https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306352#M39459 <HTML><HEAD></HEAD><BODY><P>As described in <A href="https://community.nxp.com/thread/323891">Secure boot on Wandboard</A>, I have manged to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it. </P><P></P><P>Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch, than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.</P><P></P><P>According to&nbsp; <A href="https://community.nxp.com/message/401163">Re: i.MX6 HAB support in U-Boot 2013 and later</A> HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) is available, and the raw HAB API functions. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.</P><P></P><P>Is there a patch available for U-boot 2013.10, which enables authentication of the Linux kernel image before continuing boot?</P><P></P><P>Best regards,</P><P> Mikkel Holm Olsen</P></BODY></HTML> Tue, 27 May 2014 11:47:35 GMT spacemanspiff 2014-05-27T11:47:35Z https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306352#M39459 <HTML><HEAD></HEAD><BODY><P>As described in <A href="https://community.nxp.com/thread/323891">Secure boot on Wandboard</A>, I have manged to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it. </P><P></P><P>Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch, than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.</P><P></P><P>According to&nbsp; <A href="https://community.nxp.com/message/401163">Re: i.MX6 HAB support in U-Boot 2013 and later</A> HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) is available, and the raw HAB API functions. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.</P><P></P><P>Is there a patch available for U-boot 2013.10, which enables authentication of the Linux kernel image before continuing boot?</P><P></P><P>Best regards,</P><P> Mikkel Holm Olsen</P></BODY></HTML> Tue, 27 May 2014 11:47:35 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306352#M39459 spacemanspiff 2014-05-27T11:47:35Z https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306353#M39460 <HTML><HEAD></HEAD><BODY><P>Hi Mikkel,</P><P>had you checked V2012 Uboot security scripts, below</P><P>link. Also they are included in ../mxc_secureboot folder imx-test-3.10.17-1.0.0</P><P>package</P><P></P><P><A href="https://github.com/boundarydevices/imx-linux-test/commit/4eecc7d61daad50e5ce5cc87bdf8d526fcff3c97" title="https://github.com/boundarydevices/imx-linux-test/commit/4eecc7d61daad50e5ce5cc87bdf8d526fcff3c97">ENGR00000000 secure boot:add support for V2012 Secure U-Boot · 4eecc7d · boundarydevices/imx-linux-test · GitHub</A></P><P><A href="http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=i.MX6Q&amp;nodeId=018rH3ZrDRB24A&amp;fpsp=1&amp;tab=Design_Tools_Tab">L3.10.17_1.0.0_IMX6QDLS_BUNDLE</A> <IMG alt="" class="jiveImage" src="http://www.freescale.com/files/graphic/SECURITYINFOIMAGE.gif" /> : Source Code Download Steps Documentation and Demo Images. </P><P></P><P>Best regards</P><P>chip</P></BODY></HTML> Thu, 29 May 2014 11:10:39 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306353#M39460 igorpadykov 2014-05-29T11:10:39Z https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306354#M39461 <HTML><HEAD></HEAD><BODY><P>Sorry about the late reply.</P><P></P><P>Thank you! Those links are very helpful, although at the moment I am investigating using U-Boot "verified boot" to sign the kernel.</P><P></P><P>Best regards,</P><P> Mikkel Holm Olsen</P></BODY></HTML> Tue, 17 Jun 2014 11:21:18 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306354#M39461 spacemanspiff 2014-06-17T11:21:18Z https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306355#M39462 <HTML><HEAD></HEAD><BODY><P>Hi <A class="jx-jive-macro-user" href="https://community.nxp.com/people/igorpadykov">igorpadykov</A>‌</P><P>I have a requirement to check the HAB status of uImage and if no HAB events to load the uImage. So how to do that checking in u-boot ?</P><P></P><P>Thanks in Advance</P></BODY></HTML> Wed, 22 Nov 2017 03:26:43 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6-secure-boot-of-Linux-kernel/m-p/306355#M39462 tengri 2017-11-22T03:26:43Z