Commit e3f6b0778284bc42faf940caaf0d7292b44a1852
Committed by
Ye Li
1 parent
0b7fedc171
Exists in
smarc-imx_v2018.03_4.14.78_1.0.0_ga
MLK-20270-2 doc: imx: habv4: Remove old HABv4 secure boot documentation
The HABv4 secure boot procedure is now documented in different files: . └── habv4 ├── csf_examples │ ├── additional_images │ │ └── csf_additional_images.txt │ ├── mx6_mx7 │ │ ├── csf_uboot_fast_authentication.txt │ │ └── csf_uboot.txt │ └── mx8m_mx8mm │ ├── csf_fit.txt │ └── csf_spl.txt ├── guides │ ├── mx6_mx7_secure_boot.txt │ ├── mx8m_mx8mm_secure_boot.pdf │ └── mx8m_mx8mm_secure_boot.txt ├── introduction_habv4.txt └── script_examples └── genIVT.pl The old documentation secure_boot.txt can be removed. Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit b0300fcf732ff1e79e771c386bf083e79eacc36a)
Showing 1 changed file with 0 additions and 100 deletions Side-by-side Diff
doc/imx/hab/habv4/secure_boot.txt
1 | -1. High Assurance Boot (HAB) for i.MX CPUs | |
2 | ------------------------------------------- | |
3 | - | |
4 | -To enable the authenticated or encrypted boot mode of U-Boot, it is | |
5 | -required to set the proper configuration for the target board. This | |
6 | -is done by adding the following configuration in the defconfig file: | |
7 | - | |
8 | -CONFIG_SECURE_BOOT=y | |
9 | - | |
10 | -In addition, the U-Boot image to be programmed into the | |
11 | -boot media needs to be properly constructed, i.e. it must contain a | |
12 | -proper Command Sequence File (CSF). | |
13 | - | |
14 | -The CSF itself is generated by the i.MX High Assurance Boot Reference | |
15 | -Code Signing Tool. | |
16 | -https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL | |
17 | - | |
18 | -More information about the CSF and HAB can be found in the AN4581. | |
19 | -https://www.nxp.com/docs/en/application-note/AN4581.pdf | |
20 | - | |
21 | -We don't want to explain how to create a PKI tree or SRK table as | |
22 | -this is well explained in the Application Note. | |
23 | - | |
24 | -2. Secure Boot on non-SPL targets | |
25 | ---------------------------------- | |
26 | - | |
27 | -On non-SPL targets a singe U-Boot binary is generated, mkimage will | |
28 | -output additional information about "HAB Blocks" which can be used | |
29 | -in the CST to authenticate the U-Boot image (entries in the CSF file). | |
30 | - | |
31 | -Image Type: Freescale IMX Boot Image | |
32 | -Image Ver: 2 (i.MX53/6 compatible) | |
33 | -Data Size: 327680 Bytes = 320.00 kB = 0.31 MB | |
34 | -Load Address: 177ff420 | |
35 | -Entry Point: 17800000 | |
36 | -HAB Blocks: 177ff400 00000000 0004dc00 | |
37 | - ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ | |
38 | - | | | | |
39 | - | | -------- (1) | |
40 | - | | | |
41 | - | ------------------- (2) | |
42 | - | | |
43 | - --------------------------- (3) | |
44 | - | |
45 | -(1) Size of area in file u-boot-dtb.imx to sign | |
46 | - This area should include the IVT, the Boot Data the DCD | |
47 | - and U-Boot itself. | |
48 | -(2) Start of area in u-boot-dtb.imx to sign | |
49 | -(3) Start of area in RAM to authenticate | |
50 | - | |
51 | -CONFIG_SECURE_BOOT currently enables only an additional command | |
52 | -'hab_status' in U-Boot to retrieve the HAB status and events. This | |
53 | -can be useful while developing and testing HAB. | |
54 | - | |
55 | -Commands to generate a signed U-Boot using i.MX HAB CST tool: | |
56 | -# Compile CSF and create signature | |
57 | -cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
58 | -# Append compiled CSF to Binary | |
59 | -cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
60 | - | |
61 | -3. Secure Boot on SPL targets | |
62 | ------------------------------ | |
63 | - | |
64 | -This version of U-Boot is able to build a signable version of the SPL | |
65 | -as well as a signable version of the U-Boot image. The signature can | |
66 | -be verified through High Assurance Boot (HAB). | |
67 | - | |
68 | -After building, you need to create a command sequence file and use | |
69 | -i.MX HAB Code Signing Tool to sign both binaries. After creation, | |
70 | -the mkimage tool outputs the required information about the HAB Blocks | |
71 | -parameter for the CSF. During the build, the information is preserved | |
72 | -in log files named as the binaries. (SPL.log and u-boot-ivt.log). | |
73 | - | |
74 | -Example Output of the SPL (imximage) creation: | |
75 | - Image Type: Freescale IMX Boot Image | |
76 | - Image Ver: 2 (i.MX53/6/7 compatible) | |
77 | - Mode: DCD | |
78 | - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB | |
79 | - Load Address: 00907420 | |
80 | - Entry Point: 00908000 | |
81 | - HAB Blocks: 00907400 00000000 0000cc00 | |
82 | - | |
83 | -Example Output of the u-boot-ivt.img (firmware_ivt) creation: | |
84 | - Image Name: U-Boot 2016.11-rc1-31589-g2a4411 | |
85 | - Created: Sat Nov 5 21:53:28 2016 | |
86 | - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) | |
87 | - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB | |
88 | - Load Address: 17800000 | |
89 | - Entry Point: 00000000 | |
90 | - HAB Blocks: 0x177fffc0 0x0000 0x00054020 | |
91 | - | |
92 | -# Compile CSF and create signature | |
93 | -cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
94 | -cst --o csf-SPL.bin --i command_sequence_spl.csf | |
95 | -# Append compiled CSF to Binary | |
96 | -cat SPL csf-SPL.bin > SPL-signed | |
97 | -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img | |
98 | - | |
99 | -These two signed binaries can be used on an i.MX in closed | |
100 | -configuration when the according SRK Table Hash has been flashed. |