Question asked by Giulio Dominutti on Sep 27, 2017
Hi, I'm stuck building a secure imx6UL board. At the moment I'm able to sign and encrypt U-Boot and run it from SD.

Now I want to continue the chain of trust by validating every loaded image.

- I modified U-Boot in order to use the default environment.

- I prepared a signed bootscript that contains the remaining part of the boot.

- I modified the automatic boot sequence bootcmd with my own sequence that loads the bootscript from SD and verifies its signature with the hab_auth_img command.

- From the bootscript, with a well-defined sequence, I load a signed kernel and a signed device tree from SD, verify their signatures and, if all is OK, start the kernel.


1) First question: is the procedure correct? Is there a better way than modifying U-Boot and using hab_auth_img? Are there other ways? (Give me a clue.)

2) Suppose that the signature verification I implemented is correct. I want the loaded images to also be encrypted, for confidentiality. I enabled CMD_BLOB in U-Boot, which I suppose is able to encrypt my data, but the blob enc command doesn't work. Are there other configs to set before using this command?