Signing RFS, Configuration and Application with AHAB possible?


quang_bui
Contributor I

Hello guys,

I am trying to implement secure boot on the new i.MX8X processor and have some questions.

According to the documentation in AN12312, it is possible to secure the bootloader and the OS.

This leads me to the question:

Is it also possible with AHAB to sign and verify the Root File System and all Applications offered by the OEM?

If yes - how does it work?

Best regards,

Quang

3 Replies

Yuri
NXP TechSupport

Hello,

It may be recommended to use DM-Crypt in your case.

"i.MX Encrypted Storage Using CAAM Secure Keys"

https://www.nxp.com/docs/en/application-note/AN12714.pdf 


Have a great day,
Yuri

quang_bui
Contributor I

Hello Yuri,

Thanks for the fast answer.

I am pretty new to this, but according to my understanding dm-crypt is used to encrypt my disk, which protects the confidentiality of the data.

What about signing the RFS Kernel configuration and Application to ensure the security goals "integrity" and "authenticity"?

Are there other tools for that?

May it be possible with AHAB or is there no API for that?

Best regards,

Quang

Yuri
NXP TechSupport

Hello,

U-Boot can be signed and checked by the i.MX boot ROM; the Linux kernel can be signed and checked by U-Boot, using the boot ROM HAB API mentioned in AN12263 (HABv4 RVT Guidelines and Recommendations).

https://www.nxp.com/docs/en/application-note/AN12263.pdf

But for Linux we do not have a proper HAB API, therefore such a general approach as using DM-Crypt is recommended for the Linux file system and applications.

Regards,

Yuri.
