X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2FREADME.imx6;h=2e8f1d8a8abd4ab4e7af48eeebe814a2bc85bc5a;hb=3ffa5288c86e4cd97940313ad408da88db841826;hp=1823fb2c9d9cf20263b5fe4fbcbaf8d6249f1a89;hpb=595af9db2422fa5ae734cfe615415b17a5098f34;p=u-boot diff --git a/doc/README.imx6 b/doc/README.imx6 index 1823fb2c9d..2e8f1d8a8a 100644 --- a/doc/README.imx6 +++ b/doc/README.imx6 @@ -91,7 +91,7 @@ Word 0x00000002: 9f027772 00000004 2. Using imx_usb_loader for first install with SPL -------------------------------------------------- -imx_usb_loader is a very nice tool by BoundaryDevice that +imx_usb_loader is a very nice tool by Boundary Devices that allow to install U-Boot without a JTAG debugger, using the USB boot mode as described in the manual. It is a replacement for Freescale's MFGTOOLS. @@ -110,31 +110,54 @@ issue the command: sudo ../imx_usb_loader/imx_usb -v u-boot.imx -Getting U-Boot when SPL support is active, it requires -two downloads. imx_usb_loader downloads the SPL into -OCRAM and starts it. SPL will check for a valid u-boot.img, and -because it is not found, it will wait for it using the y-modem -protocol via the console. - -A first install is then possible by combining imx_usb_loader with -another tool such as kermit. - -sudo ../imx_usb_loader/imx_usb -v SPL -kermit kermit_uboot - -and kermit_uboot contains something like this (set line should be adjusted): - -set line /dev/ttyUSB1 -set speed 115200 -SET CARRIER-WATCH OFF -set flow-control none -set handshake none -set prefixing all -set file type bin -set protocol ymodem -send u-boot.img -c - -The last "c" command tells kermit (from ckermit package in most distros) -to switch from command line mode to communication mode, and when the -script is finished, the U-Boot prompt is shown in the same shell. +In order to load SPL and u-boot.img via imx_usb_loader tool, +please refer to doc/README.sdp. + +3. Using Secure Boot on i.MX6 machines with SPL support +------------------------------------------------------- + +This version of U-Boot is able to build a signable version of the SPL +as well as a signable version of the U-Boot image. The signature can +be verified through High Assurance Boot (HAB). + +CONFIG_SECURE_BOOT is needed to build those two binaries. +After building, you need to create a command sequence file and use +Freescales Code Signing Tool to sign both binaries. After creation, +the mkimage tool outputs the required information about the HAB Blocks +parameter for the CSF. During the build, the information is preserved +in log files named as the binaries. (SPL.log and u-boot-ivt.log). + +More information about the CSF and HAB can be found in the AN4581. +https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf + +We don't want to explain how to create a PKI tree or SRK table as +this is well explained in the Application Note. + +Example Output of the SPL (imximage) creation: + Image Type: Freescale IMX Boot Image + Image Ver: 2 (i.MX53/6/7 compatible) + Mode: DCD + Data Size: 61440 Bytes = 60.00 kB = 0.06 MB + Load Address: 00907420 + Entry Point: 00908000 + HAB Blocks: 00907400 00000000 0000cc00 + +Example Output of the u-boot-ivt.img (firmware_ivt) creation: + Image Name: U-Boot 2016.11-rc1-31589-g2a4411 + Created: Sat Nov 5 21:53:28 2016 + Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) + Data Size: 352192 Bytes = 343.94 kB = 0.34 MB + Load Address: 17800000 + Entry Point: 00000000 + HAB Blocks: 0x177fffc0 0x0000 0x00054020 + +The CST (Code Signing Tool) can be downloaded from NXP. +# Compile CSF and create signature +./cst --o csf-u-boot.bin < command_sequence_uboot.csf +./cst --o csf-SPL.bin < command_sequence_spl.csf +# Append compiled CSF to Binary +cat SPL csf-SPL.bin > SPL-signed +cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img + +These two signed binaries can be used on an i.MX6 in closed +configuration when the according SRK Table Hash has been flashed.