Commit 5cf826345d21f11c745c78df55af8cec29ec4779
Committed by
Ye Li
Ye Li
1 parent
aedc4dfa08
Exists in
smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga
and in
5 other branches
MLK-19970-2 doc: imx: habv4: Add Secure Boot documentation for i.MX6 and i.MX7 family devices
Add HABv4 documentation for u-boot-dtb.imx targets covering the following topics: - How to sign an securely boot an u-boot-dtb.imx image. - How to extend the root of trust for additional boot images. - Add 3 CSF examples. - Add IVT generation script example. Reviewed-by: Ye Li <ye.li@nxp.com> Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com>
Showing 5 changed files with 503 additions and 0 deletions Side-by-side Diff
doc/imx/hab/habv4/csf_examples/additional_images/csf_additional_images.txt
| 1 | +[Header] | |
| 2 | + Version = 4.2 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine Configuration = 0 | |
| 5 | + Certificate Format = X509 | |
| 6 | + Signature Format = CMS | |
| 7 | + Engine = CAAM | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + # Index of the key location in the SRK table to be installed | |
| 11 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 12 | + Source index = 0 | |
| 13 | + | |
| 14 | +[Install CSFK] | |
| 15 | + # Key used to authenticate the CSF data | |
| 16 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 17 | + | |
| 18 | +[Authenticate CSF] | |
| 19 | + | |
| 20 | +[Install Key] | |
| 21 | + # Key slot index used to authenticate the key to be installed | |
| 22 | + Verification index = 0 | |
| 23 | + # Target key slot in HAB key store where key will be installed | |
| 24 | + Target Index = 2 | |
| 25 | + # Key to install | |
| 26 | + File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 27 | + | |
| 28 | +[Authenticate Data] | |
| 29 | + # Key slot index used to authenticate the image data | |
| 30 | + Verification index = 2 | |
| 31 | + # Authenticate Start Address, Offset, Length and file | |
| 32 | + Blocks = 0x80800000 0x00000000 0x80EEA020 "zImage", \ | |
| 33 | + 0x83800000 0x00000000 0x8380B927 "imx7d-sdb.dtb", \ | |
| 34 | + 0x84000000 0x00000000 0x840425B8 "uTee-7dsdb" |
doc/imx/hab/habv4/csf_examples/mx6_mx7/csf_uboot.txt
| 1 | +[Header] | |
| 2 | + Version = 4.2 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine Configuration = 0 | |
| 5 | + Certificate Format = X509 | |
| 6 | + Signature Format = CMS | |
| 7 | + Engine = CAAM | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + # Index of the key location in the SRK table to be installed | |
| 11 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 12 | + Source index = 0 | |
| 13 | + | |
| 14 | +[Install CSFK] | |
| 15 | + # Key used to authenticate the CSF data | |
| 16 | + File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 17 | + | |
| 18 | +[Authenticate CSF] | |
| 19 | + | |
| 20 | +[Install Key] | |
| 21 | + # Key slot index used to authenticate the key to be installed | |
| 22 | + Verification index = 0 | |
| 23 | + # Target key slot in HAB key store where key will be installed | |
| 24 | + Target Index = 2 | |
| 25 | + # Key to install | |
| 26 | + File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem" | |
| 27 | + | |
| 28 | +[Authenticate Data] | |
| 29 | + # Key slot index used to authenticate the image data | |
| 30 | + Verification index = 2 | |
| 31 | + # Authenticate Start Address, Offset, Length and file | |
| 32 | + Blocks = 0x877ff400 0x00000000 0x0009ec00 "u-boot-dtb.imx" |
doc/imx/hab/habv4/csf_examples/mx6_mx7/csf_uboot_fast_authentication.txt
| 1 | +[Header] | |
| 2 | + Version = 4.2 | |
| 3 | + Hash Algorithm = sha256 | |
| 4 | + Engine Configuration = 0 | |
| 5 | + Certificate Format = X509 | |
| 6 | + Signature Format = CMS | |
| 7 | + Engine = CAAM | |
| 8 | + | |
| 9 | +[Install SRK] | |
| 10 | + # Index of the key location in the SRK table to be installed | |
| 11 | + File = "../crts/SRK_1_2_3_4_table.bin" | |
| 12 | + Source index = 0 | |
| 13 | + | |
| 14 | +[Install NOCAK] | |
| 15 | + File = "../crts/SRK1_sha256_2048_65537_v3_usr_crt.pem" | |
| 16 | + | |
| 17 | +[Authenticate CSF] | |
| 18 | + | |
| 19 | +[Authenticate Data] | |
| 20 | + # Key slot index 0 used to authenticate the image data | |
| 21 | + Verification index = 0 | |
| 22 | + # Authenticate Start Address, Offset, Length and file | |
| 23 | + Blocks = 0x877ff400 0x00000000 0x0009ec00 "u-boot-dtb.imx" |
doc/imx/hab/habv4/guides/mx6_mx7_secure_boot.txt
| 1 | + +=======================================================+ | |
| 2 | + + i.MX6, i.MX7 U-Boot Secure Boot guide using HABv4 + | |
| 3 | + +=======================================================+ | |
| 4 | + | |
| 5 | +1. HABv4 secure boot process | |
| 6 | +----------------------------- | |
| 7 | + | |
| 8 | +This document describes a step-by-step procedure on how to sign and securely | |
| 9 | +boot an U-Boot image. It is assumed that the reader is familiar with basic | |
| 10 | +HAB concepts and with the PKI tree generation. | |
| 11 | + | |
| 12 | +Details about HAB can be found in the application note AN4581[1] and in the | |
| 13 | +introduction_habv4.txt document. | |
| 14 | + | |
| 15 | +1.1 Building a u-boot-dtb.imx image supporting secure boot | |
| 16 | +----------------------------------------------------------- | |
| 17 | + | |
| 18 | +The U-Boot provides support to secure boot configuration and also provide | |
| 19 | +access to the HAB APIs exposed by the ROM vector table, the support is | |
| 20 | +enabled by selecting the CONFIG_SECURE_BOOT option. | |
| 21 | + | |
| 22 | +When built with this configuration, the U-Boot provides extra functions for | |
| 23 | +HAB, such as the HAB status logs retrievement through the hab_status command | |
| 24 | +and support for extending the root of trust. | |
| 25 | + | |
| 26 | +The U-Boot also correctly pads the final image by aligning to the next 0xC00 | |
| 27 | +address, so the CSF signature data generated by CST can be concatenated to | |
| 28 | +image. | |
| 29 | + | |
| 30 | +The diagram below illustrate a signed u-boot-dtb.imx image layout: | |
| 31 | + | |
| 32 | + ------- +-----------------------------+ <-- *start | |
| 33 | + ^ | Image Vector Table | | |
| 34 | + | +-----------------------------+ <-- *boot_data | |
| 35 | + | | Boot Data | | |
| 36 | + | +-----------------------------+ <-- *dcd | |
| 37 | + | | DCD Table | | |
| 38 | + | +-----------------------------+ | |
| 39 | + Signed | | Padding | | |
| 40 | + Data | +-----------------------------+ <-- *entry | |
| 41 | + | | | | |
| 42 | + | | | | |
| 43 | + | | u-boot-dtb.bin | | |
| 44 | + | | | | |
| 45 | + | | | | |
| 46 | + | +-----------------------------+ | |
