Commit 4886ec745e0ac8c38f2d61546eebca8cd0dfeb17
Committed by
Ye Li
Ye Li
1 parent
e7e56da835
Exists in
smarc_8mm-imx_v2019.04_4.19.35_1.1.0
and in
1 other branch
MLK-22570-2 doc: habv4: Add encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN devices
Add HABv4 encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN family devices covering the following topics: - How to encrypt and sign a flash.bin image. - How to manage CAAM PRIBLOBs when using encrypted boot - Add 4 CSF examples. Reviewed-by: Ye Li <ye.li@nxp.com> Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit eee57255e0b0ea3a2808d3a2c19c8685afbac39b)
Showing 5 changed files with 700 additions and 0 deletions Side-by-side Diff
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_enc.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 11 | + Source index = 0 | |
| 12 | + | |
| 13 | +[Install CSFK] | |
| 14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 15 | + | |
| 16 | +[Authenticate CSF] | |
| 17 | + | |
| 18 | +[Unlock] | |
| 19 | + Engine = CAAM | |
| 20 | + Features = MID | |
| 21 | + | |
| 22 | +[Install Key] | |
| 23 | + Verification index = 0 | |
| 24 | + Target index = 2 | |
| 25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 26 | + | |
| 27 | +[Authenticate Data] | |
| 28 | + Verification index = 2 | |
| 29 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-enc.bin" | |
| 30 | + | |
| 31 | +[Install Secret Key] | |
| 32 | + # Install the blob | |
| 33 | + Verification Index = 0 | |
| 34 | + Target Index = 0 | |
| 35 | + Key = "dek_fit.bin" | |
| 36 | + Key Length = 128 | |
| 37 | + # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | |
| 38 | + # DEK_BLOB_LOAD_ADDR = 0x40400000 | |
| 39 | + Blob Address = 0x40400000 | |
| 40 | + | |
| 41 | +[Decrypt Data] | |
| 42 | + # The decrypt data command below causes CST to modify the input | |
| 43 | + # file and encrypt the specified block of data. This image file | |
| 44 | + # is a copy of the file used for the authentication command above | |
| 45 | + Verification Index = 0 | |
| 46 | + Mac Bytes = 16 | |
| 47 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
| 48 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
| 49 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_sign_enc.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 11 | + Source index = 0 | |
| 12 | + | |
| 13 | +[Install CSFK] | |
| 14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 15 | + | |
| 16 | +[Authenticate CSF] | |
| 17 | + | |
| 18 | +[Unlock] | |
| 19 | + Engine = CAAM | |
| 20 | + Features = MID | |
| 21 | + | |
| 22 | +[Install Key] | |
| 23 | + Verification index = 0 | |
| 24 | + Target index = 2 | |
| 25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 26 | + | |
| 27 | +[Authenticate Data] | |
| 28 | + Verification index = 2 | |
| 29 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin", \ | |
| 30 | + 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
| 31 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
| 32 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
| 33 | + | |
| 34 | +[Install Secret Key] | |
| 35 | + # Install the blob | |
| 36 | + Verification Index = 0 | |
| 37 | + Target Index = 0 | |
| 38 | + Key = "dek_fit_dummy.bin" | |
| 39 | + Key Length = 128 | |
| 40 | + # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | |
| 41 | + # DEK_BLOB_LOAD_ADDR = 0x40400000 | |
| 42 | + Blob Address = 0x40400000 | |
| 43 | + | |
| 44 | +[Decrypt Data] | |
| 45 | + # The decrypt data command below causes CST to modify the input | |
| 46 | + # file and encrypt the specified block of data. This image file | |
| 47 | + # is a copy of the file used for the authentication command above | |
| 48 | + Verification Index = 0 | |
| 49 | + Mac Bytes = 16 | |
| 50 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | |
| 51 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc-dummy.bin", \ | |
| 52 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_enc.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 11 | + Source index = 0 | |
| 12 | + | |
| 13 | +[Install CSFK] | |
| 14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 15 | + | |
| 16 | +[Authenticate CSF] | |
| 17 | + | |
| 18 | +[Unlock] | |
| 19 | + Engine = CAAM | |
| 20 | + Features = MID | |
| 21 | + | |
| 22 | +[Install Key] | |
| 23 | + Verification index = 0 | |
| 24 | + Target index = 2 | |
| 25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 26 | + | |
| 27 | +[Authenticate Data] | |
| 28 | + Verification index = 2 | |
| 29 | + Blocks = 0x7e0fc0 0x0 0x40 "flash.bin" | |
| 30 | + | |
| 31 | +[Install Secret Key] | |
| 32 | + # Install the blob | |
| 33 | + Verification Index = 0 | |
| 34 | + Target Index = 0 | |
| 35 | + Key = "dek_spl.bin" | |
| 36 | + Key Length = 128 | |
| 37 | + # Authenticate Start Address + SPL & DDR FW image length + CSF Padding | |
| 38 | + # 0x7E0FC0 + 0x2c400 + 0x2000 | |
| 39 | + Blob Address = 0x80F3C0 | |
| 40 | + | |
| 41 | +[Decrypt Data] | |
| 42 | + # The decrypt data command below causes CST to modify the input | |
| 43 | + # file and encrypt the specified block of data. This image file | |
| 44 | + # is a copy of the file used for the authentication command above | |
| 45 | + Verification Index = 0 | |
| 46 | + Mac Bytes = 16 | |
| 47 | + # Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | |
| 48 | + # Offset = Image offset (image_off) = 0x40 | |
| 49 | + # Decrypt size = Image length - SPL header = 0x2c400 - 0x40 = 0x2C3C0 | |
| 50 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_sign_enc.txt
| 1 | +[Header] | |
| 2 | + Version = 4.3 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine = CAAM | |
| 5 | + Engine Configuration = 0 | |
| 6 | + Certificate Format = X509 | |
| 7 | + Signature Format = CMS | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 11 | + Source index = 0 | |
| 12 | + | |
| 13 | +[Install CSFK] | |
| 14 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 15 | + | |
| 16 | +[Authenticate CSF] | |
| 17 | + | |
| 18 | +[Unlock] | |
| 19 | + Engine = CAAM | |
| 20 | + Features = MID | |
| 21 | + | |
| 22 | +[Install Key] | |
| 23 | + Verification index = 0 | |
| 24 | + Target index = 2 | |
| 25 | + File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 26 | + | |
| 27 | +[Authenticate Data] | |
| 28 | + Verification index = 2 | |
| 29 | + Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | |
| 30 | + | |
| 31 | +[Install Secret Key] | |
| 32 | + # Install the blob | |
| 33 | + Verification Index = 0 | |
| 34 | + Target Index = 0 | |
| 35 | + Key = "dek_spl_dummy.bin" | |
| 36 | + Key Length = 128 | |
| 37 | + # Authenticate Start Address + Image length + CSF Padding | |
| 38 | + # 0x7E0FC0 + 0x2c400 + 0x2000 | |
| 39 | + Blob Address = 0x80F3C0 | |
| 40 | + | |
| 41 | +[Decrypt Data] | |
| 42 | + # The decrypt data command below causes CST to modify the input | |
| 43 | + # file and encrypt the specified block of data. This image file | |
| 44 | + # is a copy of the file used for the authentication command above | |
| 45 | + Verification Index = 0 | |
| 46 | + Mac Bytes = 16 | |
| 47 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" |
doc/imx/habv4/guides/mx8m_mx8mm_encrypted_boot.txt
| 1 | + +======================================================+ | |
| 2 | + + i.MX8M, i.MX8MM Encrypted Boot guide using HABv4 + | |
| 3 | + +======================================================+ | |
| 4 | + | |
| 5 | +1. HABv4 Encrypted Boot process | |
| 6 | +------------------------------- | |
| 7 | + | |
| 8 | +This document describes a step-by-step procedure on how to encrypt and sign a | |
