High Assurance Boot (HAB) for i.MX6 CPUs
-To authenticate U-Boot only by the CPU there is no code required in
-U-Boot itself. However, the U-Boot image to be programmed into the
+To enable the authenticated or encrypted boot mode of U-Boot, it is
+required to set the proper configuration for the target board. This
+is done by adding the following configuration in in the proper config
+file (e.g. include/configs/mx6qarm2.h)
+
+#define CONFIG_SECURE_BOOT
+
+In addition, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 0004dc00
- ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
+ ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
| | |
| | -------- (1)
| |
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.
+
+Setup U-Boot Image for Encrypted Boot
+-------------------------------------
+An authenticated U-Boot image is used as starting point for
+Encrypted Boot. The image is encrypted by Freescale's Code
+Signing Tool (CST). The CST replaces only the image data of
+u-boot.imx with the encrypted data. The Initial Vector Table,
+DCD, and Boot data, remains in plaintext.
+
+The image data is encrypted with a Encryption Key (DEK).
+Therefore, this key is needed to decrypt the data during the
+booting process. The DEK is protected by wrapping it in a Blob,
+which needs to be appended to the U-Boot image and specified in
+the CSF file.
+
+The DEK blob is generated by an authenticated U-Boot image with
+the dek_blob cmd enabled. The image used for DEK blob generation
+needs to have the following configurations enabled:
+
+CONFIG_SECURE_BOOT
+CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */
+CONFIG_FSL_CAAM
+CONFIG_CMD_DEKBLOB
+CONFIG_SYS_FSL_SEC_LE
+
+Note: The encrypted boot feature is only supported by HABv4 or
+greater.
+
+The dek_blob command then can be used to generate the DEK blob of
+a DEK previously loaded in memory. The command is used as follows:
+
+dek_blob <DEK address> <Output Address> <Key Size in Bits>
+example: dek_blob 0x10800000 0x10801000 192
+
+The resulting DEK blob then is used to construct the encrypted
+U-Boot image. Note that the blob needs to be transferred back
+to the host.Then the following commands are used to construct
+the final image.
+
+objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
+ U-Boot_CSF.bin U-Boot_CSF_pad.bin
+cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
+objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
+ u-boot-signed.imx u-boot-signed-pad.bin
+cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
+
+ NOTE: u-boot-signed.bin needs to be padded to the value
+ equivalent to the address in which the DEK blob is specified
+ in the CSF.
projects / karo-tx-uboot.git / blobdiff