00 0x1020 | |
| 207 | + | |
| 208 | +Additional HAB information is provided by running the following command: | |
| 209 | + | |
| 210 | +- Printing HAB FIT information: | |
| 211 | + | |
| 212 | + $ make SOC=<SoC Name> print_fit_hab | |
| 213 | + | |
| 214 | + TEE_LOAD_ADDR=0xfe000000 ATF_LOAD_ADDR=0x00910000 ./print_fit_hab.sh \ | |
| 215 | + 0x60000 fsl-imx8mq-evk.dtb | |
| 216 | + 0x40200000 0x5AC00 0x9AAC8 | |
| 217 | + 0x910000 0xF56C8 0x9139 | |
| 218 | + 0xFE000000 0xFE804 0x4D268 | |
| 219 | + 0x4029AAC8 0x14BA6C 0x6DCF | |
| 220 | + | |
| 221 | +1.4 Creating the CSF description file | |
| 222 | +-------------------------------------- | |
| 223 | + | |
| 224 | +The CSF contains all the commands that the ROM executes during the secure | |
| 225 | +boot. These commands instruct the HAB code on which memory areas of the image | |
| 226 | +to authenticate, which keys to install, use and etc. | |
| 227 | + | |
| 228 | +CSF examples are available under doc/imx/hab/habv4/csf_examples/ directory. | |
| 229 | + | |
| 230 | +As explained in sections above the SPL is first authenticated by the ROM code | |
| 231 | +and the root of trust is extended to the FIT image, hence two CSF files are | |
| 232 | +necessary to completely sign an flash.bin image. | |
| 233 | + | |
| 234 | +The build log provided by imx-mkimage can be used to define the "Authenticate | |
| 235 | +Data" parameter in CSF. | |
| 236 | + | |
| 237 | +- SPL "Authenticate Data" addresses in flash.bin build log: | |
| 238 | + | |
| 239 | + spl hab block: 0x7e0fd0 0x1a000 0x2e600 | |
| 240 | + | |
| 241 | +- "Authenticate Data" command in csf_spl.txt file: | |
| 242 | + | |
| 243 | + Blocks = 0x7e0fd0 0x1a000 0x2e600 "flash.bin" | |
| 244 | + | |
| 245 | +- FIT image "Authenticate Data" addresses in flash.bin build log: | |
| 246 | + | |
| 247 | + sld hab block: 0x401fcdc0 0x57c00 0x1020 | |
| 248 | + | |
| 249 | +- FIT image "Authenticate Data" addresses in print_fit_hab build log: | |
| 250 | + | |
| 251 | + 0x40200000 0x5AC00 0x9AAC8 | |
| 252 | + 0x910000 0xF56C8 0x9139 | |
| 253 | + 0xFE000000 0xFE804 0x4D268 | |
| 254 | + 0x4029AAC8 0x14BA6C 0x6DCF | |
| 255 | + | |
| 256 | +- "Authenticate Data" command in csf_fit.txt file: | |
| 257 | + | |
| 258 | + Blocks = 0x401fcdc0 0x057c00 0x01020 "flash.bin", \ | |
| 259 | + 0x40200000 0x05AC00 0x9AAC8 "flash.bin", \ | |
| 260 | + 0x00910000 0x0F56C8 0x09139 "flash.bin", \ | |
| 261 | + 0xFE000000 0x0FE804 0x4D268 "flash.bin", \ | |
| 262 | + 0x4029AAC8 0x14BA6C 0x06DCF "flash.bin" | |
| 263 | + | |
| 264 | +1.4.1 Avoiding Kernel crash in closed devices | |
| 265 | +---------------------------------------------- | |
| 266 | + | |
| 267 | +For devices prior to HAB v4.4.0, the HAB code locks the Job Ring and DECO | |
| 268 | +master ID registers in closed configuration. In case the user specific | |
| 269 | +application requires any changes in CAAM MID registers it's necessary to | |
| 270 | +add the "Unlock CAAM MID" command in CSF file. | |
| 271 | + | |
| 272 | +The current NXP BSP implementation expects the CAAM registers to be unlocked | |
| 273 | +when configuring CAAM to operate in non-secure TrustZone world. | |
| 274 | + | |
| 275 | +The Unlock command is already included by default in the signed HDMI and | |
| 276 | +DisplayPort firmwares, on i.MX8MM devices or in case the HDMI or DisplayPort | |
| 277 | +controllers are disabled, users must ensure this command is included in SPL CSF. | |
| 278 | + | |
