Hi, I'm stuck building a secure i.MX6UL board. At the moment I'm able to sign and encrypt U-Boot and run it from SD.
Now I want to continue the chain of trust by validating every loaded image.
- I modified U-Boot in order to use the default environment.
- I prepared a signed bootscript that contains the remaining part of the boot.
- I modified the automatic boot sequence bootcmd with my own sequence, which loads the bootscript from SD and verifies its signature with the hab_auth_img command.
- From the bootscript, with a well-defined sequence, I load a signed kernel and a signed device tree from SD, verify their signatures and, if all is OK, start the kernel.
1) First question: is the procedure correct? Is there a better way than modifying U-Boot and using hab_auth_img? Are there other ways? (Give me a clue.)
2) Suppose that the signature verification I implemented is correct. I want the loaded images to also be encrypted, for confidentiality. I enabled CMD_BLOB in U-Boot, which I suppose is able to encrypt my data, but cmd blob enc doesn't work. Are there other configs to set before using this command?
Thanks
Hi Giulio
please refer to
Signed and encrypted boot in i.MX6UL
AN4581 Secure Boot on i.MX50, i.MX53, and i.MX6 Series using HABv4
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Best regards
igor
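
For the kernel and device-tree step in the question, hab_auth_img has to find an Image Vector Table (IVT) inside the loaded image, with the CSF following it. The sketch below is an added example (not code from this thread, NXP or U-Boot) that pads an image, appends a HABv4 IVT and sanity-checks the result before signing; the 4 KiB padding, the CSF placed directly after the IVT, and the load address 0x80800000 are assumptions to be matched to your own boot script.

```python
import struct

IVT_SIZE = 0x20               # a HABv4 IVT is 8 x 32-bit words
ALIGN = 0x1000                # assumption: IVT placed on the next 4 KiB boundary
IVT_TAG = 0xD1
IVT_VERSIONS = (0x40, 0x41)

def append_ivt(image, load_addr, version=0x41):
    """Pad `image`, append an IVT for it, return (blob, ivt_offset)."""
    ivt_offset = (len(image) + ALIGN - 1) // ALIGN * ALIGN
    padded = image.ljust(ivt_offset, b"\x00")
    self_addr = load_addr + ivt_offset       # where the IVT sits in RAM
    csf_addr = self_addr + IVT_SIZE          # assumption: CSF follows the IVT
    header = struct.pack(">BHB", IVT_TAG, IVT_SIZE, version)
    # entry, reserved1, dcd, boot_data, self, csf, reserved2
    body = struct.pack("<7I", load_addr, 0, 0, 0, self_addr, csf_addr, 0)
    return padded + header + body, ivt_offset

def check_ivt(blob, load_addr, ivt_offset):
    """Return a list of layout problems; an empty list means consistent."""
    if len(blob) < ivt_offset + IVT_SIZE:
        return ["blob too short to hold an IVT at this offset"]
    tag, length, version = struct.unpack_from(">BHB", blob, ivt_offset)
    fields = struct.unpack_from("<7I", blob, ivt_offset + 4)
    _entry, _r1, dcd, _boot_data, self_addr, csf, _r2 = fields
    problems = []
    if tag != IVT_TAG or length != IVT_SIZE or version not in IVT_VERSIONS:
        problems.append("bad IVT header")
    if self_addr != load_addr + ivt_offset:
        problems.append("IVT self pointer does not match load address + offset")
    if csf == 0:
        problems.append("no CSF pointer, image cannot be authenticated")
    elif csf < self_addr + IVT_SIZE:
        problems.append("CSF pointer overlaps the IVT or the image")
    if dcd != 0:
        problems.append("unexpected DCD pointer in a kernel/DTB IVT")
    return problems

if __name__ == "__main__":
    kernel = b"\xAA" * 5000                  # constructed stand-in for zImage
    blob, off = append_ivt(kernel, 0x80800000)
    print(hex(off), check_ivt(blob, 0x80800000, off))
```

The self pointer ties the signed blob to one load address, so the address used when generating the IVT must be the one the boot script loads the image to.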