https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1284981#M174779 <P>Hi Alvaro</P> <P>&nbsp;</P> <P>one can look at AN12812&nbsp; <A id="relatedDocsClick_19" href="https://www.nxp.com/webapp/Download?colCode=AN12812" target="_blank" rel="noopener"><STRONG>Using Code-Signing Tool with Hardware Security Module</STRONG></A></P> <P>&nbsp;</P> <P>Best regards<BR />igor</P> Tue, 01 Jun 2021 00:50:53 GMT igorpadykov 2021-06-01T00:50:53Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1282358#M174543 <P>Hi everyone,&nbsp;</P><P>&nbsp;</P><P>We are trying to implement a Secure boot on the NXP iMX8MP using a TPM ( SLB 9670VQ2.0).</P><P>I know that iMX8MP allows a secure boot using its HAB hw modules and also have explored that option but apart from that, we want to be able to verify a kernel before loading it.&nbsp;</P><P>So, currently I've got an u-boot with TPM commands enabled, these are the commands it offers:&nbsp;</P><UL><LI><FONT face="arial black,avant garde" color="#000000">STARTUP</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">SELF TEST</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">CLEAR</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">PCR EXTEND</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">PCR READ</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">GET CAPABILITY</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">DICTIONARY ATTACK LOCK RESET</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">DICTIONARY ATTACK CHANGE PARAMETERS</FONT></LI><LI><FONT face="arial black,avant garde" color="#000000">HIERARCHY CHANGE AUTH</FONT></LI></UL><H3><FONT face="arial,helvetica,sans-serif" size="4" color="#000000">As far as I understand, to verify the kernel I need to decrypt a hash of the kernel that was previously encrypted with a private key.&nbsp;</FONT></H3><P><FONT face="arial,helvetica,sans-serif" size="4" color="#000000">When using a TPM I know how to create keys and use them to sign the kernel from linux.&nbsp;</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="4" color="#000000">But, as long as the keys cannot leave the TPM I'm wondering how could the uboot verify the signed kernel. The first option that comes to my mind is that u-boot should ask the TPM to decrypt the hash of the kernel with its internal private key but from uboot and I don't have any commands to do that.&nbsp;<BR />The second option would be to ask the TPM for the private key, and this can't be done as the security of the TPM ( and the whole system ) would be compromised.&nbsp;</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="4" color="#000000">How can this step ( kernel verification ) of the secure boot be done? maybe by means of a measured boot ( PCRs)?</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="4" color="#000000">Thanks in advance, any idea will be much appreciated</FONT></P> Wed, 26 May 2021 07:48:06 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1282358#M174543 AlfTeleco 2021-05-26T07:48:06Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1284981#M174779 <P>Hi Alvaro</P> <P>&nbsp;</P> <P>one can look at AN12812&nbsp; <A id="relatedDocsClick_19" href="https://www.nxp.com/webapp/Download?colCode=AN12812" target="_blank" rel="noopener"><STRONG>Using Code-Signing Tool with Hardware Security Module</STRONG></A></P> <P>&nbsp;</P> <P>Best regards<BR />igor</P> Tue, 01 Jun 2021 00:50:53 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1284981#M174779 igorpadykov 2021-06-01T00:50:53Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1299442#M176160 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/37066">@igorpadykov</a>&nbsp;the CST would run on the PC, right? But we're interested in interfacing the TPM with the target hardware (i.MX processor). How that can be done?</P><P>&nbsp;</P><P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/186417">@AlfTeleco</a>&nbsp;Any updates on this one?</P> Tue, 29 Jun 2021 06:07:44 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1299442#M176160 kanimozhi_t 2021-06-29T06:07:44Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1299481#M176163 <P>Hi Kanimozhi</P> <P>&nbsp;</P> <P>for such case, as it is not supported in official BSPs may be recommended to proceed with</P> <P>help of NXP Professional Services:<BR /><A href="https://contact.nxp.com/new-prof-svcs-sw-tech" target="_blank">https://contact.nxp.com/new-prof-svcs-sw-tech</A></P> <P>&nbsp;</P> <P>Best regards<BR />igor</P> Tue, 29 Jun 2021 06:55:44 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot/m-p/1299481#M176163 igorpadykov 2021-06-29T06:55:44Z