| 47 | + v | Padding | | |
| 48 | + ------- +-----------------------------+ <-- *csf | |
| 49 | + | | | |
| 50 | + | Command Sequence File (CSF) | | |
| 51 | + | | | |
| 52 | + +-----------------------------+ | |
| 53 | + | Padding (optional) | | |
| 54 | + +-----------------------------+ | |
| 55 | + | |
| 56 | +1.2 Enabling the secure boot support | |
| 57 | +------------------------------------- | |
| 58 | + | |
| 59 | +The first step is to generate an U-Boot image supporting the HAB features | |
| 60 | +mentioned above, this can be achieved by adding CONFIG_SECURE_BOOT to the | |
| 61 | +build configuration: | |
| 62 | + | |
| 63 | +- Defconfig: | |
| 64 | + | |
| 65 | + CONFIG_SECURE_BOOT=y | |
| 66 | + | |
| 67 | +- Kconfig: | |
| 68 | + | |
| 69 | + ARM architecture -> Support i.MX HAB features | |
| 70 | + | |
| 71 | +1.3 Creating the CSF description file | |
| 72 | +-------------------------------------- | |
| 73 | + | |
| 74 | +The CSF contains all the commands that the ROM executes during the secure | |
| 75 | +boot. These commands instruct the HAB on which memory areas of the image | |
| 76 | +to authenticate, which keys to install, use and etc. | |
| 77 | + | |
| 78 | +CSF examples are available under doc/imx/hab/habv4/csf_examples/ directory. | |
| 79 | + | |
| 80 | +A build log containing the "Authenticate Data" parameters is available after | |
| 81 | +the U-Boot build, the example below is a log for mx7dsabresd_defconfig target: | |
| 82 | + | |
| 83 | +- mkimage build log: | |
| 84 | + | |
| 85 | + $ cat u-boot-dtb.imx.log | |
| 86 | + | |
| 87 | + Image Type: Freescale IMX Boot Image | |
| 88 | + Image Ver: 2 (i.MX53/6/7 compatible) | |
| 89 | + Mode: DCD | |
| 90 | + Data Size: 667648 Bytes = 652.00 KiB = 0.64 MiB | |
| 91 | + Load Address: 877ff420 | |
| 92 | + Entry Point: 87800000 | |
| 93 | + HAB Blocks: 877ff400 00000000 0009ec00 | |
| 94 | + ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ | |
| 95 | + | | | | |
| 96 | + | | ------- (1) | |
| 97 | + | | | |
| 98 | + | ---------------- (2) | |
| 99 | + | | |
| 100 | + ------------------------- (3) | |
| 101 | + | |
| 102 | + (1) Size of area in file u-boot-dtb.imx to sign. | |
| 103 | + This area should include the IVT, the Boot Data the DCD | |
| 104 | + and the U-Boot itself. | |
| 105 | + (2) Start of area in u-boot-dtb.imx to sign. | |
| 106 | + (3) Start of area in RAM to authenticate. | |
| 107 | + | |
| 108 | +- In "Authenticate Data" CSF command users can copy and past the output | |
| 109 | + addresses: | |
| 110 | + | |
| 111 | + Block = 0x877ff400 0x00000000 0x0009ec00 "u-boot-dtb.imx" | |
| 112 | + | |
| 113 | +1.4 Signing the U-Boot binary | |
| 114 | +------------------------------ | |
| 115 | + | |
| 116 | +The CST tool is used for singing the U-Boot binary and generating a CSF binary, | |
| 117 | +users should input the CSF description file created in the step above and | |
| 118 | +should receive a CSF binary, which contains the CSF commands, SRK table, | |
| 119 | +signatures and certificates. | |
| 120 | + | |
| 121 | +- Create CSF binary file: | |
| 122 | + | |
| 123 | + $ ./cst -i csf_uboot.txt -o csf_uboot.bin | |
| 124 | + | |
| 125 | +- Append CSF signature to the end of U-Boot image: | |
| 126 | + | |
| 127 | + $ cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx | |
| 128 | + | |
