帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Security- HAB feature i.MX8 platform

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Security- HAB feature i.MX8 platform

‎09-19-2021 10:47 PM
948 次查看
keerthi-karanth
Contributor II
Hi All
 
We are working on a custom platform based on i.MX8. At present we are exercising the HAB feature enabling on the platform.
 
 https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/  has been referred for first and second stage verification for HAB procedures.
 
U Boot source in  android/vendor/boundary/uboot-imx   is used with HAB feature enabled from menuconfig.
 
We have not fused any keys yet on to the platform and the secure boot fuse is also not configured yet.
 
Post flashing both the images on the board in boot-loader the following was verified 
  •  hab_status command is returning no HAB events.
  • Signed kernel image was verified manually by hab_auth_img cmd and this as well returned no HAB events.
 
We added additional prints in arch/arm/mach-imx/hab.c function imx_hab_authenticate_image .
In this function enabled DEBUG prints to check HAB verification details based on image load address.
The following is the observation of the same on normal boot of Ident platform to Android.
  • We are noticing prints of HAB verification details for boot-loader load address 0x401fcdc0.
  • However we do not see such a print for kernel verification  from the boot-loader for load address 0x40480000. 
 
While working on this we came across https://github.com/boundarydevices/u-boot-imx6/commit/a20a5ee3c0 patch.. 
Is something similar will have to be done to get kernel HAB verified in boot-loader ?
 
 
Any input is appreciated and will be very useful.
 
Thanks,
Keerthi
标记 (3)
0 项奖励
回复
3 回复数

‎09-23-2021 02:00 AM
933 次查看
Yuri
NXP Employee
NXP Employee

@keerthi-karanth 
Hello,

  please use recommendations of U-boot help.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

 

Regards,
Yuri.

0 项奖励
回复

‎09-27-2021 11:54 PM
909 次查看
keerthi-karanth
Contributor II

Hello Yuri

 

I have followed the HAB procedure , signing the kernel image is also fine and I loaded it with load mmc and checked with hab_auth_image as suggested in https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/

I get no HAB Events for both u-boot and kernel , that said I have not burned the fuses yet..

 

1. Is there a way to use shadow register and verify the signed images are fine before burning the fuses ?

 

2. The platform is i.MX8mm and we are having Android Pie on it. Is the Kernel verification in HAB required as we will have AVB too ?

If Kernel verification in HAB is not required , any code of u-boot which does this has to be commented ?

 

3. AVB , keystore provisioing/rpmb keys etc. other security features, should any of these be done before burning the fuses for HAB ? we have not enabled any of these on the platform yet.

Regards,

Keerthi

0 项奖励
回复

‎10-05-2021 04:03 AM
880 次查看
Yuri
NXP Employee
NXP Employee

@keerthi-karanth 
Hello,

  Theoretically it is possible to use the shadow register, but we do not have
considerations how to implement it.


  As for Android - please refer to "i.MX Android Security User’s Guide".

https://www.nxp.com/docs/en/user-guide/IMX_ANDROID_SECURITY_USERS_GUIDE.pdf

 

Regards,
Yuri.

0 项奖励
回复