Commit 6d7403bf72b5ea46497fe8222d0303cb79563379
Committed by
Stefano Babic
1 parent
b887f0a68e
Exists in
smarc_8mq_lf_v2020.04
and in
17 other branches
doc: mxc_hab: Update i.MX HAB documentation
The README.mxc_hab is outdated and need improvements, add the following modifications: - Reorganize document and remove duplicate content - Add CST download link - Update CST package name - Align command lines with CST v2.3.3 - Update U-Boot binary name - Remove CSF padding since is not documented in AN4581 Signed-off-by: Breno Lima <breno.lima@nxp.com>
Showing 1 changed file with 33 additions and 39 deletions Side-by-side Diff
doc/README.mxc_hab
... | ... | @@ -11,15 +11,23 @@ |
11 | 11 | boot media needs to be properly constructed, i.e. it must contain a |
12 | 12 | proper Command Sequence File (CSF). |
13 | 13 | |
14 | -The Initial Vector Table contains a pointer to the CSF. Please see | |
15 | -doc/README.imximage for how to prepare u-boot.imx. | |
14 | +The CSF itself is generated by the i.MX High Assurance Boot Reference | |
15 | +Code Signing Tool. | |
16 | +https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL | |
16 | 17 | |
17 | -The CSF itself is being generated by Freescale HAB tools. | |
18 | +More information about the CSF and HAB can be found in the AN4581. | |
19 | +https://www.nxp.com/docs/en/application-note/AN4581.pdf | |
18 | 20 | |
19 | -mkimage will output additional information about "HAB Blocks" | |
20 | -which can be used in the Freescale tooling to authenticate U-Boot | |
21 | -(entries in the CSF file). | |
21 | +We don't want to explain how to create a PKI tree or SRK table as | |
22 | +this is well explained in the Application Note. | |
22 | 23 | |
24 | +2. Secure Boot on non-SPL targets | |
25 | +--------------------------------- | |
26 | + | |
27 | +On non-SPL targets a singe U-Boot binary is generated, mkimage will | |
28 | +output additional information about "HAB Blocks" which can be used | |
29 | +in the CST to authenticate the U-Boot image (entries in the CSF file). | |
30 | + | |
23 | 31 | Image Type: Freescale IMX Boot Image |
24 | 32 | Image Ver: 2 (i.MX53/6 compatible) |
25 | 33 | Data Size: 327680 Bytes = 320.00 kB = 0.31 MB |
26 | 34 | |
27 | 35 | |
28 | 36 | |
29 | 37 | |
30 | 38 | |
31 | 39 | |
32 | 40 | |
... | ... | @@ -34,46 +42,35 @@ |
34 | 42 | | |
35 | 43 | --------------------------- (3) |
36 | 44 | |
37 | -(1) Size of area in file u-boot.imx to sign | |
45 | +(1) Size of area in file u-boot-dtb.imx to sign | |
38 | 46 | This area should include the IVT, the Boot Data the DCD |
39 | 47 | and U-Boot itself. |
40 | -(2) Start of area in u-boot.imx to sign | |
48 | +(2) Start of area in u-boot-dtb.imx to sign | |
41 | 49 | (3) Start of area in RAM to authenticate |
42 | 50 | |
43 | 51 | CONFIG_SECURE_BOOT currently enables only an additional command |
44 | 52 | 'hab_status' in U-Boot to retrieve the HAB status and events. This |
45 | 53 | can be useful while developing and testing HAB. |
46 | 54 | |
47 | -Commands to generate a signed U-Boot using Freescale HAB tools: | |
48 | -cst --o U-Boot_CSF.bin < U-Boot.CSF | |
49 | -objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ | |
50 | - U-Boot_CSF.bin U-Boot_CSF_pad.bin | |
51 | -cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx | |
55 | +Commands to generate a signed U-Boot using i.MX HAB CST tool: | |
56 | +# Compile CSF and create signature | |
57 | +cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
58 | +# Append compiled CSF to Binary | |
59 | +cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
52 | 60 | |
53 | -NOTE: U-Boot_CSF.bin needs to be padded to the value specified in | |
54 | -the imximage.cfg file. | |
61 | +3. Secure Boot on SPL targets | |
62 | +----------------------------- | |
55 | 63 | |
