Commit bf8dbd0c103635b43bb19202c4f99be4ae8b9e91
Committed by
Ye Li
1 parent
b3fd045c1d
Exists in
smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga
and in
4 other branches
MLK-20935-4 doc: imx: ahab: Fix typo in mx8_mx8x_secure_boot.txt guide
Fix a typo in path provided for imx-mkimage iMX8QM and iMX8QXP directories. Reported-by: Marius Grigoras <marius.grigoras@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit c75243c1a87a10f003377d9c144bcf412ba80440)
Showing 1 changed file with 2 additions and 2 deletions Inline Diff
doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
1 | +=========================================================+ | 1 | +=========================================================+ |
2 | + i.MX 8, i.MX 8X Secure Boot guide using AHAB + | 2 | + i.MX 8, i.MX 8X Secure Boot guide using AHAB + |
3 | +=========================================================+ | 3 | +=========================================================+ |
4 | 4 | ||
5 | 1. AHAB secure boot process | 5 | 1. AHAB secure boot process |
6 | ---------------------------- | 6 | ---------------------------- |
7 | 7 | ||
8 | This document describes a step-by-step procedure on how to sign and | 8 | This document describes a step-by-step procedure on how to sign and |
9 | securely boot a flash.bin image. It is assumed that the reader is | 9 | securely boot a flash.bin image. It is assumed that the reader is |
10 | familiar with basic AHAB concepts and with the PKI tree generation. | 10 | familiar with basic AHAB concepts and with the PKI tree generation. |
11 | 11 | ||
12 | It is also assumed that the reader is familiar with all pieces of | 12 | It is also assumed that the reader is familiar with all pieces of |
13 | software needed. The procedure to built SCFW, ATF and download the | 13 | software needed. The procedure to built SCFW, ATF and download the |
14 | firmwares are out of scope of this document, please refer to the Linux | 14 | firmwares are out of scope of this document, please refer to the Linux |
15 | BSP Release Notes and AN12212[1] for further details. | 15 | BSP Release Notes and AN12212[1] for further details. |
16 | 16 | ||
17 | Details about AHAB can be found in the introduction_ahab.txt document | 17 | Details about AHAB can be found in the introduction_ahab.txt document |
18 | and in processors Security Reference Manual Document (SRM). | 18 | and in processors Security Reference Manual Document (SRM). |
19 | 19 | ||
20 | 1.1 Preparing the environment to build a secure boot image | 20 | 1.1 Preparing the environment to build a secure boot image |
21 | ----------------------------------------------------------- | 21 | ----------------------------------------------------------- |
22 | 22 | ||
23 | Before continuing, be sure to have already downloaded and built the | 23 | Before continuing, be sure to have already downloaded and built the |
24 | following: | 24 | following: |
25 | 25 | ||
26 | - imx-mkimage downloaded and built with i.MX 8 container support. | 26 | - imx-mkimage downloaded and built with i.MX 8 container support. |
27 | - SECO firmware downloaded. | 27 | - SECO firmware downloaded. |
28 | - U-Boot downloaded and built. Please check section 1.2. | 28 | - U-Boot downloaded and built. Please check section 1.2. |
29 | - ARM Trusted Firmware (ATF) downloaded and built for your target. | 29 | - ARM Trusted Firmware (ATF) downloaded and built for your target. |
30 | - System Controller Firmware (SCFW). | 30 | - System Controller Firmware (SCFW). |
31 | - Kernel image. | 31 | - Kernel image. |
32 | 32 | ||
