iMX8M mini Secure Boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

iMX8M mini Secure Boot

5,292 Views
flouveau
Contributor II

Hi all,

I try to understand how secure boot is working for imx8mmevk board.

I read following documentation :

My issue is about creating flash.bin with the output provided by yocto.

All documentation talks about doing all steps manually, but yocto provides these files. I assume it canbe used to generate flash.bin.

Yocto creates the following directory tmp/deploy/images/imx8mmevk/imx-boot-tools

In this directory, I have following files:

  • bl31-imx8mm.bin
  • bl31-imx8mm.bin-optee        
  • fsl-imx8mm-evk.dtb          
  • lpddr4_pmu_train_1d_dmem.bin
  • lpddr4_pmu_train_1d_imem.bin
  • lpddr4_pmu_train_2d_dmem.bin
  • lpddr4_pmu_train_2d_imem.bin 
  • mkimage_fit_atf.sh           
  • mkimage_imx8
  • mkimage_uboot
  • signed_dp_imx8m.bin
  • signed_hdmi_imx8m.bin
  • soc.mak
  • tee.bin
  • u-boot-imx8mmevk.bin-sd
  • u-boot-nodtb.bin-imx8mmevk-sd
  • u-boot-spl.bin-imx8mmevk-sd

My question : How to create the flash.bin file to be able to flash the EVK board ?

Regards,

Fabrice

5 Replies

4,777 Views
flouveau
Contributor II

I answer myself,

In Yocto BSP from NXP, tht too mkimage is already built and the recipe imx-boot generates the unsigned flash.bin as a file named imx-boot-<hardware>-sd.bin-flash_evk

This file contains SPL and U-BOOT.

To create a signed image, I follow steps described in mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc -...
All Signature part is well explained in Code Signing Tool User Guide.

I was able to create a signed file but no tested yet.
Hope this help.

0 Kudos
Reply

4,777 Views
kanimozhi_t
Contributor V

Hey @Fabrice,

    It's great to hear that you've successfully signed i.MX 8M Mini's flash.bin and I'm also trying to achieve the same.

    But, I'm facing issues now and posted it in here (https://community.nxp.com/thread/539440 ). Hope you can provide some help.

Thanks in advance.

0 Kudos
Reply

4,777 Views
flouveau
Contributor II

Hi Kanimozhi Thangappan,

I look at your csf_spl.txt, and it's similar to mine.

The only thing that differs is that you use absolute path where I use local path as explained in tutorial. I copy flash.bin into cst folder, at the exact place where txt file is (cst-3.3.0/release/linux64).

[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Index of the key location in the SRK table to be installed
    File = "../crts/SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    # Key used to authenticate the CSF data
    File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
    # Leave Job Ring and DECO master ID registers Unlocked
    Engine = CAAM
    Features = MID

[Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target index = 2
    # Key to install
    File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file
    Blocks = 0x7e0fc0 0x0 0x2a600 "flash.bin"

Sorry to not helping you much than this.

Fabrice

4,777 Views
kanimozhi_t
Contributor V

Thanks for your inputs.

    I've solved my problem. If you're curious, here's the answer: https://community.nxp.com/thread/539440#comment-1352925 

0 Kudos
Reply

4,777 Views
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello Fabrice,

You can find the yocto L4.14.92 documentation on

i.MX Software | NXP 

Regards

0 Kudos
Reply