secure boot in i.mx6ull

changbaoma · ‎07-17-2019

Hi, NXP engineers

i make secure boot in i.mx6ull refer to https://www.nxp.com/docs/en/application-note/AN4581.pdf . i miss understand the 3 params "877ff400 0x000 0x48000" in below section, which is in chapter “3.5. Create the CSF descriptionfile”

[AuthenticateData]
# Key slot index used to authenticatethe image data
Verification index = 2
# Address Offset Length DataFilePath

Blocks = 877fb000 0x000 0x48000 “/<path_to_u-boot_dir>/u-boot-dtb.imx"

## param 1: The first value is the address on the target where HAB expects the signed image data to begin.
## param 2: The second value is the offset into the file where CST will begin signing. (always offset 0 ???)
## param 3: The third value is length in bytes of the data to sign starting from the offset. （should it be the size of u-boot.imx ???）

While I compile the u-boot source, i get:

./tools/mkimage -n board/freescale/mx6ullevk/imximage.cfg.cfgtmp -T imximage -e 0x87800000 -d u-boot.bin u-boot.imx
Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    442368 Bytes = 432.00 kB = 0.42 MB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks:   877ff400 00000000 00067c00

What should i replace those 3 params "Blocks = 877fb000 0x000 0x48000" with in CSF according to my u-boot.imx?

Yuri · ‎07-18-2019

Hello,

use IVT header information:

the first parameter (Address) of [AuthenticateData] section is IVT address, ivt.self field of the header;
the second (Offset) - usually is zero;

the third (Length): is ivt.csf – ivt.self from the IVT.

Regards,

Yuri.

jane-jiajuan_zh · ‎07-20-2019

Hi, Yuri

I meet same problem , I don't know whether need pad to align 0x1000?

and I have another question, whether need clear DCD address before generate csf (AN4581 Appendix F)?

Jane

changbaoma · ‎07-18-2019

Hi，Yuri

Thinks for your Reply.

is it what you mean，see the follow picture：

As you know the u-boot.imx has padded IVT&BootData&DCD-Table by default.

Now i have 3 quetion?

1. How can i get the ivt.self and ivt.csf address in i.mx6ull ?

2. Should i need to align u-boot.imx size to 0x1000? 00067c00 padded to 00068000, as you see there is a Padding after Image Data in the picture above.

3. Should “Blocks = ” 3params of [Authenticate Data] section in Command Sequence File be equal to u-boot build.log "HAB Blocks: 877ff400 00000000 00067c00" mention above?

Other info:

file size of u-boot.imx is 424960 bytes, and is 0x67C00 in hex.

-rw-rw-r-- 1 sukaisheng sukaisheng 424960 Jul 17 20:59 ../../uboot-imx/u-boot.imx

Best Regards

Yuri · ‎07-22-2019

Hello,

An example below show how to get the IVT structure from u-boot.imx and do the signature.

Dump u-boot.imx IVT structure:

$ od -x -N 64 u-boot.imx

0000000 00d1 4020 0000 1780 0000 0000 f42c 177f

0000020 f420 177f f400 177f a000 1785 0000 0000

0000040 f000 177f d000 0005 0000 0000 02d2 40f8

0000060 02cc 04f4 0e02 9807 0c00 0000 0e02 5807

0000100

U-boot.imx header layout is

0	ivt_header_t header
4	uint32_t entry
8	uint32_t reserved1
12	uint32_t dcd_ptr
16	uint32_t boot_data_ptr
20	uint32_t self
24	uint32_t csf
28	uint32_t reserved2
32	uint32_t start
36	uint32_t size
40	uint32_t plugin

IVT address: IVT.self = 0x177ff400.

Image length: IVT.csf – IVT.self = 0x1785a000 - 0x177ff400 = 0x5AC00

u-boot.imx need to be padded to 0x5AC00.

So the [Authenticate Data] of csf file is

Verification index = 2

Blocks = 0x177FF400 0x0 0x5AC00 "u-boot-pad.bin"

Regards,

Yuri.

secure boot in i.mx6ull

secure boot in i.mx6ull

i.MX6UL