Commit 4886ec745e0ac8c38f2d61546eebca8cd0dfeb17
Committed by
Ye Li
1 parent
e7e56da835
Exists in
smarc_8mm-imx_v2019.04_4.19.35_1.1.0
and in
1 other branch
MLK-22570-2 doc: habv4: Add encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN devices
Add HABv4 encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN family devices covering the following topics: - How to encrypt and sign a flash.bin image. - How to manage CAAM PRIBLOBs when using encrypted boot - Add 4 CSF examples. Reviewed-by: Ye Li <ye.li@nxp.com> Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit eee57255e0b0ea3a2808d3a2c19c8685afbac39b)
Showing 5 changed files with 700 additions and 0 deletions Side-by-side Diff
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_enc.txt
1 | +[Header] | |
2 | + Version = 4.3 | |
3 | + Hash Algorithm = sha256 | |
4 | + Engine = CAAM | |
5 | + Engine Configuration = 0 | |
6 | + Certificate Format = X509 | |
7 | + Signature Format = CMS | |
8 | + | |
9 | +[Install SRK] | |
10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
11 | + Source index = 0 | |
12 | + | |
13 | +[Install CSFK] | |
14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
15 | + | |
16 | +[Authenticate CSF] | |
17 | + | |
18 | +[Unlock] | |
19 | + Engine = CAAM | |
20 | + Features = MID | |
21 | + | |
22 | +[Install Key] | |
23 | + Verification index = 0 | |
24 | + Target index = 2 | |
25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
26 | + | |
27 | +[Authenticate Data] | |
28 | + Verification index = 2 | |
29 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-enc.bin" | |
30 | + | |
31 | +[Install Secret Key] | |
32 | + # Install the blob | |
33 | + Verification Index = 0 | |
34 | + Target Index = 0 | |
35 | + Key = "dek_fit.bin" | |
36 | + Key Length = 128 | |
37 | + # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | |
38 | + # DEK_BLOB_LOAD_ADDR = 0x40400000 | |
39 | + Blob Address = 0x40400000 | |
40 | + | |
41 | +[Decrypt Data] | |
42 | + # The decrypt data command below causes CST to modify the input | |
43 | + # file and encrypt the specified block of data. This image file | |
44 | + # is a copy of the file used for the authentication command above | |
45 | + Verification Index = 0 | |
46 | + Mac Bytes = 16 | |
47 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
48 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
49 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_sign_enc.txt
1 | +[Header] | |
2 | + Version = 4.3 | |
3 | + Hash Algorithm = sha256 | |
4 | + Engine = CAAM | |
5 | + Engine Configuration = 0 | |
6 | + Certificate Format = X509 | |
7 | + Signature Format = CMS | |
8 | + | |
9 | +[Install SRK] | |
10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
11 | + Source index = 0 | |
12 | + | |
13 | +[Install CSFK] | |
14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
15 | + | |
16 | +[Authenticate CSF] | |
17 | + | |
18 | +[Unlock] | |
19 | + Engine = CAAM | |
20 | + Features = MID | |
21 | + | |
22 | +[Install Key] | |
23 | + Verification index = 0 | |
24 | + Target index = 2 | |
25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
26 | + | |
27 | +[Authenticate Data] | |
28 | + Verification index = 2 | |
29 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin", \ | |
30 | + 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
31 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
32 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
33 | + | |
34 | +[Install Secret Key] | |
35 | + # Install the blob | |
36 | + Verification Index = 0 | |
37 | + Target Index = 0 | |
38 | + Key = "dek_fit_dummy.bin" | |
39 | + Key Length = 128 | |
40 | + # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | |
41 | + # DEK_BLOB_LOAD_ADDR = 0x40400000 | |
