Hi everyone,
We are trying to implement a Secure boot on the NXP iMX8MP using a TPM ( SLB 9670VQ2.0).
I know that iMX8MP allows a secure boot using its HAB hw modules and also have explored that option but apart from that, we want to be able to verify a kernel before loading it.
So, currently I've got an u-boot with TPM commands enabled, these are the commands it offers:
When using a TPM I know how to create keys and use them to sign the kernel from linux.
But, as long as the keys cannot leave the TPM I'm wondering how could the uboot verify the signed kernel. The first option that comes to my mind is that u-boot should ask the TPM to decrypt the hash of the kernel with its internal private key but from uboot and I don't have any commands to do that.
The second option would be to ask the TPM for the private key, and this can't be done as the security of the TPM ( and the whole system ) would be compromised.
How can this step ( kernel verification ) of the secure boot be done? maybe by means of a measured boot ( PCRs)?
Thanks in advance, any idea will be much appreciated
Hi Alvaro
one can look at AN12812 Using Code-Signing Tool with Hardware Security Module
Best regards
igor
@igorpadykov the CST would run on the PC, right? But we're interested in interfacing the TPM with the target hardware (i.MX processor). How that can be done?
@AlfTeleco Any updates on this one?
Hi Kanimozhi
for such case, as it is not supported in official BSPs may be recommended to proceed with
help of NXP Professional Services:
https://contact.nxp.com/new-prof-svcs-sw-tech
Best regards
igor