HAB enable for RTOS kernel inplcace of uImage

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HAB enable for RTOS kernel inplcace of uImage

Jump to solution
1,404 Views
dhanunjay
Contributor III

Dear Nxp Team,

Greetings!!

We are enabling secure boot feature on imx6 DL device. I have few queries in implementation level:

1. How to authenticate RTOS kernel image in-place of uImage? like in Linux, can we use authenticate_binary() API?

     any example implementation available for RTOS kind of kernel authentication?

2. How to enable CAAM clocks.

3. The RTOS kernel was mapped to virtual DDR address range, do i need to add ivt.bin and csf.bin file as per vitual maaping?

4. How to improve boot performance using hardware engines, can you brief about it? what are available hardware           engines?

Thank you in advance!!

Labels (3)
Tags (1)
0 Kudos
Reply
1 Solution
1,011 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Please look at my comments below.

1.
  You may use HAB API, described in “HAB4_API.pdf” in CST documentation.
It is recommended “using the hab_rvt.authenticate_image() whenever possible. This is instead of calling the other APIs separately ensuring all the proper authentication steps are performed.”

NXP Code Signing Tool for the High Assurance Boot library. Provides software code signing support de... 

2.
  Please refer to the following

CAAM features

3.

  IVT and CSF should be provided for the image for checking.

When using MMU, virtual and physical addresses should be the same.

4.

  Please refer to the i.MX6 Security RM and the CST documentation.

https://www.nxp.com/webapp/Download?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE... 

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos
Reply
3 Replies
1,012 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Please look at my comments below.

1.
  You may use HAB API, described in “HAB4_API.pdf” in CST documentation.
It is recommended “using the hab_rvt.authenticate_image() whenever possible. This is instead of calling the other APIs separately ensuring all the proper authentication steps are performed.”

NXP Code Signing Tool for the High Assurance Boot library. Provides software code signing support de... 

2.
  Please refer to the following

CAAM features

3.

  IVT and CSF should be provided for the image for checking.

When using MMU, virtual and physical addresses should be the same.

4.

  Please refer to the i.MX6 Security RM and the CST documentation.

https://www.nxp.com/webapp/Download?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE... 

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply
1,011 Views
dhanunjay
Contributor III

Hi Yuri,

Thanks for reply.

Can you please explain how to add IVT table for RTOS application? Based on IVT table, Bootloader need to verfy the CSF file am i correct?

Is it possible to create signed image for .elf file using CST tool?

0 Kudos
Reply
1,011 Views
Yuri
NXP Employee
NXP Employee

Hello,

1.

as for IVT table, You may use approach, described in "i.MX 6 Linux High
Assurance Boot (HAB) User's Guide"  (enclosed):

File genIVT

------------- file content begin -------------

#! /usr/bin/perl -w

use strict;

open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";

print $out pack("V", 0x402000D1); # Signature

print $out pack("V", 0x10801000); # Jump Location

print $out pack("V", 0x0); # Reserved

print $out pack("V", 0x0); # DCD pointer

print $out pack("V", 0x0); # Boot Data

print $out pack("V", 0x10BFDFE0); # Self Pointer

print $out pack("V", 0x10BFE000); # CSF Pointer

print $out pack("V", 0x0); # Reserved

close($out);

------------- file content end -------------

2.
> Bootloader need to verfy the CSF file am i correct?

Yes.

3.

> Is it possible to create signed image for .elf file using CST tool?

Boot ROM, during HAB process, works with "plain" image in RAM.

.elf files are intended to be loaded by a loader, which can understand

ELF file / image structure in order to provide "plain" memory image.

Regards,

Yuri.