| 279 | +- Add Unlock MID command in csf_spl.txt: | |
| 280 | + | |
| 281 | + [Unlock] | |
| 282 | + Engine = CAAM | |
| 283 | + Features = MID | |
| 284 | + | |
| 285 | +1.5 Signing the flash.bin binary | |
| 286 | +--------------------------------- | |
| 287 | + | |
| 288 | +The CST tool is used for singing the flash.bin image and generating the CSF | |
| 289 | +binary. Users should input the CSF description file created in the step above | |
| 290 | +and receive a CSF binary, which contains the CSF commands, SRK table, | |
| 291 | +signatures and certificates. | |
| 292 | + | |
| 293 | +- Create SPL CSF binary file: | |
| 294 | + | |
| 295 | + $ ./cst -i csf_spl.txt -o csf_spl.bin | |
| 296 | + | |
| 297 | +- Create FIT CSF binary file: | |
| 298 | + | |
| 299 | + $ ./cst -i csf_fit.txt -o csf_fit.bin | |
| 300 | + | |
| 301 | +1.6 Assembling the CSF in flash.bin binary | |
| 302 | +------------------------------------------- | |
| 303 | + | |
| 304 | +The CSF binaries generated in the step above have to be inserted into the | |
| 305 | +flash.bin image. | |
| 306 | + | |
| 307 | +The CSF offsets can be obtained from the flash.bin build log: | |
| 308 | + | |
| 309 | +- SPL CSF offset: | |
| 310 | + | |
| 311 | + csf_off 0x44600 | |
| 312 | + | |
| 313 | +- FIT CSF offset: | |
| 314 | + | |
| 315 | + sld_csf_off 0x58c20 | |
| 316 | + | |
| 317 | +The signed flash.bin image can be then assembled: | |
| 318 | + | |
| 319 | +- Create a flash.bin copy: | |
| 320 | + | |
| 321 | + $ cp flash.bin signed_flash.bin | |
| 322 | + | |
| 323 | +- Insert csf_spl.bin in signed_flash.bin at 0x44600 offset: | |
| 324 | + | |
| 325 | + $ dd if=csf_spl.bin of=signed_flash.bin seek=$((0x44600)) bs=1 conv=notrunc | |
| 326 | + | |
| 327 | +- Insert csf_fit.bin in signed_flash.bin at 0x58c20 offset: | |
| 328 | + | |
| 329 | + $ dd if=csf_fit.bin of=signed_flash.bin seek=$((0x58c20)) bs=1 conv=notrunc | |
| 330 | + | |
| 331 | +- Flash signed flash.bin image: | |
| 332 | + | |
| 333 | + $ sudo dd if=signed_flash.bin of=/dev/sd<x> bs=1K seek=33 && sync | |
| 334 | + | |
| 335 | +1.7 Programming SRK Hash | |
| 336 | +------------------------- | |
| 337 | + | |
| 338 | +As explained in AN4581[1] and in introduction_habv4.txt document the SRK Hash | |
| 339 | +fuse values are generated by the srktool and should be programmed in the | |
| 340 | +SoC SRK_HASH[255:0] fuses. | |
| 341 | + | |
| 342 | +Be careful when programming these values, as this data is the basis for the | |
| 343 | +root of trust. An error in SRK Hash results in a part that does not boot. | |
| 344 | + | |
| 345 | +The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs. | |
| 346 | + | |
| 347 | +- Dump SRK Hash fuses values in host machine: | |
| 348 | + | |
| 349 | + $ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin | |
| 350 | + 0x20593752 | |
| 351 | + 0x6ACE6962 | |
| 352 | + 0x26E0D06C | |
| 353 | + 0xFC600661 | |
| 354 | + 0x1240E88F | |
| 355 | + 0x1209F144 | |
| 356 | + 0x831C8117 | |
| 357 | + 0x1190FD4D | |
| 358 | + | |
| 359 | +- Program SRK_HASH[255:0] fuses on i.MX8MQ and i.MX8MM devices: | |
| 360 | + | |
| 361 | + => fuse prog 6 0 0x20593752 | |
| 362 | + => fuse prog 6 1 0x6ACE6962 | |
| 363 | + => fuse prog 6 2 0x26E0D06C | |
| 364 | + => fuse prog 6 3 0xFC600661 | |
| 365 | + => fuse prog 7 0 0x1240E88F | |
| 366 | + => fuse prog 7 1 0x1209F144 | |
| 367 | + => fuse prog 7 2 0x831C8117 | |
| 368 | + => fuse prog 7 3 0x1190FD4D | |
| 369 | + | |
| 370 | + | |
| 371 | +1.8 Verifying HAB events | |
