ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX6 secure boot of Linux kernel

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 
解決済み
ソリューションへジャンプ

i.MX6 secure boot of Linux kernel

ソリューションへジャンプ
‎05-27-2014 04:47 AM
8,323件の閲覧回数
spacemanspiff
Contributor II

As described in Secure boot on Wandboard, I have manged to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it.

Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch, than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.

According to  Re: i.MX6 HAB support in U-Boot 2013 and later HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) is available, and the raw HAB API functions. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.

Is there a patch available for U-boot 2013.10, which enables authentication of the Linux kernel image before continuing boot?

Best regards,

Mikkel Holm Olsen

ラベル(3)
ラベル
0 件の賞賛
返信
1 解決策

ソリューションへジャンプ
‎05-29-2014 04:10 AM
1,964件の閲覧回数
igorpadykov
NXP Employee
NXP Employee

Hi Mikkel,

had you checked V2012 Uboot security scripts, below

link. Also they are included in ../mxc_secureboot folder imx-test-3.10.17-1.0.0

package

ENGR00000000 secure boot:add support for V2012 Secure U-Boot · 4eecc7d · boundarydevices/imx-linux-t...

L3.10.17_1.0.0_IMX6QDLS_BUNDLE : Source Code Download Steps Documentation and Demo Images.

Best regards

chip

元の投稿で解決策を見る

0 件の賞賛
返信
3 返答(返信)

ソリューションへジャンプ
‎06-17-2014 04:21 AM
1,964件の閲覧回数
spacemanspiff
Contributor II

Sorry about the late reply.

Thank you! Those links are very helpful, although at the moment I am investigating using U-Boot "verified boot" to sign the kernel.

Best regards,

Mikkel Holm Olsen

0 件の賞賛
返信

ソリューションへジャンプ
‎05-29-2014 04:10 AM
1,965件の閲覧回数
igorpadykov
NXP Employee
NXP Employee

Hi Mikkel,

had you checked V2012 Uboot security scripts, below

link. Also they are included in ../mxc_secureboot folder imx-test-3.10.17-1.0.0

package

ENGR00000000 secure boot:add support for V2012 Secure U-Boot · 4eecc7d · boundarydevices/imx-linux-t...

L3.10.17_1.0.0_IMX6QDLS_BUNDLE : Source Code Download Steps Documentation and Demo Images.

Best regards

chip

0 件の賞賛
返信

ソリューションへジャンプ
‎11-21-2017 08:26 PM
1,964件の閲覧回数
tengri
Contributor IV

Hi igorpadykov

I have a requirement to check the HAB status of uImage and if no HAB events to load the uImage. So how to do that checking in u-boot ?

Thanks in Advance

0 件の賞賛
返信