How to sign code for uboot 2014-04 for imx28? This version of uboot integrates code signing for imx28.


jérômedusautois
Contributor I

Hi

I am trying to use the u-boot-signed.sb target to sign the bootloader.

Has anybody already used this?

Best regards,

Jérôme

alejandrolozan1
NXP Employee

Hi,

Generally, U-Boot itself does not handle the secure boot, since there is HAB functionality in the internal (ROM) bootloader of the i.MX28.

Please look at Chapter 12 (Boot Modes) of the i.MX28 Reference Manual.

More details may be found in the so-called i.MX28 Security Reference Manual, which should be published soon on the Web.

Basically, for the HAB we have to provide some valid information (in addition to the application):

- a command sequence file (CSF);
- the super root key structure (the public key is shown there, and the hash of this key is provided in the fuses).

The general sequence of HAB checking is as follows:

1. Install Super_Root_Key. For fuse SRK processors, the SRK is supplied in external memory. The SRK data is first copied to internal memory for better integrity protection, and the SRK fingerprint is verified against the SRK hash present in the OTP fuses to ensure that the supplied SRK data is correct.
2. Verify CSF Certificate with Super-Root Key.
3. Verify CSF with CSF Key.
4. Verify App Certificates (CSF Key).
5. Verify App Signatures (App Keys).

If all verifications are OK, the application starts.

Now you may request the Code Signing Tools.

i.MX Design Tools|Freescale

Best Regards,

Alejandro
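The five-step check listed in the reply above, modelled as an added example that is not part of the original post and is not NXP or U-Boot code. Textbook RSA over constructed toy keys stands in for the real certificates and signatures, and the function names, image layout and CSF contents are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def toy_key(a, b):
    # Constructed textbook-RSA key from two Mersenne primes: a model, NOT secure.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub(key):
    return key["n"].to_bytes(600, "big")  # hypothetical public-key encoding

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(digest(data), key["d"], key["n"])

def verify(pub_bytes, data, sig):
    return pow(sig, E, int.from_bytes(pub_bytes, "big")) == digest(data)

def build_image(app, srk, csf_key, app_key):
    csf = b"authenticate application"  # constructed stand-in for the CSF commands
    return {
        "srk": pub(srk),
        "csf_cert": (pub(csf_key), sign(srk, pub(csf_key))),
        "csf": (csf, sign(csf_key, csf)),
        "app_cert": (pub(app_key), sign(csf_key, pub(app_key))),
        "app": (app, sign(app_key, app)),
    }

def hab_check(img, fused_srk_hash):
    """Return 0 if the application may start, else the number of the failed step."""
    csf_pub, app_pub = img["csf_cert"][0], img["app_cert"][0]
    steps = [
        lambda: hashlib.sha256(img["srk"]).digest() == fused_srk_hash,  # 1. install SRK
        lambda: verify(img["srk"], *img["csf_cert"]),  # 2. CSF certificate, SRK
        lambda: verify(csf_pub, *img["csf"]),          # 3. CSF, CSF key
        lambda: verify(csf_pub, *img["app_cert"]),     # 4. app certificate, CSF key
        lambda: verify(app_pub, *img["app"]),          # 5. app signature, app key
    ]
    for number, check in enumerate(steps, start=1):
        if not check():
            return number
    return 0

SRK, CSF_KEY, APP_KEY = toy_key(127, 521), toy_key(607, 1279), toy_key(2203, 2281)
ROGUE = toy_key(521, 607)  # constructed key that was never fused
FUSES = hashlib.sha256(pub(SRK)).digest()  # SRK hash as burned into OTP
```

An image signed by a self-consistent key tree whose SRK was never fused is rejected at step 1, which is why the fuse hash anchors the whole chain.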

jérômedusautois
Contributor I

Hi,

Thanks for your response,

I found a target in u-boot to make a signed u-boot.sb.

After some corrections in the makefile, it works.

I tried to encrypt with elftosb; that works too.

But, when encrypted, the Freescale tools don't work anymore (BitInit, bitloader, etc). I think it's normal because the code loaded by these tools is not encrypted.

I haven't tried to close the imx28 to accept only signed messages. That's the next step. I suppose the tools don't work on a closed CPU?

Best regards

---

Jérôme Dusautois


On 2015-03-09 19:28, Alejandro Lozano Lozano wrote:
