Commit 6d7403bf72b5ea46497fe8222d0303cb79563379
Committed by
Stefano Babic
Stefano Babic
1 parent
b887f0a68e
Exists in
smarc_8mq_lf_v2020.04
and in
17 other branches
doc: mxc_hab: Update i.MX HAB documentation
The README.mxc_hab is outdated and need improvements, add the following modifications: - Reorganize document and remove duplicate content - Add CST download link - Update CST package name - Align command lines with CST v2.3.3 - Update U-Boot binary name - Remove CSF padding since is not documented in AN4581 Signed-off-by: Breno Lima <breno.lima@nxp.com>
Showing 1 changed file with 33 additions and 39 deletions Side-by-side Diff
doc/README.mxc_hab
| ... | ... | @@ -11,15 +11,23 @@ |
| 11 | 11 | boot media needs to be properly constructed, i.e. it must contain a |
| 12 | 12 | proper Command Sequence File (CSF). |
| 13 | 13 | |
| 14 | -The Initial Vector Table contains a pointer to the CSF. Please see | |
| 15 | -doc/README.imximage for how to prepare u-boot.imx. | |
| 14 | +The CSF itself is generated by the i.MX High Assurance Boot Reference | |
| 15 | +Code Signing Tool. | |
| 16 | +https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL | |
| 16 | 17 | |
| 17 | -The CSF itself is being generated by Freescale HAB tools. | |
| 18 | +More information about the CSF and HAB can be found in the AN4581. | |
| 19 | +https://www.nxp.com/docs/en/application-note/AN4581.pdf | |
| 18 | 20 | |
| 19 | -mkimage will output additional information about "HAB Blocks" | |
| 20 | -which can be used in the Freescale tooling to authenticate U-Boot | |
| 21 | -(entries in the CSF file). | |
| 21 | +We don't want to explain how to create a PKI tree or SRK table as | |
| 22 | +this is well explained in the Application Note. | |
| 22 | 23 | |
| 24 | +2. Secure Boot on non-SPL targets | |
| 25 | +--------------------------------- | |
| 26 | + | |
| 27 | +On non-SPL targets a singe U-Boot binary is generated, mkimage will | |
| 28 | +output additional information about "HAB Blocks" which can be used | |
| 29 | +in the CST to authenticate the U-Boot image (entries in the CSF file). | |
| 30 | + | |
| 23 | 31 | Image Type: Freescale IMX Boot Image |
| 24 | 32 | Image Ver: 2 (i.MX53/6 compatible) |
| 25 | 33 | Data Size: 327680 Bytes = 320.00 kB = 0.31 MB |
| 26 | 34 | |
| 27 | 35 | |
| 28 | 36 | |
| 29 | 37 | |
| 30 | 38 | |
| 31 | 39 | |
| 32 | 40 | |
| ... | ... | @@ -34,46 +42,35 @@ |
| 34 | 42 | | |
| 35 | 43 | --------------------------- (3) |
| 36 | 44 | |
| 37 | -(1) Size of area in file u-boot.imx to sign | |
| 45 | +(1) Size of area in file u-boot-dtb.imx to sign | |
| 38 | 46 | This area should include the IVT, the Boot Data the DCD |
| 39 | 47 | and U-Boot itself. |
| 40 | -(2) Start of area in u-boot.imx to sign | |
| 48 | +(2) Start of area in u-boot-dtb.imx to sign | |
| 41 | 49 | (3) Start of area in RAM to authenticate |
| 42 | 50 | |
| 43 | 51 | CONFIG_SECURE_BOOT currently enables only an additional command |
| 44 | 52 | 'hab_status' in U-Boot to retrieve the HAB status and events. This |
| 45 | 53 | can be useful while developing and testing HAB. |
| 46 | 54 | |
| 47 | -Commands to generate a signed U-Boot using Freescale HAB tools: | |
| 48 | -cst --o U-Boot_CSF.bin < U-Boot.CSF | |
| 49 | -objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ | |
| 50 | - U-Boot_CSF.bin U-Boot_CSF_pad.bin | |
| 51 | -cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx | |
| 55 | +Commands to generate a signed U-Boot using i.MX HAB CST tool: | |
| 56 | +# Compile CSF and create signature | |
| 57 | +cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
| 58 | +# Append compiled CSF to Binary | |
| 59 | +cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
| 52 | 60 | |
| 53 | -NOTE: U-Boot_CSF.bin needs to be padded to the value specified in | |
| 54 | -the imximage.cfg file. | |
| 61 | +3. Secure Boot on SPL targets | |
| 62 | +----------------------------- | |
| 55 | 63 | |
| 56 | - | |
| 57 | -2. Using Secure Boot on i.MX6 machines with SPL support | |
| 58 | -------------------------------------------------------- | |
| 59 | - | |
| 60 | 64 | This version of U-Boot is able to build a signable version of the SPL |
| 61 | 65 | as well as a signable version of the U-Boot image. The signature can |
| 62 | 66 | be verified through High Assurance Boot (HAB). |
| 63 | 67 | |
| 64 | -CONFIG_SECURE_BOOT is needed to build those two binaries. | |
| 65 | 68 | After building, you need to create a command sequence file and use |
| 66 | -Freescales Code Signing Tool to sign both binaries. After creation, | |
| 69 | +i.MX HAB Code Signing Tool to sign both binaries. After creation, | |
| 67 | 70 | the mkimage tool outputs the required information about the HAB Blocks |
| 68 | 71 | parameter for the CSF. During the build, the information is preserved |
| 69 | 72 | in log files named as the binaries. (SPL.log and u-boot-ivt.log). |
| 70 | 73 | |
| 71 | -More information about the CSF and HAB can be found in the AN4581. | |
| 72 | -https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf | |
| 73 | - | |
| 74 | -We don't want to explain how to create a PKI tree or SRK table as | |
| 75 | -this is well explained in the Application Note. | |
| 76 | - | |
| 77 | 74 | Example Output of the SPL (imximage) creation: |
| 78 | 75 | Image Type: Freescale IMX Boot Image |
| 79 | 76 | Image Ver: 2 (i.MX53/6/7 compatible) |
| 80 | 77 | |
| 81 | 78 | |
| 82 | 79 | |
| 83 | 80 | |
| ... | ... | @@ -92,23 +89,22 @@ |
| 92 | 89 | Entry Point: 00000000 |
| 93 | 90 | HAB Blocks: 0x177fffc0 0x0000 0x00054020 |
| 94 | 91 | |
| 95 | -The CST (Code Signing Tool) can be downloaded from NXP. | |
| 96 | 92 | # Compile CSF and create signature |
| 97 | -./cst --o csf-u-boot.bin < command_sequence_uboot.csf | |
| 98 | -./cst --o csf-SPL.bin < command_sequence_spl.csf | |
| 93 | +cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
| 94 | +cst --o csf-SPL.bin --i command_sequence_spl.csf | |
| 99 | 95 | # Append compiled CSF to Binary |
| 100 | 96 | cat SPL csf-SPL.bin > SPL-signed |
| 101 | 97 | cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img |
| 102 | 98 | |
| 103 | -These two signed binaries can be used on an i.MX6 in closed | |
| 99 | +These two signed binaries can be used on an i.MX in closed | |
| 104 | 100 | configuration when the according SRK Table Hash has been flashed. |
| 105 | 101 | |
| 106 | -3. Setup U-Boot Image for Encrypted Boot | |
| 107 | ------------------------------------------ | |
| 102 | +4. Setup U-Boot Image for Encrypted Boot | |
| 103 | +---------------------------------------- | |
| 108 | 104 | An authenticated U-Boot image is used as starting point for |
| 109 | -Encrypted Boot. The image is encrypted by Freescale's Code | |
| 110 | -Signing Tool (CST). The CST replaces only the image data of | |
| 111 | -u-boot.imx with the encrypted data. The Initial Vector Table, | |
| 105 | +Encrypted Boot. The image is encrypted by i.MX Code Signing | |
| 106 | +Tool (CST). The CST replaces only the image data of | |
| 107 | +u-boot-dtb.imx with the encrypted data. The Initial Vector Table, | |
| 112 | 108 | DCD, and Boot data, remains in plaintext. |
| 113 | 109 | |
| 114 | 110 | The image data is encrypted with a Encryption Key (DEK). |
| ... | ... | @@ -138,9 +134,7 @@ |
| 138 | 134 | to the host.Then the following commands are used to construct |
| 139 | 135 | the final image. |
| 140 | 136 | |
| 141 | -objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ | |
| 142 | - U-Boot_CSF.bin U-Boot_CSF_pad.bin | |
| 143 | -cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx | |
| 137 | +cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
| 144 | 138 | objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \ |
| 145 | 139 | u-boot-signed.imx u-boot-signed-pad.bin |
| 146 | 140 | cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx |