I am using iMX8M Mini.
I haven't found any references to the possibility of automatically signing bootloaders and images by Yocto for HAB secure boot.
IMX8M YOCTO how to sign image to secure boot
mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot
But there are manual steps to get offsets and other data from the images just built and feed the CST tool with them to produce signed images.
Are there Yocto layers implementing this automatically?
Surely, it could be done signing inside Yocto. Just make some bb files.
But it makes no sense.
Surely, a very basic violation of a basic security concept.
It should have a security server to sign for you, not you doing it by yourself.
The security server is a black box to you. You will never know the private key.
Your input is an image and the security server output is a signed image and public key.
Of course, for i.MX it could be csf bin, key hash.
There is no excuse to not provide automated build system with signing because of this.
1. The simple .bb files you talk about are quite difficult to write based on your documentation and support. This is the key issue on this thread.
2. The .bb files can send images to be signed to a black box for signing, wrap the signing tool.
3. The entire black box may even be the company official build server producing artifacts. R&D developers can then use a separate set of keys. This is the intended aim in our case.
I have a question for you.
Is it a Yocto question or an i.MX processor question?
Is it the Yocto community or the i.MX processor community?
Who should have the skills and knowledge to use Yocto and write a bb file?
Who should provide the document to write down a Yocto bb file?
So I spent several weeks on this and eventually figured out how to automate the build of U-boot and Linux kernel, signing it with CST from a set of keys. The complete set of needed stuff is still not done, like booting into a verity protected filesystem, making U-boot env variables protected, etc etc, but I left the project and perhaps this will never be completed properly. It for sure is complicated just to get the basic stuff working.
Full story would be too much but via imx-boot_%.bbappend and linux-imx_%.bbappend I hooked into it. Setting IMXBOOT_TARGET to "..._signed" will generate "imx-boot-xxxxreva5-sd.bin-flash_evk_signed" for me now. First I also got a signed "sImage" but later changed to replacing Image with the signed version for practical reasons. Keys are found via env CST_TREE and since the cst tool needs to "be in this tree" I adapted build directories to provide soft links appropriately (Digi has a modification that can work out of tree). I added a cst-im-native_3.3.1.bb also....
Perhaps not easy but possible, something like this would be very very useful if NXP could incorporate
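The manual step raised in the question (reading offsets out of the build output and feeding them to CST) is the part any recipe task has to script. The following is an added example, not code from this thread, NXP or Digi: it assumes the boot-image build log contains `spl hab block:` and `sld hab block:` lines of three hex values (load address, file offset, length), runs on a constructed log, and its function names are hypothetical.

```python
"""Added example: turn 'hab block' build-log lines into CSF Blocks entries."""
import re

# Constructed sample log; the line format is an assumption, not taken from the thread.
SAMPLE_LOG = """\
Loader IMAGE:
 csf_off 0x2c400
 spl hab block: 0x7e0fc0 0x0 0x2c400
Second Loader IMAGE:
 sld_csf_off 0x58c20
 sld hab block: 0x401fcdc0 0x57c00 0x1020
"""

HEX = r"(0x[0-9a-fA-F]+)"
HAB_LINE = re.compile(
    rf"^[ \t]*(spl|sld) hab block:[ \t]*{HEX}[ \t]+{HEX}[ \t]+{HEX}[ \t]*$",
    re.MULTILINE,
)

def parse_hab_blocks(log_text):
    """Return {'spl': (addr, offset, length), 'sld': (...)}; raise on any doubt."""
    blocks = {}
    for name, addr, off, length in HAB_LINE.findall(log_text):
        if name in blocks:
            raise ValueError(f"duplicate {name} hab block line")
        triple = (int(addr, 16), int(off, 16), int(length, 16))
        if triple[2] == 0:
            raise ValueError(f"{name} hab block has zero length")
        blocks[name] = triple
    missing = {"spl", "sld"} - blocks.keys()
    if missing:
        # Fail the build rather than sign a CSF that covers less than intended.
        raise ValueError(f"missing hab block line(s): {sorted(missing)}")
    return blocks

def csf_blocks_line(block, image_name="flash.bin"):
    """Format one entry for the Blocks field of a CSF [Authenticate Data] command."""
    addr, off, length = block
    return f'Blocks = 0x{addr:x} 0x{off:x} 0x{length:x} "{image_name}"'

if __name__ == "__main__":
    for name, block in parse_hab_blocks(SAMPLE_LOG).items():
        print(name, csf_blocks_line(block))
```

A truncated or missing block line raises instead of producing a CSF, so a recipe task wrapping this stops the build before anything is sent for signing.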
Hello Antonio Santagiuliana,
The Linux BSP for i.MX does not have recipes that allow for automation of this process and I haven’t seen any similar recipes on the Yocto Project layers outside of our BSP either. This is because the process requires several steps that will depend on your configuration and are not easy to automate. Although you may create your own recipes or scripts to automate as much as possible, this is not a trivial task.
My apologies for the inconvenience.
Wish to recommend for NXP to provide a template of Yocto recipes for secure boot to remove the manual steps and also standalone scripts. Digi has the offering mentioned above by another customer. They do have the non-trivial Yocto scripts and they also have the standalone scripts that manufacturing could use to do the secure boot steps. But one has to buy and use their SOCs per the license agreement to actually use them. So, NXP would be helping their customers out a great deal if they provided at least templates and standalone scripts that customers could easily modify and use for secure boot setup and configuration. Every customer has to deal with this who uses secure boot on any of NXP's products because of the manual steps involved.