i.MX6 secure boot of Linux kernel

Question asked by Mikkel Holm Olsen on May 27, 2014
Latest reply on Nov 21, 2017 by Anuradha Ranasinghe

As described in Secure boot on Wandboard, I have managed to use CST to sign my U-Boot image, and have my Wandboard verify the authenticity of U-Boot before executing it.


Now, I want to extend this to have the Linux kernel signed and to have U-Boot authenticate the image, as described in "i.MX 6 Linux High Assurance Boot (HAB) User's Guide". However, it appears that this document is based on a different U-Boot branch than the one I am using (U-Boot 2013.10 from Yocto). I would prefer to use this recent U-Boot, because of device tree support, etc.


According to Re: i.MX6 HAB support in U-Boot 2013 and later, HAB is supported in later U-Boot, but after digging for some time, it appears that only support for reading out HAB event status (using the "hab_status" command) is available, and the raw HAB API functions. The infrastructure to actually have U-Boot call HAB to authenticate the Linux image seems to be missing.


Is there a patch available for U-Boot 2013.10, which enables authentication of the Linux kernel image before continuing boot?


Best regards,

Mikkel Holm Olsen