Secure boot on Wandboard

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure boot on Wandboard

Jump to solution
4,224 Views
spacemanspiff
Contributor II

I am trying to get secure boot working on the Wandboard quad, based on AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4), HABCST_UG (HAB Code-Signing Tool User’s Guide) and a few other sources of information. In case it matters, I am currently experimenting with U-boot on the SD card, although in the end U-boot will be in a SPI flash.

I have compiled U-boot 2013.10 with CONFIG_SECURE_BOOT (to get hab_status) as well as CONFIG_CMD_FUSE and CONFIG_MXC_OCOTP (to access fuses from U-boot).

I have created the PKI and SRK table and eFuse hash according to HAB CST user guide chapter 3.2.

Based on a guide regarding secure boot on the Nitrogen 6X, I have attempted to write a CSF input file for CST, and created the binary CSF.

There are various guides on how to combine the U-Boot image with the CSF, but I think some things have changed since these guides were written. Maybe there is an easier way of putting everything together for secure booting on the i.MX6.

1) What is the easiest way to reserve space for the CSF before the BSS? In the guides, modifications are being done to the linker-script (i.e. u-boot.lds), but I am not quite sure what linker script is being used for the wandboard-quad, or if there is an easier way of reserving this region.

2) I have looked at the u-boot.imx, and see the IVT at the beginning, but the CSF-pointer is 0. What is the easiest way to set the CSF-pointer?

3) According to U-boots README.mxc_hab, mkimage should "output additional information about ''HAB Blocks'' which can be used in the Freescale tooling to authenticate U-Boot (entries in the CSF file)". However, this is not shown when I run mkimage -l u-boot.imx:

Image Type:   Freescale IMX Boot Image

Image Ver:    2 (i.MX53/6 compatible)

Data Size:    290816 Bytes = 284.00 kB = 0.28 MB

Load Address: 177ff420

Entry Point:  17800000

4) Does anyone have any pointers to resources about writing the CSF input file, or other resources regarding secure boot on i.MX6?

Any help is greatly appreciated,

Mikkel Holm Olsen

Labels (2)
1 Solution
1,672 Views
spacemanspiff
Contributor II

I managed to get secure boot of U-Boot 2013.10 working on the Wandboard (i.MX6), so for anyone struggling with this, here are some pointers:

1. Reserve space for CSF in U-boot. Edit u-boot.lds and add the following between "_end = .;" and ". = ALIGN(4096);":

. = ALIGN(0x1000);

.hab_section (OVERLAY) : {

   __hab_data = .;

   . = . + 0x2000; /* Reserve 8kB for CSF */

   __hab_data_end = .;

}

This sets aside 8kB in the U-boot memory layout, where we can have the IVT load the CSF (appended to U-boot image).

2. In order to change the CSF pointer in IVT, edit the imximage configuration file. First find your board in u-boots boards.cfg, and locate the IMX_CONFIG variable. Now open this file (in my case board/boundary/nitrogen6x/nitrogen6q2g.cfg) and add the following (I added it after "BOOT_FROM":

/* Reserve 8kB for CSF */

CSF    0x2000

This will both set the CSF pointer in IVT, and also add 8kB to the length-field, so we get the CSF loded into memory along with the U-boot image.

3. Build the u-boot.imx file (you could verify with hexdump that CSF-pointer is populated).

4. Assuming you have created the PKI tree and SRK table (using hab4_pki_tree.sh and srktool), you now need to create the CSF source file (see attached u-boot.csf for inspiration). You need to set the size of u-boot.imx in the "Authenticate Data" section. In my case this was 0x46C00 (i.e. 289792 bytes).

