Secure boot on i.MX 8MPlus (865)
- Secure boot on i.MX 8MPlus (865)
- Introduction:
- 1. Boot Flow:
- 2. BootImage layout:
- Build steps:
- 1. Build U-Boot and SPL:
- a. Get U-Boot source:
- b. Build images:
- 2. ARM Trusted Firmware:
- a.Obtain the ATF source:
- b. Build image:
- 3. Get the DDR FW images:
- 4. Get IMX-MKIMAGE source:
- 5. Build the i.MX8 MP boot image:
- a. Gather necessary images:
- b. Build flash.bin
- c. Print HAB blocks
- 6.Sign the final image (manual method):
- a. Prepare CSF files:
- b. Prepare the signed image:
Introduction:
This document can be used as an example to build a signed boot image for i.MX 8MPlus application processor. It is a subset of i.MX8MQ secure boot document as most of the information is similar. This document omits Code Signing Tool and HAB Key Generation information needed for a successful secure boot. The i.MX8MQ secure boot document covers those needed topics. A typical boot image involves an SPL, DDR firmware, ARM-Trusted Firmware (ATF) and U-BOOT images.
1. Boot Flow:
2. Boot Image layout:
Build steps:
1. Build U-Boot and SPL:
a. Get U-Boot source:
https://source.codeaurora.org/external/imx/uboot-imx/
b. Build images:
# Add secure boot features in boot image
echo CONFIG_IMX_HAB=y >> configs/imx8mp_evk_defconfig
make imx8mp_evk_defconfig
make all
Output images:
$(UBOOT_SRC)/u-boot.bin
$(UBOOT_SRC)/u-boot-nodtb.bin
$(UBOOT_SRC)/spl/u-boot-spl.bin
$(UBOOT_SRC)/arch/arm/dts/imx8mp-evk.dtb
2. ARM Trusted Firmware:
a. Obtain the ATF source:
https://source.codeaurora.org/external/imx/imx-atf/
b. Build image:
make PLAT=imx8mp bl31
Output images:
$(ATF_SRC)/build/imx8mp/release/bl31.bin
3. Get the DDR FW image:
Get the latest firmware-imx binary. Check IMX Release Notes.
wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-8.0.bin
chmod 777 firmware-imx-8.0.bin
./firmware-imx-8.0.bin
Accept the LICENSE AGREEMENT
cd firmware-imx-8.0
Output images:
$(DDRFW_SRC)/firmware/ddr/synopsys/lpddr4_pmu_train_*
4. Get IMX-MKIMAGE source:
https://source.codeaurora.org/external/imx/imx-mkimage/
5. Build the i.MX8 MP boot image:
a. Gather necessary images:
The following images are needed to generate boot image.
- SPL and U-boot images
- u-boot.bin
- u-boot-nodtb.bin
- u-boot-spl.bin
- imx8mp-evk.dtb
- ATF image
- bl31.bin
- DDR firmware images
- lpddr4_pmu_train_1d_dmem.bin
- lpddr4_pmu_train_1d_imem.bin
- lpddr4_pmu_train_2d_dmem.bin
- lpddr4_pmu_train_2d_imem.bin
Script to copy necessary files:
#!/bin/bash
cd $(IMXMKIMAGE_SRC)
echo "Copying SPL and u-boot images"
cp -v $(UBOOT_SRC)/spl/u-boot-spl.bin iMX8M/
cp -v $(UBOOT_SRC)/u-boot.bin iMX8M/
cp -v $(UBOOT_SRC)/u-boot-nodtb.bin iMX8M/
cp -v $(UBOOT_SRC)/arch/arm/dts/imx8mp-evk.dtb iMX8M/
echo
echo "Copying DDR FW"
cp -v $(DDRFW_SRC)/firmware/ddr/synopsys/lpddr4_pmu_train_* iMX8M/
echo