33 | You should also have downloaded the Code Signing Tool, available on NXP | 33 | You should also have downloaded the Code Signing Tool, available on NXP |
34 | website. | 34 | website. |
35 | 35 | ||
36 | In the following sections, <work> designates the repository where all | 36 | In the following sections, <work> designates the repository where all |
37 | parts have been downloaded and built. | 37 | parts have been downloaded and built. |
38 | 38 | ||
39 | 1.2 Preparing U-Boot to support AHAB secure boot features | 39 | 1.2 Preparing U-Boot to support AHAB secure boot features |
40 | ---------------------------------------------------------- | 40 | ---------------------------------------------------------- |
41 | 41 | ||
42 | The U-Boot provides extra functions for AHAB, such as the ability to | 42 | The U-Boot provides extra functions for AHAB, such as the ability to |
43 | authenticate additional container images by calling the SCU API | 43 | authenticate additional container images by calling the SCU API |
44 | sc_misc_seco_authenticate() function. | 44 | sc_misc_seco_authenticate() function. |
45 | 45 | ||
46 | The support is enabled by adding CONFIG_AHAB_BOOT to the defconfig file used | 46 | The support is enabled by adding CONFIG_AHAB_BOOT to the defconfig file used |
47 | for your target: | 47 | for your target: |
48 | 48 | ||
49 | - Defconfig: | 49 | - Defconfig: |
50 | CONFIG_AHAB_BOOT=y | 50 | CONFIG_AHAB_BOOT=y |
51 | - Kconfig: | 51 | - Kconfig: |
52 | ARM architecture -> Support i.MX 8 AHAB features | 52 | ARM architecture -> Support i.MX 8 AHAB features |
53 | 53 | ||
54 | 1.3 Building an image supporting secure boot | 54 | 1.3 Building an image supporting secure boot |
55 | --------------------------------------------- | 55 | --------------------------------------------- |
56 | 56 | ||
57 | The boot image is composed of different layers: | 57 | The boot image is composed of different layers: |
58 | 58 | ||
59 | +---------------------------+ <-- *start | 59 | +---------------------------+ <-- *start |
60 | | 1st Container header | | 60 | | 1st Container header | |
61 | | and signature | | 61 | | and signature | |
62 | +---------------------------+ | 62 | +---------------------------+ |
63 | | Padding for 1kB alignment | | 63 | | Padding for 1kB alignment | |
64 | +---------------------------+ <-- *start + 0x400 | 64 | +---------------------------+ <-- *start + 0x400 |
65 | | 2nd Container header | | 65 | | 2nd Container header | |
66 | | and signature | | 66 | | and signature | |
67 | +---------------------------+ | 67 | +---------------------------+ |
68 | | Padding | | 68 | | Padding | |
69 | +---------------------------+ | 69 | +---------------------------+ |
70 | | SECO FW | | 70 | | SECO FW | |
71 | +---------------------------+ | 71 | +---------------------------+ |
72 | | Padding | | 72 | | Padding | |
73 | +---------------------------+ | 73 | +---------------------------+ |
74 | | SCU FW with DDR | | 74 | | SCU FW with DDR | |
75 | | initialization Image | | 75 | | initialization Image | |
76 | | embedded | | 76 | | embedded | |
77 | +---------------------------+ | 77 | +---------------------------+ |
78 | | Cortex-M4 Image | | 78 | | Cortex-M4 Image | |
79 | +---------------------------+ | 79 | +---------------------------+ |
80 | | Cortex-A bootloader | | 80 | | Cortex-A bootloader | |
81 | +---------------------------+ | 81 | +---------------------------+ |
82 | 82 | ||
83 | It contains two containers, one for the SECO firmware (AHAB), and one for | 83 | It contains two containers, one for the SECO firmware (AHAB), and one for |
84 | the SCFW, the ATF, U-Boot and M4 Image. They are preceded by their headers. | 84 | the SCFW, the ATF, U-Boot and M4 Image. They are preceded by their headers. |