42 | + Blob Address = 0x40400000 | |
43 | + | |
44 | +[Decrypt Data] | |
45 | + # The decrypt data command below causes CST to modify the input | |
46 | + # file and encrypt the specified block of data. This image file | |
47 | + # is a copy of the file used for the authentication command above | |
48 | + Verification Index = 0 | |
49 | + Mac Bytes = 16 | |
50 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | |
51 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc-dummy.bin", \ | |
52 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_enc.txt
1 | +[Header] | |
2 | + Version = 4.3 | |
3 | + Hash Algorithm = sha256 | |
4 | + Engine = CAAM | |
5 | + Engine Configuration = 0 | |
6 | + Certificate Format = X509 | |
7 | + Signature Format = CMS | |
8 | + | |
9 | +[Install SRK] | |
10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
11 | + Source index = 0 | |
12 | + | |
13 | +[Install CSFK] | |
14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
15 | + | |
16 | +[Authenticate CSF] | |
17 | + | |
18 | +[Unlock] | |
19 | + Engine = CAAM | |
20 | + Features = MID | |
21 | + | |
22 | +[Install Key] | |
23 | + Verification index = 0 | |
24 | + Target index = 2 | |
25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
26 | + | |
27 | +[Authenticate Data] | |
28 | + Verification index = 2 | |
29 | + Blocks = 0x7e0fc0 0x0 0x40 "flash.bin" | |
30 | + | |
31 | +[Install Secret Key] | |
32 | + # Install the blob | |
33 | + Verification Index = 0 | |
34 | + Target Index = 0 | |
35 | + Key = "dek_spl.bin" | |
36 | + Key Length = 128 | |
37 | + # Authenticate Start Address + SPL & DDR FW image length + CSF Padding | |
38 | + # 0x7E0FC0 + 0x2c400 + 0x2000 | |
39 | + Blob Address = 0x80F3C0 | |
40 | + | |
41 | +[Decrypt Data] | |
42 | + # The decrypt data command below causes CST to modify the input | |
43 | + # file and encrypt the specified block of data. This image file | |
44 | + # is a copy of the file used for the authentication command above | |
45 | + Verification Index = 0 | |
46 | + Mac Bytes = 16 | |
47 | + # Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | |
48 | + # Offset = Image offset (image_off) = 0x40 | |
49 | + # Decrypt size = Image length - SPL header = 0x2c400 - 0x40 = 0x2C3C0 | |
50 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_sign_enc.txt
1 | +[Header] | |
2 | + Version = 4.3 | |
3 | + Hash Algorithm = sha256 | |
4 | + Engine = CAAM | |
5 | + Engine Configuration = 0 | |
6 | + Certificate Format = X509 | |
7 | + Signature Format = CMS | |
8 | + | |
9 | +[Install SRK] | |
10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
11 | + Source index = 0 | |
12 | + | |
13 | +[Install CSFK] | |
14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
15 | + | |
16 | +[Authenticate CSF] | |
17 | + | |
18 | +[Unlock] | |
19 | + Engine = CAAM | |
20 | + Features = MID | |
21 | + | |
22 | +[Install Key] | |
23 | + Verification index = 0 | |
24 | + Target index = 2 | |
25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
26 | + | |
27 | +[Authenticate Data] | |
28 | + Verification index = 2 | |
29 | + Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | |
30 | + | |
31 | +[Install Secret Key] | |
32 | + # Install the blob | |
33 | + Verification Index = 0 | |
34 | + Target Index = 0 | |
35 | + Key = "dek_spl_dummy.bin" | |
36 | + Key Length = 128 | |
37 | + # Authenticate Start Address + Image length + CSF Padding | |
38 | + # 0x7E0FC0 + 0x2c400 + 0x2000 | |
39 | + Blob Address = 0x80F3C0 | |
40 | + | |
41 | +[Decrypt Data] | |
42 | + # The decrypt data command below causes CST to modify the input | |
43 | + # file and encrypt the specified block of data. This image file | |
