Commit graph

10 commits

Author SHA1 Message Date
Rasmus Villemoes
8519c9c98a tools/imximage: use 0x prefix in HAB Blocks line
The u-boot-ivt.img.log file contains 0x prefixes in the HAB Blocks line,
while the SPL.log does not. For consistency, and to make it easier to
extract and put into a .csf file for use with NXP's code signing tool,
add 0x prefixes here.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
2018-04-15 11:35:21 +02:00
Breno Lima
6d7403bf72 doc: mxc_hab: Update i.MX HAB documentation
The README.mxc_hab is outdated and need improvements, add the following
modifications:

- Reorganize document and remove duplicate content
- Add CST download link
- Update CST package name
- Align command lines with CST v2.3.3
- Update U-Boot binary name
- Remove CSF padding since is not documented in AN4581

Signed-off-by: Breno Lima <breno.lima@nxp.com>
2018-03-11 16:00:21 +01:00
Breno Lima
b887f0a68e doc: mxc_hab: Move HAB related info to the appropriate doc
Currently the High Assurance Boot procedure is documented in two
places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2018-03-11 16:00:16 +01:00
Fabio Estevam
79d0802953 doc: mxc_hab: Improve the config option list
The original text is from the time that the config options were not
converted to Kconfig.

After the conversion to Kconfig only CONFIG_SECURE_BOOT and
CONFIG_CMD_DEKBLOB need to be selected by the user.

The other config options are automatically selected by the Kconfig
logic.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Breno Lima <breno.lima@nxp.com>
2018-02-04 12:14:10 +01:00
Fabio Estevam
7a037cc91f README: mxc_hab: Adapt the CONFIG_SECURE_BOOT text to Kconfig
Commit 6e1f4d2652 ("arm: imx-common: add SECURE_BOOT option to
Kconfig") moved the CONFIG_SECURE_BOOT option to Kconfig, so update
the mxc_hab README file to reflect that.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
2017-01-27 10:34:14 +01:00
Ulises Cardenas
8148b82449 Fix mxc_hab documenation
It is necessary to modify the configuration file for the target
board. It wasn't well documented that to enable any of the secure
boot modes, it is required to add CONFIG_SECURE_BOOT to the board
configuration file.

Also, fixed a typo in the encrypted boot section.

Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
2015-05-15 19:20:46 +02:00
Ulises Cardenas
f97d112eb6 Fix mxc_hab documenation for DEK blob generation
Include/fsl_sec.h defines sec_in and sec_out, according to the
platform's endianess. Therefore, CONFIG_SYS_FSL_LE needs to be
declared in the configuration file of the target, in order to use
enable the DEK blob generation command. This requirement is not
explicit in the README.mxc_hab.

Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
2015-04-08 10:54:10 +02:00
Raul Cardenas
0200020bc2 imx6: Added DEK blob generator command
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>

Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
2015-03-02 09:57:06 +01:00
Wolfgang Denk
93e1459641 Coding Style cleanup: replace leading SPACEs by TABs
Signed-off-by: Wolfgang Denk <wd@denx.de>
[trini: Drop changes for PEP 4 following python tools]
Signed-off-by: Tom Rini <trini@ti.com>
2013-10-14 16:06:54 -04:00
Stefano Babic
0187c985aa tools: add support for setting the CSF into imximage
Add support for setting the CSF (Command Sequence File) pointer
which is used for HAB (High Assurance Boot) in the imximage by
adding e.g.

CSF 0x2000

in the imximage.cfg file.

This will set the CSF pointer accordingly just after the padded
data image area. The boot_data.length is adjusted with the
value from the imximage.cfg config file.

The resulting u-boot.imx can be signed with the FSL HAB tooling.
The generated CSF block needs to be appended to the u-boot.imx.

Signed-off-by: Stefano Babic <sbabic@denx.de>
2013-08-31 15:06:29 +02:00