Hi everyone,
We are trying to implement secure boot on the NXP iMX8MP using a TPM (SLB 9670VQ2.0).
I know that the iMX8MP allows a secure boot using its HAB hw modules and I have also explored that option, but apart from that, we want to be able to verify a kernel before loading it.
So, currently I've got a U-Boot with TPM commands enabled; these are the commands it offers:
- STARTUP
- SELF TEST
- CLEAR
- PCR EXTEND
- PCR READ
- GET CAPABILITY
- DICTIONARY ATTACK LOCK RESET
- DICTIONARY ATTACK CHANGE PARAMETERS
- HIERARCHY CHANGE AUTH
As far as I understand, to verify the kernel I need to decrypt a hash of the kernel that was previously encrypted with a private key.
When using a TPM, I know how to create keys and use them to sign the kernel from Linux.
But, as the keys cannot leave the TPM, I'm wondering how U-Boot could verify the signed kernel. The first option that comes to my mind is that U-Boot should ask the TPM to decrypt the hash of the kernel with its internal private key, but from U-Boot, and I don't have any commands to do that.
The second option would be to ask the TPM for the private key, and this can't be done as the security of the TPM (and the whole system) would be compromised.
How can this step (kernel verification) of the secure boot be done? Maybe by means of a measured boot (PCRs)?
Thanks in advance, any idea will be much appreciated.
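
The measured-boot option raised at the end of the post relies on the PCR EXTEND and PCR READ commands from the list above. As an added example (not part of the original post, and not U-Boot code), this Python model of a SHA-256 PCR shows why a modified kernel cannot reproduce the known-good PCR value; the image contents and function names are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # size of one PCR in the SHA-256 bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """Model of PCR EXTEND on the SHA-256 bank: new = SHA256(old || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR value and digest must both be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay(images) -> bytes:
    """Recompute the PCR value that measuring these images in order leaves."""
    # Assumption: a PCR in the 0-15 range, which starts as all zeros
    # after the TPM is reset and started.
    pcr = bytes(PCR_SIZE)
    for image in images:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def boot_matches(pcr_read_value: bytes, expected_images) -> bool:
    """Compare a PCR READ result with the value for the known-good images."""
    return hmac.compare_digest(pcr_read_value, replay(expected_images))


# Constructed stand-ins for real images; not taken from any board.
GOOD_KERNEL = b"constructed kernel image, release build"
GOOD_DTB = b"constructed device tree blob"
TAMPERED_KERNEL = GOOD_KERNEL + b" + extra code"

if __name__ == "__main__":
    clean = replay([GOOD_KERNEL, GOOD_DTB])
    dirty = replay([TAMPERED_KERNEL, GOOD_DTB])
    print("clean boot PCR   :", clean.hex())
    print("tampered boot PCR:", dirty.hex())
    print("clean matches    :", boot_matches(clean, [GOOD_KERNEL, GOOD_DTB]))
    print("tampered matches :", boot_matches(dirty, [GOOD_KERNEL, GOOD_DTB]))
```

Measuring only records what was booted: a modified kernel still runs unless something compares the PCR READ result with the expected value and acts on a mismatch.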