Commit b887f0a68e38d18ec93ff9a0b3d2e57597bf8e83

Authored by Breno Lima
Committed by Stefano Babic
1 parent f0d5bd4ba5

doc: mxc_hab: Move HAB related info to the appropriate doc

Currently the High Assurance Boot procedure is documented in two
places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>

Showing 2 changed files with 54 additions and 51 deletions

... ... @@ -112,53 +112,4 @@
112 112  
113 113 In order to load SPL and u-boot.img via imx_usb_loader tool,
114 114 please refer to doc/README.sdp.
115   -
116   -3. Using Secure Boot on i.MX6 machines with SPL support
117   --------------------------------------------------------
118   -
119   -This version of U-Boot is able to build a signable version of the SPL
120   -as well as a signable version of the U-Boot image. The signature can
121   -be verified through High Assurance Boot (HAB).
122   -
123   -CONFIG_SECURE_BOOT is needed to build those two binaries.
124   -After building, you need to create a command sequence file and use
125   -Freescales Code Signing Tool to sign both binaries. After creation,
126   -the mkimage tool outputs the required information about the HAB Blocks
127   -parameter for the CSF. During the build, the information is preserved
128   -in log files named as the binaries. (SPL.log and u-boot-ivt.log).
129   -
130   -More information about the CSF and HAB can be found in the AN4581.
131   -https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
132   -
133   -We don't want to explain how to create a PKI tree or SRK table as
134   -this is well explained in the Application Note.
135   -
136   -Example Output of the SPL (imximage) creation:
137   - Image Type: Freescale IMX Boot Image
138   - Image Ver: 2 (i.MX53/6/7 compatible)
139   - Mode: DCD
140   - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
141   - Load Address: 00907420
142   - Entry Point: 00908000
143   - HAB Blocks: 00907400 00000000 0000cc00
144   -
145   -Example Output of the u-boot-ivt.img (firmware_ivt) creation:
146   - Image Name: U-Boot 2016.11-rc1-31589-g2a4411
147   - Created: Sat Nov 5 21:53:28 2016
148   - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
149   - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
150   - Load Address: 17800000
151   - Entry Point: 00000000
152   - HAB Blocks: 0x177fffc0 0x0000 0x00054020
153   -
154   -The CST (Code Signing Tool) can be downloaded from NXP.
155   -# Compile CSF and create signature
156   -./cst --o csf-u-boot.bin < command_sequence_uboot.csf
157   -./cst --o csf-SPL.bin < command_sequence_spl.csf
158   -# Append compiled CSF to Binary
159   -cat SPL csf-SPL.bin > SPL-signed
160   -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
161   -
162   -These two signed binaries can be used on an i.MX6 in closed
163   -configuration when the according SRK Table Hash has been flashed.
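Review bot: once section 3 is removed, doc/README.imx6 no longer mentions secure boot at all, so a reader who starts from the i.MX6 README has no pointer to the signing procedure. Suggest leaving a one-line reference in its place, in the same style as the existing "please refer to doc/README.sdp." line, pointing at doc/README.mxc_hab.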
1   -High Assurance Boot (HAB) for i.MX6 CPUs
  1 +1. High Assurance Boot (HAB) for i.MX CPUs
  2 +------------------------------------------
2 3  
3 4 To enable the authenticated or encrypted boot mode of U-Boot, it is
4 5 required to set the proper configuration for the target board. This
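Review bot: the retitling on line 1 from "i.MX6 CPUs" to "i.MX CPUs" widens the stated scope of the document, which goes beyond the move described in the commit message. Either mention the retitling and the new section numbering in the commit message or split them into a separate patch. Note also that the section 2 heading added further down still reads "i.MX6 machines".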
... ... @@ -52,8 +53,58 @@
52 53 NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
53 54 the imximage.cfg file.
54 55  
55   -Setup U-Boot Image for Encrypted Boot
56   --------------------------------------
  56 +
  57 +2. Using Secure Boot on i.MX6 machines with SPL support
  58 +-------------------------------------------------------
  59 +
  60 +This version of U-Boot is able to build a signable version of the SPL
  61 +as well as a signable version of the U-Boot image. The signature can
  62 +be verified through High Assurance Boot (HAB).
  63 +
  64 +CONFIG_SECURE_BOOT is needed to build those two binaries.
  65 +After building, you need to create a command sequence file and use
  66 +Freescales Code Signing Tool to sign both binaries. After creation,
  67 +the mkimage tool outputs the required information about the HAB Blocks
  68 +parameter for the CSF. During the build, the information is preserved
  69 +in log files named as the binaries. (SPL.log and u-boot-ivt.log).
  70 +
  71 +More information about the CSF and HAB can be found in the AN4581.
  72 +https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
  73 +
  74 +We don't want to explain how to create a PKI tree or SRK table as
  75 +this is well explained in the Application Note.
  76 +
  77 +Example Output of the SPL (imximage) creation:
  78 + Image Type: Freescale IMX Boot Image
  79 + Image Ver: 2 (i.MX53/6/7 compatible)
  80 + Mode: DCD
  81 + Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
  82 + Load Address: 00907420
  83 + Entry Point: 00908000
  84 + HAB Blocks: 00907400 00000000 0000cc00
  85 +
  86 +Example Output of the u-boot-ivt.img (firmware_ivt) creation:
  87 + Image Name: U-Boot 2016.11-rc1-31589-g2a4411
  88 + Created: Sat Nov 5 21:53:28 2016
  89 + Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
  90 + Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
  91 + Load Address: 17800000
  92 + Entry Point: 00000000
  93 + HAB Blocks: 0x177fffc0 0x0000 0x00054020
  94 +
  95 +The CST (Code Signing Tool) can be downloaded from NXP.
  96 +# Compile CSF and create signature
  97 +./cst --o csf-u-boot.bin < command_sequence_uboot.csf
  98 +./cst --o csf-SPL.bin < command_sequence_spl.csf
  99 +# Append compiled CSF to Binary
  100 +cat SPL csf-SPL.bin > SPL-signed
  101 +cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
  102 +
  103 +These two signed binaries can be used on an i.MX6 in closed
  104 +configuration when the according SRK Table Hash has been flashed.
  105 +
  106 +3. Setup U-Boot Image for Encrypted Boot
  107 +-----------------------------------------
57 108 An authenticated U-Boot image is used as starting point for
58 109 Encrypted Boot. The image is encrypted by Freescale's Code
59 110 Signing Tool (CST). The CST replaces only the image data of
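Review bot: the moved paragraph at new line 66 carries over "Freescales Code Signing Tool", while the unchanged text at line 109 writes "Freescale's Code Signing Tool"; fix the apostrophe as part of the move so the file is consistent. New line 56 also adds a second blank line directly after the existing blank line 55, and the cst/cat commands at new lines 96-101 sit flush with the prose, so indenting them like the example output above them would make them easier to pick out.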