Steps to enable secure boot in i.MX8M Nano

5 件の賞賛

Below mentioned are the step to enable secure boot in imx8m nano board. Mentioned each step log and address for imx8m nano board tested with LPDDR4.

secure boot feature uses digital signatures to prevent unauthorized software execution during the device boot sequence. In case a malware takes control of the boot sequence, sensitive data, services and network can be impacted.

Download the CST(code signing tool) from the below mentioned link
https://www.nxp.com/webapp/sps/download/preDownload.jsp?render=true

1. Generating a PKI tree

The Code Signing Tools package contains an OpenSSL based key generation script under keys/ directory. The hab4_pki_tree.sh script is able to generate a PKI tree containing up to 4 Super Root Keys (SRK) as well as their subordinated IMG and CSF keys.
$ ./hab4_pki_tree.sh
...
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 5
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

2. Generating a SRK Table and SRK Hash

The next step is to generated the SRK Table and its respective SRK Table Hash
from the SRK public key certificates created in one of the steps above.

The srktool can be used for generating the SRK Table and its respective SRK
Table Hash.

- Generating SRK Table and SRK Hash in Linux 64-bit machines:

$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e \
SRK_1_2_3_4_fuse.bin -d sha256 -c \
SRK1_sha256_2048_65537_v3_ca_crt.pem,\
SRK2_sha256_2048_65537_v3_ca_crt.pem,\
SRK3_sha256_2048_65537_v3_ca_crt.pem,\
SRK4_sha256_2048_65537_v3_ca_crt.pem

The SRK_1_2_3_4_table.bin and SRK_1_2_3_4_fuse.bin files can be used in further
steps as explained in HAB guides available under doc/imx/habv4/guides/
directory.

3. step-by-step procedure on how to sign and securely boot a bootloader image on i.MX8M Nano devices

3.1 Enabling the secure boot support in U-Boot
clone the u-boot from the git link https://source.codeaurora.org/external/imx/uboot-imx

Enable the secure boot support in u-boot
- Defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y from 2020.04 u-boot

Build images

$ make imx8mn_evk_defconfig
$ make
Output images
$(UBOOT_SRC)/u-boot-nodtb.bin
$(UBOOT_SRC)/spl/u-boot-spl.bin
$(UBOOT_SRC)/arch/arm/dts/fsl-imx8mm-evk.dtb‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

3.2 ARM Trusted Firmware
Get the ATF from the below mentioned source link
https://source.codeaurora.org/external/imx/imx-atf

Build images

$ make PLAT=imx8mn bl31

Output images

$(ATF_SRC)/build/imx8mn/release/bl31.bin‍‍‍‍‍‍‍‍‍‍‍‍

3.3 Get DDR FW images
$ wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-8.0.bin
$ chmod 777 firmware-imx-8.0.bin
$ ./firmware-imx-8.0.bin

Accept the LICENSE AGREEMENT
$ cd firmware-imx-8.0.bin‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍/firmware/ddr/synopsys‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Output images
$(DDRFW_SRC)/lpddr4_*

3.4 Get IMX-MKIMAGE source
https://source.codeaurora.org/external/imx/imx-mkimage

Below mentioned are the steps to generate bootloder using mkimage

Gather necessary images

SPL and U-boot images
- u-boot-nodtb.bin
- u-boot-spl.bin
- fsl-imx8mm-evk.dtb‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

ATF image
- bl31.bin

DDR firmware images
- lpddr4_pmu_train_1d_dmem.bin
- lpddr4_pmu_train_1d_imem.bin
- lpddr4_pmu_train_2d_dmem.bin
- lpddr4_pmu_train_2d_imem.bin

Copy these files to imx-mkimage/iMX8M directory

3.5 Build i.MX8MN boot image flash.bin
$ make SOC=iMX8MN flash_evk
========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x24a00
spl hab block: 0x911fc0 0x0 0x24a00

Second Loader IMAGE:
sld_header_off 0x58000
sld_csf_off 0x59020
sld hab block: 0x401fcdc0 0x58000 0x1020

$ make SOC=iMX8MN print_fit_hab
./print_fit_hab.sh 0x60000 evk.dtb
0x40200000 0x5B000 0xC3AB0
0x402C3AB0 0x11EAB0 0x78F0
0x960000 0x1263A0 0xA1B0
0xBE000000 0x130550 0x10

3.6 Creating the CSF description file

The build log provided by imx-mkimage can be used to define the "Authenticate
Data" parameter in CSF.

