topic Re: Secure boot on Wandboard in i.MX Processors

Secure boot on Wandboard

spacemanspiff — Thu, 15 May 2014 11:01:10 GMT

I am trying to get secure boot working on the Wandboard quad, based on AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4), HABCST_UG (HAB Code-Signing Tool User’s Guide) and a few other sources of information. In case it matters, I am currently experimenting with U-boot on the SD card, although in the end U-boot will be in a SPI flash.

I have compiled U-boot 2013.10 with CONFIG_SECURE_BOOT (to get hab_status) as well as CONFIG_CMD_FUSE and CONFIG_MXC_OCOTP (to access fuses from U-boot).

I have created the PKI and SRK table and eFuse hash according to HAB CST user guide chapter 3.2.

Based on a guide regarding secure boot on the Nitrogen 6X, I have attempted to write a CSF input file for CST, and created the binary CSF.

There are various guides on how to combine the U-Boot image with the CSF, but I think some things have changed since these guides were written. Maybe there is an easier way of putting everything together for secure booting on the i.MX6.

1) What is the easiest way to reserve space for the CSF before the BSS? In the guides, modifications are being done to the linker-script (i.e. u-boot.lds), but I am not quite sure what linker script is being used for the wandboard-quad, or if there is an easier way of reserving this region.

2) I have looked at the u-boot.imx, and see the IVT at the beginning, but the CSF-pointer is 0. What is the easiest way to set the CSF-pointer?

3) According to U-boots README.mxc_hab, mkimage should "output additional information about ''HAB Blocks'' which can be used in the Freescale tooling to authenticate U-Boot (entries in the CSF file)". However, this is not shown when I run mkimage -l u-boot.imx:

Image Type: Freescale IMX Boot Image

Image Ver: 2 (i.MX53/6 compatible)

Data Size: 290816 Bytes = 284.00 kB = 0.28 MB

Load Address: 177ff420

Entry Point: 17800000

4) Does anyone have any pointers to resources about writing the CSF input file, or other resources regarding secure boot on i.MX6?

Any help is greatly appreciated,

Mikkel Holm Olsen

Re: Secure boot on Wandboard

spacemanspiff — Tue, 20 May 2014 15:00:14 GMT

It seems all the documentation (application notes and examples) say that one should use older U-boot, except this recent question i.MX6 HAB support in U-Boot 2013 and later.

I would really prefer to use a recent U-boot, because we need to patch it to support various devices, and we need device tree support etc.

From my findings all that needs to be done before I have securely started U-boot is:

Patch U-boot to reserve space for the CSF.
Make the image consisting of the existing u-boot.imx + padding + CSF
Set the CSF pointer in the IVT.
Burn fuses

As for 1. it appears that there have been changes in the U-boot linker scripts. I am just wondering if there is an easy way (e.g. board specific configuration option or similar) to reserve this space.

Regarding 2. and 3. this was just my idea of how to get the needed result. There may be a cleaner way to achieve this. If you have a suggestion, please let me know.

Re: Secure boot on Wandboard

spacemanspiff — Thu, 22 May 2014 14:48:59 GMT

I managed to get secure boot of U-Boot 2013.10 working on the Wandboard (i.MX6), so for anyone struggling with this, here are some pointers:

1. Reserve space for CSF in U-boot. Edit u-boot.lds and add the following between "_end = .;" and ". = ALIGN(4096);":

. = ALIGN(0x1000);

.hab_section (OVERLAY) : {

__hab_data = .;

. = . + 0x2000; /* Reserve 8kB for CSF */

__hab_data_end = .;

}

This sets aside 8kB in the U-boot memory layout, where we can have the IVT load the CSF (appended to U-boot image).

2. In order to change the CSF pointer in IVT, edit the imximage configuration file. First find your board in u-boots boards.cfg, and locate the IMX_CONFIG variable. Now open this file (in my case board/boundary/nitrogen6x/nitrogen6q2g.cfg) and add the following (I added it after "BOOT_FROM":

/* Reserve 8kB for CSF */

CSF 0x2000

This will both set the CSF pointer in IVT, and also add 8kB to the length-field, so we get the CSF loded into memory along with the U-boot image.

3. Build the u-boot.imx file (you could verify with hexdump that CSF-pointer is populated).

4. Assuming you have created the PKI tree and SRK table (using hab4_pki_tree.sh and srktool), you now need to create the CSF source file (see attached u-boot.csf for inspiration). You need to set the size of u-boot.imx in the "Authenticate Data" section. In my case this was 0x46C00 (i.e. 289792 bytes).

5. Compile the CSF to binary form by using cst:

linux/cst --o u-boot_csf.bin < u-boot.csf

6. Pad the CST file to 8kB length:

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xAA u-boot_csf.bin u-boot_csf_padded.bin

7. Append the padded CSF to the IMX image:

cat u-boot.imx u-boot_csf_padded.bin > u-boot_csf.imx

8. Copy the combined image to SD card:

sudo dd if=u-boot_csf.imx of=/dev/sdc bs=512 seek=2

9. Program the SRK hash fuses.

Re: Secure boot on Wandboard

siah77 — Fri, 30 May 2014 09:00:58 GMT

Is the a way to unlock or remove the secure boot after burn fuse? The document didn't mention about the removal. Please advice and thank you

Re: Secure boot on Wandboard

igorpadykov — Fri, 30 May 2014 09:37:23 GMT

Hi Ricky

unfortunately these (and other) fuses are unreversable.

They can not be changed back to unsecure state, when programmed to

secure state. So once programmed, board stays secure forever.

Best regards

chip

Re: Secure boot on Wandboard

ganeshc — Fri, 29 May 2015 04:27:23 GMT

Hi,
Unknowingly I executed this command in my Wandboard Quad
echo 0x2 > /sys/fsl_otp/HW_OCOTP_CFG5
after executing this command my board is not booting up.
After that I read many documentation to get what actually happened and it shows I enabled chip security which is used for secure boot.

Now what should I do to get my board to boot /start ?