I am trying to get secure boot working on the Wandboard quad, based on AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4), HABCST_UG (HAB Code-Signing Tool User’s Guide) and a few other sources of information. In case it matters, I am currently experimenting with U-boot on the SD card, although in the end U-boot will be in a SPI flash.
I have compiled U-boot 2013.10 with CONFIG_SECURE_BOOT (to get hab_status) as well as CONFIG_CMD_FUSE and CONFIG_MXC_OCOTP (to access fuses from U-boot).
I have created the PKI and SRK table and eFuse hash according to HAB CST user guide chapter 3.2.
Based on a guide regarding secure boot on the Nitrogen 6X, I have attempted to write a CSF input file for CST, and created the binary CSF.
There are various guides on how to combine the U-Boot image with the CSF, but I think some things have changed since these guides were written. Maybe there is an easier way of putting everything together for secure booting on the i.MX6.
1) What is the easiest way to reserve space for the CSF before the BSS? In the guides, modifications are being done to the linker-script (i.e. u-boot.lds), but I am not quite sure what linker script is being used for the wandboard-quad, or if there is an easier way of reserving this region.
2) I have looked at the u-boot.imx, and see the IVT at the beginning, but the CSF-pointer is 0. What is the easiest way to set the CSF-pointer?
3) According to U-boots README.mxc_hab, mkimage should "output additional information about ''HAB Blocks'' which can be used in the Freescale tooling to authenticate U-Boot (entries in the CSF file)". However, this is not shown when I run mkimage -l u-boot.imx:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 290816 Bytes = 284.00 kB = 0.28 MB
Load Address: 177ff420
Entry Point: 17800000
4) Does anyone have any pointers to resources about writing the CSF input file, or other resources regarding secure boot on i.MX6?
Any help is greatly appreciated,
Mikkel Holm Olsen