Layerscape secure boot with Yocto for 1028A family


jclsn

Hi,

I am currently trying to get acquainted with the secure boot implementation on Layerscape processors. I have been reading the documentation a lot over the last few days, but it is still not clear to me how everything works.

From what I understand, these are the boot stages:

BL1   : BootROM code
BL2   : Pre-Bootloader
BL31 : EL3 runtime firmware
BL32 : OP-TEE (optional)
BL33 : U-Boot

All stages seem to be verified with a CSF header that contains the commands, pointers and checksums of the images to be verified. Is the same CSF header used for all stages?

The Bitbake recipe here seems to take care of the signing and fusing process. I don't fully understand all parts of the recipe, but is it sufficient to provide your own SRK files to automatically sign the images and build the fuse provisioning image?

jclsn
So I could progress a bit. Seems like you need to copy the srk.pri and srk.pub into the work directory of the qoriq-atf recipe to sign the images.

Only thing left is the fuse_fip.bin. Seems like you need to provide the input_fuse_file and add the OTPMK and SRKH. I am still not quite sure if I am doing this right. The gen_otpmk_drbg command can generate the OTPMK for you, and the SRKH can be generated by the uni_pbi command, provided the input_pbi_flexspi_nor_secure file. In the documentation it says that the SRKH is merely a SHA-256 sum calculated over the srk.pub, but if I run

$ sha256sum srk.pub

I get a different hash than with the uni_pbi command. Can you please clarify why that happens?