Commit 4886ec745e0ac8c38f2d61546eebca8cd0dfeb17
Committed by
Ye Li
1 parent
e7e56da835
Exists in
smarc_8mm-imx_v2019.04_4.19.35_1.1.0
and in
1 other branch
MLK-22570-2 doc: habv4: Add encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN devices
Add HABv4 encrypted boot documentation for i.MX8M, i.MX8MM and i.MX8MN family devices covering the following topics: - How to encrypt and sign a flash.bin image. - How to manage CAAM PRIBLOBs when using encrypted boot - Add 4 CSF examples. Reviewed-by: Ye Li <ye.li@nxp.com> Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit eee57255e0b0ea3a2808d3a2c19c8685afbac39b)
Showing 5 changed files with 700 additions and 0 deletions Inline Diff
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_enc.txt
File was created | 1 | [Header] | |
2 | Version = 4.3 | ||
3 | Hash Algorithm = sha256 | ||
4 | Engine = CAAM | ||
5 | Engine Configuration = 0 | ||
6 | Certificate Format = X509 | ||
7 | Signature Format = CMS | ||
8 | |||
9 | [Install SRK] | ||
10 | File = "../crts/SRK_1_2_3_4_table.bin" | ||
11 | Source index = 0 | ||
12 | |||
13 | [Install CSFK] | ||
14 | File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
15 | |||
16 | [Authenticate CSF] | ||
17 | |||
18 | [Unlock] | ||
19 | Engine = CAAM | ||
20 | Features = MID | ||
21 | |||
22 | [Install Key] | ||
23 | Verification index = 0 | ||
24 | Target index = 2 | ||
25 | File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
26 | |||
27 | [Authenticate Data] | ||
28 | Verification index = 2 | ||
29 | Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-enc.bin" | ||
30 | |||
31 | [Install Secret Key] | ||
32 | # Install the blob | ||
33 | Verification Index = 0 | ||
34 | Target Index = 0 | ||
35 | Key = "dek_fit.bin" | ||
36 | Key Length = 128 | ||
37 | # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | ||
38 | # DEK_BLOB_LOAD_ADDR = 0x40400000 | ||
39 | Blob Address = 0x40400000 | ||
40 | |||
41 | [Decrypt Data] | ||
42 | # The decrypt data command below causes CST to modify the input | ||
43 | # file and encrypt the specified block of data. This image file | ||
44 | # is a copy of the file used for the authentication command above | ||
45 | Verification Index = 0 | ||
46 | Mac Bytes = 16 | ||
47 | Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | ||
48 | 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | ||
49 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | ||
50 |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_fit_sign_enc.txt
File was created | 1 | [Header] | |
2 | Version = 4.3 | ||
3 | Hash Algorithm = sha256 | ||
4 | Engine = CAAM | ||
5 | Engine Configuration = 0 | ||
6 | Certificate Format = X509 | ||
7 | Signature Format = CMS | ||
8 | |||
9 | [Install SRK] | ||
10 | File = "../crts/SRK_1_2_3_4_table.bin" | ||
11 | Source index = 0 | ||
12 | |||
13 | [Install CSFK] | ||
14 | File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
15 | |||
16 | [Authenticate CSF] | ||
17 | |||
18 | [Unlock] | ||
19 | Engine = CAAM | ||
20 | Features = MID | ||
21 | |||
22 | [Install Key] | ||
23 | Verification index = 0 | ||
24 | Target index = 2 | ||
25 | File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
26 | |||
27 | [Authenticate Data] | ||
28 | Verification index = 2 | ||
29 | Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin", \ | ||
30 | 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | ||
31 | 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | ||
32 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | ||
33 | |||
34 | [Install Secret Key] | ||
35 | # Install the blob | ||
36 | Verification Index = 0 | ||
37 | Target Index = 0 | ||
38 | Key = "dek_fit_dummy.bin" | ||
39 | Key Length = 128 | ||
