iMX8M Mini Yocto secure boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

iMX8M Mini Yocto secure boot

2,826 Views
antonio_santagi
Contributor IV

Hello,

I am using iMX8M Mini .

I haven't found any references to possibility of automatically signing bootloaders and images by Yocto for HAB secure Boot.

I read 

IMX8M YOCTO how to sign image to secure boot  

and 

mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot  

But there are manual steps to get offsets and other data from images just build and feed CST tool with them to produce signed images.

Are there Yocto layers implementing this automatically ?

thank you

Tags (3)
0 Kudos
7 Replies

2,230 Views
BiyongSUN
NXP Employee
NXP Employee

Surely, it could be done signing inside Yocto. Just make some bb files. 

But it makes no sense.

Surely, a very basic   violation of security basic concept. 

It should have a security server to sign for you. not you do it by yourself. 

The security server is black box to you. You will never know the private key. 

Your input is an Images and  security server output is a signed image and public key. 

Of course, for i.MX could be csf bin, key hash.   

 

Untitled.png

0 Kudos

2,224 Views
petter-osterlund
Contributor II

There is no excuse to not provide automated build system with signing because of this.

1. The simple .bb files you talk about is quite difficult to write based on your documentation an support. This is the key issue on this thread.

2. The .bb files can send images to be signed to a black box for signing, wrap the signing tool.

3. The entire black box may even be the company official build server producing artifacts. R&D developers can then use a separate set of keys.This is the intended aim in our case.

0 Kudos

2,218 Views
BiyongSUN
NXP Employee
NXP Employee

I have question for you.

It is Yocto question or i.MX processor question?  

It is Yocto community  or i.MX processor community?

Who should have the skills and knowledge to use yocto and write bb file?

Who should provide the document to write down Yocto bb file? 

 

 

0 Kudos

2,235 Views
petter-osterlund
Contributor II


So I spend several weeks on this and eventually figured out how to automate build of U-boot and Linux kernel signing it with CST from a set of keys. The comple set of needed stuff is still not done, like booting into a verity protected filesystem, making U-boot env variables protected, etc etc, but I left the project and perhaps this will never be completed properly. It for sure is complicated just to get the basic stuff working.

Full story would be to much but via  imx-boot_%.bbappend and linux-imx_%.bbappend I hooked into it. Setting IMXBOOT_TARGET to "..._signed" will generate "imx-boot-xxxxreva5-sd.bin-flash_evk_signed" for me now. First I also got a signed "sImage" but later changed to replaceing Image with the signed version for practical reasons. Keys are found via env CST_TREE and since cts tool needs to "be in this tree" I adapted build directories to provide soft links appropriately (Digi has a modification that can work out of tree). I addded a cst-im-native_3.3.1.bb also....

0 Kudos

2,522 Views
petter-osterlund
Contributor II

Perhaps not easy but possible, something like this would be very very useful if NXP could incorporate

https://www.digi.com/resources/documentation/digidocs/embedded/dey/3.0/cc8mmini/yocto-trustfence_t_s...

2,702 Views
gusarambula
NXP TechSupport
NXP TechSupport

Hello Antonio Santagiuliana,

The Linux BSP for i.MX does not have recipes that allow for automation of this process and I haven’t seen any similar recipes on the Yocto Project layers outside of our BSP either. This because the process requires several steps that will depend on your configuration and are not easy to automate. Although you may create your own recipes or scripts to automate as much as possible, this is not a trivial task.

My apologies for the inconvenience.

Regards,

2,242 Views
Gandalf-kern
Contributor IV

Wish to recommend for NXP to provide a template of yocto recipes for secure boot to remove the manual steps and also standalone scripts.  Digi has the offering mentioned above by another customer.  They do have the non-trivial yocto scripts and they also have the standalone scripts that manufacturing could use to do the secure boot steps.  But one has to buy and use their SOCs per the license agreement to actually use them. So, NXP would be helping their customers out a great deal if they provided at least templates and standalone scripts that customers could easily modify and use for secure boot setup and configuration. Every customer has to deal with this who uses secure boot on any of NXPs products because of the manual steps involved.

0 Kudos