44 | + # is a copy of the file used for the authentication command above | |
45 | + Verification Index = 0 | |
46 | + Mac Bytes = 16 | |
47 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" |
doc/imx/habv4/guides/mx8m_mx8mm_encrypted_boot.txt
1 | + +======================================================+ | |
2 | + + i.MX8M, i.MX8MM Encrypted Boot guide using HABv4 + | |
3 | + +======================================================+ | |
4 | + | |
5 | +1. HABv4 Encrypted Boot process | |
6 | +------------------------------- | |
7 | + | |
8 | +This document describes a step-by-step procedure on how to encrypt and sign a | |
9 | +bootloader image for i.MX8M, i.MX8MM, i.MX8MN family devices. It is assumed | |
10 | +that the reader is familiar with basic HAB concepts and has already closed | |
11 | +the device, step-by-step procedure can be found in mx8m_mx8mm_secure_boot.txt | |
12 | +guide. | |
13 | + | |
14 | +Details about encrypted boot can be found in application note AN12056[1] and | |
15 | +in the introduction_habv4.txt document. | |
16 | + | |
17 | +The steps described in this document were based in i.MX8MM device, the same | |
18 | +concept can be applied to i.MX8M and i.MX8MN family devices. | |
19 | + | |
20 | +1.1 Understanding the encrypted flash.bin image layout | |
21 | +------------------------------------------------------ | |
22 | + | |
23 | +As described in mx8m_mx8mm_secure_boot.txt guide a single binary is used | |
24 | +to boot the device, the imx-mkimage tool combines all the input images in | |
25 | +a FIT structure, generating a flash.bin binary. | |
26 | + | |
27 | +The encrypted boot image requires a DEK (Data Encryption Key) blob on each time | |
28 | +HABv4 is used to decrypt an image. The DEK blob is used as a security layer to | |
29 | +wrap and store the DEK off-chip using the OTPMK which is unique per device. | |
30 | +More details can be found in AN12056 application note. | |
31 | + | |
32 | +The diagram below illustrates an encrypted flash.bin image layout: | |
33 | + | |
34 | + +-----------------------------+ | |
35 | + | | | |
36 | + | *Signed HDMI/DP FW | | |
37 | + | | | |
38 | + +-----------------------------+ | |
39 | + | Padding | | |
40 | + ------------------ +-----------------------------+ -------- | |
41 | + ^ | IVT - SPL | ^ | |
42 | + Signed | ------- +-----------------------------+ | | |
43 | + Data | Enc ^ | u-boot-spl.bin | | | |
44 | + | Data | | + | | SPL | |
45 | + v v | DDR FW | | Image | |
46 | + ------------------ +-----------------------------+ | | |
47 | + | CSF - SPL + DDR FW | v | |
48 | + +-----------------------------+ -------- | |
49 | + | DEK Blob | | |
50 | + +-----------------------------+ | |
51 | + | Padding | | |
52 | + ------- +-----------------------------+ -------- | |
53 | + Signed ^ | FDT - FIT | ^ | |
54 | + Data | +-----------------------------+ | | |
55 | + v | IVT - FIT | | | |
56 | + ------- +-----------------------------+ | | |
57 | + | CSF - FIT | | | |
58 | + ------------------ +-----------------------------+ | | |
59 | + ^ | u-boot-nodtb.bin | | FIT | |
60 | + | +-----------------------------+ | Image | |
61 | + Signed and | | u-boot.dtb | | | |
62 | + Encrypted | +-----------------------------+ | | |
63 | + Data | | bl31.bin (ATF) | | | |
64 | + | +-----------------------------+ | | |
65 | + v | OP-TEE | | | |
66 | + ------------------ +-----------------------------+ | | |
67 | + | DEK Blob | v | |
68 | + +-----------------------------+ -------- | |
69 | + * Only supported on i.MX8M series | |
70 | + | |
71 | +1.2 Enabling the encrypted boot support in U-Boot | |
72 | +-------------------------------------------------- | |
73 | + | |
74 | +For deploying an encrypted boot image additional U-Boot tools are needed, | |
