From b887f0a68e38d18ec93ff9a0b3d2e57597bf8e83 Mon Sep 17 00:00:00 2001 From: Breno Lima Date: Thu, 22 Feb 2018 00:42:55 +0000 Subject: [PATCH] doc: mxc_hab: Move HAB related info to the appropriate doc Currently the High Assurance Boot procedure is documented in two places: - doc/README.imx6 - doc/README.mxc_hab It is better to consolidate all HAB related information into README.mxc_hab file, so move the content from README.imx6 to README.mxc_hab. Signed-off-by: Breno Lima Reviewed-by: Fabio Estevam --- doc/README.imx6 | 48 -------------------------------------- doc/README.mxc_hab | 57 +++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 54 insertions(+), 51 deletions(-) diff --git a/doc/README.imx6 b/doc/README.imx6 index 2e8f1d8a8a..b0644f8491 100644 --- a/doc/README.imx6 +++ b/doc/README.imx6 @@ -113,51 +113,3 @@ issue the command: In order to load SPL and u-boot.img via imx_usb_loader tool, please refer to doc/README.sdp. -3. Using Secure Boot on i.MX6 machines with SPL support -------------------------------------------------------- - -This version of U-Boot is able to build a signable version of the SPL -as well as a signable version of the U-Boot image. The signature can -be verified through High Assurance Boot (HAB). - -CONFIG_SECURE_BOOT is needed to build those two binaries. -After building, you need to create a command sequence file and use -Freescales Code Signing Tool to sign both binaries. After creation, -the mkimage tool outputs the required information about the HAB Blocks -parameter for the CSF. During the build, the information is preserved -in log files named as the binaries. (SPL.log and u-boot-ivt.log). - -More information about the CSF and HAB can be found in the AN4581. -https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf - -We don't want to explain how to create a PKI tree or SRK table as -this is well explained in the Application Note. - -Example Output of the SPL (imximage) creation: - Image Type: Freescale IMX Boot Image - Image Ver: 2 (i.MX53/6/7 compatible) - Mode: DCD - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB - Load Address: 00907420 - Entry Point: 00908000 - HAB Blocks: 00907400 00000000 0000cc00 - -Example Output of the u-boot-ivt.img (firmware_ivt) creation: - Image Name: U-Boot 2016.11-rc1-31589-g2a4411 - Created: Sat Nov 5 21:53:28 2016 - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB - Load Address: 17800000 - Entry Point: 00000000 - HAB Blocks: 0x177fffc0 0x0000 0x00054020 - -The CST (Code Signing Tool) can be downloaded from NXP. -# Compile CSF and create signature -./cst --o csf-u-boot.bin < command_sequence_uboot.csf -./cst --o csf-SPL.bin < command_sequence_spl.csf -# Append compiled CSF to Binary -cat SPL csf-SPL.bin > SPL-signed -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img - -These two signed binaries can be used on an i.MX6 in closed -configuration when the according SRK Table Hash has been flashed. diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab index 4bd07d3151..056ade7723 100644 --- a/doc/README.mxc_hab +++ b/doc/README.mxc_hab @@ -1,4 +1,5 @@ -High Assurance Boot (HAB) for i.MX6 CPUs +1. High Assurance Boot (HAB) for i.MX CPUs +------------------------------------------ To enable the authenticated or encrypted boot mode of U-Boot, it is required to set the proper configuration for the target board. This @@ -52,8 +53,58 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file. -Setup U-Boot Image for Encrypted Boot -------------------------------------- + +2. Using Secure Boot on i.MX6 machines with SPL support +------------------------------------------------------- + +This version of U-Boot is able to build a signable version of the SPL +as well as a signable version of the U-Boot image. The signature can +be verified through High Assurance Boot (HAB). + +CONFIG_SECURE_BOOT is needed to build those two binaries. +After building, you need to create a command sequence file and use +Freescales Code Signing Tool to sign both binaries. After creation, +the mkimage tool outputs the required information about the HAB Blocks +parameter for the CSF. During the build, the information is preserved +in log files named as the binaries. (SPL.log and u-boot-ivt.log). + +More information about the CSF and HAB can be found in the AN4581. +https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf + +We don't want to explain how to create a PKI tree or SRK table as +this is well explained in the Application Note. + +Example Output of the SPL (imximage) creation: + Image Type: Freescale IMX Boot Image + Image Ver: 2 (i.MX53/6/7 compatible) + Mode: DCD + Data Size: 61440 Bytes = 60.00 kB = 0.06 MB + Load Address: 00907420 + Entry Point: 00908000 + HAB Blocks: 00907400 00000000 0000cc00 + +Example Output of the u-boot-ivt.img (firmware_ivt) creation: + Image Name: U-Boot 2016.11-rc1-31589-g2a4411 + Created: Sat Nov 5 21:53:28 2016 + Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) + Data Size: 352192 Bytes = 343.94 kB = 0.34 MB + Load Address: 17800000 + Entry Point: 00000000 + HAB Blocks: 0x177fffc0 0x0000 0x00054020 + +The CST (Code Signing Tool) can be downloaded from NXP. +# Compile CSF and create signature +./cst --o csf-u-boot.bin < command_sequence_uboot.csf +./cst --o csf-SPL.bin < command_sequence_spl.csf +# Append compiled CSF to Binary +cat SPL csf-SPL.bin > SPL-signed +cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img + +These two signed binaries can be used on an i.MX6 in closed +configuration when the according SRK Table Hash has been flashed. + +3. Setup U-Boot Image for Encrypted Boot +----------------------------------------- An authenticated U-Boot image is used as starting point for Encrypted Boot. The image is encrypted by Freescale's Code Signing Tool (CST). The CST replaces only the image data of -- 2.39.5