High Assurance Boot (HAB) for i.MX6 CPUs

No code is required in U-Boot itself for the CPU to authenticate
U-Boot. However, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).

The Initial Vector Table contains a pointer to the CSF. Please see
doc/README.imximage for how to prepare u-boot.imx.

The CSF itself is generated by the Freescale HAB tools.

mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6 compatible)
Data Size:    327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point:  17800000
HAB Blocks:   177ff400 00000000 0004dc00
              ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
                  |        |        |
                  |        |        -------- (1)
                  |        |
                  |        ------------------- (2)
                  |
                  --------------------------- (3)

(1) Size of area in file u-boot.imx to sign
    This area should include the IVT, the Boot Data, the DCD
    and U-Boot itself.
(2) Start of area in u-boot.imx to sign
(3) Start of area in RAM to authenticate
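
The following is an added example, not part of the original README or the U-Boot sources: it turns the "HAB Blocks" line above into a CSF block entry and rejects a region that does not fit the image or does not contain the entry point, a check that goes beyond what the text states. The helper names are hypothetical, the `Blocks = ...` line uses the CST's CSF syntax for the [Authenticate Data] section (not shown in this README), and the image size is passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the original README.
# Constructed sample input: the mkimage output shown above.
SAMPLE_MKIMAGE_OUTPUT='Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6 compatible)
Data Size:    327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point:  17800000
HAB Blocks:   177ff400 00000000 0004dc00'

# field_of <mkimage output> <label> <n>: print the n-th value after "<label>:".
field_of() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" -v n="$3" \
        '$1 == label { split($2, v, " "); print v[n] }'
}

# hab_blocks_entry <mkimage output> <image name> <image size in bytes>
# (hypothetical helper name). Prints the CSF Blocks line; returns non-zero
# when the signed region is inconsistent with the image.
hab_blocks_entry() {
    ram=$(field_of "$1" "HAB Blocks" 1)    # (3) start of area in RAM
    off=$(field_of "$1" "HAB Blocks" 2)    # (2) start of area in file
    len=$(field_of "$1" "HAB Blocks" 3)    # (1) size of area to sign
    entry=$(field_of "$1" "Entry Point" 1)
    [ -n "$ram" ] && [ -n "$off" ] && [ -n "$len" ] && [ -n "$entry" ] || return 2

    # The signed area must lie entirely inside the image file.
    if [ $((0x$off + 0x$len)) -gt "$3" ]; then
        echo "signed area extends past the end of $2" >&2
        return 1
    fi
    # The entry point must fall inside the authenticated RAM region,
    # otherwise execution would start in code HAB never verified.
    if [ $((0x$entry)) -lt $((0x$ram)) ] ||
       [ $((0x$entry)) -ge $((0x$ram + 0x$len)) ]; then
        echo "entry point 0x$entry is outside the authenticated region" >&2
        return 1
    fi
    printf 'Blocks = 0x%s 0x%s 0x%s "%s"\n' "$ram" "$off" "$len" "$2"
}
```

On a real build, pass the captured mkimage output, the image name, and the size from `wc -c < u-boot.imx`.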

CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.

Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
	U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx

NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.

Setup U-Boot Image for Encrypted Boot
-------------------------------------
An authenticated U-Boot image is used as the starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of
u-boot.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data remain in plaintext.

The image data is encrypted with a Data Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.

The DEK blob is generated by an authenticated U-Boot image with
the dek_blob command enabled. The image used for DEK blob generation
needs to have the following configurations enabled:

CONFIG_SECURE_BOOT
CONFIG_SYS_FSL_SEC_COMPAT    4 /* HAB version */
CONFIG_FSL_CAAM
CONFIG_CMD_DEKBLOB

Note: The encrypted boot feature is only supported by HABv4 or
greater.

The dek_blob command can then be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:

dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192

The resulting DEK blob is then used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host. Then the following commands are used to construct
the final image.

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
	U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
	u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.bin DEK_blob.bin > u-boot-encrypted.imx

    NOTE: u-boot-signed.imx needs to be padded to the value
    equivalent to the address in which the DEK blob is specified
    in the CSF.