i.MX6 secure boot of Linux kernel

8,826 Views
spacemanspiff
Contributor II

As described in Secure boot on Wandboard, I have managed to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it.

Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.

According to Re: i.MX6 HAB support in U-Boot 2013 and later, HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) and the raw HAB API functions is available. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.

Is there a patch available for U-Boot 2013.10 which enables authentication of the Linux kernel image before continuing boot?

Best regards,

Mikkel Holm Olsen

1 Solution
2,467 Views
igorpadykov
NXP Employee

Hi Mikkel,

Have you checked the V2012 U-Boot security scripts at the link below? They are also included in the ../mxc_secureboot folder of the imx-test-3.10.17-1.0.0 package.

ENGR00000000 secure boot:add support for V2012 Secure U-Boot · 4eecc7d · boundarydevices/imx-linux-t...

L3.10.17_1.0.0_IMX6QDLS_BUNDLE : Source Code Download Steps Documentation and Demo Images.

Best regards

chip

3 Replies
2,467 Views
spacemanspiff
Contributor II

Sorry about the late reply.

Thank you! Those links are very helpful, although at the moment I am investigating using U-Boot "verified boot" to sign the kernel.

Best regards,

Mikkel Holm Olsen

2,467 Views
tengri
Contributor IV

Hi igorpadykov

I have a requirement to check the HAB status of the uImage and, if there are no HAB events, to load the uImage. So how do I do that check in U-Boot?

Thanks in advance
