Hello Team,
I am working on adding Secure boot functionality for my sub system. Which developed on imx6Dl.
Linux kernel 4.1.15 Ver.
u-boot 2016.
I have downloaded CST-3.1.0.tgz tool from site.
By following release/doc/CST_UG and other readme files able to Generate key and cert.
Able to update ucl2 file in{ \deployment\Profiles\Linux\OS Firmware} directory to fuse the OTP registers.
able to write u-boot.csf file by referring above Doc. In u-boot.csf file in block section Iam putting the offset by running mkimage -l cmd on u-boot.imx
but unable to generate signed images for u-boot.imx, zImage, Rootfs.
Also I am using MfgTool2 for flashing the device which takes u-boot_mfg.imx and zImage_mfg may be these images also need to update.
If there is any reference document or guide then please share.
Regards,
Vishal Rana
Hi,
Getting below information after running mkimage -l.
this u-boot.imx image is generated by enabling the macro CONFIG_SECURE_BOOT in "include/configs/mx6sabre_common.h".
me@D-developer:~/Projects/uboot-imx/tools$ mkimage -l ../u-boot.imx
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 307200 Bytes = 300.00 KiB = 0.29 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00046c00
DCD Blocks: 0x00910000 0x0000002c 0x000002f0
using above info how below script should be modified.
///////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
#!/bin/sh
echo "Extend U-Boot to 0x2f000..."
objcopy -I binary -O binary --pad-to 0x2f000 --gap-fill=0xff U-Boot.bin UBoot-
pad.bin
echo "generate CSF data..."
../linux/cst --o U-Boot_CSF.bin < U-Boot.CSF
echo "merge image and CSF data..."
cat U-Boot-pad.bin U-Boot_CSF.bin > U-Boot-signed.bin
echo "extend final image to 0x31000..."
objcopy -I binary -O binary --pad-to 0x31000 --gap-fill=0xff U-Bootsigned.
bin U-Boot-signed-pad.bin
echo "U-Boot-signed-pad.bin is ready"
////////////////////////////////////////////////////////////////////////////////
Hi Team,
I am referring u-boot-imx/doc/README.imximage for how to prepare u-boot.imx signed image.
According to readme file I executed below steps to generate u-boot-signed.imx image.
But size of u-boot.imx and u-boot-signed.imx(final uboot signed image) remain same.
Is it expected?? How I can validate.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 307200 Bytes = 300.00 kB = 0.29 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00046c00{ these values I am getting for my u-boot.imx image}
^^^^^^^^ ^^^^^^^^ ^^^^^^^^
| | |
| | -------- (1)
| |
| ------------------- (2)
|
--------------------------- (3)
(1) Size of area in file u-boot.imx to sign.This area should include the IVT, the Boot Data the DCD
and U-Boot itself.
(2) Start of area in u-boot.imx to sign
(3) Start of area in RAM to authenticate
CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.
Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
# padded value is 0x4000 in CONFIG_CSF_SIZE macro.
objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file.
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Regards,
Vishal Rana
Hi Team,
I am referring u-boot-imx/doc/README.imximage for how to prepare u-boot.imx signed image.
According to readme file I executed below steps to generate u-boot-signed.imx image.
But size of u-boot.imx and u-boot-signed.imx(final uboot signed image) remain same.
Is it expected?? How I can validate.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 307200 Bytes = 300.00 kB = 0.29 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00046c00{ these values I am getting for my u-boot.imx image}
^^^^^^^^ ^^^^^^^^ ^^^^^^^^
| | |
| | -------- (1)
| |
| ------------------- (2)
|
--------------------------- (3)
(1) Size of area in file u-boot.imx to sign.This area should include the IVT, the Boot Data the DCD
and U-Boot itself.
(2) Start of area in u-boot.imx to sign
(3) Start of area in RAM to authenticate
CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.
Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
# padded value is 0x4000 in CONFIG_CSF_SIZE macro.
objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file.
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Regards,
Vishal Rana