85 | The first one, containing the SECO firmware image, is padded to 0x1000 to | 85 | The first one, containing the SECO firmware image, is padded to 0x1000 to |
86 | fix the start address of the second one, which can contain one or multiple | 86 | fix the start address of the second one, which can contain one or multiple |
87 | images. | 87 | images. |
88 | 88 | ||
89 | If you are familiar with secure boot process with HABv4, you will notice | 89 | If you are familiar with secure boot process with HABv4, you will notice |
90 | there is no need for CSF in this architecture. The CST is responsible to | 90 | there is no need for CSF in this architecture. The CST is responsible to |
91 | handle the Signature block: | 91 | handle the Signature block: |
92 | 92 | ||
93 | +----------------------------+ ^ | 93 | +----------------------------+ ^ |
94 | | | | | 94 | | | | |
95 | | | | | 95 | | | | |
96 | | Container header | | | 96 | | Container header | | |
97 | | | | | 97 | | | | |
98 | | | | | 98 | | | | |
99 | +---+------------------------+ | | 99 | +---+------------------------+ | |
100 | | S | Signature block header | | Signed | 100 | | S | Signature block header | | Signed |
101 | | i +------------------------+ | | 101 | | i +------------------------+ | |
102 | | g | | | | 102 | | g | | | |
103 | | n | | | | 103 | | n | | | |
104 | | a | SRK table | | | 104 | | a | SRK table | | |
105 | | t | | | | 105 | | t | | | |
106 | | u | | | | 106 | | u | | | |
107 | | r +------------------------+ v | 107 | | r +------------------------+ v |
108 | | e | Signature | | 108 | | e | Signature | |
109 | | +------------------------+ | 109 | | +------------------------+ |
110 | | b | | | 110 | | b | | |
111 | | l | SGK Key | | 111 | | l | SGK Key | |
112 | | o | Certificate (optional) | | 112 | | o | Certificate (optional) | |
113 | | c | | | 113 | | c | | |
114 | | k | | | 114 | | k | | |
115 | +---+------------------------+ | 115 | +---+------------------------+ |
116 | 116 | ||
117 | The certificate block is divided into: | 117 | The certificate block is divided into: |
118 | 118 | ||
119 | +---------------+ ^ | 119 | +---------------+ ^ |
120 | | Public key | | Signed | 120 | | Public key | | Signed |
121 | | Permission | | | 121 | | Permission | | |
122 | +---------------+ v | 122 | +---------------+ v |
123 | | Signature | | 123 | | Signature | |
124 | +---------------+ | 124 | +---------------+ |
125 | 125 | ||
126 | The first block (public key permission) verify the Signature block | 126 | The first block (public key permission) verify the Signature block |
127 | preceding (between SRK table and Certificate blocks), while the second | 127 | preceding (between SRK table and Certificate blocks), while the second |
128 | block (signature) is verified by the SRK table block. | 128 | block (signature) is verified by the SRK table block. |
129 | 129 | ||
130 | 1.4 Prepare the boot image layout | 130 | 1.4 Prepare the boot image layout |
131 | ---------------------------------- | 131 | ---------------------------------- |
132 | 132 | ||
133 | To generate the flash.bin file: | 133 | To generate the flash.bin file: |
134 | 134 | ||
135 | - On i.MX 8 QXP: | 135 | - On i.MX 8 QXP: |
136 | 136 | ||
137 | $ cd <work>/imx-mkimage | 137 | $ cd <work>/imx-mkimage |
138 | $ make SOC=iMX8QX flash | 138 | $ make SOC=iMX8QX flash |
139 | 139 | ||
140 | - On i.MX 8 QM: | 140 | - On i.MX 8 QM: |
141 | 141 | ||
142 | $ cd <work>/imx-mkimage | 142 | $ cd <work>/imx-mkimage |
143 | $ make SOC=iMX8QM flash | 143 | $ make SOC=iMX8QM flash |
144 | 144 | ||