| 129 | +The u-boot-signed.imx is the signed binary and should be flashed into the boot | |
| 130 | +media. | |
| 131 | + | |
| 132 | +- Flash signed U-Boot binary: | |
| 133 | + | |
| 134 | + $ sudo dd if=u-boot-signed.imx of=/dev/sd<x> bs=1K seek=1 && sync | |
| 135 | + | |
| 136 | +1.5 Programming SRK Hash | |
| 137 | +------------------------- | |
| 138 | + | |
| 139 | +As explained in AN4581[1] and in introduction_habv4.txt document the SRK Hash | |
| 140 | +fuse values are generated by the srktool and should be programmed in the | |
| 141 | +SoC SRK_HASH[255:0] fuses. | |
| 142 | + | |
| 143 | +Be careful when programming these values, as this data is the basis for the | |
| 144 | +root of trust. An error in SRK Hash results in a part that does not boot. | |
| 145 | + | |
| 146 | +The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs. | |
| 147 | + | |
| 148 | +- Dump SRK Hash fuses values in host machine: | |
| 149 | + | |
| 150 | + $ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin | |
| 151 | + 0x20593752 | |
| 152 | + 0x6ACE6962 | |
| 153 | + 0x26E0D06C | |
| 154 | + 0xFC600661 | |
| 155 | + 0x1240E88F | |
| 156 | + 0x1209F144 | |
| 157 | + 0x831C8117 | |
| 158 | + 0x1190FD4D | |
| 159 | + | |
| 160 | +- Program SRK_HASH[255:0] fuses, using i.MX6 series as example: | |
| 161 | + | |
| 162 | + => fuse prog 3 0 0x20593752 | |
| 163 | + => fuse prog 3 1 0x6ACE6962 | |
| 164 | + => fuse prog 3 2 0x26E0D06C | |
| 165 | + => fuse prog 3 3 0xFC600661 | |
| 166 | + => fuse prog 3 4 0x1240E88F | |
| 167 | + => fuse prog 3 5 0x1209F144 | |
| 168 | + => fuse prog 3 6 0x831C8117 | |
| 169 | + => fuse prog 3 7 0x1190FD4D | |
| 170 | + | |
| 171 | +The table below lists the SRK_HASH bank and word according to the i.MX device: | |
| 172 | + | |
| 173 | + +-------------------+---------------+---------------+---------------+ | |
| 174 | + | | i.MX6 Series | i.MX7D/S | i.MX7ULP | | |
| 175 | + +-------------------+---------------+---------------+---------------+ | |
| 176 | + | SRK_HASH[31:00] | bank 3 word 0 | bank 6 word 0 | bank 5 word 0 | | |
| 177 | + +-------------------+---------------+---------------+---------------+ | |
| 178 | + | SRK_HASH[63:32] | bank 3 word 1 | bank 6 word 1 | bank 5 word 1 | | |
| 179 | + +-------------------+---------------+---------------+---------------+ | |
| 180 | + | SRK_HASH[95:64] | bank 3 word 2 | bank 6 word 2 | bank 5 word 2 | | |
| 181 | + +-------------------+---------------+---------------+---------------+ | |
| 182 | + | SRK_HASH[127:96] | bank 3 word 3 | bank 6 word 3 | bank 5 word 3 | | |
| 183 | + +-------------------+---------------+---------------+---------------+ | |
| 184 | + | SRK_HASH[159:128] | bank 3 word 4 | bank 7 word 0 | bank 5 word 4 | | |
| 185 | + +-------------------+---------------+---------------+---------------+ | |
| 186 | + | SRK_HASH[191:160] | bank 3 word 5 | bank 7 word 1 | bank 5 word 5 | | |
| 187 | + +-------------------+---------------+---------------+---------------+ | |
| 188 | + | SRK_HASH[223:192] | bank 3 word 6 | bank 7 word 2 | bank 5 word 6 | | |
| 189 | + +-------------------+---------------+---------------+---------------+ | |
| 190 | + | SRK_HASH[255:224] | bank 3 word 7 | bank 7 word 3 | bank 5 word 7 | | |
| 191 | + +-------------------+---------------+---------------+---------------+ | |
| 192 | + | |
| 193 | +1.6 Verifying HAB events | |
| 194 | +------------------------- | |
| 195 | + | |
| 196 | +The next step is to verify that the signature attached to U-Boot is | |
| 197 | +successfully processed without errors. HAB generates events when processing | |
| 198 | +the commands if it encounters issues. | |
| 199 | + | |
| 200 | +The hab_status U-Boot command call the hab_report_event() and hab_status() | |
| 201 | +HAB API functions to verify the processor security configuration and status. | |
| 202 | +This command displays any events that were generated during the process. | |
| 203 | + | |
| 204 | +Prior to closing the device users should ensure no HAB events were found, as | |
| 205 | +the example below: | |
| 206 | + | |
| 207 | +- Verify HAB events: | |
| 208 | + | |
| 209 | + => hab_status | |
| 210 | + | |
| 211 | + Secure boot disabled | |
| 212 | + | |
| 213 | + HAB Configuration: 0xf0, HAB State: 0x66 | |
| 214 | + No HAB Events Found! | |
| 215 | + | |
| 216 | +1.7 Closing the device | |
| 217 | +----------------------- | |
| 218 | + | |
| 219 | +After the device successfully boots a signed image without generating any HAB | |
| 220 | +events, it is safe to close the device. This is the last step in the HAB | |
| 221 | +process, and is achieved by programming the SEC_CONFIG[1] fuse bit. | |
| 222 | + | |
| 223 | +Once the fuse is programmed, the chip does not load an image that has not been | |
| 224 | +signed using the correct PKI tree. | |
| 225 | + | |
| 226 | +- Program SEC_CONFIG[1] fuse, using i.MX6 series as example: | |
| 227 | + | |
| 228 | + => fuse prog 0 6 0x00000002 | |
| 229 | + | |
| 230 | +The table below list the SEC_CONFIG[1] bank and word according to the i.MX | |
| 231 | +device: | |
| 232 | + | |
| 233 | + +--------------+-----------------+------------+ | |
| 234 | + | Device | Bank and Word | Value | | |
| 235 | + +--------------+-----------------+------------+ | |
| 236 | + | i.MX6 Series | bank 0 word 6 | 0x00000002 | | |
| 237 | + +--------------+-----------------+------------+ | |
| 238 | + | i.MX7D/S | bank 1 word 3 | 0x02000000 | | |
| 239 | + +--------------+-----------------+------------+ | |
| 240 | + | i.MX7ULP | bank 29 word 6 | 0x80000000 | | |
| 241 | + +--------------+-----------------+------------+ | |
| 242 | + | |
| 243 | +1.8 Completely secure the device | |
| 244 | +--------------------------------- | |
| 245 | + | |
| 246 | +Additional fuses can be programmed for completely secure the device, more | |
| 247 | +details about these fuses and their possible impact can be found at AN4581[1]. | |
| 248 | + | |
| 249 | +- Program SRK_LOCK, using i.MX6 series as example: | |
| 250 | + | |
| 251 | + => fuse prog 0 0 0x4000 | |
| 252 | + | |
| 253 | +- Program DIR_BT_DIS, using i.MX6 series as example: | |
| 254 | + | |
| 255 | + => fuse prog 0 6 0x8 | |
| 256 | + | |
| 257 | +- Program SJC_DISABLE, using i.MX6 series as example: | |
| 258 | + | |
| 259 | + => fuse prog 0 6 0x100000 | |
| 260 | + | |
| 261 | +- JTAG_SMODE, using i.MX6 series as example: | |
| 262 | + | |
| 263 | + => fuse prog 0 6 0xC00000 | |
| 264 | + | |
| 265 | +The table below list the SRK_LOCK, DIR_BT_DIS, SJC_DISABLE, and JTAG_SMODE bank | |
| 266 | +and word according to the i.MX device: | |
| 267 | + | |
| 268 | + +--------------+---------------+------------+ | |
