1) Please send a link or a document giving the specific steps to create a signed final boot container for iMX8x?
For secure boot on iMX8X, the boot container is built with the Yocto recipe imx-boot. On iMX8X the binaries for SCU Firmware, ARM Trusted Firmware, U-boot, etc. are located under build/deploy/images/imx8x/imx-boot-tools/
2) Having built the imx8x minimal bitbake with OpenEmbedded, all the needed artifacts to assemble the final boot container exist in the imx-boot... bin-flash image, correct?
3) Does the imx-boot Yocto recipe also do the csf signing? I don't see a signed image in the artifacts and I don't see the offsets. Instructions indicate:
To generate the flash.bin file:
- On i.MX 8 QXP:
$ cd <work>/imx-mkimage
$ make SOC=iMX8QX flash
If the command ends successfully, the end of the result should look like:
CST: CONTAINER 0 offset: 0x400
CST: CONTAINER 0: Signature Block: offset is at 0x590
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
Keep in mind the offsets above to be used with CST/CSF.
Once this flash has been created, then it needs to be signed using the CSF and a signed image created as below, correct?
1.5.1 Creating the CSF description file for the second container
-----------------------------------------------------------------
The CSF contains all the commands that the AHAB executes during the secure
boot. These commands instruct the AHAB on which memory areas of the image
to authenticate, which keys to install and use, etc.
CSF examples are available under doc/imx/hab/ahab/csf_examples/
directory.
This csf_boot_image.txt file example should be updated with the offset values
of the 1.4 section and the path to your flash.bin file. It is the last part
of the file:
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x400 0x590
1.5.2 Signing the boot image
-----------------------------
Now you use the CST to generate the signed boot image from the previously
created csf_boot_image.txt Commands Sequence File:
$ cd <work>
$ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin
1.5.3 Flash the signed image
-----------------------------
Write the signed U-Boot image:
$ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync
Then insert the SD Card into the board and plug your device into your computer
with a USB serial cable.
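As an added example (not from the thread, from NXP's documents or from the U-Boot guide quoted above), a small POSIX sh helper that pulls the two offsets out of the "make SOC=iMX8QX flash" output and writes the [Authenticate Data] block of csf_boot_image.txt, refusing to emit anything if either offset is missing. The sample log text is constructed from the lines quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: derive the CSF "Offsets =" line from the imx-mkimage log
# instead of copying the two hex values by hand.

# Constructed sample of the tail of the imx-mkimage output quoted in the post.
SAMPLE_MKIMAGE_LOG='CST: CONTAINER 0 offset: 0x400
CST: CONTAINER 0: Signature Block: offset is at 0x590
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET'

# Print "<container header offset> <signature block offset>" from a log.
# Returns 1 and prints nothing if either value is absent or inconsistent,
# so a caller cannot sign flash.bin with an empty or stale Offsets line.
csf_offsets_from_log() {
    hdr=$(printf '%s\n' "$1" \
        | sed -n 's/^CST: CONTAINER 0 offset: \(0x[0-9A-Fa-f]*\).*/\1/p' \
        | head -n 1)
    sig=$(printf '%s\n' "$1" \
        | sed -n 's/^CST: CONTAINER 0: Signature Block: offset is at \(0x[0-9A-Fa-f]*\).*/\1/p' \
        | head -n 1)
    [ -n "$hdr" ] && [ -n "$sig" ] || return 1
    # The signature block sits after the container header; anything else
    # means this log does not belong to the flash.bin about to be signed.
    [ $((sig)) -gt $((hdr)) ] || return 1
    printf '%s %s\n' "$hdr" "$sig"
}

# Emit the last part of csf_boot_image.txt for the given image path and
# "hdr sig" pair (the format shown in section 1.5.1 of the U-Boot guide).
write_authenticate_data() {
    printf '[Authenticate Data]\n'
    printf '# Binary to be signed generated by mkimage\n'
    printf 'File = "%s"\n' "$1"
    printf '# Offsets = Container header Signature block (printed out by mkimage)\n'
    printf 'Offsets = %s\n' "$2"
}

# Stand-alone run: print the CSF block for the constructed log, or refuse.
if offs=$(csf_offsets_from_log "$SAMPLE_MKIMAGE_LOG"); then
    write_authenticate_data flash.bin "$offs"
else
    echo "mkimage offsets not found in log; not generating CSF" >&2
fi
```

In a real flow the log is the captured output of "make SOC=iMX8QX flash" and the printed block is appended to the CSF example from doc/imx/hab/ahab/csf_examples/ before running cst.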
Hi tlsmith3777,
This board was developed by Toradex, and one can request documentation specific to that board from its support: https://www.toradex.com/locations
In general one can look at:
Secure build guidelines and app notes from links:
https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab?h=imx_v2020.04_5.4.70_2.3.0
Best regards
igor
I don't have direct access to the documents. Are you able to send me public links or attach the documents you recommended?
Yocto bitbake for the iMX8x doesn't appear to
1) NXP does not enable AHAB in uboot by default. That is, NXP does not set CONFIG_AHAB_BOOT=y in the u-boot defconfig by default. This forces customers to have to download u-boot and build it separately after setting the defconfig properly.
2) NXP does not configure the ARM Architecture Support for AHAB features in the Kconfig. So, the container that is built does not by default have AHAB. This forces customers to have to invoke a separate kernel build with the change to the Kconfig to add AHAB support.
AHAB support is required for the imx8x to check SECO events and to close the device. This means the yocto bitbake for iMX8x is not sufficient for signing once the image is bitbaked, correct? It does not have AHAB support in u-boot nor the kernel by default even though it has final boot container, correct?
All mentioned links are public links, with free access. In particular one can look at AN12312
Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
other useful web links:
https://translate.google.com/translate?sl=zh-CN&tl=en&u=https://wowothink.com/258082eb/
Best regards
igor
Where specifically is AHAB enabled in the meta layers or bb files if not in .config and defconfig?
Please look at the i.MX Yocto Project User’s Guide.
I am afraid there are no metalayers or recipes enabling AHAB.
Best regards
igor
Where can I find the AHAB Application Programming Interface Reference Manual?
How does uboot get configured so one can use the AHAB commands? Is there a defconfig needed, or what is required?
>AHAB Application Programming Interface Reference Manual?
I am afraid it is not available as it is part of SECO ROM and FW, which are confidential
and proprietary.
Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
Best regards
igor
Thank you. On NXP i.MX8x boards, if I do a bitbake virtual/kernel -c menuconfig, where is the ARM architecture->Support i.MX 8 AHAB features located in the configuration? Does it exist in the NXP i.MX8X menuconfig?
> if I do a bitbake virtual/kernel -c menuconfig, where is the ARM architecture->
>Support i.MX 8 AHAB features located in the configuration?
What do you mean exactly? As per p.7 of AN12312 there are several changes that should be done
compared to the usual image (they are not performed by bitbake or with menuconfig):
Best regards
igor
The details of enabling AHAB are in the attachments from NXP. What you sent is too high level.
See the attached slides beginning with Secure Boot - U-Boot. The step by step guide is found under section 3.4 Examples in AN12312.pdf. The Step by Step Guide has the following under section 1.2 Preparing U-boot to support AHAB:
CONFIG_AHAB_BOOT=y
- Kconfig:
ARM architecture -> "Support i.MX 8 AHAB features"
Again, I don't find these in either the u-boot defconfig or in the kernel .config. I can add it to the U-boot defconfig and see if I see the AHAB commands, but I am not able to configure the kernel config using menuconfig. The following is from the attached slides.
U-Boot configuration
• Bootloader provides additional commands for AHAB
• Allows authentication of additional container images
• CONFIG_AHAB_BOOT enables SCU API in U-Boot
Also in the NXP slides under "Secure Boot Easy Method," I do not find these in any metalayers or recipes enabling AHAB. What enables AHAB in the recipes?
* Standardized approach to enabling security features
* Enablement through additional Yocto metalayers
* Simple AHAB enablement
# Advanced High Assurance Boot
AHAB_ENABLE = "1"
AHAB_SIGN_SRKTABLE =
AHAB_SIGN_PUBLIC_CRT =
Thank you. Please allow me to ask, how does uboot get configured so one can use the AHAB commands?