75 | +please be sure to have the following features enabled, this can be achieved | |
76 | +by following one of the methods below: | |
77 | + | |
78 | +- Defconfig | |
79 | + | |
80 | + CONFIG_SECURE_BOOT=y | |
81 | + CONFIG_FAT_WRITE=y | |
82 | + CONFIG_CMD_DEKBLOB=y | |
83 | + CONFIG_IMX_OPTEE_DEK_ENCAP=y | |
84 | + CONFIG_CMD_PRIBLOB=y | |
85 | + | |
86 | +- Kconfig | |
87 | + | |
88 | + ARM architecture -> Support i.MX HAB features | |
89 | + ARM architecture -> Support the 'dek_blob' command | |
90 | + ARM architecture -> Support the set_priblob_bitfield command | |
91 | + File systems -> Enable FAT filesystem support-> Enable FAT filesystem | |
92 | + write support | |
93 | + | |
94 | +1.3 Enabling the encrypted boot support in CST | |
95 | +----------------------------------------------- | |
96 | + | |
97 | +The encryption feature is not enabled by default in Code Signing tools (CST). | |
98 | +The CST backend must be recompiled, execute the following commands to enable | |
99 | +encryption support in CST: | |
100 | + | |
101 | + $ sudo apt-get install libssl-dev openssl | |
102 | + $ cd <CST install directory>/code/back_end/src | |
103 | + $ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c | |
104 | + -lfrontend -lcrypto | |
105 | + $ cp cst_encrypted ../../../linux64/bin/ | |
106 | + | |
107 | +1.4 Building OP-TEE and ATF to support DEK blob tool | |
108 | +----------------------------------------------------- | |
109 | + | |
110 | +The DEK blob must be created by a software running in Arm TrustZone Secure | |
111 | +World, the CAAM block takes into consideration the TrustZone configuration | |
112 | +when encapsulating the DEK and the resulting blob can be only decapsulated | |
113 | +by a SW running in the same configuration. As ROM code is running in ARM | |
114 | +TrustZone secure world we must encapsulate the blobs using OP-TEE. | |
115 | + | |
116 | +- Building ATF to support OP-TEE: | |
117 | + | |
118 | + $ make PLAT=<SoC Name> SPD=opteed bl31 | |
119 | + | |
120 | +- Building OP-TEE to support DEK blob encapsulation: | |
121 | + | |
122 | + $ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name> | |
123 | + | |
124 | +* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in | |
125 | + command line above. | |
126 | + | |
127 | +1.5 Preparing the fit image | |
128 | +---------------------------- | |
129 | + | |
130 | +As explained in mx8m_mx8mm_secure_boot.txt document the imx-mkimage project is | |
131 | +used to combine all the images in a single flash.bin binary. | |
132 | + | |
133 | +Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) | |
134 | +into iMX8M directory and run the following commands according to the target | |
135 | +device: | |
136 | + | |
137 | +- Create a dummy DEK blob: | |
138 | + | |
139 | + $ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync | |
140 | + | |
141 | +- Assembly flash.bin binary: | |
142 | + | |
143 | + $ make SOC=<SoC Name> flash_spl_uboot | |
144 | + | |
145 | +The mkimage log will be used during the encrypted boot procedure to create the | |
146 | +Command Sequence File (CSF): | |
147 | + | |
148 | +- imx-mkimage build log: | |
149 | + | |
150 | + Loader IMAGE: | |
151 | + header_image_off 0x0 | |
152 | + dcd_off 0x0 | |
153 | + image_off 0x40 | |
154 | + csf_off 0x2c400 | |
155 | + spl hab block: 0x7e0fc0 0x0 0x2c400 | |
156 | + | |
157 | + Second Loader IMAGE: | |
158 | + sld_header_off 0x57c00 | |
159 | + sld_csf_off 0x58c20 | |
160 | + sld hab block: 0x401fcdc0 0x57c00 0x1020 | |
161 | + | |
162 | +- Additional HAB information is provided by running the following command: | |
163 | + | |
164 | + $ make SOC=<SoC Name> print_fit_hab | |
165 | + | |
166 | + ./../scripts/pad_image.sh bl31.bin | |
