Security- HAB feature i.MX8 platform

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security- HAB feature i.MX8 platform

986 Views
keerthi-karanth
Contributor II
Hi All
 
We are working on a custom platform based on i.MX8. At present we are exercising the HAB feature enabling on the platform.
 
 https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/  has been referred for first and second stage verification for HAB procedures.
 
U Boot source in  android/vendor/boundary/uboot-imx   is used with HAB feature enabled from menuconfig.
 
We have not fused any keys yet on to the platform and the secure boot fuse is also not configured yet.
 
Post flashing both the images on the board in boot-loader the following was verified 
  •  hab_status command is returning no HAB events.
  • Signed kernel image was verified manually by hab_auth_img cmd and this as well returned no HAB events.
 
We added additional prints in arch/arm/mach-imx/hab.c function imx_hab_authenticate_image .
In this function enabled DEBUG prints to check HAB verification details based on image load address.
The following is the observation of the same on normal boot of Ident platform to Android.
  • We are noticing prints of HAB verification details for boot-loader load address 0x401fcdc0.
  • However we do not see such a print for kernel verification  from the boot-loader for load address 0x40480000. 
 
While working on this we came across https://github.com/boundarydevices/u-boot-imx6/commit/a20a5ee3c0 patch.. 
Is something similar will have to be done to get kernel HAB verified in boot-loader ?
 
 
Any input is appreciated and will be very useful.
 
Thanks,
Keerthi
Tags (3)
0 Kudos
3 Replies

971 Views
Yuri
NXP Employee
NXP Employee
0 Kudos

947 Views
keerthi-karanth
Contributor II

Hello Yuri

 

I have followed the HAB procedure , signing the kernel image is also fine and I loaded it with load mmc and checked with hab_auth_image as suggested in https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/

I get no HAB Events for both u-boot and kernel , that said I have not burned the fuses yet..

 

1. Is there a way to use shadow register and verify the signed images are fine before burning the fuses ?

 

2. The platform is i.MX8mm and we are having Android Pie on it. Is the Kernel verification in HAB required as we will have AVB too ?

If Kernel verification in HAB is not required , any code of u-boot which does this has to be commented ?

 

3. AVB , keystore provisioing/rpmb keys etc. other security features, should any of these be done before burning the fuses for HAB ? we have not enabled any of these on the platform yet.

Regards,

Keerthi

0 Kudos

918 Views
Yuri
NXP Employee
NXP Employee

@keerthi-karanth 
Hello,

  Theoretically it is possible to use the shadow register, but we do not have
considerations how to implement it.


  As for Android - please refer to "i.MX Android Security User’s Guide".

https://www.nxp.com/docs/en/user-guide/IMX_ANDROID_SECURITY_USERS_GUIDE.pdf

 

Regards,
Yuri.

0 Kudos