- SPL "Authenticate Data" addresses in flash.bin build log:

spl hab block: 0x911fc0 0x0 0x24a00

- "Authenticate Data" command in csf_spl.txt file:

Blocks = 0x911fc0 0x0 0x24a00 "flash.bin"

- FIT image "Authenticate Data" addresses in flash.bin build log:

sld hab block: 0x401fcdc0 0x57c00 0x1020

- FIT image "Authenticate Data" addresses in print_fit_hab build log:

0x40200000 0x5B000 0xC3AB0
0x402C3AB0 0x11EAB0 0x78F0
0x960000 0x1263A0 0xA1B0
0xBE000000 0x130550 0x10

- "Authenticate Data" command in csf_fit.txt file:

Blocks = 0x401fcdc0 0x57c00 0x1020 "flash.bin", \
0x40200000 0x5B000 0xC3AB0 "flash.bin", \
0x402C3AB0 0x11EAB0 0x78F0 "flash.bin", \
0x960000 0x1263A0 0xA1B0 "flash.bin", \
0xBE000000 0x130550 0x10 "flash.bin"

3.7 Avoiding Kernel crash in closed devices
- Add Unlock MID command in csf_spl.txt:

[Unlock]
Engine = CAAM
Features = MID

3.8 Signing the flash.bin binary
The CST tool is used for singing the flash.bin image and generating the CSF
binary. Users should input the CSF description file created in the step above
and receive a CSF binary, which contains the CSF commands, SRK table,
signatures and certificates.

- Create SPL CSF binary file:

$ ./cst -i csf_spl.txt -o csf_spl.bin

- Create FIT CSF binary file:

$ ./cst -i csf_fit.txt -o csf_fit.bin

3.8 Assembling the CSF in flash.bin binary
-------------------------------------------

The CSF binaries generated in the step above have to be inserted into the
flash.bin image.

The CSF offsets can be obtained from the flash.bin build log:

- SPL CSF offset:

csf_off 0x24a00

- FIT CSF offset:

sld_csf_off 0x59020

The signed flash.bin image can be then assembled:

- Create a flash.bin copy:

$ cp flash.bin signed_flash.bin

- Insert csf_spl.bin in signed_flash.bin at 0x24a00 offset:

$ dd if=csf_spl.bin of=signed_flash.bin seek=$((0x24a00)) bs=1 conv=notrunc

- Insert csf_fit.bin in signed_flash.bin at 0x59020 offset:

$ dd if=csf_fit.bin of=signed_flash.bin seek=$((0x59020)) bs=1 conv=notrunc

- Flash signed flash.bin image:

$ sudo dd if=signed_flash.bin of=/dev/sd<x> bs=1K seek=33 && sync

3.9 Verifying HAB events
------------------------
The next step is to verify that the signatures included in flash.bin image is
successfully processed without errors. HAB generates events when processing
the commands if it encounters issues.

Prior to closing the device users should ensure no HAB events were found, as
the example below:

- Verify HAB events:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

3.10 Programming SRK Hash
-------------------------
The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs.

- Dump SRK Hash fuses values in host machine:

$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0x20593752
0x6ACE6962
0x26E0D06C
0xFC600661
0x1240E88F
0x1209F144
0x831C8117
0x1190FD4D

- Program SRK_HASH[255:0] fuses on i.MX8MN devices:

=> fuse prog 6 0 0x20593752
=> fuse prog 6 1 0x6ACE6962
=> fuse prog 6 2 0x26E0D06C
=> fuse prog 6 3 0xFC600661
=> fuse prog 7 0 0x1240E88F
=> fuse prog 7 1 0x1209F144
=> fuse prog 7 2 0x831C8117
=> fuse prog 7 3 0x1190FD4D

3.10 Completely secure the device
----------------------------------

Additional fuses can be programmed for completely secure the device, more
details about these fuses and their possible impact can be found at AN4581[1].

- Program SRK_LOCK:

=> fuse prog 0 0 0x200

- Program DIR_BT_DIS:

=> fuse prog 1 3 0x8000000

- Program SJC_DISABLE:

=> fuse prog 1 3 0x200000

- JTAG_SMODE:

=> fuse prog 1 3 0xC00000