| 9 | +bootloader image for i.MX8M, i.MX8MM, i.MX8MN family devices. It is assumed | |
| 10 | +that the reader is familiar with basic HAB concepts and has already closed | |
| 11 | +the device, step-by-step procedure can be found in mx8m_mx8mm_secure_boot.txt | |
| 12 | +guide. | |
| 13 | + | |
| 14 | +Details about encrypted boot can be found in application note AN12056[1] and | |
| 15 | +in the introduction_habv4.txt document. | |
| 16 | + | |
| 17 | +The steps described in this document were based in i.MX8MM device, the same | |
| 18 | +concept can be applied to i.MX8M and i.MX8MN family devices. | |
| 19 | + | |
| 20 | +1.1 Understanding the encrypted flash.bin image layout | |
| 21 | +------------------------------------------------------ | |
| 22 | + | |
| 23 | +As described in mx8m_mx8mm_secure_boot.txt guide a single binary is used | |
| 24 | +to boot the device, the imx-mkimage tool combines all the input images in | |
| 25 | +a FIT structure, generating a flash.bin binary. | |
| 26 | + | |
| 27 | +The encrypted boot image requires a DEK (Data Encryption Key) blob on each time | |
| 28 | +HABv4 is used to decrypt an image. The DEK blob is used as a security layer to | |
| 29 | +wrap and store the DEK off-chip using the OTPMK which is unique per device. | |
| 30 | +More details can be found in AN12056 application note. | |
| 31 | + | |
| 32 | +The diagram below illustrates an encrypted flash.bin image layout: | |
| 33 | + | |
| 34 | + +-----------------------------+ | |
| 35 | + | | | |
| 36 | + | *Signed HDMI/DP FW | | |
| 37 | + | | | |
| 38 | + +-----------------------------+ | |
| 39 | + | Padding | | |
| 40 | + ------------------ +-----------------------------+ -------- | |
| 41 | + ^ | IVT - SPL | ^ | |
| 42 | + Signed | ------- +-----------------------------+ | | |
| 43 | + Data | Enc ^ | u-boot-spl.bin | | | |
| 44 | + | Data | | + | | SPL | |
| 45 | + v v | DDR FW | | Image | |
| 46 | + ------------------ +-----------------------------+ | | |
| 47 | + | CSF - SPL + DDR FW | v | |
| 48 | + +-----------------------------+ -------- | |
| 49 | + | DEK Blob | | |
| 50 | + +-----------------------------+ | |
| 51 | + | Padding | | |
| 52 | + ------- +-----------------------------+ -------- | |
| 53 | + Signed ^ | FDT - FIT | ^ | |
| 54 | + Data | +-----------------------------+ | | |
| 55 | + v | IVT - FIT | | | |
| 56 | + ------- +-----------------------------+ | | |
| 57 | + | CSF - FIT | | | |
| 58 | + ------------------ +-----------------------------+ | | |
| 59 | + ^ | u-boot-nodtb.bin | | FIT | |
| 60 | + | +-----------------------------+ | Image | |
| 61 | + Signed and | | u-boot.dtb | | | |
| 62 | + Encrypted | +-----------------------------+ | | |
| 63 | + Data | | bl31.bin (ATF) | | | |
| 64 | + | +-----------------------------+ | | |
| 65 | + v | OP-TEE | | | |
| 66 | + ------------------ +-----------------------------+ | | |
| 67 | + | DEK Blob | v | |
| 68 | + +-----------------------------+ -------- | |
| 69 | + * Only supported on i.MX8M series | |
| 70 | + | |
| 71 | +1.2 Enabling the encrypted boot support in U-Boot | |
| 72 | +-------------------------------------------------- | |
| 73 | + | |
| 74 | +For deploying an encrypted boot image additional U-Boot tools are needed, | |
| 75 | +please be sure to have the following features enabled, this can be achieved | |
| 76 | +by following one of the methods below: | |
| 77 | + | |
| 78 | +- Defconfig | |
| 79 | + | |
| 80 | + CONFIG_SECURE_BOOT=y | |
| 81 | + CONFIG_FAT_WRITE=y | |
| 82 | + CONFIG_CMD_DEKBLOB=y | |
| 83 | + CONFIG_IMX_OPTEE_DEK_ENCAP=y | |
| 84 | + CONFIG_CMD_PRIBLOB=y | |
| 85 | + | |
| 86 | +- Kconfig | |
| 87 | + | |
| 88 | + ARM architecture -> Support i.MX HAB features | |
| 89 | + ARM architecture -> Support the 'dek_blob' command | |