5. Compile the CSF to binary form by using cst:

linux/cst --o u-boot_csf.bin < u-boot.csf

6. Pad the CST file to 8kB length:

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xAA u-boot_csf.bin u-boot_csf_padded.bin

7. Append the padded CSF to the IMX image:

cat u-boot.imx u-boot_csf_padded.bin > u-boot_csf.imx

8. Copy the combined image to SD card:

sudo dd if=u-boot_csf.imx of=/dev/sdc bs=512 seek=2

9. Program the SRK hash fuses.

View solution in original post

0 Kudos
5 Replies
1,673 Views
spacemanspiff
Contributor II

I managed to get secure boot of U-Boot 2013.10 working on the Wandboard (i.MX6), so for anyone struggling with this, here are some pointers:

1. Reserve space for CSF in U-boot. Edit u-boot.lds and add the following between "_end = .;" and ". = ALIGN(4096);":

. = ALIGN(0x1000);

.hab_section (OVERLAY) : {

   __hab_data = .;

   . = . + 0x2000; /* Reserve 8kB for CSF */

   __hab_data_end = .;

}

This sets aside 8kB in the U-boot memory layout, where we can have the IVT load the CSF (appended to U-boot image).

2. In order to change the CSF pointer in IVT, edit the imximage configuration file. First find your board in u-boots boards.cfg, and locate the IMX_CONFIG variable. Now open this file (in my case board/boundary/nitrogen6x/nitrogen6q2g.cfg) and add the following (I added it after "BOOT_FROM":

/* Reserve 8kB for CSF */

CSF    0x2000

This will both set the CSF pointer in IVT, and also add 8kB to the length-field, so we get the CSF loded into memory along with the U-boot image.

3. Build the u-boot.imx file (you could verify with hexdump that CSF-pointer is populated).

4. Assuming you have created the PKI tree and SRK table (using hab4_pki_tree.sh and srktool), you now need to create the CSF source file (see attached u-boot.csf for inspiration). You need to set the size of u-boot.imx in the "Authenticate Data" section. In my case this was 0x46C00 (i.e. 289792 bytes).

5. Compile the CSF to binary form by using cst:

linux/cst --o u-boot_csf.bin < u-boot.csf

6. Pad the CST file to 8kB length:

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xAA u-boot_csf.bin u-boot_csf_padded.bin

7. Append the padded CSF to the IMX image:

cat u-boot.imx u-boot_csf_padded.bin > u-boot_csf.imx

8. Copy the combined image to SD card:

sudo dd if=u-boot_csf.imx of=/dev/sdc bs=512 seek=2

9. Program the SRK hash fuses.

0 Kudos
1,672 Views
ganeshc
Contributor III

Hi,
Unknowingly I executed this command in my Wandboard Quad
echo 0x2 > /sys/fsl_otp/HW_OCOTP_CFG5
after executing this command my board is not booting up.
After that I read many documentation to get what actually happened and it shows I enabled chip security which is used for secure boot.

Now what should I do to get my board to boot /start ?

0 Kudos
1,672 Views
siah77
Contributor I

Is the a way to unlock or remove the secure boot after burn fuse? The document didn't mention about the removal. Please advice and thank you

0 Kudos
1,672 Views
igorpadykov
NXP Employee
NXP Employee

Hi Ricky

unfortunately these (and other) fuses are unreversable.

They can not be changed back to unsecure state, when programmed to

secure state. So once programmed, board stays secure forever.

Best regards

chip

0 Kudos
1,672 Views
spacemanspiff
Contributor II

It seems all the documentation (application notes and examples) say that one should use older U-boot, except this recent question i.MX6 HAB support in U-Boot 2013 and later.

I would really prefer to use a recent U-boot, because we need to patch it to support various devices, and we need device tree support etc.

From my findings all that needs to be done before I have securely started U-boot is:

  1. Patch U-boot to reserve space for the CSF.
  2. Make the image consisting of the existing u-boot.imx + padding + CSF
  3. Set the CSF pointer in the IVT.
  4. Burn fuses

As for 1. it appears that there have been changes in the U-boot linker scripts. I am just wondering if there is an easy way (e.g. board specific configuration option or similar) to reserve this space.

Regarding 2. and 3. this was just my idea of how to get the needed result. There may be a cleaner way to achieve this. If you have a suggestion, please let me know.