| 372 | +------------------------- | |
| 373 | + | |
| 374 | +The next step is to verify that the signatures included in flash.bin image is | |
| 375 | +successfully processed without errors. HAB generates events when processing | |
| 376 | +the commands if it encounters issues. | |
| 377 | + | |
| 378 | +The hab_status U-Boot command call the hab_report_event() and hab_status() | |
| 379 | +HAB API functions to verify the processor security configuration and status. | |
| 380 | +This command displays any events that were generated during the process. | |
| 381 | + | |
| 382 | +Prior to closing the device users should ensure no HAB events were found, as | |
| 383 | +the example below: | |
| 384 | + | |
| 385 | +- Verify HAB events: | |
| 386 | + | |
| 387 | + => hab_status | |
| 388 | + | |
| 389 | + Secure boot disabled | |
| 390 | + | |
| 391 | + HAB Configuration: 0xf0, HAB State: 0x66 | |
| 392 | + | |
| 393 | +1.9 Closing the device | |
| 394 | +----------------------- | |
| 395 | + | |
| 396 | +After the device successfully boots a signed image without generating any HAB | |
| 397 | +events, it is safe to close the device. This is the last step in the HAB | |
| 398 | +process, and is achieved by programming the SEC_CONFIG[1] fuse bit. | |
| 399 | + | |
| 400 | +Once the fuse is programmed, the chip does not load an image that has not been | |
| 401 | +signed using the correct PKI tree. | |
| 402 | + | |
| 403 | +- Program SEC_CONFIG[1] fuse on i.MX8MQ and i.MX8MM devices: | |
| 404 | + | |
| 405 | + => fuse prog 1 3 0x2000000 | |
| 406 | + | |
| 407 | +1.10 Completely secure the device | |
| 408 | +---------------------------------- | |
| 409 | + | |
| 410 | +Additional fuses can be programmed for completely secure the device, more | |
| 411 | +details about these fuses and their possible impact can be found at AN4581[1]. | |
| 412 | + | |
| 413 | +- Program SRK_LOCK: | |
| 414 | + | |
| 415 | + => fuse prog 0 0 0x200 | |
| 416 | + | |
| 417 | +- Program DIR_BT_DIS: | |
| 418 | + | |
| 419 | + => fuse prog 1 3 0x8000000 | |
| 420 | + | |
| 421 | +- Program SJC_DISABLE: | |
| 422 | + | |
| 423 | + => fuse prog 1 3 0x200000 | |
| 424 | + | |
| 425 | +- JTAG_SMODE: | |
| 426 | + | |
| 427 | + => fuse prog 1 3 0xC00000 | |
| 428 | + | |
| 429 | +2. Authenticating additional boot images | |
| 430 | +----------------------------------------- | |
| 431 | + | |
| 432 | +The High Assurance Boot (HAB) code located in the on-chip ROM provides an | |
| 433 | +Application Programming Interface (API) making it possible to call back | |
| 434 | +into the HAB code for authenticating additional boot images. | |
| 435 | + | |
| 436 | +The U-Boot is running in non-secure TrustZone world and to make use of this | |
| 437 | +feature it's necessary to use a SIP call to the ATF, this is already | |
| 438 | +implemented in hab.c code and it's transparent to the user. | |
| 439 | + | |
| 440 | +The process of signing an additional image is similar as in i.MX6 and i.MX7 | |
| 441 | +series devices, the steps below are using the Linux Kernel image as example. | |
| 442 | + | |
| 443 | +The diagram below illustrate the Image layout: | |
| 444 | + | |
| 445 | + ------- +-----------------------------+ <-- *load_address | |
| 446 | + ^ | | | |
| 447 | + | | | | |
| 448 | + | | | | |
| 449 | + | | | | |
| 450 | + | | Image | | |
| 451 | + Signed | | | | |
| 452 | + Data | | | | |
| 453 | + | | | | |
| 454 | + | +-----------------------------+ | |