145 | If the command ends successfully, the end of the result should look | 145 | If the command ends successfully, the end of the result should look |
146 | like: | 146 | like: |
147 | 147 | ||
148 | CST: CONTAINER 0 offset: 0x400 | 148 | CST: CONTAINER 0 offset: 0x400 |
149 | CST: CONTAINER 0: Signature Block: offset is at 0x590 | 149 | CST: CONTAINER 0: Signature Block: offset is at 0x590 |
150 | DONE. | 150 | DONE. |
151 | Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET | 151 | Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET |
152 | 152 | ||
153 | Keep in mind the offsets above to be used with CST/CSF. | 153 | Keep in mind the offsets above to be used with CST/CSF. |
154 | 154 | ||
155 | Please note that on this example we not including an Cortex-M4 Image, on | 155 | Please note that on this example we not including an Cortex-M4 Image, on |
156 | i.MX8/8x MEK boards the SCU console may be replaced by the M4 console not | 156 | i.MX8/8x MEK boards the SCU console may be replaced by the M4 console not |
157 | being possible to run the steps documented in section "1.5.5 Verify SECO | 157 | being possible to run the steps documented in section "1.5.5 Verify SECO |
158 | events". | 158 | events". |
159 | 159 | ||
160 | 1.5 Secure boot setup with the CST | 160 | 1.5 Secure boot setup with the CST |
161 | ----------------------------------- | 161 | ----------------------------------- |
162 | 162 | ||
163 | 1.5.1 Creating the CSF description file for the second container | 163 | 1.5.1 Creating the CSF description file for the second container |
164 | ----------------------------------------------------------------- | 164 | ----------------------------------------------------------------- |
165 | 165 | ||
166 | The CSF contains all the commands that the AHAB executes during the secure | 166 | The CSF contains all the commands that the AHAB executes during the secure |
167 | boot. These commands instruct the AHAB on which memory areas of the image | 167 | boot. These commands instruct the AHAB on which memory areas of the image |
168 | to authenticate, which keys to install, use and etc. | 168 | to authenticate, which keys to install, use and etc. |
169 | 169 | ||
170 | CSF examples are available under doc/imx/ahab/csf_examples/ | 170 | CSF examples are available under doc/imx/ahab/csf_examples/ |
171 | directory. | 171 | directory. |
172 | 172 | ||
173 | This csf_boot_image.txt file example should be updated with the offset values | 173 | This csf_boot_image.txt file example should be updated with the offset values |
174 | of the 1.4 section and the path to your flash.bin file. It is the last part | 174 | of the 1.4 section and the path to your flash.bin file. It is the last part |
175 | of the file: | 175 | of the file: |
176 | 176 | ||
177 | [Authenticate Data] | 177 | [Authenticate Data] |
178 | # Binary to be signed generated by mkimage | 178 | # Binary to be signed generated by mkimage |
179 | File = "flash.bin" | 179 | File = "flash.bin" |
180 | # Offsets = Container header Signature block (printed out by mkimage) | 180 | # Offsets = Container header Signature block (printed out by mkimage) |
181 | Offsets = 0x400 0x590 | 181 | Offsets = 0x400 0x590 |
182 | 182 | ||
183 | 1.5.2 Signing the boot image | 183 | 1.5.2 Signing the boot image |
184 | ----------------------------- | 184 | ----------------------------- |
185 | 185 | ||
186 | Now you use the CST to generate the signed boot image from the previously | 186 | Now you use the CST to generate the signed boot image from the previously |
187 | created csf_boot_image.txt Commands Sequence File: | 187 | created csf_boot_image.txt Commands Sequence File: |
