mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-12 16:07:30 +00:00
d714a75fd4
CONFIG_SECURE_BOOT is too generic and forbids to use it for cross architecture purposes. If Secure Boot is required for imx, this means to enable and use the HAB processor in the soc. Signed-off-by: Stefano Babic <sbabic@denx.de>
43 lines
1.7 KiB
Text
43 lines
1.7 KiB
Text
1. Setup U-Boot Image for Encrypted Boot
|
|
----------------------------------------
|
|
An authenticated U-Boot image is used as starting point for
|
|
Encrypted Boot. The image is encrypted by i.MX Code Signing
|
|
Tool (CST). The CST replaces only the image data of
|
|
u-boot-dtb.imx with the encrypted data. The Initial Vector Table,
|
|
DCD, and Boot data, remains in plaintext.
|
|
|
|
The image data is encrypted with a Encryption Key (DEK).
|
|
Therefore, this key is needed to decrypt the data during the
|
|
booting process. The DEK is protected by wrapping it in a Blob,
|
|
which needs to be appended to the U-Boot image and specified in
|
|
the CSF file.
|
|
|
|
The DEK blob is generated by an authenticated U-Boot image with
|
|
the dek_blob cmd enabled. The image used for DEK blob generation
|
|
needs to have the following configurations enabled in Kconfig:
|
|
|
|
CONFIG_IMX_HAB=y
|
|
CONFIG_CMD_DEKBLOB=y
|
|
|
|
Note: The encrypted boot feature is only supported by HABv4 or
|
|
greater.
|
|
|
|
The dek_blob command then can be used to generate the DEK blob of
|
|
a DEK previously loaded in memory. The command is used as follows:
|
|
|
|
dek_blob <DEK address> <Output Address> <Key Size in Bits>
|
|
example: dek_blob 0x10800000 0x10801000 192
|
|
|
|
The resulting DEK blob then is used to construct the encrypted
|
|
U-Boot image. Note that the blob needs to be transferred back
|
|
to the host.Then the following commands are used to construct
|
|
the final image.
|
|
|
|
cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx
|
|
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
|
|
u-boot-signed.imx u-boot-signed-pad.bin
|
|
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
|
|
|
|
NOTE: u-boot-signed.bin needs to be padded to the value
|
|
equivalent to the address in which the DEK blob is specified
|
|
in the CSF.
|