@ -138,3 +138,51 @@ c |
The last "c" command tells kermit (from ckermit package in most distros) |
to switch from command line mode to communication mode, and when the |
script is finished, the U-Boot prompt is shown in the same shell. |
3. Using Secure Boot on i.MX6 machines with SPL support |
------------------------------------------------------- |
This version of U-Boot is able to build a signable version of the SPL |
as well as a signable version of the U-Boot image. The signature can |
be verified through High Assurance Boot (HAB). |
CONFIG_SECURE_BOOT is needed to build those two binaries. |
After building, you need to create a command sequence file and use |
Freescales Code Signing Tool to sign both binaries. After creation, |
the mkimage tool outputs the required information about the HAB Blocks |
parameter for the CSF. |
More information about the CSF and HAB can be found in the AN4581. |
https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf |
We don't want to explain how to create a PKI tree or SRK table as |
this is well explained in the Application Note. |
Example Output of the SPL (imximage) creation: |
Image Type: Freescale IMX Boot Image |
Image Ver: 2 (i.MX53/6/7 compatible) |
Mode: DCD |
Data Size: 61440 Bytes = 60.00 kB = 0.06 MB |
Load Address: 00907420 |
Entry Point: 00908000 |
HAB Blocks: 00907400 00000000 0000cc00 |
Example Output of the u-boot-ivt.img (firmware_ivt) creation: |
Image Name: U-Boot 2016.11-rc1-31589-g2a4411 |
Created: Sat Nov 5 21:53:28 2016 |
Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) |
Data Size: 352192 Bytes = 343.94 kB = 0.34 MB |
Load Address: 17800000 |
Entry Point: 00000000 |
HAB Blocks: 0x177fffc0 0x0000 0x00054020 |
The CST (Code Signing Tool) can be downloaded from NXP. |
# Compile CSF and create signature |
./cst --o csf-u-boot.bin < command_sequence_uboot.csf |
./cst --o csf-SPL.bin < command_sequence_spl.csf |
# Append compiled CSF to Binary |
cat SPL csf-SPL.bin > SPL-signed |
cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img |
These two signed binaries can be used on an i.MX6 in closed |
configuration when the according SRK Table Hash has been flashed. |
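
Review bot: The two "HAB Blocks:" example lines are printed in different formats ("00907400 00000000 0000cc00" for the SPL, "0x177fffc0 0x0000 0x00054020" for u-boot-ivt.img), and the text never says what the three fields mean or where they go in the CSF, so a reader cannot get from this output to a working command_sequence_spl.csf or command_sequence_uboot.csf without AN4581 open. Suggest stating that the values are address, offset and length, and showing the Blocks line of the Authenticate Data command for at least one of the two images. The closing paragraph also goes straight from the signed binaries to the closed configuration; because the SRK hash fuses are one-time programmable, a short step that boots both signed images on an open device and checks for HAB events (hab_status at the U-Boot prompt) before closing would save readers from bricking a board on a bad signature. Nits: "Freescales" should be "Freescale's", the section names Freescale in one place and NXP in another as the source of the CST, and "according SRK Table Hash has been flashed" reads better as "corresponding SRK Table Hash has been fused".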