56 | - | |
57 | -2. Using Secure Boot on i.MX6 machines with SPL support | |
58 | -------------------------------------------------------- | |
59 | - | |
60 | 64 | This version of U-Boot is able to build a signable version of the SPL |
61 | 65 | as well as a signable version of the U-Boot image. The signature can |
62 | 66 | be verified through High Assurance Boot (HAB). |
63 | 67 | |
64 | -CONFIG_SECURE_BOOT is needed to build those two binaries. | |
65 | 68 | After building, you need to create a command sequence file and use |
66 | -Freescales Code Signing Tool to sign both binaries. After creation, | |
69 | +i.MX HAB Code Signing Tool to sign both binaries. After creation, | |
67 | 70 | the mkimage tool outputs the required information about the HAB Blocks |
68 | 71 | parameter for the CSF. During the build, the information is preserved |
69 | 72 | in log files named as the binaries. (SPL.log and u-boot-ivt.log). |
70 | 73 | |
71 | -More information about the CSF and HAB can be found in the AN4581. | |
72 | -https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf | |
73 | - | |
74 | -We don't want to explain how to create a PKI tree or SRK table as | |
75 | -this is well explained in the Application Note. | |
76 | - | |
77 | 74 | Example Output of the SPL (imximage) creation: |
78 | 75 | Image Type: Freescale IMX Boot Image |
79 | 76 | Image Ver: 2 (i.MX53/6/7 compatible) |
80 | 77 | |
81 | 78 | |
82 | 79 | |
83 | 80 | |
... | ... | @@ -92,23 +89,22 @@ |
92 | 89 | Entry Point: 00000000 |
93 | 90 | HAB Blocks: 0x177fffc0 0x0000 0x00054020 |
94 | 91 | |
95 | -The CST (Code Signing Tool) can be downloaded from NXP. | |
96 | 92 | # Compile CSF and create signature |
97 | -./cst --o csf-u-boot.bin < command_sequence_uboot.csf | |
98 | -./cst --o csf-SPL.bin < command_sequence_spl.csf | |
93 | +cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
94 | +cst --o csf-SPL.bin --i command_sequence_spl.csf | |
99 | 95 | # Append compiled CSF to Binary |
100 | 96 | cat SPL csf-SPL.bin > SPL-signed |
101 | 97 | cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img |
102 | 98 | |
103 | -These two signed binaries can be used on an i.MX6 in closed | |
99 | +These two signed binaries can be used on an i.MX in closed | |
104 | 100 | configuration when the according SRK Table Hash has been flashed. |
105 | 101 | |
106 | -3. Setup U-Boot Image for Encrypted Boot | |
107 | ------------------------------------------ | |
102 | +4. Setup U-Boot Image for Encrypted Boot | |
103 | +---------------------------------------- | |
108 | 104 | An authenticated U-Boot image is used as starting point for |
109 | -Encrypted Boot. The image is encrypted by Freescale's Code | |
110 | -Signing Tool (CST). The CST replaces only the image data of | |
111 | -u-boot.imx with the encrypted data. The Initial Vector Table, | |
105 | +Encrypted Boot. The image is encrypted by i.MX Code Signing | |
106 | +Tool (CST). The CST replaces only the image data of | |
107 | +u-boot-dtb.imx with the encrypted data. The Initial Vector Table, | |
112 | 108 | DCD, and Boot data, remains in plaintext. |
113 | 109 | |
114 | 110 | The image data is encrypted with a Encryption Key (DEK). |
... | ... | @@ -138,9 +134,7 @@ |
138 | 134 | to the host.Then the following commands are used to construct |
139 | 135 | the final image. |
140 | 136 | |
141 | -objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ | |
142 | - U-Boot_CSF.bin U-Boot_CSF_pad.bin | |
143 | -cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx | |
137 | +cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
144 | 138 | objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \ |
145 | 139 | u-boot-signed.imx u-boot-signed-pad.bin |
146 | 140 | cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx |