HAB enable for RTOS kernel in place of uImage

dhanunjay
Contributor III

Dear Nxp Team,

Greetings!!

We are enabling the secure boot feature on an imx6 DL device. I have a few queries at the implementation level:

1. How to authenticate an RTOS kernel image in place of uImage? Like in Linux, can we use the authenticate_binary() API?

     Is any example implementation available for RTOS kind of kernel authentication?

2. How to enable CAAM clocks?

3. The RTOS kernel was mapped to a virtual DDR address range; do I need to add the ivt.bin and csf.bin files as per the virtual mapping?

4. How to improve boot performance using hardware engines, can you brief about it? What are the available hardware engines?

Thank you in advance!!

Yuri
NXP Employee

Hello,

  Please look at my comments below.

1.
  You may use HAB API, described in “HAB4_API.pdf” in CST documentation.
It is recommended “using the hab_rvt.authenticate_image() whenever possible. This is instead of calling the other APIs separately ensuring all the proper authentication steps are performed.”

NXP Code Signing Tool for the High Assurance Boot library. Provides software code signing support de... 

2.
  Please refer to the following

CAAM features

3.

  IVT and CSF should be provided for the image for checking.

When using MMU, virtual and physical addresses should be the same.

4.

  Please refer to the i.MX6 Security RM and the CST documentation.

https://www.nxp.com/webapp/Download?colCode=IMX6DQ6SDLSRM&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE... 

Have a great day,
Yuri

dhanunjay
Contributor III

Hi Yuri,

Thanks for the reply.

Can you please explain how to add an IVT table for an RTOS application? Based on the IVT table, the bootloader needs to verify the CSF file, am I correct?

Is it possible to create a signed image for an .elf file using the CST tool?

Yuri
NXP Employee

Hello,

1.

As for the IVT table, you may use the approach described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide" (enclosed):

File genIVT

------------- file content begin -------------

#! /usr/bin/perl -w
use strict;

open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x402000D1); # Signature
print $out pack("V", 0x10801000); # Jump Location
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x10BFDFE0); # Self Pointer
print $out pack("V", 0x10BFE000); # CSF Pointer
print $out pack("V", 0x0); # Reserved
close($out);

------------- file content end -------------

2.
> Bootloader need to verify the CSF file am I correct?

Yes.

3.

> Is it possible to create signed image for .elf file using CST tool?

Boot ROM, during HAB process, works with "plain" image in RAM. .elf files are intended to be loaded by a loader, which can understand ELF file / image structure in order to provide "plain" memory image.

Regards,

Yuri.
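
A build-time consistency check for the ivt.bin layout written by the genIVT script above, as an added example that is not part of the original thread or of NXP's tooling. The load address 0x10800000 and the file name rtos-pad-ivt.bin are assumptions, as is placing the CSF directly after the padded image and IVT; all pointers are absolute addresses, which is why the reply asks for identical virtual and physical addresses.

```python
import struct
from collections import namedtuple

Ivt = namedtuple("Ivt", "header entry reserved1 dcd boot_data self_ptr csf reserved2")
IVT_SIZE = 32  # eight little-endian 32-bit words, as written by genIVT

def build_ivt(entry, self_ptr, csf):
    # Same layout as the genIVT script: Perl pack("V", ...) is a little-endian u32.
    return struct.pack("<8I", 0x402000D1, entry, 0, 0, 0, self_ptr, csf, 0)

def parse_ivt(blob):
    if len(blob) < IVT_SIZE:
        raise ValueError("IVT needs %d bytes, got %d" % (IVT_SIZE, len(blob)))
    return Ivt(*struct.unpack_from("<8I", blob))

def check_ivt(ivt, load_addr):
    """Return a list of layout problems; an empty list means the IVT is consistent."""
    problems = []
    tag = ivt.header & 0xFF                      # first byte in memory
    length = (((ivt.header >> 8) & 0xFF) << 8) | ((ivt.header >> 16) & 0xFF)  # big-endian
    version = ivt.header >> 24
    if tag != 0xD1:
        problems.append("header tag is not 0xD1")
    if length != IVT_SIZE:
        problems.append("header length is not 0x20")
    if (version & 0xF0) != 0x40:
        problems.append("header version is not HAB4 (0x4x)")
    if ivt.reserved1 or ivt.reserved2:
        problems.append("reserved words are not zero")
    if ivt.dcd or ivt.boot_data:
        problems.append("DCD/boot data set, genIVT leaves them 0")
    if not load_addr <= ivt.entry < ivt.self_ptr:
        problems.append("entry point outside the image that precedes the IVT")
    if ivt.csf < ivt.self_ptr + IVT_SIZE:
        problems.append("CSF pointer overlaps or precedes the IVT")
    return problems

def csf_block(ivt, load_addr, filename):
    """CSF 'Blocks' line covering image + padding + IVT, ending where the CSF starts."""
    return 'Blocks = 0x%08X 0x0 0x%X "%s"' % (load_addr, ivt.csf - load_addr, filename)

if __name__ == "__main__":
    LOAD_ADDR = 0x10800000  # assumption: where the bootloader places the RTOS image
    ivt = parse_ivt(build_ivt(0x10801000, 0x10BFDFE0, 0x10BFE000))  # values from genIVT
    print("problems:", check_ivt(ivt, LOAD_ADDR) or "none")
    print("IVT offset in padded image: 0x%X" % (ivt.self_ptr - LOAD_ADDR))
    print(csf_block(ivt, LOAD_ADDR, "rtos-pad-ivt.bin"))  # hypothetical file name
```

The IVT offset printed here is the value to pad the RTOS image to before appending ivt.bin.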