188 | 188 | ||
189 | $ cd <work> | 189 | $ cd <work> |
190 | $ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin | 190 | $ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin |
191 | 191 | ||
192 | 1.5.3 Flash the signed image | 192 | 1.5.3 Flash the signed image |
193 | ----------------------------- | 193 | ----------------------------- |
194 | 194 | ||
195 | Write the signed U-Boot image: | 195 | Write the signed U-Boot image: |
196 | 196 | ||
197 | $ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync | 197 | $ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync |
198 | 198 | ||
199 | Then insert the SD Card into the board and plug your device to your computer | 199 | Then insert the SD Card into the board and plug your device to your computer |
200 | with an USB serial cable. | 200 | with an USB serial cable. |
201 | 201 | ||
202 | 1.5.4 Programming SRK Hash | 202 | 1.5.4 Programming SRK Hash |
203 | --------------------------- | 203 | --------------------------- |
204 | 204 | ||
205 | As explained in introduction_ahab.txt document the SRK Hash fuse values are | 205 | As explained in introduction_ahab.txt document the SRK Hash fuse values are |
206 | generated by the srktool and should be programmed in the SoC SRK_HASH[511:0] | 206 | generated by the srktool and should be programmed in the SoC SRK_HASH[511:0] |
207 | fuses. | 207 | fuses. |
208 | 208 | ||
209 | Be careful when programming these values, as this data is the basis for the | 209 | Be careful when programming these values, as this data is the basis for the |
210 | root of trust. An error in SRK Hash results in a part that does not boot. | 210 | root of trust. An error in SRK Hash results in a part that does not boot. |
211 | 211 | ||
212 | The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs. | 212 | The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs. |
213 | 213 | ||
214 | - Dump SRK Hash fuses values in host machine: | 214 | - Dump SRK Hash fuses values in host machine: |
215 | 215 | ||
216 | $ od -t x4 SRK_1_2_3_4_fuse.bin | 216 | $ od -t x4 SRK_1_2_3_4_fuse.bin |
217 | 0000000 d436cc46 8ecccda9 b89e1601 5fada3db | 217 | 0000000 d436cc46 8ecccda9 b89e1601 5fada3db |
218 | 0000020 d454114a b6cd51f4 77384870 c50ee4b2 | 218 | 0000020 d454114a b6cd51f4 77384870 c50ee4b2 |
219 | 0000040 a27e5132 eba887cf 592c1e2b bb501799 | 219 | 0000040 a27e5132 eba887cf 592c1e2b bb501799 |
220 | 0000060 ee702e07 cf8ce73e fb55e2d5 eba6bbd2 | 220 | 0000060 ee702e07 cf8ce73e fb55e2d5 eba6bbd2 |
221 | 221 | ||
222 | - Program SRK_HASH[511:0] fuses: | 222 | - Program SRK_HASH[511:0] fuses: |
223 | 223 | ||
224 | * On i.MX 8 QXP: | 224 | * On i.MX 8 QXP: |
225 | 225 | ||
226 | => fuse prog 0 730 0xd436cc46 | 226 | => fuse prog 0 730 0xd436cc46 |
227 | => fuse prog 0 731 0x8ecccda9 | 227 | => fuse prog 0 731 0x8ecccda9 |
228 | => fuse prog 0 732 0xb89e1601 | 228 | => fuse prog 0 732 0xb89e1601 |
229 | => fuse prog 0 733 0x5fada3db | 229 | => fuse prog 0 733 0x5fada3db |
230 | => fuse prog 0 734 0xd454114a | 230 | => fuse prog 0 734 0xd454114a |
231 | => fuse prog 0 735 0xb6cd51f4 | 231 | => fuse prog 0 735 0xb6cd51f4 |
232 | => fuse prog 0 736 0x77384870 | 232 | => fuse prog 0 736 0x77384870 |
233 | => fuse prog 0 737 0xc50ee4b2 | 233 | => fuse prog 0 737 0xc50ee4b2 |
234 | => fuse prog 0 738 0xa27e5132 | 234 | => fuse prog 0 738 0xa27e5132 |
235 | => fuse prog 0 739 0xeba887cf | 235 | => fuse prog 0 739 0xeba887cf |
236 | => fuse prog 0 740 0x592c1e2b | 236 | => fuse prog 0 740 0x592c1e2b |
237 | => fuse prog 0 741 0xbb501799 | 237 | => fuse prog 0 741 0xbb501799 |
