Whether uboot image cannot be verified on uboot via hab_auth_img command


tsung-chihwang
Contributor III

I uncommented CONFIG_SECURE_BOOT to support secure mode.
I tried to copy image data from QSPI flash to memory and then do verification.
I can verify zImage successfully via the hab_auth_img command on uboot.
However, I cannot verify uboot through this command.
I want to confirm whether the uboot image cannot be verified on uboot via the hab_auth_img command.
Can the uboot image only be verified by the boot ROM?

If the assigned uboot image in memory cannot be verified via the hab_auth_img command, which combinations of HAB APIs can be used for this verification purpose?

0 Kudos
5 Replies

Yuri
NXP Employee

Hello,

 

The main idea behind HAB technology is checking an image (by external code) before running it. U-boot is checked by the boot ROM; the kernel, by U-boot.

It is not a good idea to verify an application by itself.

Have a great day,

Yuri

 


tsung-chihwang
Contributor III

Can any combination of HAB APIs be used for this verification purpose?

0 Kudos

Yuri
NXP Employee

Hello,

  Yes, HAB API (based on boot ROM code) may be used to verify images.
Please refer to "HAB4_API.pdf" in the CST.

https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL 

Regards,

Yuri.

0 Kudos

tsung-chihwang
Contributor III

Hi Yuri,

I mean using HAB APIs to verify U-boot under U-boot.
Is it possible?

BR,

carter

0 Kudos

Yuri
NXP Employee

Hello,

Theoretically it is possible to use the HAB API for U-boot self-checking, but we never tried it. You should take into account that

1) U-boot can be relocatable;
2) all of the following data should be included in the tested area (at their final locations):
* IVT;
* DCD;
* Boot Data;
* Entry point.

Regards,

Yuri.

0 Kudos
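The checklist in the last reply, written as a host-side C check over a dumped image: it parses the IVT and reports which of the IVT, DCD, Boot Data and entry point fall outside the tested area, or whether the IVT is not at its final location. This is an added example, not code from the thread, NXP or U-Boot. The function names, the sample image and the load address are constructed, and the tested area is assumed to be one contiguous range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HAB4 IVT byte offsets; all pointer fields are 32-bit little-endian. */
enum { IVT_ENTRY = 4, IVT_DCD = 12, IVT_BOOT_DATA = 16, IVT_SELF = 20, IVT_SIZE = 32 };
enum { BAD_HEADER = 1, BAD_SELF = 2, BAD_IVT = 4, BAD_ENTRY = 8, BAD_DCD = 16, BAD_BOOT_DATA = 32 };

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* True if [addr, addr+size) lies inside the tested area [base, base+len). */
static int inside(uint32_t addr, uint32_t size, uint32_t base, uint32_t len) {
    return addr >= base && size <= len && addr - base <= len - size;
}

/* img: bytes of the tested area; base: absolute address of its first byte at
 * the final location; ivt_off: offset of the IVT inside img.
 * Returns 0 when everything is covered, otherwise a mask of BAD_* bits. */
unsigned check_tested_area(const uint8_t *img, uint32_t len, uint32_t base, uint32_t ivt_off) {
    if (len < IVT_SIZE || ivt_off > len - IVT_SIZE) return BAD_IVT;
    const uint8_t *ivt = img + ivt_off;
    unsigned bad = 0;
    /* Header: tag 0xD1, big-endian length 0x0020, version 0x4x. */
    if (ivt[0] != 0xD1 || ivt[1] != 0x00 || ivt[2] != 0x20 || (ivt[3] & 0xF0) != 0x40)
        bad |= BAD_HEADER;
    uint32_t dcd = rd32(ivt + IVT_DCD);
    /* A relocated copy fails here: self must name where the IVT really is. */
    if (rd32(ivt + IVT_SELF) != base + ivt_off) bad |= BAD_SELF;
    if (!inside(rd32(ivt + IVT_ENTRY), 4, base, len)) bad |= BAD_ENTRY;
    /* dcd == 0 means no DCD; otherwise at least its 4-byte header must be covered. */
    if (dcd != 0 && !inside(dcd, 4, base, len)) bad |= BAD_DCD;
    /* Boot Data is three words: start, length, plugin flag. */
    if (!inside(rd32(ivt + IVT_BOOT_DATA), 12, base, len)) bad |= BAD_BOOT_DATA;
    return bad;
}

/* Constructed sample: 0x1000-byte area, IVT at offset 0, Boot Data at +0x20,
 * entry at +0x400, no DCD. */
void build_sample(uint8_t *img, uint32_t base) {
    memset(img, 0, 0x1000);
    img[0] = 0xD1; img[2] = 0x20; img[3] = 0x40;
    wr32(img + IVT_ENTRY, base + 0x400); wr32(img + IVT_BOOT_DATA, base + 0x20);
    wr32(img + IVT_SELF, base); wr32(img + 0x20, base); wr32(img + 0x24, 0x1000);
}

int main(void) {
    uint8_t img[0x1000]; build_sample(img, 0x87800000u); /* made-up load address */
    printf("mask = 0x%x\n", check_tested_area(img, sizeof img, 0x87800000u, 0));
    return 0;
}
```

A nonzero mask for a copy checked at a different base address shows the relocation issue from point 1: the pointers inside the IVT still name the original location.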