mirror of
https://github.com/AsahiLinux/u-boot
synced 2025-01-11 20:59:01 +00:00
294 lines
10 KiB
Text
294 lines
10 KiB
Text
|
+=========================================================+
|
||
|
+ i.MX 8, i.MX 8X Encrypted Boot guide using AHAB +
|
||
|
+=========================================================+
|
||
|
|
||
|
1. AHAB Encrypted Boot process
|
||
|
-------------------------------
|
||
|
|
||
|
This document describes a step-by-step procedure on how to encrypt and sign a
|
||
|
bootloader image for i.MX8/8x family devices. It is assumed that the reader
|
||
|
is familiar with basic AHAB concepts and has already closed the device,
|
||
|
step-by-step procedure can be found in mx8_mx8x_secure_boot.txt and
|
||
|
mx8_mx8x_spl_secure_boot.txt guides.
|
||
|
|
||
|
The steps described in this document were based in i.MX8QM device, the same
|
||
|
concept can be applied to others processors in i.MX8/8X family devices.
|
||
|
|
||
|
1.1 Understanding the encrypted image signature block
|
||
|
------------------------------------------------------
|
||
|
|
||
|
As described in mx8_mx8x_secure_boot.txt guide a single binary is used to boot
|
||
|
the device. The imx-mkimage tool combines all the input images in a container
|
||
|
structure, generating a flash.bin binary.
|
||
|
|
||
|
AHAB is able to decrypt image containers by calling SECO authentication
|
||
|
functions, the image must be encrypted by CST and the resulting DEK (Data
|
||
|
Encryption Key) must be encapsulated and included into the container signature
|
||
|
block:
|
||
|
|
||
|
+----------------------------+
|
||
|
| | ^
|
||
|
| | |
|
||
|
| Container header | |
|
||
|
| | |
|
||
|
| | |
|
||
|
+---+------------------------+ |
|
||
|
| S | Signature block header | | Signed
|
||
|
| i +------------------------+ |
|
||
|
| g | | |
|
||
|
| n | | |
|
||
|
| a | SRK table | |
|
||
|
| t | | |
|
||
|
| u | | v
|
||
|
| r +------------------------+
|
||
|
| e | Signature |
|
||
|
| +------------------------+
|
||
|
| B | |
|
||
|
| l | SGK Key |
|
||
|
| o | Certificate (optional) |
|
||
|
| c | |
|
||
|
| k +------------------------+
|
||
|
| | DEK Blob |
|
||
|
+---+------------------------+
|
||
|
|
||
|
1.1.1 Understanding and generating the DEK blob
|
||
|
------------------------------------------------
|
||
|
|
||
|
The encrypted boot image requires a DEK blob on each time AHAB is used to
|
||
|
decrypt an image. The DEK blob is used as a security layer to wrap and store
|
||
|
the DEK off-chip using the OTPMK which is unique per device.
|
||
|
|
||
|
On i.MX8/8x devices the DEK blob is generated using the SECO API, the following
|
||
|
funtion is available in U-Boot and can be executed through dek_blob command:
|
||
|
|
||
|
- sc_seco_gen_key_blob(sc_ipc_t ipc, uint32_t id, sc_faddr_t load_addr,
|
||
|
sc_faddr_t export_addr, uint16_t max_size)
|
||
|
|
||
|
Details in API usage can be found in SCFW API guide [1].
|
||
|
|
||
|
1.2 Enabling the encrypted boot support in U-Boot
|
||
|
--------------------------------------------------
|
||
|
|
||
|
For deploying an encrypted boot image additional U-Boot tools are needed,
|
||
|
please be sure to have the following features enabled, this can be achieved
|
||
|
by following one of the methods below:
|
||
|
|
||
|
- Defconfig:
|
||
|
|
||
|
CONFIG_AHAB_BOOT=y
|
||
|
CONFIG_CMD_DEKBLOB=y
|
||
|
CONFIG_IMX_SECO_DEK_ENCAP=y
|
||
|
CONFIG_FAT_WRITE=y
|
||
|
|
||
|
- Kconfig:
|
||
|
|
||
|
ARM architecture -> Support i.MX8 AHAB features
|
||
|
ARM architecture -> Support the 'dek_blob' command
|
||
|
File systems -> Enable FAT filesystem support-> Enable FAT filesystem
|
||
|
write support
|
||
|
|
||
|
1.3 Enabling the encrypted boot support in CST
|
||
|
-----------------------------------------------
|
||
|
|
||
|
The encryption feature is not enabled by default in Code Signing tools (CST).
