Commit bf8dbd0c103635b43bb19202c4f99be4ae8b9e91

Authored by Breno Lima
Committed by Ye Li
1 parent b3fd045c1d

MLK-20935-4 doc: imx: ahab: Fix typo in mx8_mx8x_secure_boot.txt guide

Fix a typo in path provided for imx-mkimage iMX8QM and iMX8QXP directories.

Reported-by: Marius Grigoras <marius.grigoras@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit c75243c1a87a10f003377d9c144bcf412ba80440)

Showing 1 changed file with 2 additions and 2 deletions

doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
1 +=========================================================+ 1 +=========================================================+
2 + i.MX 8, i.MX 8X Secure Boot guide using AHAB + 2 + i.MX 8, i.MX 8X Secure Boot guide using AHAB +
3 +=========================================================+ 3 +=========================================================+
4 4
5 1. AHAB secure boot process 5 1. AHAB secure boot process
6 ---------------------------- 6 ----------------------------
7 7
8 This document describes a step-by-step procedure on how to sign and 8 This document describes a step-by-step procedure on how to sign and
9 securely boot a flash.bin image. It is assumed that the reader is 9 securely boot a flash.bin image. It is assumed that the reader is
10 familiar with basic AHAB concepts and with the PKI tree generation. 10 familiar with basic AHAB concepts and with the PKI tree generation.
11 11
12 It is also assumed that the reader is familiar with all pieces of 12 It is also assumed that the reader is familiar with all pieces of
13 software needed. The procedure to built SCFW, ATF and download the 13 software needed. The procedure to built SCFW, ATF and download the
14 firmwares are out of scope of this document, please refer to the Linux 14 firmwares are out of scope of this document, please refer to the Linux
15 BSP Release Notes and AN12212[1] for further details. 15 BSP Release Notes and AN12212[1] for further details.
16 16
17 Details about AHAB can be found in the introduction_ahab.txt document 17 Details about AHAB can be found in the introduction_ahab.txt document
18 and in processors Security Reference Manual Document (SRM). 18 and in processors Security Reference Manual Document (SRM).
19 19
20 1.1 Preparing the environment to build a secure boot image 20 1.1 Preparing the environment to build a secure boot image
21 ----------------------------------------------------------- 21 -----------------------------------------------------------
22 22
23 Before continuing, be sure to have already downloaded and built the 23 Before continuing, be sure to have already downloaded and built the
24 following: 24 following:
25 25
26 - imx-mkimage downloaded and built with i.MX 8 container support. 26 - imx-mkimage downloaded and built with i.MX 8 container support.
27 - SECO firmware downloaded. 27 - SECO firmware downloaded.
28 - U-Boot downloaded and built. Please check section 1.2. 28 - U-Boot downloaded and built. Please check section 1.2.
29 - ARM Trusted Firmware (ATF) downloaded and built for your target. 29 - ARM Trusted Firmware (ATF) downloaded and built for your target.
30 - System Controller Firmware (SCFW). 30 - System Controller Firmware (SCFW).
31 - Kernel image. 31 - Kernel image.
32 32
33 You should also have downloaded the Code Signing Tool, available on NXP 33 You should also have downloaded the Code Signing Tool, available on NXP
34 website. 34 website.
35 35
36 In the following sections, <work> designates the repository where all 36 In the following sections, <work> designates the repository where all
37 parts have been downloaded and built. 37 parts have been downloaded and built.
38 38
39 1.2 Preparing U-Boot to support AHAB secure boot features 39 1.2 Preparing U-Boot to support AHAB secure boot features
40 ---------------------------------------------------------- 40 ----------------------------------------------------------
41 41
42 The U-Boot provides extra functions for AHAB, such as the ability to 42 The U-Boot provides extra functions for AHAB, such as the ability to
43 authenticate additional container images by calling the SCU API 43 authenticate additional container images by calling the SCU API
44 sc_misc_seco_authenticate() function. 44 sc_misc_seco_authenticate() function.
45 45
46 The support is enabled by adding CONFIG_AHAB_BOOT to the defconfig file used 46 The support is enabled by adding CONFIG_AHAB_BOOT to the defconfig file used
47 for your target: 47 for your target:
48 48
49 - Defconfig: 49 - Defconfig:
50 CONFIG_AHAB_BOOT=y 50 CONFIG_AHAB_BOOT=y
51 - Kconfig: 51 - Kconfig:
52 ARM architecture -> Support i.MX 8 AHAB features 52 ARM architecture -> Support i.MX 8 AHAB features
53 53
54 1.3 Building an image supporting secure boot 54 1.3 Building an image supporting secure boot
55 --------------------------------------------- 55 ---------------------------------------------
56 56
57 The boot image is composed of different layers: 57 The boot image is composed of different layers:
58 58
59 +---------------------------+ <-- *start 59 +---------------------------+ <-- *start
60 | 1st Container header | 60 | 1st Container header |
61 | and signature | 61 | and signature |
62 +---------------------------+ 62 +---------------------------+
63 | Padding for 1kB alignment | 63 | Padding for 1kB alignment |
64 +---------------------------+ <-- *start + 0x400 64 +---------------------------+ <-- *start + 0x400
65 | 2nd Container header | 65 | 2nd Container header |
66 | and signature | 66 | and signature |
67 +---------------------------+ 67 +---------------------------+
68 | Padding | 68 | Padding |
69 +---------------------------+ 69 +---------------------------+
70 | SECO FW | 70 | SECO FW |
71 +---------------------------+ 71 +---------------------------+
72 | Padding | 72 | Padding |
73 +---------------------------+ 73 +---------------------------+
74 | SCU FW with DDR | 74 | SCU FW with DDR |
75 | initialization Image | 75 | initialization Image |
76 | embedded | 76 | embedded |
77 +---------------------------+ 77 +---------------------------+
78 | Cortex-M4 Image | 78 | Cortex-M4 Image |
79 +---------------------------+ 79 +---------------------------+
80 | Cortex-A bootloader | 80 | Cortex-A bootloader |
81 +---------------------------+ 81 +---------------------------+
82 82
83 It contains two containers, one for the SECO firmware (AHAB), and one for 83 It contains two containers, one for the SECO firmware (AHAB), and one for
84 the SCFW, the ATF, U-Boot and M4 Image. They are preceded by their headers. 84 the SCFW, the ATF, U-Boot and M4 Image. They are preceded by their headers.
85 The first one, containing the SECO firmware image, is padded to 0x1000 to 85 The first one, containing the SECO firmware image, is padded to 0x1000 to
86 fix the start address of the second one, which can contain one or multiple 86 fix the start address of the second one, which can contain one or multiple
87 images. 87 images.
88 88
89 If you are familiar with secure boot process with HABv4, you will notice 89 If you are familiar with secure boot process with HABv4, you will notice
90 there is no need for CSF in this architecture. The CST is responsible to 90 there is no need for CSF in this architecture. The CST is responsible to
91 handle the Signature block: 91 handle the Signature block:
92 92
93 +----------------------------+ ^ 93 +----------------------------+ ^
94 | | | 94 | | |
95 | | | 95 | | |
96 | Container header | | 96 | Container header | |
97 | | | 97 | | |
98 | | | 98 | | |
99 +---+------------------------+ | 99 +---+------------------------+ |
100 | S | Signature block header | | Signed 100 | S | Signature block header | | Signed
101 | i +------------------------+ | 101 | i +------------------------+ |
102 | g | | | 102 | g | | |
103 | n | | | 103 | n | | |
104 | a | SRK table | | 104 | a | SRK table | |
105 | t | | | 105 | t | | |
106 | u | | | 106 | u | | |
107 | r +------------------------+ v 107 | r +------------------------+ v
108 | e | Signature | 108 | e | Signature |
109 | +------------------------+ 109 | +------------------------+
110 | b | | 110 | b | |
111 | l | SGK Key | 111 | l | SGK Key |
112 | o | Certificate (optional) | 112 | o | Certificate (optional) |
113 | c | | 113 | c | |
114 | k | | 114 | k | |
115 +---+------------------------+ 115 +---+------------------------+
116 116
117 The certificate block is divided into: 117 The certificate block is divided into:
118 118
119 +---------------+ ^ 119 +---------------+ ^
120 | Public key | | Signed 120 | Public key | | Signed
121 | Permission | | 121 | Permission | |
122 +---------------+ v 122 +---------------+ v
123 | Signature | 123 | Signature |
124 +---------------+ 124 +---------------+
125 125
126 The first block (public key permission) verify the Signature block 126 The first block (public key permission) verify the Signature block
127 preceding (between SRK table and Certificate blocks), while the second 127 preceding (between SRK table and Certificate blocks), while the second
128 block (signature) is verified by the SRK table block. 128 block (signature) is verified by the SRK table block.
129 129
130 1.4 Prepare the boot image layout 130 1.4 Prepare the boot image layout
131 ---------------------------------- 131 ----------------------------------
132 132
133 To generate the flash.bin file: 133 To generate the flash.bin file:
134 134
135 - On i.MX 8 QXP: 135 - On i.MX 8 QXP:
136 136
137 $ cd <work>/imx-mkimage 137 $ cd <work>/imx-mkimage
138 $ make SOC=iMX8QX flash 138 $ make SOC=iMX8QX flash
139 139
140 - On i.MX 8 QM: 140 - On i.MX 8 QM:
141 141
142 $ cd <work>/imx-mkimage 142 $ cd <work>/imx-mkimage
143 $ make SOC=iMX8QM flash 143 $ make SOC=iMX8QM flash
144 144
145 If the command ends successfully, the end of the result should look 145 If the command ends successfully, the end of the result should look
146 like: 146 like:
147 147
148 CST: CONTAINER 0 offset: 0x400 148 CST: CONTAINER 0 offset: 0x400
149 CST: CONTAINER 0: Signature Block: offset is at 0x590 149 CST: CONTAINER 0: Signature Block: offset is at 0x590
150 DONE. 150 DONE.
151 Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET 151 Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
152 152
153 Keep in mind the offsets above to be used with CST/CSF. 153 Keep in mind the offsets above to be used with CST/CSF.
154 154
155 Please note that on this example we not including an Cortex-M4 Image, on 155 Please note that on this example we not including an Cortex-M4 Image, on
156 i.MX8/8x MEK boards the SCU console may be replaced by the M4 console not 156 i.MX8/8x MEK boards the SCU console may be replaced by the M4 console not
157 being possible to run the steps documented in section "1.5.5 Verify SECO 157 being possible to run the steps documented in section "1.5.5 Verify SECO
158 events". 158 events".
159 159
160 1.5 Secure boot setup with the CST 160 1.5 Secure boot setup with the CST
161 ----------------------------------- 161 -----------------------------------
162 162
163 1.5.1 Creating the CSF description file for the second container 163 1.5.1 Creating the CSF description file for the second container
164 ----------------------------------------------------------------- 164 -----------------------------------------------------------------
165 165
166 The CSF contains all the commands that the AHAB executes during the secure 166 The CSF contains all the commands that the AHAB executes during the secure
167 boot. These commands instruct the AHAB on which memory areas of the image 167 boot. These commands instruct the AHAB on which memory areas of the image
168 to authenticate, which keys to install, use and etc. 168 to authenticate, which keys to install, use and etc.
169 169
170 CSF examples are available under doc/imx/ahab/csf_examples/ 170 CSF examples are available under doc/imx/ahab/csf_examples/
171 directory. 171 directory.
172 172
173 This csf_boot_image.txt file example should be updated with the offset values 173 This csf_boot_image.txt file example should be updated with the offset values
174 of the 1.4 section and the path to your flash.bin file. It is the last part 174 of the 1.4 section and the path to your flash.bin file. It is the last part
175 of the file: 175 of the file:
176 176
177 [Authenticate Data] 177 [Authenticate Data]
178 # Binary to be signed generated by mkimage 178 # Binary to be signed generated by mkimage
179 File = "flash.bin" 179 File = "flash.bin"
180 # Offsets = Container header Signature block (printed out by mkimage) 180 # Offsets = Container header Signature block (printed out by mkimage)
181 Offsets = 0x400 0x590 181 Offsets = 0x400 0x590
182 182
183 1.5.2 Signing the boot image 183 1.5.2 Signing the boot image
184 ----------------------------- 184 -----------------------------
185 185
186 Now you use the CST to generate the signed boot image from the previously 186 Now you use the CST to generate the signed boot image from the previously
187 created csf_boot_image.txt Commands Sequence File: 187 created csf_boot_image.txt Commands Sequence File:
188 188
189 $ cd <work> 189 $ cd <work>
190 $ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin 190 $ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin
191 191
192 1.5.3 Flash the signed image 192 1.5.3 Flash the signed image
193 ----------------------------- 193 -----------------------------
194 194
195 Write the signed U-Boot image: 195 Write the signed U-Boot image:
196 196
197 $ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync 197 $ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync
198 198
199 Then insert the SD Card into the board and plug your device to your computer 199 Then insert the SD Card into the board and plug your device to your computer
200 with an USB serial cable. 200 with an USB serial cable.
201 201
202 1.5.4 Programming SRK Hash 202 1.5.4 Programming SRK Hash
203 --------------------------- 203 ---------------------------
204 204
205 As explained in introduction_ahab.txt document the SRK Hash fuse values are 205 As explained in introduction_ahab.txt document the SRK Hash fuse values are
206 generated by the srktool and should be programmed in the SoC SRK_HASH[511:0] 206 generated by the srktool and should be programmed in the SoC SRK_HASH[511:0]
207 fuses. 207 fuses.
208 208
209 Be careful when programming these values, as this data is the basis for the 209 Be careful when programming these values, as this data is the basis for the
210 root of trust. An error in SRK Hash results in a part that does not boot. 210 root of trust. An error in SRK Hash results in a part that does not boot.
211 211
212 The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs. 212 The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs.
213 213
214 - Dump SRK Hash fuses values in host machine: 214 - Dump SRK Hash fuses values in host machine:
215 215
216 $ od -t x4 SRK_1_2_3_4_fuse.bin 216 $ od -t x4 SRK_1_2_3_4_fuse.bin
217 0000000 d436cc46 8ecccda9 b89e1601 5fada3db 217 0000000 d436cc46 8ecccda9 b89e1601 5fada3db
218 0000020 d454114a b6cd51f4 77384870 c50ee4b2 218 0000020 d454114a b6cd51f4 77384870 c50ee4b2
219 0000040 a27e5132 eba887cf 592c1e2b bb501799 219 0000040 a27e5132 eba887cf 592c1e2b bb501799
220 0000060 ee702e07 cf8ce73e fb55e2d5 eba6bbd2 220 0000060 ee702e07 cf8ce73e fb55e2d5 eba6bbd2
221 221
222 - Program SRK_HASH[511:0] fuses: 222 - Program SRK_HASH[511:0] fuses:
223 223
224 * On i.MX 8 QXP: 224 * On i.MX 8 QXP:
225 225
226 => fuse prog 0 730 0xd436cc46 226 => fuse prog 0 730 0xd436cc46
227 => fuse prog 0 731 0x8ecccda9 227 => fuse prog 0 731 0x8ecccda9
228 => fuse prog 0 732 0xb89e1601 228 => fuse prog 0 732 0xb89e1601
229 => fuse prog 0 733 0x5fada3db 229 => fuse prog 0 733 0x5fada3db
230 => fuse prog 0 734 0xd454114a 230 => fuse prog 0 734 0xd454114a
231 => fuse prog 0 735 0xb6cd51f4 231 => fuse prog 0 735 0xb6cd51f4
232 => fuse prog 0 736 0x77384870 232 => fuse prog 0 736 0x77384870
233 => fuse prog 0 737 0xc50ee4b2 233 => fuse prog 0 737 0xc50ee4b2
234 => fuse prog 0 738 0xa27e5132 234 => fuse prog 0 738 0xa27e5132
235 => fuse prog 0 739 0xeba887cf 235 => fuse prog 0 739 0xeba887cf
236 => fuse prog 0 740 0x592c1e2b 236 => fuse prog 0 740 0x592c1e2b
237 => fuse prog 0 741 0xbb501799 237 => fuse prog 0 741 0xbb501799
238 => fuse prog 0 742 0xee702e07 238 => fuse prog 0 742 0xee702e07
239 => fuse prog 0 743 0xcf8ce73e 239 => fuse prog 0 743 0xcf8ce73e
240 => fuse prog 0 744 0xfb55e2d5 240 => fuse prog 0 744 0xfb55e2d5
241 => fuse prog 0 745 0xeba6bbd2 241 => fuse prog 0 745 0xeba6bbd2
242 242
243 * On i.MX 8 QM: 243 * On i.MX 8 QM:
244 244
245 => fuse prog 0 722 0xd436cc46 245 => fuse prog 0 722 0xd436cc46
246 => fuse prog 0 723 0x8ecccda9 246 => fuse prog 0 723 0x8ecccda9
247 => fuse prog 0 724 0xb89e1601 247 => fuse prog 0 724 0xb89e1601
248 => fuse prog 0 725 0x5fada3db 248 => fuse prog 0 725 0x5fada3db
249 => fuse prog 0 726 0xd454114a 249 => fuse prog 0 726 0xd454114a
250 => fuse prog 0 727 0xb6cd51f4 250 => fuse prog 0 727 0xb6cd51f4
251 => fuse prog 0 728 0x77384870 251 => fuse prog 0 728 0x77384870
252 => fuse prog 0 729 0xc50ee4b2 252 => fuse prog 0 729 0xc50ee4b2
253 => fuse prog 0 730 0xa27e5132 253 => fuse prog 0 730 0xa27e5132
254 => fuse prog 0 731 0xeba887cf 254 => fuse prog 0 731 0xeba887cf
255 => fuse prog 0 732 0x592c1e2b 255 => fuse prog 0 732 0x592c1e2b
256 => fuse prog 0 733 0xbb501799 256 => fuse prog 0 733 0xbb501799
257 => fuse prog 0 734 0xee702e07 257 => fuse prog 0 734 0xee702e07
258 => fuse prog 0 735 0xcf8ce73e 258 => fuse prog 0 735 0xcf8ce73e
259 => fuse prog 0 736 0xfb55e2d5 259 => fuse prog 0 736 0xfb55e2d5
260 => fuse prog 0 737 0xeba6bbd2 260 => fuse prog 0 737 0xeba6bbd2
261 261
262 1.5.5 Verify SECO events 262 1.5.5 Verify SECO events
263 ------------------------- 263 -------------------------
264 264
265 If the fuses have been written properly, there should be no SECO events after 265 If the fuses have been written properly, there should be no SECO events after
266 boot. To validate this, power on the board, and run ahab_status command on 266 boot. To validate this, power on the board, and run ahab_status command on
267 U-Boot terminal. 267 U-Boot terminal.
268 268
269 No events should be returned after this command: 269 No events should be returned after this command:
270 270
271 => ahab_status 271 => ahab_status
272 Lifecycle: 0x0020, NXP closed 272 Lifecycle: 0x0020, NXP closed
273 273
274 No SECO Events Found! 274 No SECO Events Found!
275 275
276 U-Boot will decode the SECO events and provide more details on the failure, 276 U-Boot will decode the SECO events and provide more details on the failure,
277 for example in case container image was signed with wrong keys and are not 277 for example in case container image was signed with wrong keys and are not
278 matching the OTP SRK hashes: 278 matching the OTP SRK hashes:
279 279
280 => ahab_status 280 => ahab_status
281 Lifecycle: 0x0020, NXP closed 281 Lifecycle: 0x0020, NXP closed
282 282
283 SECO Event[0] = 0x0087EE00 283 SECO Event[0] = 0x0087EE00
284 CMD = AHAB_AUTH_CONTAINER_REQ (0x87) 284 CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
285 IND = AHAB_NO_AUTHENTICATION_IND (0xEE) 285 IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
286 286
287 Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may 287 Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may
288 also be displayed. 288 also be displayed.
289 289
290 1.5.6 Close the device 290 1.5.6 Close the device
291 ----------------------- 291 -----------------------
292 292
293 After the device successfully boots a signed image without generating any 293 After the device successfully boots a signed image without generating any
294 SECO security events, it is safe to close the device. The SECO lifecycle 294 SECO security events, it is safe to close the device. The SECO lifecycle
295 should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this 295 should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this
296 step can damage your board if a previous step failed. It is also 296 step can damage your board if a previous step failed. It is also
297 irreversible. Run on the U-Boot terminal: 297 irreversible. Run on the U-Boot terminal:
298 298
299 => ahab_close 299 => ahab_close
300 300
301 Now reboot the target, and run: 301 Now reboot the target, and run:
302 302
303 => ahab_status 303 => ahab_status
304 304
305 The lifecycle value should now be 0x80 OEM closed. 305 The lifecycle value should now be 0x80 OEM closed.
306 306
307 2. Authenticating the OS container 307 2. Authenticating the OS container
308 ----------------------------------- 308 -----------------------------------
309 309
310 Note that the following section is not mandatory. If you do not plan to 310 Note that the following section is not mandatory. If you do not plan to
311 authenticate the kernel image, you can disable this behavior by setting 311 authenticate the kernel image, you can disable this behavior by setting
312 sec_boot=no in U-Boot environment variable. 312 sec_boot=no in U-Boot environment variable.
313 313
314 Note, you can also authenticate the OS image by running a U-Boot command: 314 Note, you can also authenticate the OS image by running a U-Boot command:
315 315
316 => auth_cntr <Container address> 316 => auth_cntr <Container address>
317 317
318 2.1 Prepare the OS container image 318 2.1 Prepare the OS container image
319 ----------------------------------- 319 -----------------------------------
320 320
321 You need to generate the OS container image. First, copy the binary previously 321 You need to generate the OS container image. First, copy the binary previously
322 generated to the <work> directory to save it for later: 322 generated to the <work> directory to save it for later:
323 323
324 - On i.MX 8 QXP 324 - On i.MX 8 QXP
325 325
326 $ cd <work>/imx-mkimage 326 $ cd <work>/imx-mkimage
327 $ cp iMX8QX/flash.bin .. 327 $ cp iMX8QX/flash.bin ..
328 $ make SOC=iMX8QX flash_linux 328 $ make SOC=iMX8QX flash_linux
329 $ mv i.MX8QX/flash.bin iMX8QX/flash_os.bin 329 $ mv iMX8QX/flash.bin iMX8QX/flash_os.bin
330 $ cp iMX8QX/flash_os.bin .. 330 $ cp iMX8QX/flash_os.bin ..
331 331
332 - On i.MX 8 QM 332 - On i.MX 8 QM
333 333
334 $ cd <work>/imx-mkimage 334 $ cd <work>/imx-mkimage
335 $ cp iMX8QM/flash.bin .. 335 $ cp iMX8QM/flash.bin ..
336 $ make SOC=iMX8QM flash_linux 336 $ make SOC=iMX8QM flash_linux
337 $ mv i.MX8QM/flash.bin iMX8QM/flash_os.bin 337 $ mv iMX8QM/flash.bin iMX8QM/flash_os.bin
338 $ cp iMX8QM/flash_os.bin .. 338 $ cp iMX8QM/flash_os.bin ..
339 339
340 If the make command ends successfully, the end of the result should look 340 If the make command ends successfully, the end of the result should look
341 like: 341 like:
342 342
343 CST: CONTAINER 0 offset: 0x0 343 CST: CONTAINER 0 offset: 0x0
344 CST: CONTAINER 0: Signature Block: offset is at 0x110 344 CST: CONTAINER 0: Signature Block: offset is at 0x110
345 DONE. 345 DONE.
346 Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET 346 Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
347 347
348 Keep in mind the offsets above to be used with CST/CSF 348 Keep in mind the offsets above to be used with CST/CSF
349 349
350 2.2 Creating the CSF description file for OS container image 350 2.2 Creating the CSF description file for OS container image
351 ------------------------------------------------------------- 351 -------------------------------------------------------------
352 352
353 CSF examples are available under doc/imx/ahab/csf_examples/ 353 CSF examples are available under doc/imx/ahab/csf_examples/
354 directory. 354 directory.
355 355
356 This csf_linux_img.txt file example should be updated with the offset values 356 This csf_linux_img.txt file example should be updated with the offset values
357 of the 2.1 chapter and the path to your flash_os.bin file. It it the last 357 of the 2.1 chapter and the path to your flash_os.bin file. It it the last
358 part of the file: 358 part of the file:
359 359
360 [Authenticate Data] 360 [Authenticate Data]
361 # Binary to be signed generated by mkimage 361 # Binary to be signed generated by mkimage
362 File = "flash_os.bin" 362 File = "flash_os.bin"
363 # Offsets = Container header Signature block (printed out by mkimage) 363 # Offsets = Container header Signature block (printed out by mkimage)
364 Offsets = 0x0 0x110 364 Offsets = 0x0 0x110
365 365
366 2.3 Authenticating container image 366 2.3 Authenticating container image
367 ----------------------------------- 367 -----------------------------------
368 368
369 Now you use the CST to signed the OS image using the previously 369 Now you use the CST to signed the OS image using the previously
370 created csf_linux_img.txt Commands Sequence File: 370 created csf_linux_img.txt Commands Sequence File:
371 371
372 $ cd <work> 372 $ cd <work>
373 $ ./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin 373 $ ./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin
374 374
375 2.4 Copy OS container 375 2.4 Copy OS container
376 ---------------------- 376 ----------------------
377 377
378 Mount the SD Card: 378 Mount the SD Card:
379 379
380 $ sudo mount /dev/sdX1 partition 380 $ sudo mount /dev/sdX1 partition
381 381
382 Copy the OS signed image on the SD Card: 382 Copy the OS signed image on the SD Card:
383 383
384 - For i.MX 8 QXP 384 - For i.MX 8 QXP
385 385
386 $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx 386 $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx
387 387
388 - For i.MX 8 QM 388 - For i.MX 8 QM
389 389
390 $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qm 390 $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qm
391 391
392 Finally: 392 Finally:
393 393
394 $ sudo umount partition 394 $ sudo umount partition
395 395
396 References: 396 References:
397 [1] AN12212: "Software Solutions for Migration Guide from Aarch32 to 397 [1] AN12212: "Software Solutions for Migration Guide from Aarch32 to
398 Aarch64" - Rev 0." 398 Aarch64" - Rev 0."
399 399
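Review bot: section 2.4 (file lines 380 to 394) still mixes two mount locations, which is the same kind of copy-paste path error this patch fixes at lines 329 and 337. The card is mounted with `sudo mount /dev/sdX1 partition` and unmounted with `sudo umount partition`, but the copy in between targets `/media/UserID/Boot\ imx8qx` (or `imx8qm`), so a reader following the steps literally may not place os_cntr_signed.bin on the partition that was just mounted. Suggest making the `cp` destination the `partition` mount point, or stating that the `/media/UserID/...` path is an auto-mount location and dropping the manual mount. The corrected `mv` sources now agree with the `cp iMX8QX/flash.bin ..` and `cp iMX8QM/flash.bin ..` lines directly above them, so no further path changes are needed in section 2.1. Remaining wording slips in the guide ("The procedure to built SCFW" at line 13, "It it the last part" at line 357, "use the CST to signed the OS image" at line 369) could be folded into the same documentation pass.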