Dear NXP Team,
Greetings!!
We are enabling the secure boot feature on an imx6 DL device. I have a few queries at the implementation level:
1. How to authenticate an RTOS kernel image in place of uImage? Like in Linux, can we use the authenticate_binary() API?
Is any example implementation available for RTOS kind of kernel authentication?
2. How to enable CAAM clocks?
3. The RTOS kernel was mapped to a virtual DDR address range; do I need to add the ivt.bin and csf.bin files as per the virtual mapping?
4. How to improve boot performance using hardware engines, can you brief about it? What are the available hardware engines?
Thank you in advance!!
Hello,
Please look at my comments below.
1.
You may use HAB API, described in “HAB4_API.pdf” in CST documentation.
It is recommended “using the hab_rvt.authenticate_image() whenever possible. This is instead of calling the other APIs separately ensuring all the proper authentication steps are performed.”
2.
Please refer to the following
3.
IVT and CSF should be provided for the image for checking.
When using MMU, virtual and physical addresses should be the same.
4.
Please refer to the i.MX6 Security RM and the CST documentation.
Have a great day,
Yuri
Hi Yuri,
Thanks for the reply.
Can you please explain how to add an IVT table for an RTOS application? Based on the IVT table, the bootloader needs to verify the CSF file, am I correct?
Is it possible to create a signed image for an .elf file using the CST tool?
Hello,
1.
As for the IVT table, you may use the approach described in "i.MX 6 Linux High
Assurance Boot (HAB) User's Guide" (enclosed):
File genIVT
------------- file content begin -------------
#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x402000D1); # Signature
print $out pack("V", 0x10801000); # Jump Location
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x10BFDFE0); # Self Pointer
print $out pack("V", 0x10BFE000); # CSF Pointer
print $out pack("V", 0x0); # Reserved
close($out);
------------- file content end -------------
2.
> Based on the IVT table, the bootloader needs to verify the CSF file, am I correct?
Yes.
3.
> Is it possible to create a signed image for an .elf file using the CST tool?
Boot ROM, during HAB process, works with "plain" image in RAM.
.elf files are intended to be loaded by a loader, which can understand
ELF file / image structure in order to provide "plain" memory image.
Regards,
Yuri.
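
A host-side sanity check for an ivt.bin produced by the genIVT script above, added here as an example (it is not code from the thread or from NXP). It parses the eight words and checks that the header and the absolute pointers are consistent with the RAM region the image is loaded into; the region bounds passed to check_ivt() and the rule that a HAB4 version byte has the form 0x4n are assumptions.

```python
import struct

IVT_SIZE = 32  # eight 32-bit little-endian words, as genIVT writes with pack("V", ...)
FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def page_ivt():
    """IVT bytes built from the values in the genIVT script quoted in the thread."""
    return struct.pack("<8I", 0x402000D1, 0x10801000, 0, 0, 0,
                       0x10BFDFE0, 0x10BFE000, 0)

def parse_ivt(blob):
    if len(blob) < IVT_SIZE:
        raise ValueError("IVT truncated: need %d bytes" % IVT_SIZE)
    # Header in memory: tag (1 byte), length (2 bytes, big-endian), version (1 byte).
    tag, length, version = struct.unpack(">BHB", blob[:4])
    ivt = dict(zip(FIELDS, struct.unpack("<7I", blob[4:IVT_SIZE])))
    ivt.update(tag=tag, length=length, version=version)
    return ivt

def check_ivt(blob, region_start, region_end):
    """Return a list of findings; an empty list means the IVT is self-consistent."""
    ivt, out = parse_ivt(blob), []
    if ivt["tag"] != 0xD1:
        out.append("bad header tag 0x%02X" % ivt["tag"])
    if ivt["length"] != IVT_SIZE:
        out.append("bad header length %d" % ivt["length"])
    if ivt["version"] >> 4 != 4:  # assumption: HAB4 version byte is 0x4n
        out.append("unexpected version 0x%02X" % ivt["version"])
    if ivt["reserved1"] or ivt["reserved2"]:
        out.append("reserved words not zero")
    if ivt["dcd"]:  # genIVT leaves the DCD pointer at 0 for this image
        out.append("DCD pointer set")
    # Pointers are absolute addresses: each must fall inside the load region.
    for name in ("entry", "self", "csf"):
        if not region_start <= ivt[name] < region_end:
            out.append("%s 0x%08X outside load region" % (name, ivt[name]))
    if ivt["self"] <= ivt["entry"] < ivt["self"] + IVT_SIZE:
        out.append("entry point inside IVT")
    if ivt["self"] <= ivt["csf"] < ivt["self"] + IVT_SIZE:
        out.append("CSF start overlaps IVT")
    return out

if __name__ == "__main__":
    # Constructed load region for illustration: 0x10800000..0x10C00000.
    print(check_ivt(page_ivt(), 0x10800000, 0x10C00000) or "IVT consistent")
```

Run it against the real file with `check_ivt(open("ivt.bin", "rb").read(), start, end)`, using the physical address range the bootloader actually copies the RTOS image into.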