Now I have succeeded in signing a single zImage, and hab_auth_img succeeds without any HAB events found.
=> hab_auth_img 80800000 585000
Authenticate image from DDR location 0x80800000...
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
Now I want to sign the dtb too, but I don't know how to do it.
Any help is appreciated.
Basically the DTB may be signed in the same manner as the kernel.
Please look at section 5.8 (Extending the root of trust) of app note
AN4581 (i.MX Secure Boot on HABv4 Supported Devices, Rev. 4, June 2020).
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Also section 2 (Extending the root of trust) will be helpful.
Use U-boot environment to define what parameters / addresses are used
in Your system for DTB load.
Regards,
Yuri.
@changbaoma
Hello,
What i.MX device is used in the case?
What Linux release?
Regards,
Yuri.
We use imx6ull in our product, and use NXP's linux-imx-5.4.24.
1. Do you mean signing a dtb is the same as signing a zImage, except for the DTB load_address and size?
2. And is the signed dtb layout the same as the zImage's?
The diagram below illustrates the zImage layout:
      ------- +-----------------------------+ <-- *load_address
          ^   |                             |
          |   |                             |
          |   |                             |
          |   |                             |
          |   |         zImage/dtb?         |
   Signed |   |                             |
    Data  |   |                             |
          |   |                             |
          |   +-----------------------------+
          |   |    Padding Next Boundary    |
          |   +-----------------------------+ <-- *ivt
          v   |     Image Vector Table      |
      ------- +-----------------------------+ <-- *csf
              |                             |
              | Command Sequence File (CSF) |
              |                             |
              +-----------------------------+
              |     Padding (optional)      |
              +-----------------------------+
3. Is there any software interface to authenticate the zImage in user space (e.g. rootfs) before updating the zImage?
@changbaoma
Hello,
1) yes - in general Your understanding is correct.
2) U-boot uses HAB ROM API for authentication, but we do not have
Linux user space for HAB ROM.
Regards,
Yuri.
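
The layout from the diagram above applied to a DTB, as an added example that is not part of the original thread or of NXP's tooling: it pads the blob to the next boundary, appends the 32-byte HABv4 IVT, and prints the matching CSF `Blocks` line. The load address 0x83000000, the 4 KiB boundary, the zero fill and the file name `dtb-ivt.bin` are assumptions; use the DTB address from your own U-Boot environment.

```python
import struct

IVT_HEADER = 0x412000D1   # tag 0xD1, length 0x0020, HAB version 0x41
IVT_SIZE = 0x20           # eight 32-bit words
ALIGN = 0x1000            # assumed "Padding Next Boundary" granularity


def build_signed_region(image: bytes, load_addr: int, align: int = ALIGN):
    """Return (padded image + IVT, ivt_offset, csf_addr) for one blob."""
    # Round the image size up to the next boundary; the IVT starts there.
    ivt_offset = (len(image) + align - 1) // align * align
    ivt_addr = load_addr + ivt_offset
    csf_addr = ivt_addr + IVT_SIZE      # CSF follows the IVT directly
    ivt = struct.pack(
        "<8I",
        IVT_HEADER,
        load_addr,   # entry: start of the authenticated blob
        0,           # reserved1
        0,           # dcd: unused for an image loaded by U-Boot
        0,           # boot data: unused here
        ivt_addr,    # self: absolute address of this IVT in DDR
        csf_addr,    # csf: absolute address of the CSF in DDR
        0,           # reserved2
    )
    padded = image + b"\x00" * (ivt_offset - len(image))
    return padded + ivt, ivt_offset, csf_addr


def csf_blocks_line(load_addr: int, signed_len: int, filename: str) -> str:
    """[Authenticate Data] Blocks entry covering image, padding and IVT."""
    return (f'Blocks = 0x{load_addr:08x} 0x00000000 '
            f'0x{signed_len:08x} "{filename}"')


if __name__ == "__main__":
    # Constructed sample: FDT magic followed by zeros, not a real DTB.
    dtb = b"\xd0\x0d\xfe\xed" + bytes(0x7A31 - 4)
    load_addr = 0x83000000            # assumed DTB load address
    signed, ivt_offset, csf_addr = build_signed_region(dtb, load_addr)
    print(f"IVT offset: 0x{ivt_offset:x}, CSF address: 0x{csf_addr:08x}")
    print(csf_blocks_line(load_addr, len(signed), "dtb-ivt.bin"))
```

The CSF binary generated from that `Blocks` line is appended after the IVT, giving the same image, padding, IVT, CSF order as the zImage.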