- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: HAB and encrypted boot (Linux)
HAB and encrypted boot (Linux)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HAB and encrypted boot (Linux)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
after reading the reference manual chapters 12, 13 and 20 (Boot Modes, DCP and OCOTP) I'm still unsure how an encrypted and signed boot process would be set up.
My idea is that I have a uImage of the Linux Kernel. Signing that with the Freescale code signing tool will generate a HAB.ELF file. Then 'elftosb' takes HAB.ELF and uImage as input and produces a SB file which represents a signed boot stream.
If this image is flashed and the HAB_CONFIG OTP bits are set to HAB_CLOSED the CPU will boot this image resp. fail to do so if the image in flash is not signed (of course the SRK OTP has to be programmed too).
Is this correct so far?
So, on the next step I programm the CRYPTO_KEY OTP and use the DCP to encrypt my image with CRYPTO_KEY. Now I have an encrypted image, but how do I tell the boot ROM that the image is encrypted and not just garbage?
Can someone enlighten me?
Christoph
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer Rod. I have that app note but there are still great holes in the documentation. I heard about a VM which came with your presentations?
Kind Regards,
Matthias
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Matthias,
A Linux image does exist that provides a secure/encrypted Linux boot on i.MX28. However, this image is not available publicly and requires an NDA. The AN4555 application note is intended to provide all the information required to perform both a secure boot with HAB as well as an encrypted boot on i.MX28. Is there a specific problem you are having? If so, the Freescale team can address your questions here.
Thanks,
-Rod
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rod,
thank you for your reply.
If you would add me as your friend I could send you a PM. I am sorry to ask you this but unfortunately there is really no choice to contact you via this forum. Due to that fact I post my answer here and hope you see it.
My university is in coorperation with silica The Engineers of Distribution - An Avnet Company which is a hardware vendor of yours. We already have a non-disclosure agreement with them.
The interesting thing is that it took us months to receive the presentation of yours just to find out that it is obsolete? Can you tell me exactly for what I should ask? It would be very helpful for me to see the code changes.
And yes there are questions. I hope I can adress them to you because I did not found any contact information in the app note.
on page 15 .. about what linker file are you talking? can you tell me the exact name? if it is uboots linker file where do i find them? can I use the board supports package uboot or do i have to use the official one from denx' git repository?
is the IVT image vector table created automatically? I found something in /rootfs/boot which ended with ivt. this is created by the updater-script which is invoked by the ltib script. do I have to change anything to produce the correct ivt?
From where do I get the adress spaces I would like to sign? these values must be known if I would like to produce a correct csf.
It would be great if you or someone else could answer me these questions!
Thank you in advance,
Matthias
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Matthias,
The linker script is an example, as the syntax and content is likely related to the compiler/linker.
If it is the one in u-boot, then you will need to get the u-boot from a git repository or the linux BSP that you can download from the Freescale web site.
I guess that you need to get familiar with u-boot first, and then you will be able to add the necessary pieces required for a secure boot. You can surely find support on u-boot in the related community.
Typically, the linker script is here:
./board/freescale/mx28_evk/u-boot.lds
The idea with the linker script is to reserve some space for the security related data used during boot. By adding this, it is therefore possible to automatically resolve the address that must be provided to the Image Vector Table (IVT).
That is the entry point for the ROM code of the i.MX28 to find each elements needed for the boot.
You can get more information in the chapter "Boot modes", and "program image" of the reference manual.
If you look at the figure 5 in the app note, the signed part is typically from start of the IVT to the end of the image data. That gives you the start address and size of the code.
./board/freescale/mx28_evk/config.mk (start address where u-boot will be linked).
Florent
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I'm trying to solve kind of the same problem here. The u-boot that comes with the ltib has both a non-secured and secured (_ivt_) bootstream as output. However, if I download the latest u-boot-imx.git and build that in a separate folder, the only output I get is a non-secured u-boot.sb. Doesn't the u-boot imx-tree provide in adding this security? Or can it be added afterwards with the u-boot.bin as input, without changing linker scripts and all (as described in AN4555)?
I did request a download for the Freescale code signing tool. Perhaps this can be the solution, but I would prefer a "built-in" solution from the Linux command line.
Regards,
Ruud
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I think I solved this myself by using the "./ltib -p boot_stream.spec -f" command from ltib. By copying the generated u-boot file from the separate project dir to ltib/roots/boot and using this command, a secured bootstream is created for the new u-boot. This u-boot is not working properly yet, but at least it starts....
Regards,
Ruud
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Christoph,
Have you read through the application note posted at: http://cache.freescale.com/files/32bit/doc/app_note/AN4555.pdf?fsrch=1&sr=1?
-Rod
