IMX8QXP secure boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IMX8QXP secure boot

1,625 Views
gravity_one
Contributor III

Hi,

After reading the IMX8QXP secure boot document, it is found that only uboot is signed.

How does the KERNEL sign and boot?  Is there any document?

 

0 Kudos
4 Replies

1,618 Views
Yuri
NXP Employee
NXP Employee
0 Kudos

1,598 Views
gravity_one
Contributor III

Hi Yuri,

But when FOTA is upgraded, only KERNEL IMAGE and DTB are upgraded, how to boot safely?
How do I verify that KERNEL IMAGE and DTB are signed?

Brs,

Gravity

 

0 Kudos

1,585 Views
BiyongSUN
NXP Employee
NXP Employee

Have you ever read the doc yuri provided?

Have you ? 

If you read it, you will find 

The OS container needs to be prepared with proper container header in order to
sign the OS image. Using imx-mkimage tool provided by NXP, the OS image can be
wrapped into a container format.

- Build the kernel image for the target

  $ make SOC=<SoC name> flash_kernel
  $ mv <SoC name>/flash.bin <SoC name>/flash_os.bin

https://source.codeaurora.org/external/imx/imx-mkimage/tree/iMX8QX/soc.mak?h=lf-5.10.52-2.1.0

flash_kernel: $(MKIMG) Image fsl-imx8qxp-mek.dtb
	./$(MKIMG) -soc QX -rev B0 -c -ap Image a35 0x80280000 --data fsl-imx8qxp-mek.dtb 0x83000000 -out flash.bin


 If you want, you can modify to add a ramdisk to sign. 

If you want, you can modify anything to sign.

That is to say, anything you need for boot without authentication. Just add to the os container by imx-mkimge then you can use the athentication boot.  

The BSP example is use the Image, fsl-imx8qxp-mek.dtb to do none athentication.

and just put the Image, fsl-imx8qxp-mek.dtb to os container by imx-mkimage and sign it, then can do anthentication boot.

It is container, Image0 ~ ImageN. 

authenticate_os_container will help you copy the image for example the Image(kernel) to the loader address 0x80280000  (-ap Image a35 0x80280000 in imx-mkimage).

Before, you use the fatload to load the Image to the 0x80280000. 

loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}

#define CONFIG_LOADADDR 0x80280000

dr_mode with "peripheral"

"fi; " \

"if test ${sec_boot} = yes; then " \

"${get_cmd} ${cntr_addr} ${cntr_file}; " \

"if run auth_os; then " \

"run boot_os; " \

"else " \

"echo ERR: failed to authenticate; " \

"fi; " \

"else " \

"${get_cmd} ${loadaddr} ${image}; " \

"if test ${boot_fdt} = yes || test ${boot_fdt} = try; then " \

"if ${get_cmd} ${fdt_addr} ${fdt_file}; then " \

"run boot_os; " \

"else " \

"echo WARN: Cannot load the DT; " \

"fi; " \

 

 

int authenticate_os_container(ulong addr)

{

..........

..........

..........

 

/* Copy images to dest address */

for (i = 0; i < phdr->num_images; i++) {

img = (struct boot_img_t *)(addr +

sizeof(struct container_hdr) +

i * sizeof(struct boot_img_t));

 

debug("img %d, dst 0x%x, src 0x%lux, size 0x%x\n",

i, (uint32_t) img->dst, img->offset + addr, img->size);

 

memcpy((void *)img->dst, (const void *)(img->offset + addr),

img->size);

 

s = img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1);

e = ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1;

 

flush_dcache_range(s, e);

无标题.png

0 Kudos

1,560 Views
gravity_one
Contributor III

Hi,

Thank you for your reply!

The information made me understand!

Gravity

0 Kudos