u-boot/doc/README.mxc_hab
Ulises Cardenas 8148b82449 Fix mxc_hab documenation
It is necessary to modify the configuration file for the target
board. It wasn't well documented that to enable any of the secure
boot modes, it is required to add CONFIG_SECURE_BOOT to the board
configuration file.

Also, fixed a typo in the encrypted boot section.

Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
2015-05-15 19:20:46 +02:00

103 lines
3.7 KiB
Text

High Assurance Boot (HAB) for i.MX6 CPUs
To enable the authenticated or encrypted boot mode of U-Boot, it is
required to set the proper configuration for the target board. This
is done by adding the following configuration in in the proper config
file (e.g. include/configs/mx6qarm2.h)
#define CONFIG_SECURE_BOOT
In addition, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).
The Initial Vector Table contains a pointer to the CSF. Please see
doc/README.imximage for how to prepare u-boot.imx.
The CSF itself is being generated by Freescale HAB tools.
mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 0004dc00
^^^^^^^^ ^^^^^^^^ ^^^^^^^^
| | |
| | -------- (1)
| |
| ------------------- (2)
|
--------------------------- (3)
(1) Size of area in file u-boot.imx to sign
This area should include the IVT, the Boot Data the DCD
and U-Boot itself.
(2) Start of area in u-boot.imx to sign
(3) Start of area in RAM to authenticate
CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.
Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.
Setup U-Boot Image for Encrypted Boot
-------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of
u-boot.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data, remains in plaintext.
The image data is encrypted with a Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.
The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled:
CONFIG_SECURE_BOOT
CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */
CONFIG_FSL_CAAM
CONFIG_CMD_DEKBLOB
CONFIG_SYS_FSL_SEC_LE
Note: The encrypted boot feature is only supported by HABv4 or
greater.
The dek_blob command then can be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:
dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192
The resulting DEK blob then is used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host.Then the following commands are used to construct
the final image.
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
NOTE: u-boot-signed.bin needs to be padded to the value
equivalent to the address in which the DEK blob is specified
in the CSF.