167 | + ./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb | |
168 | + TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \ | |
169 | + ./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb | |
170 | + 0x40200000 0x5AC00 0xB0318 | |
171 | + 0x402B0318 0x10AF18 0x8628 | |
172 | + 0x920000 0x113540 0xA160 | |
173 | + 0xBE000000 0x11D6A0 0x48520 | |
174 | + | |
175 | +1.6 Creating the CSF description file for SPL + DDR FW image | |
176 | +------------------------------------------------------------- | |
177 | + | |
178 | +The CSF contains all the commands that the ROM executes during the secure boot. | |
179 | +These commands instruct the HAB on which memory areas of the image to | |
180 | +authenticate and/or decrypt, which keys to install, use, etc... | |
181 | + | |
182 | +CSF examples for encrypted boot are available under | |
183 | +doc/imx/hab/habv4/csf_examples/ directory. | |
184 | + | |
185 | +With current CST implementation is not possible to encrypt and sign an image | |
186 | +at the same time, hence two CSF files are required on each time HAB is used. | |
187 | + | |
188 | +1.6.1 csf_spl_enc.txt | |
189 | +---------------------- | |
190 | + | |
191 | +The first CSF is used to encrypt the SPL and DDR FW images and generate the | |
192 | +dek_spl.bin file. The Authenticate Data command has to cover only the image | |
193 | +header and two commands have to be added to encrypt the image. | |
194 | + | |
195 | +- Add the Authenticate Data command to only cover SPL IVT and boot data: | |
196 | + | |
197 | + Blocks = 0x7E0FC0 0x0 0x40 "flash.bin" | |
198 | + | |
199 | +- Add the Install Secret Key command to generate the dek_spl.bin file and | |
200 | + install the blob. The Blob Address depends on your image layout and can | |
201 | + be calculated as following: | |
202 | + | |
203 | + Key = "dek_spl.bin" | |
204 | + Blob Address = Authenticate Start Address + Image length + CSF Padding | |
205 | + = 0x7E0FC0 + 0x2c400 + 0x2000 = 0x80F3C0 | |
206 | + | |
207 | +- Add the Decrypt Data command to encrypt the file. As SPL image header | |
208 | + cannot be encrypted we need to calculate the Block as following: | |
209 | + | |
210 | + Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | |
211 | + Offset = Image offset (image_off) = 0x40 | |
212 | + Decrypt size = Image length - SPL header = 0x2C400 - 0x40 = 0x2C3C0 | |
213 | + | |
214 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" | |
215 | + | |
216 | +1.6.2 csf_spl_sign_enc.txt | |
217 | +--------------------------- | |
218 | + | |
219 | +The second CSF is used to sign the encrypted SPL image previously generated | |
220 | +(flash-spl-enc.bin). | |
221 | + | |
222 | +- The Authenticate Data command should cover the entire SPL and DDR FW image, | |
223 | + the file parameter is the encrypted image flash-spl-enc.bin: | |
224 | + | |
225 | + Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | |
226 | + | |
227 | +- Add the Install Secret Key command to generate a dummy DEK blob file, | |
228 | + the blob address should be the same as used in csf_spl_enc.txt: | |
229 | + | |
230 | + Key = "dek_spl_dummy.bin" | |
231 | + | |
232 | +- Add the Decrypt Data command to encrypt the file. As image was encrypted | |
233 | + in CSF above we need to encrypt a dummy file, the block addresses should be | |
234 | + the same as used in csf_spl_enc.txt: | |
235 | + | |
236 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" | |
237 | + | |
238 | +1.7 Encrypting and signing the SPL + DDR FW image | |
239 | +-------------------------------------------------- | |
240 | + | |
241 | +The CST is used to encrypt the image and regenerate a random DEK. During this | |