238 | => fuse prog 0 742 0xee702e07 | 238 | => fuse prog 0 742 0xee702e07 |
239 | => fuse prog 0 743 0xcf8ce73e | 239 | => fuse prog 0 743 0xcf8ce73e |
240 | => fuse prog 0 744 0xfb55e2d5 | 240 | => fuse prog 0 744 0xfb55e2d5 |
241 | => fuse prog 0 745 0xeba6bbd2 | 241 | => fuse prog 0 745 0xeba6bbd2 |
242 | 242 | ||
243 | * On i.MX 8 QM: | 243 | * On i.MX 8 QM: |
244 | 244 | ||
245 | => fuse prog 0 722 0xd436cc46 | 245 | => fuse prog 0 722 0xd436cc46 |
246 | => fuse prog 0 723 0x8ecccda9 | 246 | => fuse prog 0 723 0x8ecccda9 |
247 | => fuse prog 0 724 0xb89e1601 | 247 | => fuse prog 0 724 0xb89e1601 |
248 | => fuse prog 0 725 0x5fada3db | 248 | => fuse prog 0 725 0x5fada3db |
249 | => fuse prog 0 726 0xd454114a | 249 | => fuse prog 0 726 0xd454114a |
250 | => fuse prog 0 727 0xb6cd51f4 | 250 | => fuse prog 0 727 0xb6cd51f4 |
251 | => fuse prog 0 728 0x77384870 | 251 | => fuse prog 0 728 0x77384870 |
252 | => fuse prog 0 729 0xc50ee4b2 | 252 | => fuse prog 0 729 0xc50ee4b2 |
253 | => fuse prog 0 730 0xa27e5132 | 253 | => fuse prog 0 730 0xa27e5132 |
254 | => fuse prog 0 731 0xeba887cf | 254 | => fuse prog 0 731 0xeba887cf |
255 | => fuse prog 0 732 0x592c1e2b | 255 | => fuse prog 0 732 0x592c1e2b |
256 | => fuse prog 0 733 0xbb501799 | 256 | => fuse prog 0 733 0xbb501799 |
257 | => fuse prog 0 734 0xee702e07 | 257 | => fuse prog 0 734 0xee702e07 |
258 | => fuse prog 0 735 0xcf8ce73e | 258 | => fuse prog 0 735 0xcf8ce73e |
259 | => fuse prog 0 736 0xfb55e2d5 | 259 | => fuse prog 0 736 0xfb55e2d5 |
260 | => fuse prog 0 737 0xeba6bbd2 | 260 | => fuse prog 0 737 0xeba6bbd2 |
261 | 261 | ||
262 | 1.5.5 Verify SECO events | 262 | 1.5.5 Verify SECO events |
263 | ------------------------- | 263 | ------------------------- |
264 | 264 | ||
265 | If the fuses have been written properly, there should be no SECO events after | 265 | If the fuses have been written properly, there should be no SECO events after |
266 | boot. To validate this, power on the board, and run ahab_status command on | 266 | boot. To validate this, power on the board, and run ahab_status command on |
267 | U-Boot terminal. | 267 | U-Boot terminal. |
268 | 268 | ||
269 | No events should be returned after this command: | 269 | No events should be returned after this command: |
270 | 270 | ||
271 | => ahab_status | 271 | => ahab_status |
272 | Lifecycle: 0x0020, NXP closed | 272 | Lifecycle: 0x0020, NXP closed |
273 | 273 | ||
274 | No SECO Events Found! | 274 | No SECO Events Found! |
275 | 275 | ||
276 | U-Boot will decode the SECO events and provide more details on the failure, | 276 | U-Boot will decode the SECO events and provide more details on the failure, |
277 | for example in case container image was signed with wrong keys and are not | 277 | for example in case container image was signed with wrong keys and are not |
278 | matching the OTP SRK hashes: | 278 | matching the OTP SRK hashes: |
279 | 279 | ||
280 | => ahab_status | 280 | => ahab_status |
281 | Lifecycle: 0x0020, NXP closed | 281 | Lifecycle: 0x0020, NXP closed |
282 | 282 | ||
283 | SECO Event[0] = 0x0087EE00 | 283 | SECO Event[0] = 0x0087EE00 |
284 | CMD = AHAB_AUTH_CONTAINER_REQ (0x87) | 284 | CMD = AHAB_AUTH_CONTAINER_REQ (0x87) |
285 | IND = AHAB_NO_AUTHENTICATION_IND (0xEE) | 285 | IND = AHAB_NO_AUTHENTICATION_IND (0xEE) |
286 | 286 | ||
287 | Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may | 287 | Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may |
288 | also be displayed. | 288 | also be displayed. |
289 | 289 | ||
290 | 1.5.6 Close the device | 290 | 1.5.6 Close the device |
291 | ----------------------- | 291 | ----------------------- |
292 | 292 | ||