| 269 | + | Device | Bank and Word | Value | | |
| 270 | + +--------------+---------------+------------+ | |
| 271 | + | SRK_LOCK | | |
| 272 | + +-------------------------------------------+ | |
| 273 | + | i.MX6 Series | bank 0 word 0 | 0x00004000 | | |
| 274 | + +--------------+---------------+------------+ | |
| 275 | + | i.MX7D/S | bank 0 word 0 | 0x00000200 | | |
| 276 | + +--------------+---------------+------------+ | |
| 277 | + | i.MX7ULP | bank 1 word 1 | 0x00000080 | | |
| 278 | + +--------------+---------------+------------+ | |
| 279 | + | DIR_BT_DIS | | |
| 280 | + +-------------------------------------------+ | |
| 281 | + | i.MX6 Series | bank 0 word 6 | 0x00000008 | | |
| 282 | + +--------------+---------------+------------+ | |
| 283 | + | i.MX7D/S | bank 1 word 3 | 0x08000000 | | |
| 284 | + +--------------+---------------+------------+ | |
| 285 | + | i.MX7ULP | bank 1 word 1 | 0x00002000 | | |
| 286 | + +--------------+---------------+------------+ | |
| 287 | + | SJC_DISABLE | | |
| 288 | + +-------------------------------------------+ | |
| 289 | + | i.MX6 Series | bank 0 word 6 | 0x00100000 | | |
| 290 | + +--------------+---------------+------------+ | |
| 291 | + | i.MX7D/S | bank 1 word 3 | 0x00200000 | | |
| 292 | + +--------------+---------------+------------+ | |
| 293 | + | i.MX7ULP | bank 1 word 1 | 0x00000020 | | |
| 294 | + +--------------+---------------+------------+ | |
| 295 | + | JTAG_SMODE | | |
| 296 | + +-------------------------------------------+ | |
| 297 | + | i.MX6 Series | bank 0 word 6 | 0x00C00000 | | |
| 298 | + +--------------+---------------+------------+ | |
| 299 | + | i.MX7D/S | bank 1 word 3 | 0x00C00000 | | |
| 300 | + +--------------+---------------+------------+ | |
| 301 | + | i.MX7ULP | bank 1 word 1 | 0x000000C0 | | |
| 302 | + +--------------+---------------+------------+ | |
| 303 | + | |
| 304 | +2. Extending the root of trust | |
| 305 | +------------------------------- | |
| 306 | + | |
| 307 | +The High Assurance Boot (HAB) code located in the on-chip ROM provides an | |
| 308 | +Application Programming Interface (API) making it possible to call back | |
| 309 | +into the HAB code for authenticating additional boot images. | |
| 310 | + | |
| 311 | +The U-Boot supports this feature and can be used to authenticate the Linux | |
| 312 | +Kernel Image. | |
| 313 | + | |
| 314 | +The process of signing an additional image is similar to the U-Boot. | |
| 315 | +The diagram below illustrate the zImage layout: | |
| 316 | + | |
| 317 | + ------- +-----------------------------+ <-- *load_address | |
| 318 | + ^ | | | |
| 319 | + | | | | |
| 320 | + | | | | |
| 321 | + | | | | |
| 322 | + | | zImage | | |
| 323 | + Signed | | | | |
| 324 | + Data | | | | |
| 325 | + | | | | |
| 326 | + | +-----------------------------+ | |
| 327 | + | | Padding Next Boundary | | |
| 328 | + | +-----------------------------+ <-- *ivt | |
| 329 | + v | Image Vector Table | | |
| 330 | + ------- +-----------------------------+ <-- *csf | |
| 331 | + | | | |
| 332 | + | Command Sequence File (CSF) | | |
| 333 | + | | | |
| 334 | + +-----------------------------+ | |
| 335 | + | Padding (optional) | | |
| 336 | + +-----------------------------+ | |
| 337 | + | |
| 338 | +2.1 Padding the image | |
| 339 | +---------------------- | |
| 340 | + | |