242 | +step two CSF binaries are generated but only one will be included in final | |
243 | +image. | |
244 | + | |
245 | +- Encrypt the SPL + DDR FW image: | |
246 | + | |
247 | + $ cp flash.bin flash-spl-enc.bin | |
248 | + $ ./cst_encrypted -i csf_spl_enc.txt -o csf_spl_enc.bin | |
249 | + | |
250 | +- Sign the encrypted SPL + DDR FW image: | |
251 | + | |
252 | + $ cp flash-spl-enc.bin flash-spl-enc-dummy.bin | |
253 | + $ ./cst_encrypted -i csf_spl_sign_enc.txt -o csf_spl_sign_enc.bin | |
254 | + | |
255 | +1.7.1 Create final CSF binary for SPL + DDR FW image | |
256 | +----------------------------------------------------- | |
257 | + | |
258 | +As only one CSF binary will be included in final image it's necessary to | |
259 | +swap Nonce/MAC from csf_spl_enc.bin to csf_spl_sign_enc.bin. | |
260 | + | |
261 | +- Calculate Nonce/MAC size based on MAC bytes value in CSF: | |
262 | + | |
263 | + Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | |
264 | + = 12 + 16 + 8 = 36 bytes | |
265 | + | |
266 | +- Calculate Nonce/MAC offset in CSF: | |
267 | + | |
268 | + MAC offset = csf_spl_enc.bin size - Nonce/MAC size | |
269 | + = 3980 - 36 = 3944 Bytes | |
270 | + | |
271 | +- Extract Nonce/MAC from csf_spl_enc.bin: | |
272 | + | |
273 | + $ dd if=csf_spl_enc.bin of=noncemac.bin bs=1 skip=3944 count=36 | |
274 | + | |
275 | +- Replace the MAC of csf_spl_sign_enc with the one extracted above: | |
276 | + | |
277 | + $ dd if=noncemac.bin of=csf_spl_sign_enc.bin bs=1 seek=3944 count=36 | |
278 | + | |
279 | +1.8 Creating the CSF description file for FIT image | |
280 | +---------------------------------------------------- | |
281 | + | |
282 | +Similar to SPL image two CSF files are required encrypt and sign the FIT | |
283 | +image. | |
284 | + | |
285 | +Please note that the steps below are using the flash-spl-enc.bin image created | |
286 | +in steps above. | |
287 | + | |
288 | +1.8.1 csf_fit_enc.txt | |
289 | +---------------------- | |
290 | + | |
291 | +The first CSF is used to encrypt the FIT image and generate the dek_fit.bin | |
292 | +file. | |
293 | + | |
294 | +- Modify the Authenticate Data command to only cover FIT image FDT header: | |
295 | + | |
296 | + Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin" | |
297 | + | |
298 | +- Add the Install Secret Key command to generate the dek_fit.bin file and | |
299 | + install the blob. The Blob Address is a fixed address defined in imx-mkimage | |
300 | + project in iMX8M/soc.mak file: | |
301 | + | |
302 | + iMX8M/soc.mak: | |
303 | + DEK_BLOB_LOAD_ADDR = 0x40400000 | |
304 | + | |
305 | + Key = "dek_fit.bin" | |
306 | + Blob Address = 0x40400000 | |
307 | + | |
308 | +- Add the Decrypt Data command to encrypt the file. | |
309 | + | |
310 | + The CST can only encrypt images that are 16 bytes aligned, as u-boot-nodtb.bin | |
311 | + and u-boot.dtb are together 16 bytes aligned we should consider the first two | |
312 | + lines provided in print_fit_hab as a single block. | |
313 | + | |
314 | + imx-mkimage output: | |
315 | + | |
316 | + 0x40200000 0x5AC00 0xB0318 โโโฌโโ Total length = 0xB0318 + 0x8628 = 0xB8940 | |
317 | + 0x402B0318 0x10AF18 0x8628 โโโ | |
318 | + 0x920000 0x113540 0xA160 | |
319 | + 0xBE000000 0x11D6A0 0x48520 | |
320 | + | |
321 | + Decrypt data in csf_fit_enc.txt: | |
322 | + | |
323 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
324 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
325 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
326 | + | |
327 | +1.8.2 csf_fit_sign_enc.txt | |
328 | +--------------------------- | |
329 | + | |
330 | +The second CSF is used to sign the encrypted FIT image previously generated | |
331 | +(flash-spl-fit-enc.bin). | |
332 | + | |