293 | After the device successfully boots a signed image without generating any | 293 | After the device successfully boots a signed image without generating any |
294 | SECO security events, it is safe to close the device. The SECO lifecycle | 294 | SECO security events, it is safe to close the device. The SECO lifecycle |
295 | should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this | 295 | should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this |
296 | step can damage your board if a previous step failed. It is also | 296 | step can damage your board if a previous step failed. It is also |
297 | irreversible. Run on the U-Boot terminal: | 297 | irreversible. Run on the U-Boot terminal: |
298 | 298 | ||
299 | => ahab_close | 299 | => ahab_close |
300 | 300 | ||
301 | Now reboot the target, and run: | 301 | Now reboot the target, and run: |
302 | 302 | ||
303 | => ahab_status | 303 | => ahab_status |
304 | 304 | ||
305 | The lifecycle value should now be 0x80 OEM closed. | 305 | The lifecycle value should now be 0x80 OEM closed. |
306 | 306 | ||
307 | 2. Authenticating the OS container | 307 | 2. Authenticating the OS container |
308 | ----------------------------------- | 308 | ----------------------------------- |
309 | 309 | ||
310 | Note that the following section is not mandatory. If you do not plan to | 310 | Note that the following section is not mandatory. If you do not plan to |
311 | authenticate the kernel image, you can disable this behavior by setting | 311 | authenticate the kernel image, you can disable this behavior by setting |
312 | sec_boot=no in U-Boot environment variable. | 312 | sec_boot=no in U-Boot environment variable. |
313 | 313 | ||
314 | Note, you can also authenticate the OS image by running a U-Boot command: | 314 | Note, you can also authenticate the OS image by running a U-Boot command: |
315 | 315 | ||
316 | => auth_cntr <Container address> | 316 | => auth_cntr <Container address> |
317 | 317 | ||
318 | 2.1 Prepare the OS container image | 318 | 2.1 Prepare the OS container image |
319 | ----------------------------------- | 319 | ----------------------------------- |
320 | 320 | ||
321 | You need to generate the OS container image. First, copy the binary previously | 321 | You need to generate the OS container image. First, copy the binary previously |
322 | generated to the <work> directory to save it for later: | 322 | generated to the <work> directory to save it for later: |
323 | 323 | ||
324 | - On i.MX 8 QXP | 324 | - On i.MX 8 QXP |
325 | 325 | ||
326 | $ cd <work>/imx-mkimage | 326 | $ cd <work>/imx-mkimage |
327 | $ cp iMX8QX/flash.bin .. | 327 | $ cp iMX8QX/flash.bin .. |
328 | $ make SOC=iMX8QX flash_linux | 328 | $ make SOC=iMX8QX flash_linux |
329 | $ mv i.MX8QX/flash.bin iMX8QX/flash_os.bin | 329 | $ mv iMX8QX/flash.bin iMX8QX/flash_os.bin |
330 | $ cp iMX8QX/flash_os.bin .. | 330 | $ cp iMX8QX/flash_os.bin .. |
331 | 331 | ||
332 | - On i.MX 8 QM | 332 | - On i.MX 8 QM |
333 | 333 | ||
334 | $ cd <work>/imx-mkimage | 334 | $ cd <work>/imx-mkimage |
335 | $ cp iMX8QM/flash.bin .. | 335 | $ cp iMX8QM/flash.bin .. |
336 | $ make SOC=iMX8QM flash_linux | 336 | $ make SOC=iMX8QM flash_linux |
337 | $ mv i.MX8QM/flash.bin iMX8QM/flash_os.bin | 337 | $ mv iMX8QM/flash.bin iMX8QM/flash_os.bin |
338 | $ cp iMX8QM/flash_os.bin .. | 338 | $ cp iMX8QM/flash_os.bin .. |
339 | 339 | ||
340 | If the make command ends successfully, the end of the result should look | 340 | If the make command ends successfully, the end of the result should look |
341 | like: | 341 | like: |
342 | 342 | ||
343 | CST: CONTAINER 0 offset: 0x0 | 343 | CST: CONTAINER 0 offset: 0x0 |
