doc: imx6: add section for secure boot with SPL

Cc: sbabic@denx.de

Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Sven Ebenfeld 2016-11-06 16:37:57 +01:00 committed by Stefano Babic
parent d21bd69b6e
commit 3de6c7fc00
1 changed files with 48 additions and 0 deletions

@ -138,3 +138,51 @@ c
The last "c" command tells kermit (from ckermit package in most distros)
to switch from command line mode to communication mode, and when the
script is finished, the U-Boot prompt is shown in the same shell.
3. Using Secure Boot on i.MX6 machines with SPL support
-------------------------------------------------------
This version of U-Boot is able to build a signable version of the SPL
as well as a signable version of the U-Boot image. The signature can
be verified through High Assurance Boot (HAB).
CONFIG_SECURE_BOOT is needed to build those two binaries.
After building, you need to create a command sequence file and use
Freescales Code Signing Tool to sign both binaries. After creation,
the mkimage tool outputs the required information about the HAB Blocks
parameter for the CSF.
More information about the CSF and HAB can be found in the AN4581.
https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
We don't want to explain how to create a PKI tree or SRK table as
this is well explained in the Application Note.
Example Output of the SPL (imximage) creation:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
Load Address: 00907420
Entry Point: 00908000
HAB Blocks: 00907400 00000000 0000cc00
Example Output of the u-boot-ivt.img (firmware_ivt) creation:
Image Name: U-Boot 2016.11-rc1-31589-g2a4411
Created: Sat Nov 5 21:53:28 2016
Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
Load Address: 17800000
Entry Point: 00000000
HAB Blocks: 0x177fffc0 0x0000 0x00054020
The CST (Code Signing Tool) can be downloaded from NXP.
# Compile CSF and create signature
./cst --o csf-u-boot.bin < command_sequence_uboot.csf
./cst --o csf-SPL.bin < command_sequence_spl.csf
# Append compiled CSF to Binary
cat SPL csf-SPL.bin > SPL-signed
cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
These two signed binaries can be used on an i.MX6 in closed
configuration when the according SRK Table Hash has been flashed.
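Review bot: The cst invocations near the end read command_sequence_uboot.csf and command_sequence_spl.csf, but the section never shows how the "HAB Blocks" values printed by mkimage go into those files, and the two sample outputs print them in different formats (bare hex for the SPL, 0x-prefixed for u-boot-ivt.img). Suggest adding, after each sample output, the matching Blocks line of the CSF's Authenticate Data section, or at least naming the three fields (start address, offset in file, length), so readers do not have to infer the mapping from AN4581. The closing paragraph could also say that both signed images should be checked on a device in open configuration before it is closed. Minor wording: "Freescales Code Signing Tool" should be "Freescale's", and "the according SRK Table Hash" reads better as "the corresponding".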