chain of trust HAB imx6UL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

chain of trust HAB imx6UL

967 Views
giuliodominutti
Contributor III

Hi, I'm stuck in building a secure board imx6UL. At the moment I'm able to sign and encrypt the u-boot and run it from sd.

Now I want to continue the chain of trust validating every loaded image.

- I modified u-boot in order to use default environment.

- I prepared a bootscript signed that contains the remaining part of the boot

- I modify the automatic boot sequence bootcmd with my personal sequence that load from sd and verify the signature of bootscript with hab_auth_img command.

- From bootscript with a well defined sequence i load from sd a signed kernel and a signed device tree, verify their signature and if all ok start kernel.

1) First question is: the procedure is correct? There is a better way than modify uboot and using hab_auth_image? There are other ways? ( give me a clue)

2) Suppose that the sign verification I implemented is correct. I want that loaded images are also encrypted to have confidentiality. I enabled in u-boot CMD_BLOB, that i suppose able to encrypt my datas, but cmd blob enc doesn't work. There are other config to set before use this cmd?

Thanks

Labels (1)
0 Kudos
1 Reply

575 Views
igorpadykov
NXP Employee
NXP Employee

Hi Giulio

please refer to

Signed and encrypted boot in i.MX6UL 

Generate Blob Under Linux 

AN4581 Secure Boot on i.MX50, i.MX53, and i.MX6  Series using HABv4 

https://www.nxp.com/docs/en/application-note/AN4581.pdf 

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------