344 | CST: CONTAINER 0: Signature Block: offset is at 0x110 | 344 | CST: CONTAINER 0: Signature Block: offset is at 0x110 |
345 | DONE. | 345 | DONE. |
346 | Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET | 346 | Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET |
347 | 347 | ||
348 | Keep in mind the offsets above to be used with CST/CSF | 348 | Keep in mind the offsets above to be used with CST/CSF |
349 | 349 | ||
350 | 2.2 Creating the CSF description file for OS container image | 350 | 2.2 Creating the CSF description file for OS container image |
351 | ------------------------------------------------------------- | 351 | ------------------------------------------------------------- |
352 | 352 | ||
353 | CSF examples are available under doc/imx/ahab/csf_examples/ | 353 | CSF examples are available under doc/imx/ahab/csf_examples/ |
354 | directory. | 354 | directory. |
355 | 355 | ||
356 | This csf_linux_img.txt file example should be updated with the offset values | 356 | This csf_linux_img.txt file example should be updated with the offset values |
357 | of the 2.1 chapter and the path to your flash_os.bin file. It it the last | 357 | of the 2.1 chapter and the path to your flash_os.bin file. It it the last |
358 | part of the file: | 358 | part of the file: |
359 | 359 | ||
360 | [Authenticate Data] | 360 | [Authenticate Data] |
361 | # Binary to be signed generated by mkimage | 361 | # Binary to be signed generated by mkimage |
362 | File = "flash_os.bin" | 362 | File = "flash_os.bin" |
363 | # Offsets = Container header Signature block (printed out by mkimage) | 363 | # Offsets = Container header Signature block (printed out by mkimage) |
364 | Offsets = 0x0 0x110 | 364 | Offsets = 0x0 0x110 |
365 | 365 | ||
366 | 2.3 Authenticating container image | 366 | 2.3 Authenticating container image |
367 | ----------------------------------- | 367 | ----------------------------------- |
368 | 368 | ||
369 | Now you use the CST to signed the OS image using the previously | 369 | Now you use the CST to signed the OS image using the previously |
370 | created csf_linux_img.txt Commands Sequence File: | 370 | created csf_linux_img.txt Commands Sequence File: |
371 | 371 | ||
372 | $ cd <work> | 372 | $ cd <work> |
373 | $ ./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin | 373 | $ ./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin |
374 | 374 | ||
375 | 2.4 Copy OS container | 375 | 2.4 Copy OS container |
376 | ---------------------- | 376 | ---------------------- |
377 | 377 | ||
378 | Mount the SD Card: | 378 | Mount the SD Card: |
379 | 379 | ||
380 | $ sudo mount /dev/sdX1 partition | 380 | $ sudo mount /dev/sdX1 partition |
381 | 381 | ||
382 | Copy the OS signed image on the SD Card: | 382 | Copy the OS signed image on the SD Card: |
383 | 383 | ||
384 | - For i.MX 8 QXP | 384 | - For i.MX 8 QXP |
385 | 385 | ||
386 | $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx | 386 | $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx |
387 | 387 | ||
388 | - For i.MX 8 QM | 388 | - For i.MX 8 QM |
389 | 389 | ||
390 | $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qm | 390 | $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qm |
391 | 391 | ||
392 | Finally: | 392 | Finally: |
393 | 393 | ||
394 | $ sudo umount partition | 394 | $ sudo umount partition |
395 | 395 | ||
396 | References: | 396 | References: |
397 | [1] AN12212: "Software Solutions for Migration Guide from Aarch32 to | 397 | [1] AN12212: "Software Solutions for Migration Guide from Aarch32 to |
398 | Aarch64" - Rev 0." | 398 | Aarch64" - Rev 0." |
399 | 399 |