How to authenticate dtb together with zImage?

1,406 Views
changbaoma
Contributor III

Now I have succeeded in signing a single zImage, and hab_auth_img succeeds without any HAB Events found.

=> hab_auth_img 80800000 585000

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

 

And now I want to sign the dtb too, but I don't know how to do it.

Any help is appreciated.

0 Kudos

4 Replies
1,392 Views
Yuri
NXP Employee

@changbaoma 

Basically the DTB may be signed in the same manner as the kernel.
Please look at section 5.8 (Extending the root of trust) of app note
AN4581 (i.MX Secure Boot on HABv4 Supported Devices, Rev. 4, June 2020).

https://www.nxp.com/docs/en/application-note/AN4581.pdf

Also section 2 (Extending the root of trust) will be helpful.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...

Use the U-Boot environment to define what parameters / addresses are used
in your system for DTB load.

 

Regards,
Yuri.

0 Kudos
1,396 Views
Yuri
NXP Employee

@changbaoma 
Hello,

What i.MX device is used in this case?
What Linux release?

Regards,
Yuri.

0 Kudos
1,384 Views
changbaoma
Contributor III

We use imx6ull in our product, and use NXP's linux-imx-5.4.24.

1. Do you mean signing a dtb is the same as signing a zImage, except for the DTB load_address and size?

2. And is the signed dtb layout the same as the zImage's?

The diagram below illustrates the zImage layout:

            ------- +-----------------------------+ <-- *load_address
                ^   |                             |
                |   |                             |
                |   |                             |
                |   |                             |
                |   |           zImage/dtb?       |
         Signed |   |                             |
          Data  |   |                             |
                |   |                             |
                |   +-----------------------------+
                |   |    Padding Next Boundary    |
                |   +-----------------------------+ <-- *ivt
                v   |     Image Vector Table      |
            ------- +-----------------------------+ <-- *csf
                    |                             |
                    | Command Sequence File (CSF) |
                    |                             |
                    +-----------------------------+
                    |     Padding (optional)      |
                    +-----------------------------+

3. Is there any software interface to authenticate the zImage in user space (e.g. rootfs) before updating the zImage?

0 Kudos
1,375 Views
Yuri
NXP Employee

@changbaoma 
Hello,

  1) Yes - in general your understanding is correct.
  2) U-Boot uses the HAB ROM API for authentication, but we do not have 
       Linux user space for HAB ROM.

Regards,
Yuri.
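
The layout from the diagram above, worked through for a DTB as an added example (not code from this thread, NXP or U-Boot). The 4 KiB padding boundary, the IVT header word 0x412000D1, the load address 0x83000000 and the sample DTB bytes are assumptions chosen for illustration; take the real values from your U-Boot environment and the guides linked above.

```python
import struct

IVT_HEADER = 0x412000D1  # assumed HABv4 header word: tag 0xD1, length 0x0020, version 0x41
IVT_SIZE = 0x20          # eight little-endian 32-bit words
ALIGN = 0x1000           # assumed "next boundary" used for the padding

def plan_layout(load_addr, image_size, align=ALIGN):
    """Addresses for: image | padding | IVT | CSF, as in the diagram."""
    if image_size <= 0 or load_addr % 4:
        raise ValueError("need a non-empty image and a word-aligned load address")
    padded = -(-image_size // align) * align  # round up to the boundary
    ivt_addr = load_addr + padded
    return {"load": load_addr, "padded_size": padded, "ivt_offset": padded,
            "ivt": ivt_addr, "csf": ivt_addr + IVT_SIZE,
            "signed_len": padded + IVT_SIZE}

def build_ivt(lay):
    # Fields: header, entry, reserved, DCD, boot data, self, CSF, reserved.
    # Entry is set to the load address (assumption for a non-executed image).
    return struct.pack("<8I", IVT_HEADER, lay["load"], 0, 0, 0,
                       lay["ivt"], lay["csf"], 0)

def pad_and_append_ivt(image, load_addr):
    """Return (blob to be signed, layout); the CSF binary is appended afterwards."""
    lay = plan_layout(load_addr, len(image))
    pad = b"\x00" * (lay["padded_size"] - len(image))
    return image + pad + build_ivt(lay), lay

def csf_blocks_line(lay, filename):
    """'Blocks' entry covering the signed data: load_address up to *csf."""
    return 'Blocks = 0x%08X 0x%08X 0x%08X "%s"' % (
        lay["load"], 0, lay["signed_len"], filename)

def check_ivt(blob, load_addr, ivt_offset):
    """Structural check only; the signature itself is verified by HAB."""
    hdr, entry, _, dcd, _, self_ptr, csf, _ = struct.unpack_from(
        "<8I", blob, ivt_offset)
    return (hdr == IVT_HEADER and entry == load_addr and dcd == 0
            and self_ptr == load_addr + ivt_offset
            and csf == self_ptr + IVT_SIZE)

if __name__ == "__main__":
    dtb = bytes.fromhex("d00dfeed") + bytes(0x8A38)  # constructed sample, not a real DTB
    blob, lay = pad_and_append_ivt(dtb, 0x83000000)  # assumed DTB load address
    print("ivt at 0x%08X, csf at 0x%08X" % (lay["ivt"], lay["csf"]))
    print(csf_blocks_line(lay, "dtb_pad_ivt.bin"))   # hypothetical file name
    print("IVT consistent:", check_ivt(blob, 0x83000000, lay["ivt_offset"]))
```

The IVT self pointer only matches if U-Boot loads the DTB at the same address used here, so the address in the layout and the one in the boot environment have to agree.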