I am trying to use the u-boot-signed.sb target to sign the bootloader.
Does somebody already use this?
Generally, U-Boot in itself does not handle secure boot, since
there is HAB functionality of the internal (ROM) bootloader of the i.MX28.
Please look at Chapter 12 (Boot Modes) of the i.MX28 Reference Manual.
More details may be found in the so-called i.MX28 Security Reference Manual,
which should be published soon on the Web.
Basically, for the HAB we have to provide some valid information (in addition to the application):
- a command sequence file (CSF);
- the super root key structure (the public key is shown there, and the hash of
this key is provided in the fuses).
The general sequence of HAB checking is as follows:
1. Install Super_Root_Key.
For fuse SRK processors, the SRK is supplied in external memory. The SRK data is
first copied to internal memory for better integrity protection, and the SRK
fingerprint is verified against the SRK hash present in the OTP fuses to ensure
that the supplied SRK data is correct.
2. Verify CSF Certificate with Super-Root Key.
3. Verify CSF with CSF Key.
4. Verify App Certificates (CSF Key)
5. Verify App Signatures (App Keys)
If all verifications are OK the application starts.
Now you may request the Code Signing Tools.
i.MX Design Tools|Freescale
Thanks for your response,
I found a target in u-boot to make a signed u-boot.sb.
After some corrections in the makefile it works.
I tried to encrypt with elftosb, and that works too.
But, when encrypted, the Freescale tools don't work anymore (BitInit,
bitloader, etc). I think it's normal because the code loaded by these tools
is not encrypted.
I haven't tried to close the imx28 to accept only signed messages. It's the next
step. I suppose that the tools don't work on a closed CPU?
On 2015-03-09 19:28, Alejandro Lozano Lozano wrote:
HOW TO SIGN CODE FOR UBOOT 2014-04 FOR IMX28 ? THIS VERSION OF UBOOT INTEGRATE CODE SIGNING FOR IMX28.
reply from Alejandro Lozano Lozano in i.MX Community - View the full discussion