Encrypted U-boot Example

Document created by Joan Xie Employee on Jun 29, 2016

This example uses a U-Boot image as the bootloader. U-Boot is commonly used as the bootloader for Linux devices and is provided by the Freescale Linux BSP.

The default memory layout of the Freescale U-Boot port can be modified to meet the encrypted boot requirements. This is shown in figure 5. As can be seen, this layout is the same as that of any other U-Boot port, with the addition of the security mechanisms appended at the end of the image.


[Figure 5: Chosen memory layout of the encrypted U-Boot]


In designing a U-Boot image as an encrypted boot solution, three assumptions accelerate and simplify the construction process:

1) The U-Boot image can be built for multiple board configurations, but for demonstration purposes this example uses the i.MX6 Solo X.

2) The user is familiar with the secure boot configuration of U-Boot and is able to sign and boot a U-Boot image correctly.

3) The encrypted image is constructed by a single party, so there is no need to provision the DEK to another party.



The components required to build an encrypted image are listed below. Note that most of them are produced by following the U-Boot image signing procedure.

  a) Code Signing Tool (CST) in encryption mode

     o To build the CST in encryption mode, run the following command:

       make OSTYPE=linux ENCRYPTION=yes HAB_RELEASE=~/hab/hab_release release

     o Note that the CST is not built in encryption mode by default; this feature must be enabled before the bootloader image can be encrypted. CST performance may be affected, because encryption mode depends on the host's entropy source. Refer to the CST User Guide for more details.

  b) i.MX6 Solo X device in secure mode

  c) U-Boot image with secure boot support enabled

     o To build U-Boot with secure boot support, define CONFIG_SECURE_BOOT in the board header file (e.g. include/configs/mx6q_arm2.h).

  d) Signed U-Boot image

     o A U-Boot image with a CSF and digital signature attached.

3) Implementation

Many different implementations of an encrypted U-Boot image are possible; the right one depends on the solution's requirements. The implementation presented here is intended to convey the founding principles and can be modified to meet different needs.
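As an added worked example (not code from this page, nor from NXP's CST or U-Boot), the script below computes the kind of memory layout described above for an encrypted image: the IMX header (IVT, boot data, DCD) stays in plaintext and is only signed, the rest of the image is encrypted, and the CSF and the DEK blob are appended after the padded image. From that layout it emits the encryption-specific CSF commands with the resulting Blocks and Blob Address values. The IVT address 0x877FF400, the 0xC00 header size, the 0x2000 CSF reservation, the 4 KiB padding, the image size and the blob overhead are assumptions chosen to match a typical i.MX6 U-Boot port and must be checked against your own u-boot.imx; the CSF command names and fields follow the HABv4 CSF syntax of the CST User Guide.

```python
"""Memory-layout calculator for an HABv4 encrypted U-Boot image (i.MX6).

Added example, not code from the page or from NXP's CST/U-Boot. All
addresses and sizes are assumptions for a typical i.MX6 port (text base
0x87800000 with a 0xC00-byte IMX header in front of it); verify them
against the IVT of your own u-boot.imx (e.g. with `mkimage -l`).
"""
from dataclasses import dataclass

HEADER_SIZE = 0xC00      # IVT + boot data + DCD: signed, never encrypted (assumption)
CSF_PAD_SIZE = 0x2000    # room reserved for the CSF after the image (assumption)
PAD_ALIGN = 0x1000       # pad the plaintext image to a 4 KiB boundary (assumption)
BLOB_OVERHEAD = 48 + 8   # CAAM blob overhead + HAB blob header (assumption, check dek_blob output)


@dataclass(frozen=True)
class EncryptedLayout:
    ivt_addr: int        # address at which the ROM loads byte 0 of the image
    image_size: int      # size of the plaintext u-boot.imx in bytes
    padded_size: int     # image size rounded up to PAD_ALIGN
    key_bits: int        # AES DEK length

    @property
    def csf_addr(self) -> int:
        return self.ivt_addr + self.padded_size

    @property
    def blob_addr(self) -> int:
        # the DEK blob follows the padded CSF area; HAB looks for it here
        return self.csf_addr + CSF_PAD_SIZE

    @property
    def blob_size(self) -> int:
        return self.key_bits // 8 + BLOB_OVERHEAD

    @property
    def total_size(self) -> int:
        """Bytes the ROM must load: padded image + CSF area + DEK blob."""
        return self.padded_size + CSF_PAD_SIZE + self.blob_size

    def authenticate_block(self) -> tuple:
        """(address, file offset, length) of the plaintext, signed header."""
        return (self.ivt_addr, 0, HEADER_SIZE)

    def decrypt_block(self) -> tuple:
        """(address, file offset, length) of the encrypted payload."""
        return (self.ivt_addr + HEADER_SIZE, HEADER_SIZE,
                self.padded_size - HEADER_SIZE)


def plan_layout(ivt_addr: int, image_size: int, key_bits: int = 128) -> EncryptedLayout:
    if key_bits not in (128, 192, 256):
        raise ValueError("HAB DEK must be AES-128, AES-192 or AES-256")
    if image_size <= HEADER_SIZE:
        raise ValueError("image is not larger than its IMX header")
    padded = -(-image_size // PAD_ALIGN) * PAD_ALIGN   # ceiling division
    return EncryptedLayout(ivt_addr, image_size, padded, key_bits)


def render_csf(layout: EncryptedLayout, image_file: str, dek_file: str = "dek.bin") -> str:
    """Emit the encryption-specific CSF commands.

    The [Header], [Install SRK], [Install CSFK], [Authenticate CSF] and
    [Install Key] commands are the same as in the signed-only CSF and are
    not repeated here; prepend them from that file.
    """
    a_addr, a_off, a_len = layout.authenticate_block()
    d_addr, d_off, d_len = layout.decrypt_block()
    return "\n".join([
        "[Authenticate Data]",
        "    Verification index = 2",
        f'    Blocks = {a_addr:#x} {a_off:#x} {a_len:#x} "{image_file}"',
        "",
        "[Install Secret Key]",
        "    Verification index = 0",
        "    Target index = 0",
        f'    Key = "{dek_file}"',
        f"    Key Length = {layout.key_bits}",
        f"    Blob Address = {layout.blob_addr:#x}",
        "",
        "[Decrypt Data]",
        "    Verification index = 0",
        "    Mac Bytes = 16",
        f'    Blocks = {d_addr:#x} {d_off:#x} {d_len:#x} "{image_file}"',
    ])


if __name__ == "__main__":
    # Constructed input: a u-boot.imx of 0x5EFDC bytes for a board whose
    # text base is 0x87800000, so the IVT is loaded at 0x877FF400.
    lay = plan_layout(ivt_addr=0x877FF400, image_size=0x5EFDC)
    print(render_csf(lay, "u-boot-pad.imx"))
    print(f"\n# pad the image to {lay.padded_size:#x} bytes, CSF at {lay.csf_addr:#x},"
          f" DEK blob ({lay.blob_size:#x} bytes) at {lay.blob_addr:#x};"
          f" boot data length must cover {lay.total_size:#x} bytes")
```

The values this prints are what go into the CSF fed to the encryption-enabled CST build; the CST then produces the CSF binary, the DEK file and the encrypted payload. The DEK itself is never shipped in the clear: it is wrapped into a blob by CAAM on the target device (in U-Boot this is the dek_blob command), and that blob is appended at Blob Address after the CSF area has been padded to CSF_PAD_SIZE. Two checks are worth running before booting: the address in the Decrypt Data block must equal the entry address recorded in the IVT, and the image length declared in boot data must reach past blob_addr + blob_size, otherwise the ROM never copies the blob and HAB fails when it looks for it at Blob Address.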