| 90 | + ARM architecture -> Support the set_priblob_bitfield command | |
| 91 | + File systems -> Enable FAT filesystem support-> Enable FAT filesystem | |
| 92 | + write support | |
| 93 | + | |
| 94 | +1.3 Enabling the encrypted boot support in CST | |
| 95 | +----------------------------------------------- | |
| 96 | + | |
| 97 | +The encryption feature is not enabled by default in Code Signing tools (CST). | |
| 98 | +The CST backend must be recompiled, execute the following commands to enable | |
| 99 | +encryption support in CST: | |
| 100 | + | |
| 101 | + $ sudo apt-get install libssl-dev openssl | |
| 102 | + $ cd <CST install directory>/code/back_end/src | |
| 103 | + $ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c | |
| 104 | + -lfrontend -lcrypto | |
| 105 | + $ cp cst_encrypted ../../../linux64/bin/ | |
| 106 | + | |
| 107 | +1.4 Building OP-TEE and ATF to support DEK blob tool | |
| 108 | +----------------------------------------------------- | |
| 109 | + | |
| 110 | +The DEK blob must be created by a software running in Arm TrustZone Secure | |
| 111 | +World, the CAAM block takes into consideration the TrustZone configuration | |
| 112 | +when encapsulating the DEK and the resulting blob can be only decapsulated | |
| 113 | +by a SW running in the same configuration. As ROM code is running in ARM | |
| 114 | +TrustZone secure world we must encapsulate the blobs using OP-TEE. | |
| 115 | + | |
| 116 | +- Building ATF to support OP-TEE: | |
| 117 | + | |
| 118 | + $ make PLAT=<SoC Name> SPD=opteed bl31 | |
| 119 | + | |
| 120 | +- Building OP-TEE to support DEK blob encapsulation: | |
| 121 | + | |
| 122 | + $ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name> | |
| 123 | + | |
| 124 | +* OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in | |
| 125 | + command line above. | |
| 126 | + | |
| 127 | +1.5 Preparing the fit image | |
| 128 | +---------------------------- | |
| 129 | + | |
| 130 | +As explained in mx8m_mx8mm_secure_boot.txt document the imx-mkimage project is | |
| 131 | +used to combine all the images in a single flash.bin binary. | |
| 132 | + | |
| 133 | +Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) | |
| 134 | +into iMX8M directory and run the following commands according to the target | |
| 135 | +device: | |
| 136 | + | |
| 137 | +- Create a dummy DEK blob: | |
| 138 | + | |
| 139 | + $ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync | |
| 140 | + | |
| 141 | +- Assembly flash.bin binary: | |
| 142 | + | |
| 143 | + $ make SOC=<SoC Name> flash_spl_uboot | |
| 144 | + | |
| 145 | +The mkimage log will be used during the encrypted boot procedure to create the | |
| 146 | +Command Sequence File (CSF): | |
| 147 | + | |
| 148 | +- imx-mkimage build log: | |
| 149 | + | |
| 150 | + Loader IMAGE: | |
| 151 | + header_image_off 0x0 | |
| 152 | + dcd_off 0x0 | |
| 153 | + image_off 0x40 | |
| 154 | + csf_off 0x2c400 | |
| 155 | + spl hab block: 0x7e0fc0 0x0 0x2c400 | |
| 156 | + | |
| 157 | + Second Loader IMAGE: | |
| 158 | + sld_header_off 0x57c00 | |
| 159 | + sld_csf_off 0x58c20 | |
| 160 | + sld hab block: 0x401fcdc0 0x57c00 0x1020 | |
| 161 | + | |
| 162 | +- Additional HAB information is provided by running the following command: | |
| 163 | + | |
| 164 | + $ make SOC=<SoC Name> print_fit_hab | |
| 165 | + | |
| 166 | + ./../scripts/pad_image.sh bl31.bin | |
| 167 | + ./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb | |
| 168 | + TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \ | |
| 169 | + ./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb | |
| 170 | + 0x40200000 0x5AC00 0xB0318 | |
| 171 | + 0x402B0318 0x10AF18 0x8628 | |
| 172 | + 0x920000 0x113540 0xA160 | |
| 173 | + 0xBE000000 0x11D6A0 0x48520 | |
| 174 | + | |
