IMX8QXP secure boot

gravity_one — Fri, 25 Feb 2022 02:51:00 GMT

Hi,

After reading the IMX8QXP secure boot document, it is found that only uboot is signed.

How does the KERNEL sign and boot? Is there any document?

Re: IMX8QXP secure boot

Yuri — Fri, 25 Feb 2022 04:05:24 GMT

@gravity_one
Hello,

please refer to the following:

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/sign_os_cntr.txt?h=lf_v2021.04

Regards,
Yuri.

Re: IMX8QXP secure boot

gravity_one — Wed, 02 Mar 2022 02:33:24 GMT

Hi Yuri，

But when FOTA is upgraded, only KERNEL IMAGE and DTB are upgraded, how to boot safely?
How do I verify that KERNEL IMAGE and DTB are signed?

Brs，

Gravity

Re: IMX8QXP secure boot

BiyongSUN — Wed, 02 Mar 2022 14:59:17 GMT

Have you ever read the doc yuri provided?

Have you ?

If you read it, you will find

The OS container needs to be prepared with proper container header in order to
sign the OS image. Using imx-mkimage tool provided by NXP, the OS image can be
wrapped into a container format.

- Build the kernel image for the target

  $ make SOC=<SoC name> flash_kernel
  $ mv <SoC name>/flash.bin <SoC name>/flash_os.bin

https://source.codeaurora.org/external/imx/imx-mkimage/tree/iMX8QX/soc.mak?h=lf-5.10.52-2.1.0

flash_kernel: $(MKIMG) Image fsl-imx8qxp-mek.dtb
	./$(MKIMG) -soc QX -rev B0 -c -ap Image a35 0x80280000 --data fsl-imx8qxp-mek.dtb 0x83000000 -out flash.bin

If you want, you can modify to add a ramdisk to sign.

If you want, you can modify anything to sign.

That is to say, anything you need for boot without authentication. Just add to the os container by imx-mkimge then you can use the athentication boot.

The BSP example is use the Image, fsl-imx8qxp-mek.dtb to do none athentication.

and just put the Image, fsl-imx8qxp-mek.dtb to os container by imx-mkimage and sign it, then can do anthentication boot.

It is container, Image0 ~ ImageN.

authenticate_os_container will help you copy the image for example the Image(kernel) to the loader address 0x80280000 (-ap Image a35 0x80280000 in imx-mkimage).

Before, you use the fatload to load the Image to the 0x80280000.

loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}

#define CONFIG_LOADADDR 0x80280000

dr_mode with "peripheral"

"fi; " \

"if test ${sec_boot} = yes; then " \

"${get_cmd} ${cntr_addr} ${cntr_file}; " \

"if run auth_os; then " \

"run boot_os; " \

"else " \

"echo ERR: failed to authenticate; " \

"fi; " \

"else " \

"${get_cmd} ${loadaddr} ${image}; " \

"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \

"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \

"run boot_os; " \

"else " \

"echo WARN: Cannot load the DT; " \

"fi; " \

int authenticate_os_container(ulong addr)

{

..........

/* Copy images to dest address */

for (i = 0; i < phdr->num_images; i++) {

img = (struct boot_img_t *)(addr +

sizeof(struct container_hdr) +

i * sizeof(struct boot_img_t));

debug("img %d, dst 0x%x, src 0x%lux, size 0x%x\n",

i, (uint32_t) img->dst, img->offset + addr, img->size);

memcpy((void *)img->dst, (const void *)(img->offset + addr),

img->size);

s = img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1);

e = ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1;

flush_dcache_range(s, e);

Re: IMX8QXP secure boot

gravity_one — Sat, 05 Mar 2022 09:27:19 GMT

Hi，

Thank you for your reply!

The information made me understand！

Gravity

i.MX ProcessorsのトピックRe: IMX8QXP secure boot

IMX8QXP secure boot

Re: IMX8QXP secure boot

Re: IMX8QXP secure boot

Re: IMX8QXP secure boot

Re: IMX8QXP secure boot