Commit e3f6b0778284bc42faf940caaf0d7292b44a1852
Committed by
Ye Li
Ye Li
1 parent
0b7fedc171
Exists in
smarc-imx_v2018.03_4.14.78_1.0.0_ga
MLK-20270-2 doc: imx: habv4: Remove old HABv4 secure boot documentation
The HABv4 secure boot procedure is now documented in different files:
.
└── habv4
├── csf_examples
│ ├── additional_images
│ │ └── csf_additional_images.txt
│ ├── mx6_mx7
│ │ ├── csf_uboot_fast_authentication.txt
│ │ └── csf_uboot.txt
│ └── mx8m_mx8mm
│ ├── csf_fit.txt
│ └── csf_spl.txt
├── guides
│ ├── mx6_mx7_secure_boot.txt
│ ├── mx8m_mx8mm_secure_boot.pdf
│ └── mx8m_mx8mm_secure_boot.txt
├── introduction_habv4.txt
└── script_examples
└── genIVT.pl
The old documentation secure_boot.txt can be removed.
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
(cherry picked from commit b0300fcf732ff1e79e771c386bf083e79eacc36a)
Showing 1 changed file with 0 additions and 100 deletions Side-by-side Diff
doc/imx/hab/habv4/secure_boot.txt
| 1 | -1. High Assurance Boot (HAB) for i.MX CPUs | |
| 2 | ------------------------------------------- | |
| 3 | - | |
| 4 | -To enable the authenticated or encrypted boot mode of U-Boot, it is | |
| 5 | -required to set the proper configuration for the target board. This | |
| 6 | -is done by adding the following configuration in the defconfig file: | |
| 7 | - | |
| 8 | -CONFIG_SECURE_BOOT=y | |
| 9 | - | |
| 10 | -In addition, the U-Boot image to be programmed into the | |
| 11 | -boot media needs to be properly constructed, i.e. it must contain a | |
| 12 | -proper Command Sequence File (CSF). | |
| 13 | - | |
| 14 | -The CSF itself is generated by the i.MX High Assurance Boot Reference | |
| 15 | -Code Signing Tool. | |
| 16 | -https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL | |
| 17 | - | |
| 18 | -More information about the CSF and HAB can be found in the AN4581. | |
| 19 | -https://www.nxp.com/docs/en/application-note/AN4581.pdf | |
| 20 | - | |
| 21 | -We don't want to explain how to create a PKI tree or SRK table as | |
| 22 | -this is well explained in the Application Note. | |
| 23 | - | |
| 24 | -2. Secure Boot on non-SPL targets | |
| 25 | ---------------------------------- | |
| 26 | - | |
| 27 | -On non-SPL targets a singe U-Boot binary is generated, mkimage will | |
| 28 | -output additional information about "HAB Blocks" which can be used | |
| 29 | -in the CST to authenticate the U-Boot image (entries in the CSF file). | |
| 30 | - | |
| 31 | -Image Type: Freescale IMX Boot Image | |
| 32 | -Image Ver: 2 (i.MX53/6 compatible) | |
| 33 | -Data Size: 327680 Bytes = 320.00 kB = 0.31 MB | |
| 34 | -Load Address: 177ff420 | |
| 35 | -Entry Point: 17800000 | |
| 36 | -HAB Blocks: 177ff400 00000000 0004dc00 | |
| 37 | - ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ | |
| 38 | - | | | | |
| 39 | - | | -------- (1) | |
| 40 | - | | | |
| 41 | - | ------------------- (2) | |
| 42 | - | | |
| 43 | - --------------------------- (3) | |
| 44 | - | |
| 45 | -(1) Size of area in file u-boot-dtb.imx to sign | |
| 46 | - This area should include the IVT, the Boot Data the DCD | |
| 47 | - and U-Boot itself. | |
| 48 | -(2) Start of area in u-boot-dtb.imx to sign | |
| 49 | -(3) Start of area in RAM to authenticate | |
| 50 | - | |
| 51 | -CONFIG_SECURE_BOOT currently enables only an additional command | |
| 52 | -'hab_status' in U-Boot to retrieve the HAB status and events. This | |
| 53 | -can be useful while developing and testing HAB. | |
| 54 | - | |
| 55 | -Commands to generate a signed U-Boot using i.MX HAB CST tool: | |
| 56 | -# Compile CSF and create signature | |
| 57 | -cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
| 58 | -# Append compiled CSF to Binary | |
| 59 | -cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx | |
| 60 | - | |
| 61 | -3. Secure Boot on SPL targets | |
| 62 | ------------------------------ | |
| 63 | - | |
| 64 | -This version of U-Boot is able to build a signable version of the SPL | |
| 65 | -as well as a signable version of the U-Boot image. The signature can | |
| 66 | -be verified through High Assurance Boot (HAB). | |
| 67 | - | |
| 68 | -After building, you need to create a command sequence file and use | |
| 69 | -i.MX HAB Code Signing Tool to sign both binaries. After creation, | |
| 70 | -the mkimage tool outputs the required information about the HAB Blocks | |
| 71 | -parameter for the CSF. During the build, the information is preserved | |
| 72 | -in log files named as the binaries. (SPL.log and u-boot-ivt.log). | |
| 73 | - | |
| 74 | -Example Output of the SPL (imximage) creation: | |
| 75 | - Image Type: Freescale IMX Boot Image | |
| 76 | - Image Ver: 2 (i.MX53/6/7 compatible) | |
| 77 | - Mode: DCD | |
| 78 | - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB | |
| 79 | - Load Address: 00907420 | |
| 80 | - Entry Point: 00908000 | |
| 81 | - HAB Blocks: 00907400 00000000 0000cc00 | |
| 82 | - | |
| 83 | -Example Output of the u-boot-ivt.img (firmware_ivt) creation: | |
| 84 | - Image Name: U-Boot 2016.11-rc1-31589-g2a4411 | |
| 85 | - Created: Sat Nov 5 21:53:28 2016 | |
| 86 | - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) | |
| 87 | - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB | |
| 88 | - Load Address: 17800000 | |
| 89 | - Entry Point: 00000000 | |
| 90 | - HAB Blocks: 0x177fffc0 0x0000 0x00054020 | |
| 91 | - | |
| 92 | -# Compile CSF and create signature | |
| 93 | -cst --o csf-u-boot.bin --i command_sequence_uboot.csf | |
| 94 | -cst --o csf-SPL.bin --i command_sequence_spl.csf | |
| 95 | -# Append compiled CSF to Binary | |
| 96 | -cat SPL csf-SPL.bin > SPL-signed | |
| 97 | -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img | |
| 98 | - | |
| 99 | -These two signed binaries can be used on an i.MX in closed | |
| 100 | -configuration when the according SRK Table Hash has been flashed. |