| 175 | +1.6 Creating the CSF description file for SPL + DDR FW image | |
| 176 | +------------------------------------------------------------- | |
| 177 | + | |
| 178 | +The CSF contains all the commands that the ROM executes during the secure boot. | |
| 179 | +These commands instruct the HAB on which memory areas of the image to | |
| 180 | +authenticate and/or decrypt, which keys to install, use, etc... | |
| 181 | + | |
| 182 | +CSF examples for encrypted boot are available under | |
| 183 | +doc/imx/hab/habv4/csf_examples/ directory. | |
| 184 | + | |
| 185 | +With current CST implementation is not possible to encrypt and sign an image | |
| 186 | +at the same time, hence two CSF files are required on each time HAB is used. | |
| 187 | + | |
| 188 | +1.6.1 csf_spl_enc.txt | |
| 189 | +---------------------- | |
| 190 | + | |
| 191 | +The first CSF is used to encrypt the SPL and DDR FW images and generate the | |
| 192 | +dek_spl.bin file. The Authenticate Data command has to cover only the image | |
| 193 | +header and two commands have to be added to encrypt the image. | |
| 194 | + | |
| 195 | +- Add the Authenticate Data command to only cover SPL IVT and boot data: | |
| 196 | + | |
| 197 | + Blocks = 0x7E0FC0 0x0 0x40 "flash.bin" | |
| 198 | + | |
| 199 | +- Add the Install Secret Key command to generate the dek_spl.bin file and | |
| 200 | + install the blob. The Blob Address depends on your image layout and can | |
| 201 | + be calculated as following: | |
| 202 | + | |
| 203 | + Key = "dek_spl.bin" | |
| 204 | + Blob Address = Authenticate Start Address + Image length + CSF Padding | |
| 205 | + = 0x7E0FC0 + 0x2c400 + 0x2000 = 0x80F3C0 | |
| 206 | + | |
| 207 | +- Add the Decrypt Data command to encrypt the file. As SPL image header | |
| 208 | + cannot be encrypted we need to calculate the Block as following: | |
| 209 | + | |
| 210 | + Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | |
| 211 | + Offset = Image offset (image_off) = 0x40 | |
| 212 | + Decrypt size = Image length - SPL header = 0x2C400 - 0x40 = 0x2C3C0 | |
| 213 | + | |
| 214 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" | |
| 215 | + | |
| 216 | +1.6.2 csf_spl_sign_enc.txt | |
| 217 | +--------------------------- | |
| 218 | + | |
| 219 | +The second CSF is used to sign the encrypted SPL image previously generated | |
| 220 | +(flash-spl-enc.bin). | |
| 221 | + | |
| 222 | +- The Authenticate Data command should cover the entire SPL and DDR FW image, | |
| 223 | + the file parameter is the encrypted image flash-spl-enc.bin: | |
| 224 | + | |
| 225 | + Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | |
| 226 | + | |
| 227 | +- Add the Install Secret Key command to generate a dummy DEK blob file, | |
| 228 | + the blob address should be the same as used in csf_spl_enc.txt: | |
| 229 | + | |
| 230 | + Key = "dek_spl_dummy.bin" | |
| 231 | + | |
| 232 | +- Add the Decrypt Data command to encrypt the file. As image was encrypted | |
| 233 | + in CSF above we need to encrypt a dummy file, the block addresses should be | |
| 234 | + the same as used in csf_spl_enc.txt: | |
| 235 | + | |
| 236 | + Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" | |
| 237 | + | |
| 238 | +1.7 Encrypting and signing the SPL + DDR FW image | |
| 239 | +-------------------------------------------------- | |
| 240 | + | |
| 241 | +The CST is used to encrypt the image and regenerate a random DEK. During this | |
| 242 | +step two CSF binaries are generated but only one will be included in final | |
| 243 | +image. | |
| 244 | + | |
| 245 | +- Encrypt the SPL + DDR FW image: | |
| 246 | + | |
| 247 | + $ cp flash.bin flash-spl-enc.bin | |
| 248 | + $ ./cst_encrypted -i csf_spl_enc.txt -o csf_spl_enc.bin | |
| 249 | + | |
| 250 | +- Sign the encrypted SPL + DDR FW image: | |
