1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
|
+=========================================================+
+ i.MX8M U-Boot HABv4 Secure Boot guide for SPL targets +
+=========================================================+
1. HABv4 secure boot process
-----------------------------
This document is an addendum of mx6_mx7_spl_secure_boot.txt guide describing
a step-by-step procedure on how to sign and securely boot an U-Boot image for
SPL targets on i.MX8M, i.MX8M Mini, i.MX8M Nano, i.MX8M Plus.
Details about HAB can be found in the application note AN4581[1] and in the
introduction_habv4.txt document.
1.1 Building a SPL target supporting secure boot
-------------------------------------------------
The U-Boot build for i.MX8M SoC makes use of Second Program Loader (SPL)
support, fitImage support and custom i.MX8M specific flash.bin container.
This leads to a generation of multiple intermediate build artifacts, the
U-Boot SPL, U-Boot binary, DT blob. These later two artifacts are bundled
with external ATF BL31 blob to form a fitImage. The fitImage is bundled
with SPL and external DDR and optional HDMI PHY initialization blobs to
form the final flash.bin container. The HABv4 can be used to authenticate
all of the input binaries separately.
Out of reset the ROM code authenticates the SPL and PHY initialization
blobs, combination of which is responsible for initializing essential
features such as DDR, UART, PMIC and clock enablement. Once the DDR is
available, the SPL code loads the secondary fitImage to its specific
address and call the HAB APIs to extend the root of trust on its
components.
The U-Boot SPL provides support to secure boot configuration and also
provide access to the HAB APIs exposed by the ROM vector table, the
U-Boot provides access to HAB APIs via SMC calls to ATF. The support
is enabled by selecting the CONFIG_IMX_HAB option.
When built with this configuration the U-Boot correctly pads combined
SPL and PHY initialization blob image, called u-boot-spl-ddr.bin, by
aligning to the next 0xC00 address, so the CSF signature data generated
by CST can be concatenated to the image.
The U-Boot also reserves space in the fitImage binary (u-boot.itb) between
the fitImage tree and external blobs included in it, so it can be used to
inject IVT and CST signatures used by SPL HAB calls to authenticate the
fitImage components.
The diagram below illustrate a signed SPL combined with DDR PHY
initialization firmware blobs part of flash.bin container layout.
This part is loaded to memory address ( CONFIG_SPL_TEXT_BASE - 0x40 ) and
authenticated the BootROM. The reason for the offset is so that the *entry
would be at memory address CONFIG_SPL_TEXT_BASE when BootROM executes the
code within it:
------- +-----------------------------+ <-- *start
^ | Image Vector Table |
| | (0x20 bytes) |
| +-----------------------------+ <-- *boot_data
| | Boot Data |
| +-----------------------------+
| | Padding |
Signed | | to 0x40 bytes from *start |
Data | +-----------------------------+ <-- *entry
| | |
| | SPL combined with DDR PHY |
| | initialization blobs |
| | (u-boot-spl-ddr.bin) |
| | |
| +-----------------------------+
v | Padding |
------- +-----------------------------+ <-- *csf
| |
| Command Sequence File (CSF) |
| |
+-----------------------------+
| Padding (optional) |
+-----------------------------+
The diagram below illustrate a signed U-Boot binary, DT blob and external
ATF BL31 blob combined to form fitImage part of flash.bin container layout.
The *load_address is CONFIG_SPL_LOAD_FIT_ADDRESS, the fitImage is loaded
including all of its embedded data, authenticated using IVT+CSF concatenated
at the end of the fitImage at offset aligned to 4 kiB. The fitImage with
external data is not supported.
------- +-----------------------------+ <-- *load_address
^ | |
| | fitImage tree |
| | with embedded data |
| | (cca. 1 MiB) |
Signed | | |
.----- Tree | +-----------------------------+
| Data | | Padding to next 4k aligned |
| | | from *load_address |
| | +-----------------------------+ <-- *ivt
| | | Image Vector Table |
| v | (0x20 bytes) |
| ------- +-----------------------------+ <-- *csf
| | Command Sequence File (CSF) |
| | for all signed entries in |
'---------------->| the fitImage, tree and data |
| (cca 6-7 kiB) |
+-----------------------------+
The diagram below illustrate a combined flash.bin container layout:
+-----------------------------+
| Signed SPL part |
+-----------------------------+
| Signed fitImage part |
+-----------------------------+
1.2 Enabling the secure boot support
-------------------------------------
The first step is to generate an U-Boot image supporting the HAB features
mentioned above, this can be achieved by adding CONFIG_IMX_HAB to the
build configuration:
- Defconfig:
CONFIG_IMX_HAB=y
CONFIG_FSL_CAAM=y
CONFIG_ARCH_MISC_INIT=y
CONFIG_SPL_CRYPTO=y
- Kconfig:
ARM architecture -> Support i.MX HAB features
1.3 Signing the images
-----------------------
The CSF contains all the commands that the HAB executes during the secure
boot. These commands instruct the HAB code on which memory areas of the image
to authenticate, which keys to install, use and etc. The CSF is generated
using the CST Code Signing Tool based on input configuration file. This tool
input configuration file is generated using binman, and the tool is invoked
from binman as well.
The SPL and fitImage sections of the generated image are signed separately.
The signing is activated by wrapping SPL and fitImage sections into nxp-imx8mcst
etype, which is done automatically in arch/arm/dts/imx8m{m,n,p,q}-u-boot.dtsi
in case CONFIG_IMX_HAB Kconfig symbol is enabled.
Build of flash.bin target then produces a signed flash.bin automatically.
The nxp-imx8mcst etype is configurable using either DT properties or environment
variables. The following DT properties and environment variables are supported.
Note that environment variables override DT properties.
+--------------------+-----------+------------------------------------------------------------------+
| DT property | Variable | Description |
+====================+===========+==================================================================+
| nxp,loader-address | | SPL base address |
+--------------------+-----------+------------------------------------------------------------------+
| nxp,srk-table | SRK_TABLE | full path to SRK_1_2_3_4_table.bin |
+--------------------+-----------+------------------------------------------------------------------+
| nxp,csf-crt | CSF_KEY | full path to the CSF Key CSF1_1_sha256_4096_65537_v3_usr_crt.pem |
+--------------------+-----------+------------------------------------------------------------------+
| nxp,img-crt | IMG_KEY | full path to the IMG Key IMG1_1_sha256_4096_65537_v3_usr_crt.pem |
+--------------------+-----------+------------------------------------------------------------------+
Environment variables can be set as follows to point the build process
to external key material:
```
export CST_DIR=/usr/src/cst-3.3.1/
export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
make flash.bin
```
1.4 Closing the device
-----------------------
The procedure for closing the device is similar as in Non-SPL targets, for a
complete procedure please refer to section "1.5 Programming SRK Hash" in
mx6_mx7_secure_boot.txt document available under doc/imx/habv4/guides/
directory.
References:
[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
HABv4" - Rev 2.
|
