how to authenticate dtb together with zImage?

Solved


2,501 views
changbaoma
Contributor IV

Now I have successfully signed a single zImage, and hab_auth_img succeeds without any HAB Events found.

=> hab_auth_img 80800000 585000

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

And now I want to sign the DTB too, but I don't know how to do it.

Any help is appreciated.

1 Solution
2,469 views
Yuri
NXP Employee

@changbaoma 
Hello,

  1) Yes, in general your understanding is correct.
  2) U-Boot uses the HAB ROM API for authentication, but we do not have
     a Linux user space interface for the HAB ROM.

Regards,
Yuri.


4 Replies
2,487 views
Yuri
NXP Employee

@changbaoma 

Basically the DTB may be signed in the same manner as the kernel.
Please look at section 5.8 (Extending the root of trust) of application note
AN4581 (i.MX Secure Boot on HABv4 Supported Devices, Rev. 4, June 2020).

https://www.nxp.com/docs/en/application-note/AN4581.pdf

Also section 2 (Extending the root of trust) of the U-Boot HABv4 guide will be helpful.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...

Use the U-Boot environment to define what parameters / addresses are used
in your system for the DTB load.

Regards,
Yuri.

2,491 views
Yuri
NXP Employee

@changbaoma 
Hello,

  What i.MX device is used in this case?
  What Linux release?

Regards,
Yuri.

2,479 views
changbaoma
Contributor IV

We use the i.MX6ULL in our product, and use NXP's linux-imx-5.4.24.

1) Do you mean that signing a DTB is the same as signing a zImage, except for the DTB load address and size?

2) And is the signed DTB layout the same as the zImage's?

The diagram below illustrates the zImage layout:

            ------- +-----------------------------+ <-- *load_address
                ^   |                             |
                |   |                             |
                |   |                             |
                |   |                             |
                |   |         zImage / dtb?       |
         Signed |   |                             |
          Data  |   |                             |
                |   |                             |
                |   +-----------------------------+
                |   |    Padding Next Boundary    |
                |   +-----------------------------+ <-- *ivt
                v   |     Image Vector Table      |
            ------- +-----------------------------+ <-- *csf
                    |                             |
                    | Command Sequence File (CSF) |
                    |                             |
                    +-----------------------------+
                    |     Padding (optional)      |
                    +-----------------------------+

3) Is there any software interface to authenticate a zImage in user space (e.g. from the rootfs) before updating the zImage?

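As an added example (not part of the thread, and not NXP's tooling), the Python below makes the layout in the diagram above concrete and shows why Yuri's answer, that the DTB is signed the same way as the kernel, reduces to swapping in a different load address: it pads a binary to the next 0x1000 boundary, appends the 32-byte HABv4 IVT with self and CSF pointers computed for that address, re-parses the IVT as a sanity check, and emits the `Blocks` line and CSF text that `cst` consumes. The "zImage" and "dtb" inputs are constructed dummies, the DTB address 0x83000000 and the CSF `Version = 4.2` are assumptions, and the certificate file names are placeholders in the style of NXP's guide.

```python
"""HABv4 signing layout for a zImage or DTB: padding, IVT, CSF 'Blocks' line.

Added example, not code from the thread or from NXP.  Sample inputs are
constructed dummies; addresses other than 0x80800000 are assumptions.
"""
import struct

IVT_HEADER = 0x402000D1  # tag 0xD1, length 0x0020, HAB version 0x40 (as in NXP's genIVT.pl)
IVT_SIZE = 0x20
PAD_BOUNDARY = 0x1000    # the NXP guide pads the image to the next 0x1000 boundary


def pad_to_boundary(image: bytes, boundary: int = PAD_BOUNDARY) -> bytes:
    """Zero-pad so the IVT starts on an aligned boundary (what `objcopy --pad-to` does)."""
    padded_len = -(-len(image) // boundary) * boundary  # ceil division; exact multiples stay as they are
    return image + b"\x00" * (padded_len - len(image))


def build_ivt(load_addr: int, ivt_addr: int) -> bytes:
    """32-byte little-endian HABv4 IVT.

    Fields: header, entry, reserved1, dcd, boot_data, self, csf, reserved2.
    A zImage or DTB has no DCD and no boot data, so those are 0, entry is the
    load address, and the CSF immediately follows the IVT.
    """
    return struct.pack("<8I", IVT_HEADER, load_addr, 0, 0, 0, ivt_addr, ivt_addr + IVT_SIZE, 0)


def layout(image: bytes, load_addr: int, name: str) -> dict:
    """Padded image with IVT appended, plus the addresses the CSF needs."""
    padded = pad_to_boundary(image)
    ivt_addr = load_addr + len(padded)
    signed_len = len(padded) + IVT_SIZE  # the 'Signed Data' span: image + padding + IVT
    return {
        "image_ivt": padded + build_ivt(load_addr, ivt_addr),
        "ivt_addr": ivt_addr,
        "csf_addr": ivt_addr + IVT_SIZE,
        "signed_len": signed_len,
        # [Authenticate Data] line for cst: DDR address, file offset, length, file name
        "blocks": f'Blocks = 0x{load_addr:08X} 0x0 0x{signed_len:08X} "{name}"',
    }


def check_ivt(image_ivt: bytes, load_addr: int) -> bool:
    """Re-parse the trailing IVT and confirm its pointers match where it will sit in DDR."""
    ivt_off = len(image_ivt) - IVT_SIZE
    hdr, entry, _r1, dcd, boot, self_ptr, csf, _r2 = struct.unpack_from("<8I", image_ivt, ivt_off)
    return (hdr == IVT_HEADER and entry == load_addr and dcd == 0 and boot == 0
            and self_ptr == load_addr + ivt_off and csf == self_ptr + IVT_SIZE)


def csf_text(blocks_line: str) -> str:
    """CSF description in the form cst reads (structure per the NXP HABv4 guide).

    'Version' is the device's HAB version (assumed 4.2 here for i.MX6ULL); the
    certificate paths are placeholders for the keys generated with the CST.
    """
    return "\n".join([
        "[Header]",
        "    Version = 4.2",
        "    Hash Algorithm = sha256",
        "    Engine = ANY",
        "    Engine Configuration = 0",
        "    Certificate Format = X509",
        "    Signature Format = CMS",
        "",
        "[Install SRK]",
        '    File = "../crts/SRK_1_2_3_4_table.bin"',
        "    Source index = 0",
        "",
        "[Install CSFK]",
        '    File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"',
        "",
        "[Authenticate CSF]",
        "",
        "[Install Key]",
        "    Verification index = 0",
        "    Target index = 2",
        '    File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"',
        "",
        "[Authenticate Data]",
        "    Verification index = 2",
        "    " + blocks_line,
        "",
    ])


# Constructed dummies: a 0x1234-byte "zImage" and a 0x7FF0-byte "dtb".
# 0x80800000 is the kernel address from the thread; 0x83000000 is an assumed
# DTB address (use whatever your U-Boot environment loads the DTB to).
ZIMAGE_LAYOUT = layout(bytes(0x1234), 0x80800000, "zImage_pad_ivt.bin")
DTB_LAYOUT = layout(bytes(0x7FF0), 0x83000000, "dtb_pad_ivt.bin")

if __name__ == "__main__":
    for lay in (ZIMAGE_LAYOUT, DTB_LAYOUT):
        print(f"IVT at 0x{lay['ivt_addr']:08X}, CSF at 0x{lay['csf_addr']:08X}: {lay['blocks']}")
    # Next steps outside this script: write image_ivt to <name>, write csf_text()
    # to csf_<name>.txt, then  cst -i csf_<name>.txt -o csf_<name>.bin  and
    # cat <name> csf_<name>.bin > <name>_signed
```

The same `layout()` call serves both images; only the load address and the file name differ, which is exactly the "same manner as the kernel" point. Both signed files are then authenticated in U-Boot with `hab_auth_img` at their respective addresses before `bootz`, and `check_ivt()` catches the common mistake of generating the IVT for one address and loading at another, which HAB would report as an event rather than a clean "No HAB Events Found!".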