| 251 | + | |
| 252 | + $ cp flash-spl-enc.bin flash-spl-enc-dummy.bin | |
| 253 | + $ ./cst_encrypted -i csf_spl_sign_enc.txt -o csf_spl_sign_enc.bin | |
| 254 | + | |
| 255 | +1.7.1 Create final CSF binary for SPL + DDR FW image | |
| 256 | +----------------------------------------------------- | |
| 257 | + | |
| 258 | +As only one CSF binary will be included in final image it's necessary to | |
| 259 | +swap Nonce/MAC from csf_spl_enc.bin to csf_spl_sign_enc.bin. | |
| 260 | + | |
| 261 | +- Calculate Nonce/MAC size based on MAC bytes value in CSF: | |
| 262 | + | |
| 263 | + Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | |
| 264 | + = 12 + 16 + 8 = 36 bytes | |
| 265 | + | |
| 266 | +- Calculate Nonce/MAC offset in CSF: | |
| 267 | + | |
| 268 | + MAC offset = csf_spl_enc.bin size - Nonce/MAC size | |
| 269 | + = 3980 - 36 = 3944 Bytes | |
| 270 | + | |
| 271 | +- Extract Nonce/MAC from csf_spl_enc.bin: | |
| 272 | + | |
| 273 | + $ dd if=csf_spl_enc.bin of=noncemac.bin bs=1 skip=3944 count=36 | |
| 274 | + | |
| 275 | +- Replace the MAC of csf_spl_sign_enc with the one extracted above: | |
| 276 | + | |
| 277 | + $ dd if=noncemac.bin of=csf_spl_sign_enc.bin bs=1 seek=3944 count=36 | |
| 278 | + | |
| 279 | +1.8 Creating the CSF description file for FIT image | |
| 280 | +---------------------------------------------------- | |
| 281 | + | |
| 282 | +Similar to SPL image two CSF files are required encrypt and sign the FIT | |
| 283 | +image. | |
| 284 | + | |
| 285 | +Please note that the steps below are using the flash-spl-enc.bin image created | |
| 286 | +in steps above. | |
| 287 | + | |
| 288 | +1.8.1 csf_fit_enc.txt | |
| 289 | +---------------------- | |
| 290 | + | |
| 291 | +The first CSF is used to encrypt the FIT image and generate the dek_fit.bin | |
| 292 | +file. | |
| 293 | + | |
| 294 | +- Modify the Authenticate Data command to only cover FIT image FDT header: | |
| 295 | + | |
| 296 | + Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin" | |
| 297 | + | |
| 298 | +- Add the Install Secret Key command to generate the dek_fit.bin file and | |
| 299 | + install the blob. The Blob Address is a fixed address defined in imx-mkimage | |
| 300 | + project in iMX8M/soc.mak file: | |
| 301 | + | |
| 302 | + iMX8M/soc.mak: | |
| 303 | + DEK_BLOB_LOAD_ADDR = 0x40400000 | |
| 304 | + | |
| 305 | + Key = "dek_fit.bin" | |
| 306 | + Blob Address = 0x40400000 | |
| 307 | + | |
| 308 | +- Add the Decrypt Data command to encrypt the file. | |
| 309 | + | |
| 310 | + The CST can only encrypt images that are 16 bytes aligned, as u-boot-nodtb.bin | |
| 311 | + and u-boot.dtb are together 16 bytes aligned we should consider the first two | |
| 312 | + lines provided in print_fit_hab as a single block. | |
| 313 | + | |
| 314 | + imx-mkimage output: | |
| 315 | + | |
| 316 | + 0x40200000 0x5AC00 0xB0318 โโโฌโโ Total length = 0xB0318 + 0x8628 = 0xB8940 | |
| 317 | + 0x402B0318 0x10AF18 0x8628 โโโ | |
| 318 | + 0x920000 0x113540 0xA160 | |
| 319 | + 0xBE000000 0x11D6A0 0x48520 | |
| 320 | + | |
| 321 | + Decrypt data in csf_fit_enc.txt: | |
| 322 | + | |
| 323 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
| 324 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
| 325 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
| 326 | + | |
| 327 | +1.8.2 csf_fit_sign_enc.txt | |
| 328 | +--------------------------- | |
| 329 | + | |
| 330 | +The second CSF is used to sign the encrypted FIT image previously generated | |
| 331 | +(flash-spl-fit-enc.bin). | |
| 332 | + | |
| 333 | +- The Authenticate Data command should cover the entire FIT image, | |
| 334 | + the file parameter is the encrypted FIT image flash-spl-fit-enc.bin: | |
| 335 | + | |
| 336 | + Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin" | |
