Commit graph

14 commits

Author SHA1 Message Date
Tim Harvey
ff1dd52024 mx8m: csf.sh: use vars for keys to avoid file edits when signing
The csf_spl.txt and csf_fit.txt templates contain file paths which must
be edited for the location of your NXP CST generated key files.

Streamline the process of signing an image by assigning unique var names
to these which can be expended from env variables in the csf.sh script.

The following vars are used:
 SRK_TABLE - full path to SRK_1_2_3_4_table.bin
 CSF_KEY - full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 IMG_KEY - full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem

Additionally provide an example of running the csf.sh script.

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
2023-07-13 11:29:40 +02:00
Fabio Estevam
f5d98b01e1 doc: imx: habv4: Fix typo in 'signing'
Fix two occurrences where 'signing' is misspelled.

Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Tim Harvey <tharvey@gateworks.com>
2023-07-03 10:20:13 -04:00
Marek Vasut
6039e0edc8 imx: hab: Simplify the mechanism
The current mechanism is unnecessarily complex. Simplify the whole mechanism
such that the entire fitImage is signed, IVT is placed at the end, followed
by CSF, and this entire bundle is also authenticated. This makes the signing
scripting far simpler.

Signed-off-by: Marek Vasut <marex@denx.de>
2023-06-24 13:47:02 -04:00
Simon Glass
984639039f Rename CONFIG_SYS_TEXT_BASE to CONFIG_TEXT_BASE
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().

Rename it to resolve this problem.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-10-31 11:01:31 -04:00
Fabio Estevam
8b9d90d634 mx8m: csf.sh: Fix the calculation of fit_block_size
When running the script to sign SPL/U-Boot on a kontron-sl-mx8mm board,
the fit_block_size was calculated as 0x1000 instead of 0x1020.

Add an extra parenthesis pair to fix it.

Signed-off-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
2022-09-21 16:19:45 +02:00
Marek Vasut
0c2c1c9415 doc: imx: habv4: Add Secure Boot guide for i.MX8M SPL targets
Add HABv4 documentation extension for SPL targets covering the
following topics:

- How to sign an securely boot an flash.bin container image.
- How to extend the root of trust for additional boot images.
- Add SPL and fitImage CSF examples.
- Add signature generation script example.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <festevam@denx.de>
Cc: Heiko Schocher <hs@denx.de>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Ye Li <ye.li@nxp.com>
2022-09-18 20:42:56 +02:00
Breno Lima
58f75efeaf mx7ulp: hab: Add hab_status command for HABv4 M4 boot
When booting in low power or dual boot modes the M4 binary is
authenticated by the M4 ROM code.

Add an option in hab_status command so users can retrieve M4 HAB
failure and warning events.

=> hab_status m4

   Secure boot disabled

   HAB Configuration: 0xf0, HAB State: 0x66
   No HAB Events Found!

Add command documentation in mx6_mx7_secure_boot.txt guide.

As HAB M4 API cannot be called from A7 core the code is parsing
the M4 HAB persistent memory region. The HAB persistent memory
stores HAB events, public keys and others HAB related information.

The HAB persistent memory region addresses and sizes can be found
in AN12263 "HABv4 RVT Guidelines and Recommendations".

Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 09:18:29 +02:00
Stefano Babic
d714a75fd4 imx: replace CONFIG_SECURE_BOOT with CONFIG_IMX_HAB
CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.

Signed-off-by: Stefano Babic <sbabic@denx.de>
2019-10-08 16:36:37 +02:00
Breno Matheus Lima
2dd652e665 doc: imx: habv4: Remove secure_boot.txt guide
The secure_boot.txt guide was replaced by mx6_mx7_secure_boot.txt and
mx6_mx7_spl_secure_boot.txt documents.

Both documents covers all steps needed for SPL and non-SPL tagets,
so remove secure_boot.txt file to avoid duplicated content.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:55:39 +01:00
Breno Matheus Lima
364c0a89bc doc: imx: habv4: Move encrypted boot guide
All guides are currently located at doc/imx/habv4/guides/ directory.

Move encrypted_boot.txt document to guides directory.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:47:13 +01:00
Breno Matheus Lima
cfb50207e5 doc: imx: habv4: Add Secure Boot guide for i.MX6 and i.MX7 SPL targets
The current U-Boot implementation includes SPL targets for
some NXP development boards:

- mx6sabreauto_defconfig
- mx6sabresd_defconfig
- mx6ul_14x14_evk_defconfig
- mx6ul_9x9_evk_defconfig

Add additional steps needed to completly secure the
bootloader image.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:59 +01:00
Breno Matheus Lima
872cfa20cd doc: imx: habv4: Add Secure Boot guide for i.MX6 and i.MX7 non-SPL targets
Add HABv4 documentation for non-SPL targets covering the
following topics:

- How to sign an securely boot an u-boot-dtb.imx image.
- How to extend the root of trust for additional boot images.
- Add 3 CSF examples.
- Add IVT generation script example.

Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:45 +01:00
Breno Matheus Lima
cbc4b0418c doc: imx: habv4: Add HABv4 introduction
The HABv4 is supported in i.MX50, i.MX53, i.MX6, i.MX7,
series and i.MX 8M, i.MX8MM devices.

Add an introductory document containing the following topics:

- HABv4 Introduction
- HABv4 Secure Boot
- HABv4 Encrypted Boot
- HAB PKI tree generation
- HAB Fast Authentication PKI tree generation
- SRK Table and SRK Hash generation

Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:31 +01:00
Breno Matheus Lima
8a23fc9c94 doc: imx: habv4: Remove extra hab directory for a cleaner documentation structure
There is no need to have an extra hab directory under doc/imx/.

Habv4 and AHAB documentation can be added directly in doc/imx/ for a
cleaner documentation structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2019-02-15 12:46:18 +01:00