333 | +- The Authenticate Data command should cover the entire FIT image, | |
334 | + the file parameter is the encrypted FIT image flash-spl-fit-enc.bin: | |
335 | + | |
336 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin" | |
337 | + 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
338 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
339 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
340 | + | |
341 | + | |
342 | +- Add the Install Secret Key command to generate a dummy DEK blob file, | |
343 | + the blob address should be the same as used in csf_spl_enc.txt: | |
344 | + | |
345 | + Key = "dek_fit_dummy.bin" | |
346 | + | |
347 | +- Add the Decrypt Data command to encrypt the file. As image was encrypted | |
348 | + in CSF above we need to encrypt a dummy file, the block address should be | |
349 | + the same as used in csf_spl_enc.txt: | |
350 | + | |
351 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | |
352 | + 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \ | |
353 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" | |
354 | + | |
355 | +1.9 Encrypting and signing the FIT image | |
356 | +----------------------------------------- | |
357 | + | |
358 | +The CST is used to encrypt the image and regenerate a random DEK. During this | |
359 | +step two CSF binaries are generated but only one will be included in final | |
360 | +image. | |
361 | + | |
362 | +- Encrypt the FIT image: | |
363 | + | |
364 | + $ cp flash-spl-enc.bin flash-spl-fit-enc.bin | |
365 | + $ ./cst_encrypted -i csf_fit_enc.txt -o csf_fit_enc.bin | |
366 | + | |
367 | +- Sign the encrypted FIT image: | |
368 | + | |
369 | + $ cp flash-spl-fit-enc.bin flash-spl-fit-enc-dummy.bin | |
370 | + $ ./cst_encrypted -i csf_fit_sign_enc.txt -o csf_fit_sign_enc.bin | |
371 | + | |
372 | +1.9.1 Create final CSF binary for FIT image | |
373 | +----------------------------------------------------- | |
374 | + | |
375 | +As only one CSF binary will be included in final image it's necessary to swap | |
376 | +Nonce/MAC from csf_fit_enc.bin to csf_fit_sign_enc.bin. | |
377 | + | |
378 | +- Calculate Nonce/MAC size based on MAC bytes value in CSF: | |
379 | + | |
380 | + Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | |
381 | + = 12 + 16 + 8 = 36 bytes | |
382 | + | |
383 | +- Calculate Nonce/MAC offset in csf_fit_enc.bin: | |
384 | + | |
385 | + MAC offset = csf_fit_enc.bin size - Nonce/MAC size | |
386 | + = 3996 - 36 = 3960 Bytes | |
387 | + | |
388 | +- Extract Nonce/MAC from csf_fit_enc.bin: | |
389 | + | |
390 | + $ dd if=csf_fit_enc.bin of=noncemac.bin bs=1 skip=3960 count=36 | |
391 | + | |
392 | +- Calculate Nonce/MAC offset in csf_fit_sign_enc.bin: | |
393 | + | |
394 | + MAC offset = csf_fit_enc.bin size - Nonce/MAC size | |
395 | + = 4020 - 36 = 3984 Bytes | |
396 | + | |
397 | +- Replace the MAC of csf_fit_sign_enc.bin with the one extracted above: | |
398 | + | |
399 | + $ dd if=noncemac.bin of=csf_fit_sign_enc.bin bs=1 seek=3984 count=36 | |
400 | + | |
401 | +1.10 Generate the DEK Blob | |
402 | +--------------------------- | |
403 | + | |
404 | +The DEK must be encapsulated into a CAAM blob so it can be included into | |
405 | +the final encrypted binary. The U-Boot provides a tool called dek_blob | |
406 | +which is calling the CAAM implementation included in OP-TEE. | |
407 | + | |
408 | +Copy the dek_spl.bin and dek_fit.bin in SDCard FAT partition and run | |
409 | +the following commands from U-Boot prompt: | |
410 | + | |
411 | + => mmc list | |
412 | + FSL_SDHC: 1 (SD) | |
413 | + FSL_SDHC: 2 | |
414 | + => fatload mmc 1:1 0x40400000 dek_spl.bin | |
415 | + => dek_blob 0x40400000 0x40401000 128 | |
416 | + => fatwrite mmc 1:1 0x40401000 dek_spl_blob.bin 0x48 | |