| 337 | + 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | |
| 338 | + 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | |
| 339 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | |
| 340 | + | |
| 341 | + | |
| 342 | +- Add the Install Secret Key command to generate a dummy DEK blob file, | |
| 343 | + the blob address should be the same as used in csf_spl_enc.txt: | |
| 344 | + | |
| 345 | + Key = "dek_fit_dummy.bin" | |
| 346 | + | |
| 347 | +- Add the Decrypt Data command to encrypt the file. As image was encrypted | |
| 348 | + in CSF above we need to encrypt a dummy file, the block address should be | |
| 349 | + the same as used in csf_spl_enc.txt: | |
| 350 | + | |
| 351 | + Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | |
| 352 | + 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \ | |
| 353 | + 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" | |
| 354 | + | |
| 355 | +1.9 Encrypting and signing the FIT image | |
| 356 | +----------------------------------------- | |
| 357 | + | |
| 358 | +The CST is used to encrypt the image and regenerate a random DEK. During this | |
| 359 | +step two CSF binaries are generated but only one will be included in final | |
| 360 | +image. | |
| 361 | + | |
| 362 | +- Encrypt the FIT image: | |
| 363 | + | |
| 364 | + $ cp flash-spl-enc.bin flash-spl-fit-enc.bin | |
| 365 | + $ ./cst_encrypted -i csf_fit_enc.txt -o csf_fit_enc.bin | |
| 366 | + | |
| 367 | +- Sign the encrypted FIT image: | |
| 368 | + | |
| 369 | + $ cp flash-spl-fit-enc.bin flash-spl-fit-enc-dummy.bin | |
| 370 | + $ ./cst_encrypted -i csf_fit_sign_enc.txt -o csf_fit_sign_enc.bin | |
| 371 | + | |
| 372 | +1.9.1 Create final CSF binary for FIT image | |
| 373 | +----------------------------------------------------- | |
| 374 | + | |
| 375 | +As only one CSF binary will be included in final image it's necessary to swap | |
| 376 | +Nonce/MAC from csf_fit_enc.bin to csf_fit_sign_enc.bin. | |
| 377 | + | |
| 378 | +- Calculate Nonce/MAC size based on MAC bytes value in CSF: | |
| 379 | + | |
| 380 | + Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | |
| 381 | + = 12 + 16 + 8 = 36 bytes | |
| 382 | + | |
| 383 | +- Calculate Nonce/MAC offset in csf_fit_enc.bin: | |
| 384 | + | |
| 385 | + MAC offset = csf_fit_enc.bin size - Nonce/MAC size | |
| 386 | + = 3996 - 36 = 3960 Bytes | |
| 387 | + | |
| 388 | +- Extract Nonce/MAC from csf_fit_enc.bin: | |
| 389 | + | |
| 390 | + $ dd if=csf_fit_enc.bin of=noncemac.bin bs=1 skip=3960 count=36 | |
| 391 | + | |
| 392 | +- Calculate Nonce/MAC offset in csf_fit_sign_enc.bin: | |
| 393 | + | |
| 394 | + MAC offset = csf_fit_enc.bin size - Nonce/MAC size | |
| 395 | + = 4020 - 36 = 3984 Bytes | |
| 396 | + | |
| 397 | +- Replace the MAC of csf_fit_sign_enc.bin with the one extracted above: | |
| 398 | + | |
| 399 | + $ dd if=noncemac.bin of=csf_fit_sign_enc.bin bs=1 seek=3984 count=36 | |
| 400 | + | |
| 401 | +1.10 Generate the DEK Blob | |
| 402 | +--------------------------- | |
| 403 | + | |
| 404 | +The DEK must be encapsulated into a CAAM blob so it can be included into | |
| 405 | +the final encrypted binary. The U-Boot provides a tool called dek_blob | |
| 406 | +which is calling the CAAM implementation included in OP-TEE. | |
| 407 | + | |
| 408 | +Copy the dek_spl.bin and dek_fit.bin in SDCard FAT partition and run | |
| 409 | +the following commands from U-Boot prompt: | |
| 410 | + | |
| 411 | + => mmc list | |
| 412 | + FSL_SDHC: 1 (SD) | |
| 413 | + FSL_SDHC: 2 | |
| 414 | + => fatload mmc 1:1 0x40400000 dek_spl.bin | |
| 415 | + => dek_blob 0x40400000 0x40401000 128 | |
| 416 | + => fatwrite mmc 1:1 0x40401000 dek_spl_blob.bin 0x48 | |
| 417 | + => fatload mmc 1:1 0x40402000 dek_fit.bin | |
| 418 | + => dek_blob 0x40402000 0x40403000 128 | |
