As described in Secure boot on Wandboard, I have managed to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it.
Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.
According to Re: i.MX6 HAB support in U-Boot 2013 and later HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) is available, and the raw HAB API functions. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.
Is there a patch available for U-Boot 2013.10 which enables authentication of the Linux kernel image before continuing boot?
Best regards,
Mikkel Holm Olsen
Hi Mikkel,
Have you checked the V2012 U-Boot security scripts at the link below? They are also included in the ../mxc_secureboot folder of the imx-test-3.10.17-1.0.0 package.
L3.10.17_1.0.0_IMX6QDLS_BUNDLE : Source Code Download Steps Documentation and Demo Images.
Best regards
chip
Sorry about the late reply.
Thank you! Those links are very helpful, although at the moment I am investigating using U-Boot "verified boot" to sign the kernel.
Best regards,
Mikkel Holm Olsen
Hi igorpadykov
I have a requirement to check the HAB status of the uImage and, if there are no HAB events, to load the uImage. How do I do that check in U-Boot?
Thanks in Advance