417 | + => fatload mmc 1:1 0x40402000 dek_fit.bin | |
418 | + => dek_blob 0x40402000 0x40403000 128 | |
419 | + => fatwrite mmc 1:1 0x40403000 dek_fit_blob.bin 0x48 | |
420 | + | |
421 | +In host PC copy the generated dek_spl_blob.bin and dek_fit_blob.bin to the | |
422 | +CST directory. | |
423 | + | |
424 | +1.11 Assembly the encrypted image | |
425 | +---------------------------------- | |
426 | + | |
427 | +The CSF binaries generated in the steps above have to be inserted into the | |
428 | +encrypted image. | |
429 | + | |
430 | +The CSF offsets can be obtained from the flash.bin build log: | |
431 | + | |
432 | +- SPL CSF offset: | |
433 | + | |
434 | + csf_off 0x2c400 | |
435 | + | |
436 | +- FIT CSF offset: | |
437 | + | |
438 | + sld_csf_off 0x58c20 | |
439 | + | |
440 | +The encrypted flash.bin image can be then assembled: | |
441 | + | |
442 | +- Create a flash-spl-fit-enc.bin copy: | |
443 | + | |
444 | + $ cp flash-spl-fit-enc.bin encrypted-flash.bin | |
445 | + | |
446 | +1.11.1 Insert SPL CSF and DEK blob | |
447 | +----------------------------------- | |
448 | + | |
449 | +- Insert csf_spl_sign_enc.bin in encrypted-flash.bin at 0x2c400 offset: | |
450 | + | |
451 | + $ dd if=csf_spl_sign_enc.bin of=encrypted-flash.bin seek=$((0x2c400)) bs=1 conv=notrunc | |
452 | + | |
453 | +- Insert dek_spl_blob.bin in encrypted-flash.bin at 0x2c400 + 0x2000 offset: | |
454 | + | |
455 | + $ dd if=dek_spl_blob.bin of=encrypted-flash.bin seek=$((0x2e400)) bs=1 conv=notrunc | |
456 | + | |
457 | +1.11.2 Insert FIT CSF and DEK blob | |
458 | +----------------------------------- | |
459 | + | |
460 | +- Insert csf_fit_sign_enc.bin in encrypted-flash.bin at 0x58c20 offset: | |
461 | + | |
462 | + $ dd if=csf_fit_sign_enc.bin of=encrypted-flash.bin seek=$((0x58c20)) bs=1 conv=notrunc | |
463 | + | |
464 | +- The DEK blob must be inserted in last image entry on FIT image, the last line | |
465 | + provided by print_fit_hab taget log target can be used: | |
466 | + | |
467 | + 0x40200000 0x5AC00 0xB0318 | |
468 | + 0x402B0318 0x10AF18 0x8628 | |
469 | + 0x920000 0x113540 0xA160 | |
470 | + 0xBE000000 0x11D6A0 0x48520 -> Last line in print_fit_hab log | |
471 | + | |
472 | +- Insert dek_fit_blob.bin encrypted-flash.bin at 0x11D6A0 + 0x48520 offset: | |
473 | + | |
474 | + $ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc | |
475 | + | |
476 | +1.11.3 Flash encrypted boot image | |
477 | +----------------------------------- | |
478 | + | |
479 | +- Flash encrypted image in SDCard: | |
480 | + | |
481 | + $ sudo dd if=encrypted-flash.bin of=/dev/sd<x> bs=1K seek=33* && sync | |
482 | + * Offset in i.MX8MN device is 32K. | |
483 | + | |
484 | +2.0 Setting the PRIBLOB in CAAM SCFGR register | |
485 | +----------------------------------------------- | |
486 | + | |
487 | +It is highly recommended to advance the PRIBLOB field in CAAM SCFGR register to | |
488 | +0x3, a command is available in U-Boot that should be called after all images in | |
489 | +boot flow has been decrypted by HAB: | |
490 | + | |
491 | + => set_priblob_bitfield | |
492 | + | |
493 | +The PRIBLOB configuration ensures cryptographic separation of private blob | |
494 | +types avoiding any modification or replacement of DEK blobs. Newly created | |
495 | +blobs will be incompatible with blobs required to decrypt an encrypted boot | |
496 | +image. When the HAB later executes the command to decrypt the DEK, an | |
497 | +incompatible DEK blob will be detected and cause an error. A substitute | |
498 | +encrypted boot image will not be decrypted, and will not be executed. | |
499 | + | |
500 | +References: | |
501 | +[1] AN12056: "Encrypted Boot on HABv4 and CAAM Enabled Devices" - Rev. 1 |