| 419 | + => fatwrite mmc 1:1 0x40403000 dek_fit_blob.bin 0x48 | |
| 420 | + | |
| 421 | +In host PC copy the generated dek_spl_blob.bin and dek_fit_blob.bin to the | |
| 422 | +CST directory. | |
| 423 | + | |
| 424 | +1.11 Assembly the encrypted image | |
| 425 | +---------------------------------- | |
| 426 | + | |
| 427 | +The CSF binaries generated in the steps above have to be inserted into the | |
| 428 | +encrypted image. | |
| 429 | + | |
| 430 | +The CSF offsets can be obtained from the flash.bin build log: | |
| 431 | + | |
| 432 | +- SPL CSF offset: | |
| 433 | + | |
| 434 | + csf_off 0x2c400 | |
| 435 | + | |
| 436 | +- FIT CSF offset: | |
| 437 | + | |
| 438 | + sld_csf_off 0x58c20 | |
| 439 | + | |
| 440 | +The encrypted flash.bin image can be then assembled: | |
| 441 | + | |
| 442 | +- Create a flash-spl-fit-enc.bin copy: | |
| 443 | + | |
| 444 | + $ cp flash-spl-fit-enc.bin encrypted-flash.bin | |
| 445 | + | |
| 446 | +1.11.1 Insert SPL CSF and DEK blob | |
| 447 | +----------------------------------- | |
| 448 | + | |
| 449 | +- Insert csf_spl_sign_enc.bin in encrypted-flash.bin at 0x2c400 offset: | |
| 450 | + | |
| 451 | + $ dd if=csf_spl_sign_enc.bin of=encrypted-flash.bin seek=$((0x2c400)) bs=1 conv=notrunc | |
| 452 | + | |
| 453 | +- Insert dek_spl_blob.bin in encrypted-flash.bin at 0x2c400 + 0x2000 offset: | |
| 454 | + | |
| 455 | + $ dd if=dek_spl_blob.bin of=encrypted-flash.bin seek=$((0x2e400)) bs=1 conv=notrunc | |
| 456 | + | |
| 457 | +1.11.2 Insert FIT CSF and DEK blob | |
| 458 | +----------------------------------- | |
| 459 | + | |
| 460 | +- Insert csf_fit_sign_enc.bin in encrypted-flash.bin at 0x58c20 offset: | |
| 461 | + | |
| 462 | + $ dd if=csf_fit_sign_enc.bin of=encrypted-flash.bin seek=$((0x58c20)) bs=1 conv=notrunc | |
| 463 | + | |
| 464 | +- The DEK blob must be inserted in last image entry on FIT image, the last line | |
| 465 | + provided by print_fit_hab taget log target can be used: | |
| 466 | + | |
| 467 | + 0x40200000 0x5AC00 0xB0318 | |
| 468 | + 0x402B0318 0x10AF18 0x8628 | |
| 469 | + 0x920000 0x113540 0xA160 | |
| 470 | + 0xBE000000 0x11D6A0 0x48520 -> Last line in print_fit_hab log | |
| 471 | + | |
| 472 | +- Insert dek_fit_blob.bin encrypted-flash.bin at 0x11D6A0 + 0x48520 offset: | |
| 473 | + | |
| 474 | + $ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc | |
| 475 | + | |
| 476 | +1.11.3 Flash encrypted boot image | |
| 477 | +----------------------------------- | |
| 478 | + | |
| 479 | +- Flash encrypted image in SDCard: | |
| 480 | + | |
| 481 | + $ sudo dd if=encrypted-flash.bin of=/dev/sd<x> bs=1K seek=33* && sync | |
| 482 | + * Offset in i.MX8MN device is 32K. | |
| 483 | + | |
| 484 | +2.0 Setting the PRIBLOB in CAAM SCFGR register | |
| 485 | +----------------------------------------------- | |
| 486 | + | |
| 487 | +It is highly recommended to advance the PRIBLOB field in CAAM SCFGR register to | |
| 488 | +0x3, a command is available in U-Boot that should be called after all images in | |
| 489 | +boot flow has been decrypted by HAB: | |
| 490 | + | |
| 491 | + => set_priblob_bitfield | |
| 492 | + | |
| 493 | +The PRIBLOB configuration ensures cryptographic separation of private blob | |
| 494 | +types avoiding any modification or replacement of DEK blobs. Newly created | |
| 495 | +blobs will be incompatible with blobs required to decrypt an encrypted boot | |
| 496 | +image. When the HAB later executes the command to decrypt the DEK, an | |
| 497 | +incompatible DEK blob will be detected and cause an error. A substitute | |
| 498 | +encrypted boot image will not be decrypted, and will not be executed. | |
| 499 | + | |
| 500 | +References: | |
| 501 | +[1] AN12056: "Encrypted Boot on HABv4 and CAAM Enabled Devices" - Rev. 1 |