|
||
|
The CST backend must be recompiled, execute the following commands to enable
|
||
|
encryption support in CST:
|
||
|
|
||
|
$ sudo apt-get install libssl-dev openssl
|
||
|
$ cd <CST install directory>/code/back_end/src
|
||
|
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c
|
||
|
-lfrontend -lcrypto
|
||
|
$ cp cst_encrypted ../../../linux64/bin/
|
||
|
|
||
|
1.4 Preparing the image container
|
||
|
----------------------------------
|
||
|
|
||
|
The container generation is explained in and mx8_mx8x_secure_boot.txt and
|
||
|
mx8_mx8x_spl_secure_boot.txt guides. This document is based in imx-mkimage
|
||
|
flash target (2 containers in flash.bin).
|
||
|
|
||
|
- Assembly flash.bin binary:
|
||
|
|
||
|
$ make SOC=<SoC Name> flash
|
||
|
|
||
|
The mkimage log is used during the encrypted boot procedure to create the
|
||
|
Command Sequence File (CSF):
|
||
|
|
||
|
CST: CONTAINER 0 offset: 0x400
|
||
|
CST: CONTAINER 0: Signature Block: offset is at 0x590
|
||
|
DONE.
|
||
|
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
|
||
|
|
||
|
1.6 Creating the CSF description to encrypt the 2nd container
|
||
|
--------------------------------------------------------------
|
||
|
|
||
|
The csf_enc_boot_image.txt available under ahab/csf_examples/ can be used as
|
||
|
example for encrypting the flash.bin binary, the main change is the Install
|
||
|
Secret Key command that must be added after Authenticate Data command.
|
||
|
|
||
|
[Install Secret Key]
|
||
|
Key = "dek.bin"
|
||
|
Key Length = 128
|
||
|
#Key Identifier = 0x1234CAFE
|
||
|
Image Indexes = 0xFFFFFFFE
|
||
|
|
||
|
By default all images are encrypted and image indexes parameter can be used
|
||
|
to mask the images indexes that must be encrypted, on this example only the
|
||
|
2nd container will be encrypted.
|
||
|
|
||
|
Optionally users can provide a key identifier that must match the value
|
||
|
provided during the blob generation, by default its value is zero.
|
||
|
|
||
|
1.7 Encrypting the 2nd container
|
||
|
---------------------------------
|
||
|
|
||
|
The image is encrypted using the Code Signing Tool. The tool generates the
|
||
|
encrypted image and a random dek.bin file.
|
||
|
|
||
|
- Encrypt flash.bin binary:
|
||
|
|
||
|
$ ./cst_encrypted -i csf_enc_boot_image.txt -o enc_flash.bin
|
||
|
The DEK BLOB must be inserted at offset 0x7c0 (its expected size is 72 bytes)
|
||
|
CSF Processed successfully and signed image available in enc_boot_image.bin
|
||
|
|
||
|
The output log will be used in a later step to insert the DEK blob into the
|
||
|
signature block.
|
||
|
|
||
|
1.8 Generating the DEK Blob
|
||
|
----------------------------
|
||
|
|
||
|
The DEK must be encapsulated into a CAAM blob so it can be included into the
|
||
|
final encrypted binary. The U-Boot provides a tool called dek_blob which is
|
||
|
calling the SECO blob encapsulation API.
|
||
|
|
||
|
Copy the dek.bin in SDCard FAT partition and run the following commands from
|
||
|
U-Boot prompt:
|
||
|
|
||
|
=> mmc list
|
||
|
FSL_SDHC: 1 (SD)
|
||
|
FSL_SDHC: 2
|
||
|
=> fatload mmc 1:1 0x80280000 dek.bin
|
||
|
=> dek_blob 0x80280000 0x80280100 128
|
||
|
=> fatwrite mmc 1:1 0x80280100 dek_blob.bin 0x48
|
||
|
|
||
|
In host PC copy the generated dek_blob.bin to the CST directory.
|
||
|
|
||
|
1.9 Assembling the encrypted image
|
||
|
-----------------------------------
|
||
|
|
||
|
The DEK blob generated in the step above have to be inserted into the container
|
||
|
signature block.
|
||
|
|
||
|
The CSF log is used to determine the DEK Blob offset:
|
||
|
|
||
|
The DEK BLOB must be inserted at offset 0x7c0 (its expected size is 72 bytes)
|
||
|
CSF Processed successfully and signed image available in enc_boot_image.bin
|
||
|
|
||
|
- Insert DEK Blob into container signature block:
|
||
|
|
||
|
$ dd if=dek_blob.bin of=enc_flash.bin bs=1 seek=$((0x7c0)) conv=notrunc
|
||
|
|
||
|
1.10 Flashing the encrypted boot image
|
||
|
---------------------------------------
|
||
|
|
||
|
The same offset is used for encrypted boot images, in case booting from
|
||
|
eMMC/SDCard the offset is 32K.