40 | # Fixed address defined in imx-mkimage project in iMX8M/soc.mak file | ||
41 | # DEK_BLOB_LOAD_ADDR = 0x40400000 | ||
42 | Blob Address = 0x40400000 | ||
43 | |||
44 | [Decrypt Data] | ||
45 | # The decrypt data command below causes CST to modify the input | ||
46 | # file and encrypt the specified block of data. This image file | ||
47 | # is a copy of the file used for the authentication command above | ||
48 | Verification Index = 0 | ||
49 | Mac Bytes = 16 | ||
50 | Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | ||
51 | 0x920000 0x113540 0xA160 "flash-spl-fit-enc-dummy.bin", \ | ||
52 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" | ||
53 | |||
54 |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_enc.txt
File was created | 1 | [Header] | |
2 | Version = 4.3 | ||
3 | Hash Algorithm = sha256 | ||
4 | Engine = CAAM | ||
5 | Engine Configuration = 0 | ||
6 | Certificate Format = X509 | ||
7 | Signature Format = CMS | ||
8 | |||
9 | [Install SRK] | ||
10 | File = "../crts/SRK_1_2_3_4_table.bin" | ||
11 | Source index = 0 | ||
12 | |||
13 | [Install CSFK] | ||
14 | File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
15 | |||
16 | [Authenticate CSF] | ||
17 | |||
18 | [Unlock] | ||
19 | Engine = CAAM | ||
20 | Features = MID | ||
21 | |||
22 | [Install Key] | ||
23 | Verification index = 0 | ||
24 | Target index = 2 | ||
25 | File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
26 | |||
27 | [Authenticate Data] | ||
28 | Verification index = 2 | ||
29 | Blocks = 0x7e0fc0 0x0 0x40 "flash.bin" | ||
30 | |||
31 | [Install Secret Key] | ||
32 | # Install the blob | ||
33 | Verification Index = 0 | ||
34 | Target Index = 0 | ||
35 | Key = "dek_spl.bin" | ||
36 | Key Length = 128 | ||
37 | # Authenticate Start Address + SPL & DDR FW image length + CSF Padding | ||
38 | # 0x7E0FC0 + 0x2c400 + 0x2000 | ||
39 | Blob Address = 0x80F3C0 | ||
40 | |||
41 | [Decrypt Data] | ||
42 | # The decrypt data command below causes CST to modify the input | ||
43 | # file and encrypt the specified block of data. This image file | ||
44 | # is a copy of the file used for the authentication command above | ||
45 | Verification Index = 0 | ||
46 | Mac Bytes = 16 | ||
47 | # Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | ||
48 | # Offset = Image offset (image_off) = 0x40 | ||
49 | # Decrypt size = Image length - SPL header = 0x2c400 - 0x40 = 0x2C3C0 | ||
50 | Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" | ||
51 |
doc/imx/habv4/csf_examples/mx8m_mx8mm/csf_spl_sign_enc.txt
File was created | 1 | [Header] | |
2 | Version = 4.3 | ||
3 | Hash Algorithm = sha256 | ||
4 | Engine = CAAM | ||
5 | Engine Configuration = 0 | ||
6 | Certificate Format = X509 | ||
7 | Signature Format = CMS | ||
8 | |||
9 | [Install SRK] | ||
10 | File = "../crts/SRK_1_2_3_4_table.bin" | ||
11 | Source index = 0 | ||
12 | |||
13 | [Install CSFK] | ||
14 | File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
15 | |||
16 | [Authenticate CSF] | ||
17 | |||
18 | [Unlock] | ||
19 | Engine = CAAM | ||
20 | Features = MID | ||
21 | |||
22 | [Install Key] | ||
23 | Verification index = 0 | ||
24 | Target index = 2 | ||
25 | File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | ||
26 | |||
27 | [Authenticate Data] | ||
28 | Verification index = 2 | ||
29 | Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | ||
30 | |||
31 | [Install Secret Key] | ||
32 | # Install the blob | ||
33 | Verification Index = 0 | ||
34 | Target Index = 0 | ||
35 | Key = "dek_spl_dummy.bin" | ||
36 | Key Length = 128 | ||
37 | # Authenticate Start Address + Image length + CSF Padding | ||
38 | # 0x7E0FC0 + 0x2c400 + 0x2000 | ||
39 | Blob Address = 0x80F3C0 | ||
40 | |||
41 | [Decrypt Data] | ||
42 | # The decrypt data command below causes CST to modify the input | ||
43 | # file and encrypt the specified block of data. This image file | ||
44 | # is a copy of the file used for the authentication command above | ||
45 | Verification Index = 0 | ||
46 | Mac Bytes = 16 | ||
47 | Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" | ||
48 |
doc/imx/habv4/guides/mx8m_mx8mm_encrypted_boot.txt
File was created | 1 | +======================================================+ | |
2 | + i.MX8M, i.MX8MM Encrypted Boot guide using HABv4 + | ||
3 | +======================================================+ | ||
4 | |||
5 | 1. HABv4 Encrypted Boot process | ||
6 | ------------------------------- | ||
7 | |||
8 | This document describes a step-by-step procedure on how to encrypt and sign a | ||
9 | bootloader image for i.MX8M, i.MX8MM, i.MX8MN family devices. It is assumed | ||
10 | that the reader is familiar with basic HAB concepts and has already closed | ||
11 | the device, step-by-step procedure can be found in mx8m_mx8mm_secure_boot.txt | ||
12 | guide. | ||
13 | |||
14 | Details about encrypted boot can be found in application note AN12056[1] and | ||
15 | in the introduction_habv4.txt document. | ||
16 | |||
17 | The steps described in this document were based in i.MX8MM device, the same | ||
18 | concept can be applied to i.MX8M and i.MX8MN family devices. | ||
19 | |||
20 | 1.1 Understanding the encrypted flash.bin image layout | ||
21 | ------------------------------------------------------ | ||
22 | |||
23 | As described in mx8m_mx8mm_secure_boot.txt guide a single binary is used | ||
24 | to boot the device, the imx-mkimage tool combines all the input images in | ||
25 | a FIT structure, generating a flash.bin binary. | ||
26 | |||
27 | The encrypted boot image requires a DEK (Data Encryption Key) blob on each time | ||
28 | HABv4 is used to decrypt an image. The DEK blob is used as a security layer to | ||
29 | wrap and store the DEK off-chip using the OTPMK which is unique per device. | ||
30 | More details can be found in AN12056 application note. | ||
31 | |||
32 | The diagram below illustrates an encrypted flash.bin image layout: | ||
33 | |||
34 | +-----------------------------+ | ||
35 | | | | ||
36 | | *Signed HDMI/DP FW | | ||
37 | | | | ||
38 | +-----------------------------+ | ||
39 | | Padding | | ||
40 | ------------------ +-----------------------------+ -------- | ||
41 | ^ | IVT - SPL | ^ | ||
42 | Signed | ------- +-----------------------------+ | | ||
43 | Data | Enc ^ | u-boot-spl.bin | | | ||
44 | | Data | | + | | SPL | ||
45 | v v | DDR FW | | Image | ||
46 | ------------------ +-----------------------------+ | | ||
47 | | CSF - SPL + DDR FW | v | ||
48 | +-----------------------------+ -------- | ||
49 | | DEK Blob | | ||
50 | +-----------------------------+ | ||
51 | | Padding | | ||
52 | ------- +-----------------------------+ -------- | ||
53 | Signed ^ | FDT - FIT | ^ | ||
54 | Data | +-----------------------------+ | | ||
55 | v | IVT - FIT | | | ||
56 | ------- +-----------------------------+ | | ||
57 | | CSF - FIT | | | ||
58 | ------------------ +-----------------------------+ | | ||
59 | ^ | u-boot-nodtb.bin | | FIT | ||
60 | | +-----------------------------+ | Image | ||
61 | Signed and | | u-boot.dtb | | | ||
62 | Encrypted | +-----------------------------+ | | ||
63 | Data | | bl31.bin (ATF) | | | ||
64 | | +-----------------------------+ | | ||
65 | v | OP-TEE | | | ||
66 | ------------------ +-----------------------------+ | | ||
67 | | DEK Blob | v | ||
68 | +-----------------------------+ -------- | ||
69 | * Only supported on i.MX8M series | ||
70 | |||
71 | 1.2 Enabling the encrypted boot support in U-Boot | ||
72 | -------------------------------------------------- | ||
73 | |||
74 | For deploying an encrypted boot image additional U-Boot tools are needed, | ||
75 | please be sure to have the following features enabled, this can be achieved | ||
76 | by following one of the methods below: | ||
77 | |||
78 | - Defconfig | ||
79 | |||
80 | CONFIG_SECURE_BOOT=y | ||
81 | CONFIG_FAT_WRITE=y | ||
82 | CONFIG_CMD_DEKBLOB=y | ||
83 | CONFIG_IMX_OPTEE_DEK_ENCAP=y | ||
84 | CONFIG_CMD_PRIBLOB=y | ||
85 | |||
86 | - Kconfig | ||
87 | |||
88 | ARM architecture -> Support i.MX HAB features | ||
89 | ARM architecture -> Support the 'dek_blob' command | ||
90 | ARM architecture -> Support the set_priblob_bitfield command | ||
91 | File systems -> Enable FAT filesystem support-> Enable FAT filesystem | ||
92 | write support | ||
93 | |||
94 | 1.3 Enabling the encrypted boot support in CST | ||
95 | ----------------------------------------------- | ||
96 | |||
97 | The encryption feature is not enabled by default in Code Signing tools (CST). | ||
98 | The CST backend must be recompiled, execute the following commands to enable | ||
99 | encryption support in CST: | ||
100 | |||
101 | $ sudo apt-get install libssl-dev openssl | ||
102 | $ cd <CST install directory>/code/back_end/src | ||
103 | $ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c | ||
104 | -lfrontend -lcrypto | ||
105 | $ cp cst_encrypted ../../../linux64/bin/ | ||
106 | |||
107 | 1.4 Building OP-TEE and ATF to support DEK blob tool | ||
108 | ----------------------------------------------------- | ||
109 | |||
110 | The DEK blob must be created by a software running in Arm TrustZone Secure | ||
111 | World, the CAAM block takes into consideration the TrustZone configuration | ||
112 | when encapsulating the DEK and the resulting blob can be only decapsulated | ||
113 | by a SW running in the same configuration. As ROM code is running in ARM | ||
114 | TrustZone secure world we must encapsulate the blobs using OP-TEE. | ||
115 | |||
116 | - Building ATF to support OP-TEE: | ||
117 | |||
118 | $ make PLAT=<SoC Name> SPD=opteed bl31 | ||
119 | |||
120 | - Building OP-TEE to support DEK blob encapsulation: | ||
121 | |||
122 | $ CFG_NXPCRYPT=y CFG_GEN_DEK_BLOB=y source ./scripts/nxp_build.sh <Board Name> | ||
123 | |||
124 | * OP-TEE debug logs can be enabled by adding CFG_TEE_CORE_LOG_LEVEL=4 in | ||
125 | command line above. | ||
126 | |||
127 | 1.5 Preparing the fit image | ||
128 | ---------------------------- | ||
129 | |||
130 | As explained in mx8m_mx8mm_secure_boot.txt document the imx-mkimage project is | ||
131 | used to combine all the images in a single flash.bin binary. | ||
132 | |||
133 | Copy all the binaries generated (U-Boot images, bl31.bin, tee.bin and Firmware) | ||
134 | into iMX8M directory and run the following commands according to the target | ||
135 | device: | ||
136 | |||
137 | - Create a dummy DEK blob: | ||
138 | |||
139 | $ dd if=/dev/zero of=iMX8M/dek_blob_fit_dummy.bin bs=96 count=1 && sync | ||
140 | |||
141 | - Assembly flash.bin binary: | ||
142 | |||
143 | $ make SOC=<SoC Name> flash_spl_uboot | ||
144 | |||
145 | The mkimage log will be used during the encrypted boot procedure to create the | ||
146 | Command Sequence File (CSF): | ||
147 | |||
148 | - imx-mkimage build log: | ||
149 | |||
150 | Loader IMAGE: | ||
151 | header_image_off 0x0 | ||
152 | dcd_off 0x0 | ||
153 | image_off 0x40 | ||
154 | csf_off 0x2c400 | ||
155 | spl hab block: 0x7e0fc0 0x0 0x2c400 | ||
156 | |||
157 | Second Loader IMAGE: | ||
158 | sld_header_off 0x57c00 | ||
159 | sld_csf_off 0x58c20 | ||
160 | sld hab block: 0x401fcdc0 0x57c00 0x1020 | ||
161 | |||
162 | - Additional HAB information is provided by running the following command: | ||
163 | |||
164 | $ make SOC=<SoC Name> print_fit_hab | ||
165 | |||
166 | ./../scripts/pad_image.sh bl31.bin | ||
167 | ./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb | ||
168 | TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \ | ||
169 | ./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb | ||
170 | 0x40200000 0x5AC00 0xB0318 | ||
171 | 0x402B0318 0x10AF18 0x8628 | ||
172 | 0x920000 0x113540 0xA160 | ||
173 | 0xBE000000 0x11D6A0 0x48520 | ||
174 | |||
175 | 1.6 Creating the CSF description file for SPL + DDR FW image | ||
176 | ------------------------------------------------------------- | ||
177 | |||
178 | The CSF contains all the commands that the ROM executes during the secure boot. | ||
179 | These commands instruct the HAB on which memory areas of the image to | ||
180 | authenticate and/or decrypt, which keys to install, use, etc... | ||
181 | |||
182 | CSF examples for encrypted boot are available under | ||
183 | doc/imx/hab/habv4/csf_examples/ directory. | ||
184 | |||
185 | With current CST implementation is not possible to encrypt and sign an image | ||
186 | at the same time, hence two CSF files are required on each time HAB is used. | ||
187 | |||
188 | 1.6.1 csf_spl_enc.txt | ||
189 | ---------------------- | ||
190 | |||
191 | The first CSF is used to encrypt the SPL and DDR FW images and generate the | ||
192 | dek_spl.bin file. The Authenticate Data command has to cover only the image | ||
193 | header and two commands have to be added to encrypt the image. | ||
194 | |||
195 | - Add the Authenticate Data command to only cover SPL IVT and boot data: | ||
196 | |||
197 | Blocks = 0x7E0FC0 0x0 0x40 "flash.bin" | ||
198 | |||
199 | - Add the Install Secret Key command to generate the dek_spl.bin file and | ||
200 | install the blob. The Blob Address depends on your image layout and can | ||
201 | be calculated as following: | ||
202 | |||
203 | Key = "dek_spl.bin" | ||
204 | Blob Address = Authenticate Start Address + Image length + CSF Padding | ||
205 | = 0x7E0FC0 + 0x2c400 + 0x2000 = 0x80F3C0 | ||
206 | |||
207 | - Add the Decrypt Data command to encrypt the file. As SPL image header | ||
208 | cannot be encrypted we need to calculate the Block as following: | ||
209 | |||
210 | Start Address = Start Address + SPL header = 0x7E0FC0 + 0x40 = 0x7E1000 | ||
211 | Offset = Image offset (image_off) = 0x40 | ||
212 | Decrypt size = Image length - SPL header = 0x2C400 - 0x40 = 0x2C3C0 | ||
213 | |||
214 | Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc.bin" | ||
215 | |||
216 | 1.6.2 csf_spl_sign_enc.txt | ||
217 | --------------------------- | ||
218 | |||
219 | The second CSF is used to sign the encrypted SPL image previously generated | ||
220 | (flash-spl-enc.bin). | ||
221 | |||
222 | - The Authenticate Data command should cover the entire SPL and DDR FW image, | ||
223 | the file parameter is the encrypted image flash-spl-enc.bin: | ||
224 | |||
225 | Blocks = 0x7E0FC0 0x0 0x2C400 "flash-spl-enc.bin" | ||
226 | |||
227 | - Add the Install Secret Key command to generate a dummy DEK blob file, | ||
228 | the blob address should be the same as used in csf_spl_enc.txt: | ||
229 | |||
230 | Key = "dek_spl_dummy.bin" | ||
231 | |||
232 | - Add the Decrypt Data command to encrypt the file. As image was encrypted | ||
233 | in CSF above we need to encrypt a dummy file, the block addresses should be | ||
234 | the same as used in csf_spl_enc.txt: | ||
235 | |||
236 | Blocks = 0x7E1000 0x40 0x2C3C0 "flash-spl-enc-dummy.bin" | ||
237 | |||
238 | 1.7 Encrypting and signing the SPL + DDR FW image | ||
239 | -------------------------------------------------- | ||
240 | |||
241 | The CST is used to encrypt the image and regenerate a random DEK. During this | ||
242 | step two CSF binaries are generated but only one will be included in final | ||
243 | image. | ||
244 | |||
245 | - Encrypt the SPL + DDR FW image: | ||
246 | |||
247 | $ cp flash.bin flash-spl-enc.bin | ||
248 | $ ./cst_encrypted -i csf_spl_enc.txt -o csf_spl_enc.bin | ||
249 | |||
250 | - Sign the encrypted SPL + DDR FW image: | ||
251 | |||
252 | $ cp flash-spl-enc.bin flash-spl-enc-dummy.bin | ||
253 | $ ./cst_encrypted -i csf_spl_sign_enc.txt -o csf_spl_sign_enc.bin | ||
254 | |||
255 | 1.7.1 Create final CSF binary for SPL + DDR FW image | ||
256 | ----------------------------------------------------- | ||
257 | |||
258 | As only one CSF binary will be included in final image it's necessary to | ||
259 | swap Nonce/MAC from csf_spl_enc.bin to csf_spl_sign_enc.bin. | ||
260 | |||
261 | - Calculate Nonce/MAC size based on MAC bytes value in CSF: | ||
262 | |||
263 | Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | ||
264 | = 12 + 16 + 8 = 36 bytes | ||
265 | |||
266 | - Calculate Nonce/MAC offset in CSF: | ||
267 | |||
268 | MAC offset = csf_spl_enc.bin size - Nonce/MAC size | ||
269 | = 3980 - 36 = 3944 Bytes | ||
270 | |||
271 | - Extract Nonce/MAC from csf_spl_enc.bin: | ||
272 | |||
273 | $ dd if=csf_spl_enc.bin of=noncemac.bin bs=1 skip=3944 count=36 | ||
274 | |||
275 | - Replace the MAC of csf_spl_sign_enc with the one extracted above: | ||
276 | |||
277 | $ dd if=noncemac.bin of=csf_spl_sign_enc.bin bs=1 seek=3944 count=36 | ||
278 | |||
279 | 1.8 Creating the CSF description file for FIT image | ||
280 | ---------------------------------------------------- | ||
281 | |||
282 | Similar to SPL image two CSF files are required encrypt and sign the FIT | ||
283 | image. | ||
284 | |||
285 | Please note that the steps below are using the flash-spl-enc.bin image created | ||
286 | in steps above. | ||
287 | |||
288 | 1.8.1 csf_fit_enc.txt | ||
289 | ---------------------- | ||
290 | |||
291 | The first CSF is used to encrypt the FIT image and generate the dek_fit.bin | ||
292 | file. | ||
293 | |||
294 | - Modify the Authenticate Data command to only cover FIT image FDT header: | ||
295 | |||
296 | Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin" | ||
297 | |||
298 | - Add the Install Secret Key command to generate the dek_fit.bin file and | ||
299 | install the blob. The Blob Address is a fixed address defined in imx-mkimage | ||
300 | project in iMX8M/soc.mak file: | ||
301 | |||
302 | iMX8M/soc.mak: | ||
303 | DEK_BLOB_LOAD_ADDR = 0x40400000 | ||
304 | |||
305 | Key = "dek_fit.bin" | ||
306 | Blob Address = 0x40400000 | ||
307 | |||
308 | - Add the Decrypt Data command to encrypt the file. | ||
309 | |||
310 | The CST can only encrypt images that are 16 bytes aligned, as u-boot-nodtb.bin | ||
311 | and u-boot.dtb are together 16 bytes aligned we should consider the first two | ||
312 | lines provided in print_fit_hab as a single block. | ||
313 | |||
314 | imx-mkimage output: | ||
315 | |||
316 | 0x40200000 0x5AC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940 | ||
317 | 0x402B0318 0x10AF18 0x8628 ──┘ | ||
318 | 0x920000 0x113540 0xA160 | ||
319 | 0xBE000000 0x11D6A0 0x48520 | ||
320 | |||
321 | Decrypt data in csf_fit_enc.txt: | ||
322 | |||
323 | Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | ||
324 | 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | ||
325 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | ||
326 | |||
327 | 1.8.2 csf_fit_sign_enc.txt | ||
328 | --------------------------- | ||
329 | |||
330 | The second CSF is used to sign the encrypted FIT image previously generated | ||
331 | (flash-spl-fit-enc.bin). | ||
332 | |||
333 | - The Authenticate Data command should cover the entire FIT image, | ||
334 | the file parameter is the encrypted FIT image flash-spl-fit-enc.bin: | ||
335 | |||
336 | Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin" | ||
337 | 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ | ||
338 | 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ | ||
339 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" | ||
340 | |||
341 | |||
342 | - Add the Install Secret Key command to generate a dummy DEK blob file, | ||
343 | the blob address should be the same as used in csf_spl_enc.txt: | ||
344 | |||
345 | Key = "dek_fit_dummy.bin" | ||
346 | |||
347 | - Add the Decrypt Data command to encrypt the file. As image was encrypted | ||
348 | in CSF above we need to encrypt a dummy file, the block address should be | ||
349 | the same as used in csf_spl_enc.txt: | ||
350 | |||
351 | Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ | ||
352 | 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \ | ||
353 | 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" | ||
354 | |||
355 | 1.9 Encrypting and signing the FIT image | ||
356 | ----------------------------------------- | ||
357 | |||
358 | The CST is used to encrypt the image and regenerate a random DEK. During this | ||
359 | step two CSF binaries are generated but only one will be included in final | ||
360 | image. | ||
361 | |||
362 | - Encrypt the FIT image: | ||
363 | |||
364 | $ cp flash-spl-enc.bin flash-spl-fit-enc.bin | ||
365 | $ ./cst_encrypted -i csf_fit_enc.txt -o csf_fit_enc.bin | ||
366 | |||
367 | - Sign the encrypted FIT image: | ||
368 | |||
369 | $ cp flash-spl-fit-enc.bin flash-spl-fit-enc-dummy.bin | ||
370 | $ ./cst_encrypted -i csf_fit_sign_enc.txt -o csf_fit_sign_enc.bin | ||
371 | |||
372 | 1.9.1 Create final CSF binary for FIT image | ||
373 | ----------------------------------------------------- | ||
374 | |||
375 | As only one CSF binary will be included in final image it's necessary to swap | ||
376 | Nonce/MAC from csf_fit_enc.bin to csf_fit_sign_enc.bin. | ||
377 | |||
378 | - Calculate Nonce/MAC size based on MAC bytes value in CSF: | ||
379 | |||
380 | Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac | ||
381 | = 12 + 16 + 8 = 36 bytes | ||
382 | |||
383 | - Calculate Nonce/MAC offset in csf_fit_enc.bin: | ||
384 | |||
385 | MAC offset = csf_fit_enc.bin size - Nonce/MAC size | ||
386 | = 3996 - 36 = 3960 Bytes | ||
387 | |||
388 | - Extract Nonce/MAC from csf_fit_enc.bin: | ||
389 | |||
390 | $ dd if=csf_fit_enc.bin of=noncemac.bin bs=1 skip=3960 count=36 | ||
391 | |||
392 | - Calculate Nonce/MAC offset in csf_fit_sign_enc.bin: | ||
393 | |||
394 | MAC offset = csf_fit_enc.bin size - Nonce/MAC size | ||
395 | = 4020 - 36 = 3984 Bytes | ||
396 | |||
397 | - Replace the MAC of csf_fit_sign_enc.bin with the one extracted above: | ||
398 | |||
399 | $ dd if=noncemac.bin of=csf_fit_sign_enc.bin bs=1 seek=3984 count=36 | ||
400 | |||
401 | 1.10 Generate the DEK Blob | ||
402 | --------------------------- | ||
403 | |||
404 | The DEK must be encapsulated into a CAAM blob so it can be included into | ||
405 | the final encrypted binary. The U-Boot provides a tool called dek_blob | ||
406 | which is calling the CAAM implementation included in OP-TEE. | ||
407 | |||
408 | Copy the dek_spl.bin and dek_fit.bin in SDCard FAT partition and run | ||
409 | the following commands from U-Boot prompt: | ||
410 | |||
411 | => mmc list | ||
412 | FSL_SDHC: 1 (SD) | ||
413 | FSL_SDHC: 2 | ||
414 | => fatload mmc 1:1 0x40400000 dek_spl.bin | ||
415 | => dek_blob 0x40400000 0x40401000 128 | ||
