Commit b887f0a68e38d18ec93ff9a0b3d2e57597bf8e83
Committed by Stefano Babic
1 parent f0d5bd4ba5
Exists in smarc_8mq_lf_v2020.04 and in 17 other branches
doc: mxc_hab: Move HAB related info to the appropriate doc
Currently the High Assurance Boot procedure is documented in two places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into README.mxc_hab
file, so move the content from README.imx6 to README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Showing 2 changed files with 54 additions and 51 deletions
doc/README.imx6
... | ... | @@ -112,53 +112,4 @@ |
112 | 112 | |
113 | 113 | In order to load SPL and u-boot.img via imx_usb_loader tool, |
114 | 114 | please refer to doc/README.sdp. |
115 | - | |
116 | -3. Using Secure Boot on i.MX6 machines with SPL support | |
117 | -------------------------------------------------------- | |
118 | - | |
119 | -This version of U-Boot is able to build a signable version of the SPL | |
120 | -as well as a signable version of the U-Boot image. The signature can | |
121 | -be verified through High Assurance Boot (HAB). | |
122 | - | |
123 | -CONFIG_SECURE_BOOT is needed to build those two binaries. | |
124 | -After building, you need to create a command sequence file and use | |
125 | -Freescales Code Signing Tool to sign both binaries. After creation, | |
126 | -the mkimage tool outputs the required information about the HAB Blocks | |
127 | -parameter for the CSF. During the build, the information is preserved | |
128 | -in log files named as the binaries. (SPL.log and u-boot-ivt.log). | |
129 | - | |
130 | -More information about the CSF and HAB can be found in the AN4581. | |
131 | -https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf | |
132 | - | |
133 | -We don't want to explain how to create a PKI tree or SRK table as | |
134 | -this is well explained in the Application Note. | |
135 | - | |
136 | -Example Output of the SPL (imximage) creation: | |
137 | - Image Type: Freescale IMX Boot Image | |
138 | - Image Ver: 2 (i.MX53/6/7 compatible) | |
139 | - Mode: DCD | |
140 | - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB | |
141 | - Load Address: 00907420 | |
142 | - Entry Point: 00908000 | |
143 | - HAB Blocks: 00907400 00000000 0000cc00 | |
144 | - | |
145 | -Example Output of the u-boot-ivt.img (firmware_ivt) creation: | |
146 | - Image Name: U-Boot 2016.11-rc1-31589-g2a4411 | |
147 | - Created: Sat Nov 5 21:53:28 2016 | |
148 | - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) | |
149 | - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB | |
150 | - Load Address: 17800000 | |
151 | - Entry Point: 00000000 | |
152 | - HAB Blocks: 0x177fffc0 0x0000 0x00054020 | |
153 | - | |
154 | -The CST (Code Signing Tool) can be downloaded from NXP. | |
155 | -# Compile CSF and create signature | |
156 | -./cst --o csf-u-boot.bin < command_sequence_uboot.csf | |
157 | -./cst --o csf-SPL.bin < command_sequence_spl.csf | |
158 | -# Append compiled CSF to Binary | |
159 | -cat SPL csf-SPL.bin > SPL-signed | |
160 | -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img | |
161 | - | |
162 | -These two signed binaries can be used on an i.MX6 in closed | |
163 | -configuration when the according SRK Table Hash has been flashed. |
doc/README.mxc_hab
1 | -High Assurance Boot (HAB) for i.MX6 CPUs | |
1 | +1. High Assurance Boot (HAB) for i.MX CPUs | |
2 | +------------------------------------------ | |
2 | 3 | |
3 | 4 | To enable the authenticated or encrypted boot mode of U-Boot, it is |
4 | 5 | required to set the proper configuration for the target board. This |
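Review bot: the title at new line 1 changes from "i.MX6 CPUs" to "i.MX CPUs", which widens the stated scope of the document, while the commit message only describes moving content between files. Either mention the retitle in the commit message or split it out, and confirm that the configuration text that follows really applies beyond i.MX6. The section moved in at new line 57 still says "i.MX6 machines", so the two headings now disagree about which parts are covered.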
... | ... | @@ -52,8 +53,58 @@ |
52 | 53 | NOTE: U-Boot_CSF.bin needs to be padded to the value specified in |
53 | 54 | the imximage.cfg file. |
54 | 55 | |
55 | -Setup U-Boot Image for Encrypted Boot | |
56 | -------------------------------------- | |
56 | + | |
57 | +2. Using Secure Boot on i.MX6 machines with SPL support | |
58 | +------------------------------------------------------- | |
59 | + | |
60 | +This version of U-Boot is able to build a signable version of the SPL | |
61 | +as well as a signable version of the U-Boot image. The signature can | |
62 | +be verified through High Assurance Boot (HAB). | |
63 | + | |
64 | +CONFIG_SECURE_BOOT is needed to build those two binaries. | |
65 | +After building, you need to create a command sequence file and use | |
66 | +Freescales Code Signing Tool to sign both binaries. After creation, | |
67 | +the mkimage tool outputs the required information about the HAB Blocks | |
68 | +parameter for the CSF. During the build, the information is preserved | |
69 | +in log files named as the binaries. (SPL.log and u-boot-ivt.log). | |
70 | + | |
71 | +More information about the CSF and HAB can be found in the AN4581. | |
72 | +https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf | |
73 | + | |
74 | +We don't want to explain how to create a PKI tree or SRK table as | |
75 | +this is well explained in the Application Note. | |
76 | + | |
77 | +Example Output of the SPL (imximage) creation: | |
78 | + Image Type: Freescale IMX Boot Image | |
79 | + Image Ver: 2 (i.MX53/6/7 compatible) | |
80 | + Mode: DCD | |
81 | + Data Size: 61440 Bytes = 60.00 kB = 0.06 MB | |
82 | + Load Address: 00907420 | |
83 | + Entry Point: 00908000 | |
84 | + HAB Blocks: 00907400 00000000 0000cc00 | |
85 | + | |
86 | +Example Output of the u-boot-ivt.img (firmware_ivt) creation: | |
87 | + Image Name: U-Boot 2016.11-rc1-31589-g2a4411 | |
88 | + Created: Sat Nov 5 21:53:28 2016 | |
89 | + Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) | |
90 | + Data Size: 352192 Bytes = 343.94 kB = 0.34 MB | |
91 | + Load Address: 17800000 | |
92 | + Entry Point: 00000000 | |
93 | + HAB Blocks: 0x177fffc0 0x0000 0x00054020 | |
94 | + | |
95 | +The CST (Code Signing Tool) can be downloaded from NXP. | |
96 | +# Compile CSF and create signature | |
97 | +./cst --o csf-u-boot.bin < command_sequence_uboot.csf | |
98 | +./cst --o csf-SPL.bin < command_sequence_spl.csf | |
99 | +# Append compiled CSF to Binary | |
100 | +cat SPL csf-SPL.bin > SPL-signed | |
101 | +cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img | |
102 | + | |
103 | +These two signed binaries can be used on an i.MX6 in closed | |
104 | +configuration when the according SRK Table Hash has been flashed. | |
105 | + | |
106 | +3. Setup U-Boot Image for Encrypted Boot | |
107 | +----------------------------------------- | |
57 | 108 | An authenticated U-Boot image is used as starting point for |
58 | 109 | Encrypted Boot. The image is encrypted by Freescale's Code |
59 | 110 | Signing Tool (CST). The CST replaces only the image data of |
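Review bot: the commands at new lines 96-101 sit flush-left directly under the sentence "The CST (Code Signing Tool) can be downloaded from NXP." with no blank line or indentation, so the "#" comment lines and the ./cst and cat invocations read as running prose. Since the text is being touched anyway, separate the command block with a blank line and indent it the way the example mkimage output at new lines 78-84 and 87-93 is indented. Two smaller points in the same hunk: new line 66 carries over the typo "Freescales Code Signing Tool", while context line 109 spells it "Freescale's", and the section 3 heading at new lines 106-107 has no blank line before its first paragraph, unlike sections 1 and 2.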