Hi Freescale Support Team,
1.In Imx6 series processors,in order to make HAB to authenticate boot image (for eg: u-boot),we need to call HAB APIs from u-boot directly?.
2.How can I extend this secure booting feature for kernel Image?...For kernel image authentication also ,can i follow the same steps used for signing the u-boot using CST tools .?.
3.Where should I include the authentation APIs in kernel to make HAB to authenticate the uImage?
The following are information sources :
“i.MX 6 Linux High Assurance Boot (HAB) User's Guide”
from Linux documentation.
https://www.freescale.com/webapp/Download?colCode=L3.0.35_1.1.0_LINUXDOCS_BUNDLE&location=null
AN4581
“Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4”
http://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
i.MX Trust Architecture presentation :
1.
The recent document states, that HAB API may be called from:
- Boot ROM.
− Other boot stages.
−APIs used in U-Boot in this session are:
hab_status_t(*report_event)(hab_status_tstatus, uint32_t index, uint8_t *event, size_t*bytes)
hab_status_t(*report_status)(hab_config_t*config, hab_state_t*state)
2.
Kernel image may be checked by U-boot, as mentioned in “i.MX 6 Linux High Assurance Boot (HAB) User's Guide” :
“The second stage is the authentication of uImage by U-Boot. authenticate_image is called
by U-boot to verify uImage when executing bootm.”
Hello Yuri,
authenticate_image, can this also be done for zImage?
Cheers,
Satya
Hello,
> authenticate_image, can this also be done for zImage?
Yes.
Regards,
Yuri.
Hi Yuri ,
Thanks a lot for your post .I have all documents except i.MX 6 Linux High Assurance Boot (HAB) User's Guide .This document is very helpfull .Thanks for your help.