416 | => fatwrite mmc 1:1 0x40401000 dek_spl_blob.bin 0x48 | ||
417 | => fatload mmc 1:1 0x40402000 dek_fit.bin | ||
418 | => dek_blob 0x40402000 0x40403000 128 | ||
419 | => fatwrite mmc 1:1 0x40403000 dek_fit_blob.bin 0x48 | ||
420 | |||
421 | In host PC copy the generated dek_spl_blob.bin and dek_fit_blob.bin to the | ||
422 | CST directory. | ||
423 | |||
424 | 1.11 Assembly the encrypted image | ||
425 | ---------------------------------- | ||
426 | |||
427 | The CSF binaries generated in the steps above have to be inserted into the | ||
428 | encrypted image. | ||
429 | |||
430 | The CSF offsets can be obtained from the flash.bin build log: | ||
431 | |||
432 | - SPL CSF offset: | ||
433 | |||
434 | csf_off 0x2c400 | ||
435 | |||
436 | - FIT CSF offset: | ||
437 | |||
438 | sld_csf_off 0x58c20 | ||
439 | |||
440 | The encrypted flash.bin image can be then assembled: | ||
441 | |||
442 | - Create a flash-spl-fit-enc.bin copy: | ||
443 | |||
444 | $ cp flash-spl-fit-enc.bin encrypted-flash.bin | ||
445 | |||
446 | 1.11.1 Insert SPL CSF and DEK blob | ||
447 | ----------------------------------- | ||
448 | |||
449 | - Insert csf_spl_sign_enc.bin in encrypted-flash.bin at 0x2c400 offset: | ||
450 | |||
451 | $ dd if=csf_spl_sign_enc.bin of=encrypted-flash.bin seek=$((0x2c400)) bs=1 conv=notrunc | ||
452 | |||
453 | - Insert dek_spl_blob.bin in encrypted-flash.bin at 0x2c400 + 0x2000 offset: | ||
454 | |||
455 | $ dd if=dek_spl_blob.bin of=encrypted-flash.bin seek=$((0x2e400)) bs=1 conv=notrunc | ||
456 | |||
457 | 1.11.2 Insert FIT CSF and DEK blob | ||
458 | ----------------------------------- | ||
459 | |||
460 | - Insert csf_fit_sign_enc.bin in encrypted-flash.bin at 0x58c20 offset: | ||
461 | |||
462 | $ dd if=csf_fit_sign_enc.bin of=encrypted-flash.bin seek=$((0x58c20)) bs=1 conv=notrunc | ||
463 | |||
464 | - The DEK blob must be inserted in last image entry on FIT image, the last line | ||
465 | provided by print_fit_hab taget log target can be used: | ||
466 | |||
467 | 0x40200000 0x5AC00 0xB0318 | ||
468 | 0x402B0318 0x10AF18 0x8628 | ||
469 | 0x920000 0x113540 0xA160 | ||
470 | 0xBE000000 0x11D6A0 0x48520 -> Last line in print_fit_hab log | ||
471 | |||
472 | - Insert dek_fit_blob.bin encrypted-flash.bin at 0x11D6A0 + 0x48520 offset: | ||
473 | |||
474 | $ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc | ||
475 | |||
476 | 1.11.3 Flash encrypted boot image | ||
477 | ----------------------------------- | ||
478 | |||
479 | - Flash encrypted image in SDCard: | ||
480 | |||
481 | $ sudo dd if=encrypted-flash.bin of=/dev/sd<x> bs=1K seek=33* && sync | ||
482 | * Offset in i.MX8MN device is 32K. | ||
483 | |||
484 | 2.0 Setting the PRIBLOB in CAAM SCFGR register | ||
485 | ----------------------------------------------- | ||
486 | |||
487 | It is highly recommended to advance the PRIBLOB field in CAAM SCFGR register to | ||
488 | 0x3, a command is available in U-Boot that should be called after all images in | ||
489 | boot flow has been decrypted by HAB: | ||
490 | |||
491 | => set_priblob_bitfield | ||
492 | |||
493 | The PRIBLOB configuration ensures cryptographic separation of private blob | ||
494 | types avoiding any modification or replacement of DEK blobs. Newly created | ||
495 | blobs will be incompatible with blobs required to decrypt an encrypted boot | ||
496 | image. When the HAB later executes the command to decrypt the DEK, an | ||
497 | incompatible DEK blob will be detected and cause an error. A substitute | ||
498 | encrypted boot image will not be decrypted, and will not be executed. | ||
499 | |||
500 | References: | ||
501 | [1] AN12056: "Encrypted Boot on HABv4 and CAAM Enabled Devices" - Rev. 1 | ||
502 |