Hello,
I am currently working on implementing secure boot using HSE APIs to perform kernel image verification before loading. At present, U-Boot loads the kernel image without leveraging any cryptographic algorithms, relying solely on a U-Boot environment script.
I am considering including a custom U-Boot command within the environment script to invoke the HSE APIs (SMR and CR) for kernel verification. However, I am unsure about where and how to implement this in my Yocto package, or whether this approach is appropriate. If this method is not recommended, I would appreciate any suggestions for a better alternative.
Thank you.
@Jayashree, Great initiative!
Implementing HSE APIs via a custom U-Boot command is viable.
Consider integrating it in cmd/ and patching via a Yocto bbappend. Alternatively, embed verification in U-Boot's boot sequence for tighter security.
Ensure mandatory checks and thorough testing. Happy to discuss further if you hit roadblocks!
BR,
Ashutosh Nama.
Hello, @Jayashree
Thanks for your post.
May I know which BSP version you are working with?
From the BSP42.0 UM, kernel image authentication is provided by U-Boot, using the upstream verified boot method; it is described in chapter 10.6. May I know if the method described could help in your case?
BR
Chenyin