How to authenticate dtb together with zImage?


2,507 views
changbaoma
Contributor IV

Now I have succeeded in signing a single zImage, and hab_auth_img succeeds without any HAB Events found.

=> hab_auth_img 80800000 585000

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

And now I want to sign the dtb too, but I don't know how to do it.

Any help is appreciated.

0 Kudos

4 Replies
2,493 views
Yuri
NXP Employee
NXP Employee

@changbaoma 

Basically the DTB may be signed in the same manner as the kernel.
Please look at section 5.8 (Extending the root of trust) of app note
AN4581 (i.MX Secure Boot on HABv4 Supported Devices, Rev. 4, June 2020).

https://www.nxp.com/docs/en/application-note/AN4581.pdf

Also section 2 (Extending the root of trust) will be helpful.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...

Use the U-Boot environment to define which parameters / addresses are used
in your system for the DTB load.

Regards,
Yuri.

0 Kudos
2,497 views
Yuri
NXP Employee
NXP Employee

@changbaoma 
Hello,

  What i.MX device is used in this case?
What Linux release?

Regards,
Yuri.

0 Kudos
2,485 views
changbaoma
Contributor IV

We use the i.MX6ULL in our product, and use NXP's linux-imx-5.4.24.

1. Do you mean signing a dtb the same way as signing a zImage, except for the DTB load_address and size?

2. And is the signed dtb layout the same as the zImage's?

The diagram below illustrates the zImage layout:

            ------- +-----------------------------+ <-- *load_address
                ^   |                             |
                |   |                             |
                |   |                             |
                |   |                             |
                |   |           zImage/dtb?       |
         Signed |   |                             |
          Data  |   |                             |
                |   |                             |
                |   +-----------------------------+
                |   |    Padding Next Boundary    |
                |   +-----------------------------+ <-- *ivt
                v   |     Image Vector Table      |
            ------- +-----------------------------+ <-- *csf
                    |                             |
                    | Command Sequence File (CSF) |
                    |                             |
                    +-----------------------------+
                    |     Padding (optional)      |
                    +-----------------------------+

3. Is there any software interface to authenticate a zImage in user space (e.g. rootfs) before updating the zImage?

0 Kudos
2,476 views
Yuri
NXP Employee
NXP Employee

@changbaoma 
Hello,

  1) Yes, in general your understanding is correct.
  2) U-Boot uses the HAB ROM API for authentication, but we do not have
       a Linux user-space interface for the HAB ROM.

Regards,
Yuri.
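The following script is an added example, not code from this thread, from AN4581 or from the U-Boot HABv4 guide. It works through the layout asked about above for a DTB instead of a zImage: the image is padded to the next boundary, a 32-byte IVT whose self and CSF pointers are absolute DDR addresses is appended, and the CSF "Blocks" line covers image + padding + IVT. It assumes a 4 KiB padding boundary, 0x2000 bytes reserved for the CSF after the IVT (so that an image padded to 0x585000 matches the 0x585000 passed to hab_auth_img in the first post), the HABv4 IVT header word 0xD1 / 0x0020 / 0x41, a constructed DTB of 0x9A3C bytes loaded at the assumed address 0x83000000, and placeholder certificate file names; check all of these against the guide for your device before signing anything.

```python
import struct

IVT_SIZE = 0x20          # HABv4 IVT: 8 little-endian 32-bit words
IVT_HEADER = 0x412000D1  # assumed: tag 0xD1, length 0x0020, version 0x41 (i.MX6/7 HABv4)
ALIGN = 0x1000           # assumed: image is padded to the next 4 KiB boundary before the IVT
CSF_PAD_SIZE = 0x2000    # assumed: space reserved after the IVT for the CSF

def layout(load_addr, image_len, align=ALIGN):
    """Where the IVT and CSF land for an image of image_len bytes loaded at load_addr."""
    ivt_offset = (image_len + align - 1) & ~(align - 1)   # padded image length
    return {
        "load_addr": load_addr,
        "ivt_offset": ivt_offset,
        "ivt_addr": load_addr + ivt_offset,
        "csf_addr": load_addr + ivt_offset + IVT_SIZE,
        "signed_len": ivt_offset + IVT_SIZE,   # image + padding + IVT are covered by the signature
        "total_len": ivt_offset + IVT_SIZE + CSF_PAD_SIZE,
    }

def build_ivt(lay):
    """Serialize the IVT: header, entry, reserved, DCD, boot data, self, CSF, reserved.
    A DTB has nothing to jump to, so entry is set to the load address (assumption)."""
    return struct.pack("<8I", IVT_HEADER, lay["load_addr"], 0, 0, 0,
                       lay["ivt_addr"], lay["csf_addr"], 0)

def check_ivt(blob, lay):
    """Sanity-check an IVT against the expected layout before handing the image to hab_auth_img:
    a self pointer that does not match the real DDR address is the classic cause of a HAB event."""
    if len(blob) != IVT_SIZE:
        return False
    hdr, entry, _, dcd, _, self_ptr, csf_ptr, _ = struct.unpack("<8I", blob)
    return (hdr == IVT_HEADER and dcd == 0 and entry == lay["load_addr"]
            and self_ptr == lay["ivt_addr"] and csf_ptr == lay["csf_addr"])

def pad_image(image, lay):
    """Zero-pad the image to the boundary and append the IVT (what objcopy --pad-to plus cat do)."""
    if len(image) > lay["ivt_offset"]:
        raise ValueError("image longer than the computed padded size")
    return image + b"\x00" * (lay["ivt_offset"] - len(image)) + build_ivt(lay)

def csf_text(lay, image_file, srk_table="SRK_TABLE_PLACEHOLDER.bin",
             csf_cert="CSF_CERT_PLACEHOLDER.pem", img_cert="IMG_CERT_PLACEHOLDER.pem"):
    """Minimal CST description for the padded image+IVT; certificate paths are placeholders."""
    blocks = f'Blocks = 0x{lay["load_addr"]:08X} 0x{0:08X} 0x{lay["signed_len"]:08X} "{image_file}"'
    return "\n".join([
        "[Header]", "    Version = 4.1", "    Hash Algorithm = sha256", "    Engine = CAAM",
        "    Engine Configuration = 0", "    Certificate Format = X509", "    Signature Format = CMS", "",
        "[Install SRK]", f'    File = "{srk_table}"', "    Source index = 0", "",
        "[Install CSFK]", f'    File = "{csf_cert}"', "",
        "[Authenticate CSF]", "",
        "[Install Key]", "    Verification index = 0", "    Target index = 2", f'    File = "{img_cert}"', "",
        "[Authenticate Data]", "    Verification index = 2", "    " + blocks, "",
    ])

if __name__ == "__main__":
    # Constructed sample: a fake DTB (FDT magic plus zeros) at the assumed fdt_addr.
    dtb = b"\xd0\x0d\xfe\xed" + b"\x00" * (0x9A3C - 4)
    lay = layout(0x83000000, len(dtb))
    padded = pad_image(dtb, lay)
    assert check_ivt(padded[lay["ivt_offset"]:], lay)
    print(f'IVT at 0x{lay["ivt_addr"]:08X}, CSF at 0x{lay["csf_addr"]:08X}, '
          f'hab_auth_img size 0x{lay["ivt_offset"]:X}')
    print(csf_text(lay, "dtb-pad-ivt.bin"))
```

The same functions serve the zImage case: layout(0x80800000, 0x584A10) pads to 0x585000, which is the size the first post passes to hab_auth_img. After signing, the file to load is padded image + IVT + CSF, and the U-Boot boot sequence needs one hab_auth_img call per image, each with that image's own load address and padded size, before bootz is reached.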