i.MX 8ULP Secure boot: Manual build steps


Build steps:

 

1. Build U-Boot and SPL:

a. Get U-Boot source:

https://source.codeaurora.org/external/imx/uboot-imx/
Check out the target release branch

 

b. Build images:

# Add secure boot features in the boot image
echo CONFIG_AHAB_BOOT=y >> configs/imx8ulp_evk_defconfig
make imx8ulp_evk_defconfig
make all

 

Output images:

$(UBOOT_SRC)/u-boot.bin
$(UBOOT_SRC)/spl/u-boot-spl.bin

2. ARM Trusted Firmware:

a. Obtain the ATF source:

https://source.codeaurora.org/external/imx/imx-atf/
Check out the target release branch

 

b. Build image:

make PLAT=imx8ulp bl31               # WITHOUT optee
make PLAT=imx8ulp SPD=opteed bl31    # WITH optee

 

Output images:

$(ATF_SRC)/build/imx8ulp/release/bl31.bin

 

3. (Optional) OPTEE:

a. Obtain the OPTEE source:

https://source.codeaurora.org/external/imx/imx-optee-os/
Check out the target release branch

 

b. Build image:

cd $(OPTEE_SRC)
./scripts/nxp_build.sh imx-mx8ulpevk

 

Output images:

$(OPTEE_SRC)/build.imx-mx8ulpevk/tee-imx-mx8ulpevk.bin

 

4. Get/Build M33 boot image:

a. Obtain the M33 source:

Go to http://mcuxpresso.nxp.com
Click on Select Development Board
Dropdown Boards
Dropdown i.MX
Select EVK-MIMX8ULP board
Click on Build MCUXpresso SDK vX.XX.X (select version available for BSP release)
Select appropriate options and click on "DOWNLOAD SDK"

 

b. Build M33 Hello World demo image:

cd SDK_<version>_EVK-MIMX8ULP/boards/evkmimx8ulp/demo_apps/hello_world/armgcc
ARMGCC_DIR=<compiler location> ./build_all.sh

 

Output images:

cd $(M33_SRC)/boards/evkmimx8ulp/demo_apps/hello_world/armgcc
Target: Flash
./flash_debug/sdk20-app.bin
./flash_release/sdk20-app.bin
Target: RAM
./debug/sdk20-app.bin
./release/sdk20-app.bin

 

b. (or) Get M33 demo image:

wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/imx8ulp-m33-demo-2.11.0.bin
Find out the latest demo image version from Linux Release Notes in BSP release

Make downloaded demo image package executable and accept EULA
chmod +x imx8ulp-m33-demo-2.11.0.bin
./imx8ulp-m33-demo-2.11.0.bin

M33 demo images located at:
$(M33_SRC)/imx8ulp_m33_*.bin 
Choose the demo image you would like to use

 

5. Get IMX-MKIMAGE source:

https://source.codeaurora.org/external/imx/imx-mkimage/
Check out the target release branch

 

6. Get Sentinel FW image:

wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-sentinel-0.2.bin
Find out the latest firmware version from Linux Release Notes in BSP release

Make downloaded firmware package executable and accept EULA
chmod +x firmware-sentinel-0.2.bin
./firmware-sentinel-0.2.bin

Sentinel firmware source located at:
$(SENTINEL_FW_SRC)/mx8ulpa0-ahab-container.img

  

7. Get uPower FW image:

wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-upower-0.1.1.bin
Find out the latest firmware version from Linux Release Notes in BSP release

Make downloaded firmware package executable and accept EULA
chmod +x firmware-upower-0.1.1.bin
./firmware-upower-0.1.1.bin

uPower firmware source located at:
$(UPOWER_FW_SRC)/upower.bin

 

8. Prepare to build i.MX8 ULP boot image:

Gather necessary images:

The following images are needed to generate the boot image.

  • SPL and U-boot images
    • u-boot.bin
    • u-boot-spl.bin
  • ATF image
    • bl31.bin
  • (Optional) OPTEE image
    • tee-imx-mx8ulpevk.bin
  • (Optional) M33 demo image (for Dualboot/LP boot modes)
    • sdk20-app.bin (or) imx8ulp_m33_*.bin
  • Sentinel FW
    • mx8ulpa0-ahab-container.img
  • uPower FW
    • upower.bin

Script to copy necessary files:

#!/bin/bash
# Set UBOOT_SRC, ATF_SRC, OPTEE_SRC, M33_SRC, SENTINEL_FW_SRC, UPOWER_FW_SRC
# and IMXMKIMAGE_SRC to the directories from the steps above before running.
# ${VAR} is used here because $(VAR) is command substitution in bash.
cd "${IMXMKIMAGE_SRC}" || exit 1
echo "Copying SPL and u-boot images"
cp -v "${UBOOT_SRC}/spl/u-boot-spl.bin" iMX8ULP/
cp -v "${UBOOT_SRC}/u-boot.bin" iMX8ULP/
echo
echo "Copying ATF image"
cp -v "${ATF_SRC}/build/imx8ulp/release/bl31.bin" iMX8ULP/
echo
echo "(Optional)Copying OPTEE image"
cp -v "${OPTEE_SRC}/build.imx-mx8ulpevk/tee-imx-mx8ulpevk.bin" iMX8ULP/tee.bin
echo
echo "(Optional) M33 demo image (for Dualboot/LP boot modes)"
cp -v "${M33_SRC}/sdk20-app.bin" iMX8ULP/m33_image.bin
#(or)
#cp -v "${M33_SRC}"/imx8ulp_m33_*.bin iMX8ULP/m33_image.bin
echo
echo "Copying Sentinel FW"
cp -v "${SENTINEL_FW_SRC}/mx8ulpa0-ahab-container.img" iMX8ULP/
echo
echo "Copying uPower FW"
cp -v "${UPOWER_FW_SRC}/upower.bin" iMX8ULP/
echo
echo "Build instructions"
echo "make SOC=iMX8ULP flash_singleboot"
echo "make SOC=iMX8ULP flash_singleboot_m33"
echo "make SOC=iMX8ULP flash_dualboot"
echo "make SOC=iMX8ULP flash_dualboot_m33"

 

9. (A core) Build singleboot/_m33 or dualboot boot image:

 

Since the final boot image is made up of multiple containers, the 3rd container needs to be built and signed first. Then the 2nd container needs to be built, signed, and concatenated with the 3rd container to build the final flash.bin image. Since the 1st container, which contains the Sentinel FW, is already signed, it is simply concatenated during the final image build process. For more details, see the "iMX8ULP/soc.mk" file in the imx-mkimage repository.

 

Build u-boot-atf-container.img file:

Output from command "make SOC=iMX8ULP u-boot-atf-container":

....

465604 bytes (466 kB, 455 KiB) copied, 0.00443882 s, 105 MB/s
AP file_offset = 0xe4800 size = 0x71c00
CST: CONTAINER 0 offset: 0x0
CST: CONTAINER 0: Signature Block: offset is at 0x190
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET

Sign the u-boot-atf-container.img file:

a. Prepare CSF file:

imx8ulp-u-boot-atf-container.csf

[Header]
Target = AHAB
Version = 1.0

......

[Authenticate Data]
# Binary to be signed generated by mkimage
File = "u-boot-atf-container.img"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x000 0x190

b. Sign u-boot-atf-container.img file:

../linux64/bin/cst --o u-boot-atf-container.img.signed --i imx8ulp-u-boot-atf-container.csf

#Copy the signed u-boot-atf-container.img.signed image to imx-mkimage to build final image

cp -rv u-boot-atf-container.img.signed $(IMXMKIMAGE_SRC)/iMX8ULP/u-boot-atf-container.img

Build final flash.bin file:

Output from command "make SOC=iMX8ULP flash_singleboot":

....

78100 bytes (78 kB, 76 KiB) copied, 0.000954499 s, 81.8 MB/s
AP file_offset = 0xf400 size = 0x13400
CST: CONTAINER 0 offset: 0x400
CST: CONTAINER 0: Signature Block: offset is at 0x510
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
append u-boot-atf-container.img at 138 KB
1369+0 records in
1369+0 records out
1401856 bytes (1.4 MB, 1.3 MiB) copied, 0.00915428 s, 153 MB/s

Sign the final flash.bin file:

a. Prepare CSF file:

imx8ulp-flash.csf

[Header]
Target = AHAB
Version = 1.0

......

[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x400 0x510

b. Sign final flash.bin image:

../linux64/bin/cst --o signed-flash.bin --i imx8ulp-flash.csf

#Final signed flash.bin image is ready "signed-flash.bin"

 

9. (M core) Build dualboot_m33 boot image:

 

The boot image built for the M core starts at an offset of 0x1000, because the first 0x1000 bytes are reserved for the flash configuration information. Thus, when copying the offsets printed by the build into the CSF file, 0x1000 needs to be added to each of them. The 1st container contains the Sentinel FW, which is already signed by NXP, so only the 2nd container with the M33 boot image needs to be signed.

Build final flash.bin file:

Output from command "make SOC=iMX8ULP flash_dualboot_m33":

....

M4 file_offset = 0xf400 size = 0xcc00
CST: CONTAINER 0 offset: 0x400   <---- Add 0x1000 offset
CST: CONTAINER 0: Signature Block: offset is at 0x510 <---- Add 0x1000 offset
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
./../scripts/fspi_packer.sh ../scripts/fspi_header_atxp
0+1 records in
0+1 records out
512 bytes copied, 0.000273614 s, 1.9 MB/s
112+0 records in
112+0 records out
114688 bytes (115 kB, 112 KiB) copied, 0.000980111 s, 117 MB/s
3+0 records in
3+0 records out
1536 bytes (1.5 kB, 1.5 KiB) copied, 0.000267603 s, 5.7 MB/s
F(Q)SPI IMAGE PACKED

Sign the final flash.bin file:

a. Prepare CSF file:

imx8ulp-flash_m33.csf

[Header]
Target = AHAB
Version = 1.0

......

[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x1400 0x1510

b. Sign final flash.bin image:

../linux64/bin/cst --o signed-flash.bin --i imx8ulp-flash_m33.csf

#Final signed flash.bin image is ready "signed-flash.bin"
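
Added example (not part of the original article and not NXP code): a shell function that reads the "CST: CONTAINER 0" lines printed by imx-mkimage and emits the matching CSF "Offsets" line, for both the A core case (no extra offset) and the M core case (0x1000 added). The function name csf_offsets and its base-offset argument are assumptions made for this example; the sample input is copied from the build output above.

```shell
#!/bin/bash
# Added example: turn imx-mkimage "CST:" output into the CSF "Offsets" line.
# csf_offsets and its BASE argument are names assumed for this example.

# Usage: make SOC=iMX8ULP flash_dualboot_m33 2>&1 | csf_offsets 0x1000
csf_offsets() {
    local base="${1:-0}" log hdr sig
    log=$(cat)   # read the whole build log from stdin
    # Keep the last match so a log holding several builds uses the newest.
    hdr=$(printf '%s\n' "$log" | sed -n \
        's/^[[:space:]]*CST: CONTAINER 0 offset: \(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | tail -n 1)
    sig=$(printf '%s\n' "$log" | sed -n \
        's/^[[:space:]]*CST: CONTAINER 0: Signature Block: offset is at \(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p' | tail -n 1)
    if [ -z "$hdr" ] || [ -z "$sig" ]; then
        echo "csf_offsets: CST offset lines not found in build output" >&2
        return 1
    fi
    # In every build output on this page the signature block follows the
    # container header; reject anything else instead of signing with it.
    if [ $(($sig)) -le $(($hdr)) ]; then
        echo "csf_offsets: signature block $sig is not after header $hdr" >&2
        return 1
    fi
    printf 'Offsets = 0x%03x 0x%03x\n' $(($hdr + $base)) $(($sig + $base))
}

# Lines copied from the build output on this page (annotation included).
sample='CST: CONTAINER 0 offset: 0x400   <---- Add 0x1000 offset
CST: CONTAINER 0: Signature Block: offset is at 0x510 <---- Add 0x1000 offset'

printf '%s\n' "$sample" | csf_offsets          # A core: Offsets = 0x400 0x510
printf '%s\n' "$sample" | csf_offsets 0x1000   # M core: Offsets = 0x1400 0x1510
```

Generating the line from the build output each time keeps the CSF in step with the image being signed, rather than with offsets copied from an earlier build.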

 

 

Last update:
‎02-15-2022 03:41 PM