Run unsigned kernel and dtb images on closed device

mohamed-ali_fod
Contributor I

Hi,

Is it possible to run an unsigned kernel and dtb on a closed imx6 device using a signed u-boot, but without the CONFIG_SECURE_BOOT and CONFIG_IMX_HUB config flags (so the authentication steps done by u-boot for the kernel and dtb will not be performed)?

Best regards,

Mohamed Ali

 

Harvey021
NXP TechSupport

Hi @mohamed-ali_fod 

Should be no problem to run Kernel and dtb. But not sure why you do that, as you see (uboot-imx/mx6_mx7_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub)

1.1 Building a u-boot-dtb.imx image supporting secure boot

The U-Boot provides support to secure boot configuration and also provide
access to the HAB APIs exposed by the ROM vector table, the support is
enabled by selecting the CONFIG_IMX_HAB option.

When built with this configuration, the U-Boot provides extra functions for
HAB, such as the HAB status logs retrievement through the hab_status command
and support for extending the root of trust.

 

Best regards

Harvey

mason2036
Contributor I

Harvey,

That is your description:

 

1.1 Building a u-boot-dtb.imx image supporting secure boot

The U-Boot provides support to secure boot configuration and also provide
access to the HAB APIs exposed by the ROM vector table, the support is
enabled by selecting the CONFIG_IMX_HAB option.

When built with this configuration, the U-Boot provides extra functions for
HAB, such as the HAB status logs retrievement through the hab_status command
and support for extending the root of trust.

 

This is u-boot software to do that. It is optional. Authenticating any data, here the kernel and/or dtb, is customized software. Again, it is software.

Authenticating boot loader, here is u-boot of i.MX6, is mandatory. It is ROM code to do that. 

 

Here is your "why":

"But not sure why you do that"

My question is, why do you ask "why"?

and you copy the description of "1.1 Building a u-boot-dtb.imx image supporting secure boot"

Have you even read it yourself before you put it here?

 

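The split discussed in this thread (the ROM authenticates the bootloader on a closed device, while kernel and dtb authentication is optional U-Boot software enabled by CONFIG_IMX_HAB) can be checked against a build. The following is an added example, not code from the posters or from NXP: it audits a U-Boot `.config` for the HAB option under both names mentioned in the thread and reports where authentication stops. The function names, stage labels and sample config are constructed for illustration.

```python
import re

# Option names taken from the thread: CONFIG_IMX_HAB (name in the quoted
# uboot-imx document) and CONFIG_SECURE_BOOT (name used in the question).
HAB_OPTIONS = ("CONFIG_IMX_HAB", "CONFIG_SECURE_BOOT")

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Parse Kconfig .config text into {option: value}; unset options map to None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = None
    return opts


def chain_of_trust(config_text, device_closed):
    """Return (stage, enabled_hab_options) describing where authentication stops."""
    opts = parse_kconfig(config_text)
    enabled = [o for o in HAB_OPTIONS if opts.get(o) == "y"]
    if not device_closed:
        # Open device: the ROM does not enforce bootloader authentication.
        return "none-enforced", enabled
    if enabled:
        # HAB support is compiled into U-Boot, so it can authenticate kernel/dtb.
        return "uboot-can-authenticate", enabled
    # Closed device without HAB support in U-Boot: only the bootloader is verified.
    return "ends-at-bootloader", enabled


# Constructed sample: the configuration asked about in the original question.
SAMPLE_CONFIG = """\
CONFIG_ARCH_MX6=y
# CONFIG_IMX_HAB is not set
CONFIG_BOOTDELAY=3
"""

if __name__ == "__main__":
    print(chain_of_trust(SAMPLE_CONFIG, device_closed=True))
```

An "ends-at-bootloader" result means any kernel or dtb placed on the boot medium will run, so the signed U-Boot is the last verified stage.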