|
||
|
|
||
|
- Flash encrypted image in SDCard:
|
||
|
|
||
|
$ sudo dd if=enc_flash.bin of=/dev/sd<x> bs=1K seek=32 && sync
|
||
|
|
||
|
2.0 Encrypting a standalone container
|
||
|
--------------------------------------
|
||
|
|
||
|
CST is also able to encrypt additional images containers, the steps documented
|
||
|
in this section are based in OS container but can be also applied to SPL
|
||
|
targets and 3rd containers.
|
||
|
|
||
|
2.1 Creating the OS container
|
||
|
------------------------------
|
||
|
|
||
|
As explained in mx8_mx8x_secure_boot.txt guide the imx-mkimage tool is used to
|
||
|
generate an image container for OS images, the mkimage log is used during the
|
||
|
encrypted boot procedure to create the Command Sequence File (CSF).
|
||
|
|
||
|
- Creating OS container:
|
||
|
|
||
|
$ make SOC=<SoC Name> flash_kernel
|
||
|
...
|
||
|
CST: CONTAINER 0 offset: 0x0
|
||
|
CST: CONTAINER 0: Signature Block: offset is at 0x110
|
||
|
|
||
|
2.2 Creating the CSF description file for standalone container
|
||
|
---------------------------------------------------------------
|
||
|
|
||
|
The Image Indexes parameter is used to mask the images that are encrypted by
|
||
|
CST, as a single container is used for OS images the Image Indexes command can
|
||
|
be commented or set to 0xFFFFFFFF.
|
||
|
|
||
|
[Install Secret Key]
|
||
|
Key = "dek_os.bin"
|
||
|
Key Length = 128
|
||
|
#Key Identifier = 0x1234CAFE
|
||
|
Image Indexes = 0xFFFFFFFF
|
||
|
|
||
|
2.3 Encrypting the standalone container
|
||
|
----------------------------------------
|
||
|
|
||
|
As explained in section 1.7 the CST generates the encrypted image and a random
|
||
|
dek.bin file.
|
||
|
|
||
|
- Encrypt the standalone container:
|
||
|
|
||
|
$ ./cst_encrypted -i csf_linux_img.txt -o enc_flash_os.bin
|
||
|
The DEK BLOB must be inserted at offset 0x340 (its expected size is 72 bytes)
|
||
|
CSF Processed successfully and signed image available in enc_flash_os.bin
|
||
|
|
||
|
The output log will be used in a later step to insert the DEK blob into the
|
||
|
signature block.
|
||
|
|
||
|
2.4 Generating the DEK Blob for standalone container
|
||
|
----------------------------------------------------
|
||
|
|
||
|
Similar to section 1.8 the DEK must be encapsulated into a CAAM blob so it can
|
||
|
be included into the final encrypted binary.
|
||
|
|
||
|
Copy the dek_os.bin in SDCard FAT partition and run the following commands from
|
||
|
U-Boot prompt:
|
||
|
|
||
|
=> mmc list
|
||
|
FSL_SDHC: 1 (SD)
|
||
|
FSL_SDHC: 2
|
||
|
=> fatload mmc 1:1 0x80280000 dek_os.bin
|
||
|
=> dek_blob 0x80280000 0x80280100 128
|
||
|
=> fatwrite mmc 1:1 0x80280100 dek_blob_os.bin 0x48
|
||
|
|
||
|
In host PC copy the generated dek_blob_os.bin to the CST directory.
|
||
|
|
||
|
2.5 Assembling the encrypted image
|
||
|
-----------------------------------
|
||
|
|
||
|
The DEK blob generated in the step above have to be inserted into the container
|
||
|
signature block.
|
||
|
|
||
|
The CSF log is used to determine the DEK Blob offset:
|
||
|
|
||
|
The DEK BLOB must be inserted at offset 0x340 (its expected size is 72 bytes)
|
||
|
CSF Processed successfully and signed image available in enc_flash_os.bin
|
||
|
|
||
|
- Insert DEK Blob into container signature block:
|
||
|
|
||
|
$ dd if=dek_blob_os.bin of=enc_flash_os.bin bs=1 seek=$((0x340)) conv=notrunc
|
||
|
|
||
|
2.6 Copy encrypted image to SDCard
|
||
|
-----------------------------------
|
||
|
|
||
|
The encrypted container can be copied to SDCard FAT partition, please note
|
||
|
that U-Boot requires signed and encrypted containers to be named as
|
||
|
os_cntr_signed.bin.
|
||
|
|
||
|
$ sudo cp enc_flash_os.bin /media/UserID/Boot\ imx8/os_cntr_signed.bin
|
||
|
|
||
|
References:
|
||
|
[1] SCFW API guide: "System Controller Firmware API Reference Guide - Rev 1.5"
|