FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Signing RFS, Configuration and Application with AHAB possible?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Signing RFS, Configuration and Application with AHAB possible?

‎03-05-2020 08:12 AM
825 Views
quang_bui
Contributor I

Hello guys,

I am trying to implement secure boot on the new i.MX8X processor and having some question.

According to the documenation of AN12312 it is possible to secure the bootloader and the OS.

This leads me to the question:

Is it also possible with AHAB to sign and verify the Root File System and all Applications offered by the OEM.

If yes - how does it work?

Best regards,

Quang

0 Kudos
Reply
3 Replies

‎03-05-2020 07:30 PM
700 Views
Yuri
NXP Employee
NXP Employee

Hello,

  It may be recommended to use the DM-Crypt in Your case.

"i.MX Encrypted Storage Using CAAM Secure Keys"

https://www.nxp.com/docs/en/application-note/AN12714.pdf 


Have a great day,
Yuri

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

0 Kudos
Reply

‎03-06-2020 01:48 AM
700 Views
quang_bui
Contributor I

Hello Yuri,

thanks for the fast answer.

I am pretty new to this - but according to my understanding dm-crypts is used to encrypt my disk which protects the confidentiality of the data.

What about signing the RFS Kernel configuration and Application to ensure the security goal "integrity" and "authenticity"?

Are there other tools for that?

May it be possible with AHAB or is there no API for that?

Best regards,

Quang

0 Kudos
Reply

‎03-10-2020 01:01 AM
700 Views
Yuri
NXP Employee
NXP Employee

Hello,

   U-boot can be signed and checked by i.MX boot ROM; Linux kernel can be signed 

and checked by U-boot, using boot ROM HAB API, mentioned in  AN12263 (HABv4 RVT

Guidelines and Recommendations).

https://www.nxp.com/docs/en/application-note/AN12263.pdf 

  But for Linux we do not have proper HAB API, therefore such general approach as using 

DM-Crypt is recommended for Linux file system and applications.  

Regards,

Yuri.

0 Kudos
Reply