帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

iMX8M Mini Yocto secure boot

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

iMX8M Mini Yocto secure boot

‎05-15-2020 06:31 AM
6,247 次查看
antonio_santagi
Contributor IV

Hello,

I am using iMX8M Mini .

I haven't found any references to possibility of automatically signing bootloaders and images by Yocto for HAB secure Boot.

I read 

IMX8M YOCTO how to sign image to secure boot  

and 

mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot  

But there are manual steps to get offsets and other data from images just build and feed CST tool with them to produce signed images.

Are there Yocto layers implementing this automatically ?

thank you

标记 (3)
0 项奖励
回复
7 回复数

‎03-31-2022 05:37 PM
5,651 次查看
BiyongSUN
NXP Employee
NXP Employee

Surely, it could be done signing inside Yocto. Just make some bb files. 

But it makes no sense.

Surely, a very basic   violation of security basic concept. 

It should have a security server to sign for you. not you do it by yourself. 

The security server is black box to you. You will never know the private key. 

Your input is an Images and  security server output is a signed image and public key. 

Of course, for i.MX could be csf bin, key hash.   

 

Untitled.png

0 项奖励
回复

‎03-31-2022 11:21 PM
5,645 次查看
petter-osterlund
Contributor II

There is no excuse to not provide automated build system with signing because of this.

1. The simple .bb files you talk about is quite difficult to write based on your documentation an support. This is the key issue on this thread.

2. The .bb files can send images to be signed to a black box for signing, wrap the signing tool.

3. The entire black box may even be the company official build server producing artifacts. R&D developers can then use a separate set of keys.This is the intended aim in our case.

0 项奖励
回复

‎03-31-2022 11:49 PM
5,639 次查看
BiyongSUN
NXP Employee
NXP Employee

I have question for you.

It is Yocto question or i.MX processor question?  

It is Yocto community  or i.MX processor community?

Who should have the skills and knowledge to use yocto and write bb file?

Who should provide the document to write down Yocto bb file? 

 

 

0 项奖励
回复

‎03-31-2022 05:46 AM
5,656 次查看
petter-osterlund
Contributor II


So I spend several weeks on this and eventually figured out how to automate build of U-boot and Linux kernel signing it with CST from a set of keys. The comple set of needed stuff is still not done, like booting into a verity protected filesystem, making U-boot env variables protected, etc etc, but I left the project and perhaps this will never be completed properly. It for sure is complicated just to get the basic stuff working.

Full story would be to much but via  imx-boot_%.bbappend and linux-imx_%.bbappend I hooked into it. Setting IMXBOOT_TARGET to "..._signed" will generate "imx-boot-xxxxreva5-sd.bin-flash_evk_signed" for me now. First I also got a signed "sImage" but later changed to replaceing Image with the signed version for practical reasons. Keys are found via env CST_TREE and since cts tool needs to "be in this tree" I adapted build directories to provide soft links appropriately (Digi has a modification that can work out of tree). I addded a cst-im-native_3.3.1.bb also....

0 项奖励
回复

‎06-17-2021 08:15 AM
5,943 次查看
petter-osterlund
Contributor II

Perhaps not easy but possible, something like this would be very very useful if NXP could incorporate

https://www.digi.com/resources/documentation/digidocs/embedded/dey/3.0/cc8mmini/yocto-trustfence_t_s...

回复

‎05-15-2020 01:50 PM
6,123 次查看
gusarambula
NXP TechSupport
NXP TechSupport

Hello Antonio Santagiuliana,

The Linux BSP for i.MX does not have recipes that allow for automation of this process and I haven’t seen any similar recipes on the Yocto Project layers outside of our BSP either. This because the process requires several steps that will depend on your configuration and are not easy to automate. Although you may create your own recipes or scripts to automate as much as possible, this is not a trivial task.

My apologies for the inconvenience.

Regards,

回复

‎03-30-2022 11:50 AM
5,663 次查看
Gandalf-kern
Contributor IV

Wish to recommend for NXP to provide a template of yocto recipes for secure boot to remove the manual steps and also standalone scripts.  Digi has the offering mentioned above by another customer.  They do have the non-trivial yocto scripts and they also have the standalone scripts that manufacturing could use to do the secure boot steps.  But one has to buy and use their SOCs per the license agreement to actually use them. So, NXP would be helping their customers out a great deal if they provided at least templates and standalone scripts that customers could easily modify and use for secure boot setup and configuration. Every customer has to deal with this who uses secure boot on any of NXPs products because of the manual steps involved.

0 项奖励
回复