| 455 | + | | Padding to Image size | | |
| 456 | + | | in header | | |
| 457 | + | +-----------------------------+ <-- *ivt | |
| 458 | + v | Image Vector Table | | |
| 459 | + ------- +-----------------------------+ <-- *csf | |
| 460 | + | | | |
| 461 | + | Command Sequence File (CSF) | | |
| 462 | + | | | |
| 463 | + +-----------------------------+ | |
| 464 | + | Padding (optional) | | |
| 465 | + +-----------------------------+ | |
| 466 | + | |
| 467 | +2.1 Padding the image | |
| 468 | +---------------------- | |
| 469 | + | |
| 470 | +The Image must be padded to the size specified in the Image header, this can be | |
| 471 | +achieved by using the od command. | |
| 472 | + | |
| 473 | +- Read Image size: | |
| 474 | + | |
| 475 | + $ od -x -j 0x10 -N 0x4 --endian=little Image | |
| 476 | + 0000020 5000 0145 | |
| 477 | + 0000024 | |
| 478 | + | |
| 479 | +The tool objcopy can be used for padding the image. | |
| 480 | + | |
| 481 | +- Pad the Image: | |
| 482 | + | |
| 483 | + $ objcopy -I binary -O binary --pad-to 0x1455000 --gap-fill=0x00 \ | |
| 484 | + Image Image_pad.bin | |
| 485 | + | |
| 486 | +2.2 Generating Image Vector Table | |
| 487 | +---------------------------------- | |
| 488 | + | |
| 489 | +The HAB code requires an Image Vector Table (IVT) for determining the image | |
| 490 | +length and the CSF location. Since Image does not include an IVT this has | |
| 491 | +to be manually created and appended to the end of the padded Image, the | |
| 492 | +script genIVT.pl in script_examples directory can be used as reference. | |
| 493 | + | |
| 494 | +- Generate IVT: | |
| 495 | + | |
| 496 | + $ genIVT.pl | |
| 497 | + | |
| 498 | +Note: The load Address may change depending on the device. | |
| 499 | + | |
| 500 | +- Append the ivt.bin at the end of the padded Image: | |
| 501 | + | |
| 502 | + $ cat Image_pad.bin ivt.bin > Image_pad_ivt.bin | |
| 503 | + | |
| 504 | +2.3 Signing the image | |
| 505 | +---------------------- | |
| 506 | + | |
| 507 | +A CSF file has to be created to sign the image. HAB does not allow to change | |
| 508 | +the SRK once the first image is authenticated, so the same SRK key used in | |
| 509 | +the initial image must be used when extending the root of trust. | |
| 510 | + | |
| 511 | +CSF examples are available in ../csf_examples/additional_images/ directory. | |
| 512 | + | |
| 513 | +- Create CSF binary file: | |
| 514 | + | |
| 515 | + $ ./cst --i csf_additional_images.txt --o csf_Image.bin | |
| 516 | + | |
| 517 | +- Attach the CSF binary to the end of the image: | |
| 518 | + | |
| 519 | + $ cat Image_pad_ivt.bin csf_Image.bin > Image_signed.bin | |
| 520 | + | |
| 521 | +2.4 Verifying HAB events | |
| 522 | +------------------------- | |
| 523 | + | |
| 524 | +The U-Boot includes the hab_auth_img command which can be used for | |
| 525 | +authenticating and troubleshooting the signed image, the Image must be | |
| 526 | +loaded at the load address specified in the IVT. | |
| 527 | + | |
| 528 | +- Authenticate additional image: | |
| 529 | + | |
| 530 | + => hab_auth_img <Load Address> <Image Size> <IVT Offset> | |
| 531 | + | |
| 532 | +If no HAB events were found the Image is successfully signed. | |
| 533 | + | |
| 534 | +References: | |
| 535 | +[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using | |
| 536 | + HABv4" - Rev 2. | |
| 537 | +[2] AN12212: "Software Solutions for Migration Guide from Aarch32 to | |
| 538 | +Aarch64" - Rev 0. |
-
mentioned in commit 1b56ec