echo "Copying ATF image"
cp -v $(ATF_SRC)/build/imx8mp/release/bl31.bin iMX8M/
echo "Build instructions"
echo "make SOC=iMX8MP flash_evk"
echo "Print HAB blocks"
echo "make SOC=iMX8MP print_fit_hab"
echo "Flash SD card"
echo "sudo dd if=iMX8M/flash.bin of=/dev/sd<block> bs=1k seek=33 && sync"#!/bin/bash
cd $(IMXMKIMAGE_SRC)
echo "Copying SPL and u-boot images"
cp -v $(UBOOT_SRC)/spl/u-boot-spl.bin iMX8M/
cp -v $(UBOOT_SRC)/u-boot.bin iMX8M/
cp -v $(UBOOT_SRC)/u-boot-nodtb.bin iMX8M/
cp -v $(UBOOT_SRC)/arch/arm/dts/imx8mp-evk.dtb iMX8M/
echo
echo "Copying DDR FW"
cp -v $(DDRFW_SRC)/firmware/ddr/synopsys/lpddr4_pmu_train_* iMX8M/
echo
echo "Copying ATF image"
cp -v $(ATF_SRC)/build/imx8mp/release/bl31.bin iMX8M/
echo "Build instructions"
echo "make SOC=iMX8MP flash_evk"
echo "Print HAB blocks"
echo "make SOC=iMX8MP print_fit_hab"
echo "Flash SD card"
echo "sudo dd if=iMX8M/flash.bin of=/dev/sd<block> bs=1k seek=33 && sync"
b. Build flash.bin
Output from command "make SOC=iMX8MP flash_evk":
========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x1a000
dcd_off 0x0
image_off 0x1a040
csf_off 0x44600 <---- Offset required to copy SPL CSF binary to SPL image
spl hab block: 0x7e0fd0 0x1a000 0x2e600 <----- Goes into SPL CSF fileSecond Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20 <---- Offset required to copy FIT CSF binary to FIT image
ld hab block: 0x401fcdc0 0x57c00 0x1020 <---- Goes into FIT CSF file
c. Print HAB blocks
Using the command "make SOC=iMX8MP print_fit_hab":
0x40200000 0x5AC00 0x9AAC8 }
0x910000 0xFCC90 0x9170 }---- Goes into FIT CSF file
0xFE000000 0xFE804 0x4D268 }
0x402A2090 0x105E00 0x688D
6. Sign the final image (manual method):
a. Prepare CSF files:
imx8mp-spl.csf
[Header]
Version = 4.3
Hash Algorithm = sha256......
[Authenticate Data]
Verification index = 2
Blocks = 0x7e0fd0 0x1a000 0x2e600 "flash.bin"
imx8mp-fit.csf
[Header]
Version = 4.3
Hash Algorithm = sha256.......
[Authenticate Data]
Verification index = 2
Blocks = 0x401fcdc0 0x57c00 0x1020 "flash.bin", \
0x40200000 0x5AC00 0x9AAC8 "flash.bin", \
0x910000 0xFCC90 0x9170 "flash.bin", \
0xFE000000 0xFE804 0x4D268 "flash.bin", \
0x402A2090 0x105E00 0x688D "flash.bin"
b. Prepare the signed image:
Script to prepare signed flash image:
#! /bin/bash
echo "generate SPL csf data..."
../linux64/bin/cst --o imx8mp-spl_csf.bin --i imx8mp-spl.csfecho "generate FIT csf data..."
../linux64/bin/cst --o imx8mp-fit_csf.bin --i imx8mp-fit.csfcp flash.bin signed-flash.bin
echo "insert SPL csf data to ..."
dd if=imx8mp-spl_csf.bin of=signed-flash.bin seek=$((0x44600)) bs=1 conv=notruncecho "insert FIT csf data to ..."
dd if=imx8mp-fit_csf.bin of=signed-flash.bin seek=$((0x58c20)) bs=1 conv=notruncecho "signed-flash.bin is ready"
echo "Flash SD card"
echo "sudo dd if=signed-flash.bin of=/dev/sd<block> bs=1k seek=33 && sync"
