https://community.nxp.com/t5/Other-NXP-Products/Layerscape-secure-boot-with-Yocto-for-1028A-family/m-p/1654547#M17822 <P>Hi,</P><P>I am currently trying to get acquainted with the secure boot implementation on Layerscape processors. I have been reading a lot in the <A href="https://docs.nxp.com/bundle/GUID-3FFCCD77-5220-414D-8664-09E6FB1B02C6/page/GUID-C920A8C4-3D1E-448F-9D1C-016B27FCB767.html" target="_self">documentation</A> in the last days, but it is still not clear to me how everything works.</P><P>From what I understand these are the boot stages:</P><P>BL1 &nbsp; : BootROM code<BR />BL2 &nbsp; : Pre-Bootloader<BR />BL31 : EL3 runtime firmware<BR />BL32 : OP-TEE (optional)<BR />BL33 : U-Boot</P><P><A href="https://docs.nxp.com/bundle/GUID-3FFCCD77-5220-414D-8664-09E6FB1B02C6/page/GUID-819A6D70-AAED-4B6C-BDA6-7A1B98B77784.html" target="_self">All stages seem to be verified with a CSF header</A> that contains the commands, pointers and checksums of the images to be verified. Is the same CSF header used for all stages?<BR /><BR /><A href="https://github.com/Freescale/meta-freescale/blob/master/recipes-bsp/atf/qoriq-atf_2.6.bb" target="_self">The Bitbake recipe here</A> seems to take care of the signing and fusing process. I don't fully understand all parts of the recipe, but is it sufficient to provide your own SRK files to automatically sign the images and build the fuse provisioning image?</P> Mon, 22 May 2023 07:53:01 GMT jclsn 2023-05-22T07:53:01Z https://community.nxp.com/t5/Other-NXP-Products/Layerscape-secure-boot-with-Yocto-for-1028A-family/m-p/1654547#M17822 <P>Hi,</P><P>I am currently trying to get acquainted with the secure boot implementation on Layerscape processors. I have been reading a lot in the <A href="https://docs.nxp.com/bundle/GUID-3FFCCD77-5220-414D-8664-09E6FB1B02C6/page/GUID-C920A8C4-3D1E-448F-9D1C-016B27FCB767.html" target="_self">documentation</A> in the last days, but it is still not clear to me how everything works.</P><P>From what I understand these are the boot stages:</P><P>BL1 &nbsp; : BootROM code<BR />BL2 &nbsp; : Pre-Bootloader<BR />BL31 : EL3 runtime firmware<BR />BL32 : OP-TEE (optional)<BR />BL33 : U-Boot</P><P><A href="https://docs.nxp.com/bundle/GUID-3FFCCD77-5220-414D-8664-09E6FB1B02C6/page/GUID-819A6D70-AAED-4B6C-BDA6-7A1B98B77784.html" target="_self">All stages seem to be verified with a CSF header</A> that contains the commands, pointers and checksums of the images to be verified. Is the same CSF header used for all stages?<BR /><BR /><A href="https://github.com/Freescale/meta-freescale/blob/master/recipes-bsp/atf/qoriq-atf_2.6.bb" target="_self">The Bitbake recipe here</A> seems to take care of the signing and fusing process. I don't fully understand all parts of the recipe, but is it sufficient to provide your own SRK files to automatically sign the images and build the fuse provisioning image?</P> Mon, 22 May 2023 07:53:01 GMT https://community.nxp.com/t5/Other-NXP-Products/Layerscape-secure-boot-with-Yocto-for-1028A-family/m-p/1654547#M17822 jclsn 2023-05-22T07:53:01Z https://community.nxp.com/t5/Other-NXP-Products/Layerscape-secure-boot-with-Yocto-for-1028A-family/m-p/1658261#M17898 So I could progress a bit. Seems like you need to copy the srk.pri and srk.pub into the work directory of the qoriq-atf recipe to sign the images.<BR /><BR />Only thing left is the fuse_fip.bin. Seems like you need to provide the input_fuse_file and add the OTMPK and SRKH. I am still not quite sure if I am doing this right. The gen_otpmk_drbg command can generate you the OTPMK and the SRKH can be generated by the uni_pbi command provided the input_pbi_flexspi_nor_secure file. In the documentation it says that the SRKH is merely a SHA-256 sum calculated over the srk.pub, but it I run<BR /><BR />$ sha256sum srk.pub<BR /><BR />I get a different hash than with the uni_pbi command. Can you please clarify why that happens? Fri, 26 May 2023 09:12:42 GMT https://community.nxp.com/t5/Other-NXP-Products/Layerscape-secure-boot-with-Yocto-for-1028A-family/m-p/1658261#M17898 jclsn 2023-05-26T09:12:42Z