| 341 | +The zImage must be padded to the next boundary address (0x1000), for instance | |
| 342 | +if the image size is 0x649920 it must be padded to 0x64A000. | |
| 343 | + | |
| 344 | +The tool objcopy can be used for padding the image. | |
| 345 | + | |
| 346 | +- Pad the zImage: | |
| 347 | + | |
| 348 | + $ objcopy -I binary -O binary --pad-to 0x6EA000 --gap-fill=0x00 \ | |
| 349 | + zImage zImage_pad.bin | |
| 350 | + | |
| 351 | +2.2 Generating Image Vector Table | |
| 352 | +---------------------------------- | |
| 353 | + | |
| 354 | +The HAB code requires an Image Vector Table (IVT) for determining the image | |
| 355 | +length and the CSF location. Since zImage does not include an IVT this has | |
| 356 | +to be manually created and appended to the end of the padded zImage, the | |
| 357 | +script genIVT.pl in script_examples directory can be used as reference. | |
| 358 | + | |
| 359 | +- Generate IVT: | |
| 360 | + | |
| 361 | + $ genIVT.pl | |
| 362 | + | |
| 363 | +Note: The load Address may change depending on the device. | |
| 364 | + | |
| 365 | +- Append the ivt.bin at the end of the padded zImage: | |
| 366 | + | |
| 367 | + $ cat zImage_pad.bin ivt.bin > zImage_pad_ivt.bin | |
| 368 | + | |
| 369 | +2.3 Signing the image | |
| 370 | +---------------------- | |
| 371 | + | |
| 372 | +A CSF file has to be created to sign the image. HAB does not allow to change | |
| 373 | +the SRK once the first image is authenticated, so the same SRK key used in | |
| 374 | +U-Boot must be used when extending the root of trust. | |
| 375 | + | |
| 376 | +CSF examples are available in ../csf_examples/additional_images/ | |
| 377 | +directory. | |
| 378 | + | |
| 379 | +- Create CSF binary file: | |
| 380 | + | |
| 381 | + $ ./cst --i csf_additional_images.txt --o csf_zImage.bin | |
| 382 | + | |
| 383 | +- Attach the CSF binary to the end of the image: | |
| 384 | + | |
| 385 | + $ cat zImage_pad_ivt.bin csf_zImage.bin > zImage_signed.bin | |
| 386 | + | |
| 387 | +2.4 Verifying HAB events | |
| 388 | +------------------------- | |
| 389 | + | |
| 390 | +The U-Boot includes the hab_auth_img command which can be used for | |
| 391 | +authenticating and troubleshooting the signed image, zImage must be | |
| 392 | +loaded at the load address specified in the IVT. | |
| 393 | + | |
| 394 | +- Authenticate additional image: | |
| 395 | + | |
| 396 | + => hab_auth_img <Load Address> <Image Size> <IVT Offset> | |
| 397 | + | |
| 398 | +If no HAB events were found the zImage is successfully signed. | |
| 399 | + | |
| 400 | +References: | |
| 401 | +[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using | |
| 402 | + HABv4" - Rev 2. |
doc/imx/hab/habv4/script_examples/genIVT.pl
| 1 | +#! /usr/bin/perl -w | |
| 2 | +use strict; | |
| 3 | +open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!"; | |
| 4 | +print $out pack("V", 0x412000D1); # Signature | |
| 5 | +print $out pack("V", 0x80800000); # Load Address (*load_address) | |
| 6 | +print $out pack("V", 0x0); # Reserved | |
| 7 | +print $out pack("V", 0x0); # DCD pointer | |
| 8 | +print $out pack("V", 0x0); # Boot Data | |
| 9 | +print $out pack("V", 0x80EEA000); # Self Pointer (*ivt) | |
| 10 | +print $out pack("V", 0x80EEA020); # CSF Pointer (*csf) | |
| 11 | +print $out pack("V", 0x0); # Reserved | |
| 12 | +close($out); |