+===============================================================+
+  i.MX6, i.MX7 U-Boot HABv4 Secure Boot guide for SPL targets  +
+===============================================================+

1. HABv4 secure boot process
-----------------------------

This document is an addendum to the mx6_mx7_secure_boot.txt guide. It describes
a step-by-step procedure for signing and securely booting a U-Boot image on
SPL targets.

Details about HAB can be found in the application note AN4581[1] and in the
introduction_habv4.txt document.

1.1 Building a SPL target supporting secure boot
-------------------------------------------------

U-Boot provides Second Program Loader (SPL) support, which generates two
final images: SPL and U-Boot proper. HABv4 can be used to authenticate
both binaries.

Out of reset, the ROM code authenticates the SPL, which is responsible for
initializing essential features such as DDR, UART, PMIC and clock
enablement. Once the DDR is available, the SPL code loads the U-Boot proper
image to its specific execution address and calls the HAB APIs to extend the
root of trust.

U-Boot provides support for the secure boot configuration and also provides
access to the HAB APIs exposed by the ROM vector table. This support is
enabled by selecting the CONFIG_SECURE_BOOT option.

When built with this configuration, U-Boot correctly pads the final SPL
image by aligning to the next 0xC00 address, so the CSF signature data
generated by CST can be concatenated to the image.

U-Boot also appends an Image Vector Table (IVT) to the final U-Boot proper
binary (u-boot-ivt.img) so it can be used by the HAB API in a post-ROM stage.

The diagram below illustrates a signed SPL image layout:

     ------- +-----------------------------+ <-- *start
         ^   |     Image Vector Table      |
         |   +-----------------------------+ <-- *boot_data
         |   |          Boot Data          |
         |   +-----------------------------+
  Signed |   |           Padding           |
   Data  |   +-----------------------------+ <-- *entry
         |   |                             |
         |   |             SPL             |
         |   |                             |
         |   +-----------------------------+
         v   |           Padding           |
     ------- +-----------------------------+ <-- *csf
             |                             |
             | Command Sequence File (CSF) |
             |                             |
             +-----------------------------+
             |     Padding (optional)      |
             +-----------------------------+

The diagram below illustrates a signed u-boot-ivt.img image layout:

     ------- +-----------------------------+ <-- *load_address
         ^   |                             |
         |   |                             |
         |   |         u-boot.img          |
  Signed |   |                             |
   Data  |   |                             |
         |   +-----------------------------+
         |   |    Padding Next Boundary    |
         |   +-----------------------------+ <-- *ivt
         v   |     Image Vector Table      |
     ------- +-----------------------------+ <-- *csf
             |                             |
             | Command Sequence File (CSF) |
             |                             |
             +-----------------------------+
             |     Padding (optional)      |
             +-----------------------------+

1.2 Enabling the secure boot support
-------------------------------------

The first step is to generate a U-Boot image supporting the HAB features
mentioned above. This can be achieved by adding CONFIG_SECURE_BOOT to the
build configuration:

- Defconfig:

  CONFIG_SECURE_BOOT=y

- Kconfig:

  ARM architecture -> Support i.MX HAB features

1.3 Creating the CSF description file
--------------------------------------

The CSF contains all the commands that the HAB executes during the secure
boot. These commands instruct the HAB code on which memory areas of the image
to authenticate, which keys to install and use, and so on.

CSF examples are available under the doc/imx/habv4/csf_examples/ directory.

Build logs containing the "Authenticate Data" parameters are available after
the U-Boot build. The example below is a log for the mx6sabresd_defconfig
target:

- SPL build log:

  $ cat SPL.log
  Image Type:   Freescale IMX Boot Image
  Image Ver:    2 (i.MX53/6/7 compatible)
  Mode:         DCD
  Data Size:    69632 Bytes = 68.00 KiB = 0.07 MiB
  Load Address: 00907420
  Entry Point:  00908000
  HAB Blocks:   0x00907400 0x00000000 0x0000ec00

- u-boot-ivt.img build log:

  $ cat u-boot-ivt.img.log
  Image Name:   U-Boot 2019.01-00003-g78ee492eb3
  Created:      Mon Jan 14 17:58:10 2019
  Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
  Data Size:    458688 Bytes = 447.94 KiB = 0.44 MiB
  Load Address: 17800000
  Entry Point:  00000000
  HAB Blocks:   0x177fffc0 0x0000 0x0006e020

As explained in the section above, the SPL is first authenticated by the ROM
code and the root of trust is then extended to the U-Boot image, hence two CSF
files are necessary to completely sign a bootloader image.

In the "Authenticate Data" CSF command, users can copy and paste the output
addresses. The csf_uboot.txt file can be used as an example:

- In csf_SPL.txt:

  Block = 0x00907400 0x00000000 0x0000ec00 "SPL"

- In csf_uboot-ivt.txt:

  Block = 0x177fffc0 0x0000 0x0006e020 "u-boot-ivt.img"
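
Added example (not part of the U-Boot documentation): a shell helper that reads the "HAB Blocks" values from a build log and prints the matching Block line, refusing when the signed region does not end exactly at the end of the image file. That check is an assumption drawn from the layout diagrams, where the CSF starts where the signed data ends; the function names and the zero-filled stand-in file are made up for the illustration.

```sh
#!/bin/sh
# Added example: build the CSF "Authenticate Data" Block line from a U-Boot
# build log and check it against the image file that will be signed.

# Print "address offset length" from the single "HAB Blocks:" line of log $1.
hab_fields() {
    awk '/^[ \t]*HAB Blocks:/ { n++; nf = NF; a = $3; o = $4; l = $5 }
         END { if (n != 1 || nf != 5) exit 1; print a, o, l }' "$1"
}

# Print the Block line for image $2 using log $1.
# Returns 1 if the log is malformed, 2 if the signed region does not end at
# the end of the file (assumption: the CSF is appended to the image, so it
# must start exactly where the signed data ends).
csf_block_line() {
    log=$1; img=$2
    fields=$(hab_fields "$log") || {
        echo "$log: need exactly one HAB Blocks line" >&2; return 1; }
    set -- $fields
    addr=$1; off=$2; len=$3
    size=$(( $(wc -c < "$img") ))      # normalise wc output to an integer
    end=$(( $off + $len ))             # 0x-prefixed values are read as hex
    if [ "$end" -ne "$size" ]; then
        echo "$img: signed region ends at byte $end, file has $size bytes" >&2
        return 2
    fi
    printf 'Block = %s %s %s "%s"\n' "$addr" "$off" "$len" "$img"
}

# Demo on constructed input: the SPL.log values shown above and a zero-filled
# stand-in file of 0xec00 bytes (59 KiB), not a real SPL binary.
demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      printf 'HAB Blocks:   0x00907400 0x00000000 0x0000ec00\n' > SPL.log &&
      dd if=/dev/zero of=SPL bs=1024 count=59 2>/dev/null &&
      csf_block_line SPL.log SPL )
    rc=$?; rm -rf "$d"; return $rc
}
demo
```
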

1.4 Signing the images
-----------------------

The CST tool is used for signing the U-Boot binary and generating a CSF binary.
Users should input the CSF description file created in the step above and
receive a CSF binary, which contains the CSF commands, SRK table, signatures
and certificates.

- Create SPL CSF binary file:

  $ ./cst -i csf_SPL.txt -o csf_SPL.bin

- Append CSF signature to the end of SPL image:

  $ cat SPL csf_SPL.bin > SPL-signed

- Create U-Boot proper CSF binary file:

  $ ./cst -i csf_uboot-ivt.txt -o csf_uboot-ivt.bin

- Append CSF signature to the end of U-Boot proper image:

  $ cat u-boot-ivt.img csf_uboot-ivt.bin > u-boot-signed.img

The bootloader is now signed and can be flashed into the boot media.

1.5 Closing the device
-----------------------

The procedure for closing the device is similar to that for non-SPL targets.
For the complete procedure, please refer to section "1.5 Programming SRK Hash"
in the mx6_mx7_secure_boot.txt document available under the
doc/imx/habv4/guides/ directory.

References:
[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
    HABv4" - Rev 2.