- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors Knowledge Base
- :
- iMX7D Plugin mode HAB (High Assurance Boot)
iMX7D Plugin mode HAB (High Assurance Boot)
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
iMX7D Plugin mode HAB (High Assurance Boot)
iMX7D Plugin mode HAB (High Assurance Boot)
This doc describe the steps to enable HAB on i.MX7D EVK board with plugin boot mode. The BSP version is L3.14.52_ga_1.1.0 or L4.1.15_ga_1.2.0, the CST tool version is cst-2.3.2.
Since fast authentication is supported after HAB 4.1.2, and the HAB version of i.MX7D is 4.2, we use fast authentication here.
The PC to run the CST tool is Ubuntu 10.04, x86 version.
1. Generate HAB4 Keys and Certificates
1.1. Unpack the CST package, there are seven folders: ca, code, crts, docs, keys, linux32 and linux64
In "keys" folder, create "serial" file, openSSL uses the contents of this file for the certificate serial numbers.
In "keys" folder, create "key_pass.txt" file, this file contains your passphrase that will protect the HAB code signing private keys.
In this example, the content in "serial" file is
$ cat serial
12345678
The content in "key_pass.txt" file is
$ cat key_pass.txt
nxp_imx7d
nxp_imx7d
1.2 Prior to running the hab4_pki_tree.sh, ensure that OpenSSL is included in your search path by running
$ openssl version
OpenSSL 0.9.8k 25 Mar 2009
1.3 Run the hab4_pki_tree.sh script to generate hab4 keys and certificates
$ cd keys
$ ./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Since we are verifying fast authentication, answer 'n' here.
1.4 Generating HAB4 SRK tables and efuse Hash
$ cd ../crts
$ ../linux32/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3
_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4
_sha256_2048_65537_v3_usr_crt.pem
SRK_1_2_3_4_fuse.bin is SRK efuse binary file.
SRK_1_2_3_4_table.bin is SRK table binary file.
2. Program SRK_HASH fuse
2.1 Dump SRK_1_2_3_4_fuse.bin.
$ od -t x4 SRK_1_2_3_4_fuse.bin
0000000 ac7ab98f 8febd6b4 b6e15ce3 3e870783
0000020 6f06d6a9 e1107545 3e19d19c e79d1556
2.2 Boot up the board with Linux rootfs, after log in, program SRK_HASH fuse.
# echo 0xac7ab98f > /sys/fsl_otp/HW_OCOTP_SRK0
# echo 0x8febd6b4 > /sys/fsl_otp/HW_OCOTP_SRK1
# echo 0xb6e15ce3 > /sys/fsl_otp/HW_OCOTP_SRK2
# echo 0x3e870783 > /sys/fsl_otp/HW_OCOTP_SRK3
# echo 0x6f06d6a9 > /sys/fsl_otp/HW_OCOTP_SRK4
# echo 0xe1107545 > /sys/fsl_otp/HW_OCOTP_SRK5
# echo 0x3e19d19c > /sys/fsl_otp/HW_OCOTP_SRK6
# echo 0xe79d1556 > /sys/fsl_otp/HW_OCOTP_SRK7
3 Sign u-boot
3.1 Apply the HAB patch and build the u-boot.
Goto u-boot source code folder and apply the patch:
$ git apply 0001-iMX7D-SabreSD-enable-HAB-boot-for-plugin-mode.patch
Build u-boot.
$ make distclean
$ make mx7dsabresd_defconfig
$ make
The followed two defines should be enabled in "uboot-imx/include/configs/mx7dsabresd.h" for secure configure and plugin mode.
#define CONFIG_SECURE_BOOT
#define CONFIG_USE_PLUGIN
3.2 Create u-boot folder in cst-2.3.2 folder, copy u-boot.imx to u-boot folder. Dump u-boot.imx IVT structures.
Dump plugin IVT header:
$ cd u-boot
$ od -x -N 48 u-boot.imx
0000000 00d1 4020 042c 0091 0000 0000 0000 0000
0000020 0420 0091 0400 0091 2400 0091 0000 0000
0000040 0000 0091 8000 0000 0001 0000 401f e92d
Plugin IVT header layout is:
Offset Name Value
0 ivt.header 0x402000d1
4 ivt.entry 0x0091042c
8 ivt.reserved1 0x00000000
12 ivt.dcd_ptr 0x00000000
16 ivt.boot_data_ptr 0x00910420
20 ivt.self 0x00910400
24 ivt.csf 0x00912400
28 ivt.reserved2 0x00000000
32 boot_data.start 0x00910000
36 boot_data.size 0x00008000
40 plugin 0x00000001
IVT address: ivt.self = 0x00910400
Image length: ivt.csf – ivt.self = 0x00912400 - 0x00910400 = 0x2000
So the [Authenticate Data] field of csf file "csf_u-boot_plugin_ivt1.txt" is
Verification index = 0
Blocks = 0x00910400 0x000 0x2000 "u-boot.imx"
Dump u-boot IVT header:
$ dd if=u-boot.imx of=u-boot-body.bin bs=1 skip=16384
$ od -x -N 48 u-boot-body.bin
0000000 00d1 4020 0000 8780 0000 0000 0000 0000
0000020 fff4 877f ffd4 877f 8bd4 8785 0000 0000
0000040 bbd4 877f f000 0005 0000 0000 00be ea00
U-boot IVT header layout is:
Offset Name Value
0 ivt.header 0x402000d1
4 ivt.entry 0x87800000
8 ivt.reserved1 0x00000000
12 ivt.dcd_ptr 0x00000000
16 ivt.boot_data_ptr 0x877ffff4
20 ivt.self 0x877fffd4
24 ivt.csf 0x87858bd4
28 ivt.reserved2 0x00000000
32 boot_data.start 0x877fbbd4
36 boot_data.size 0x0005F000
IVT address: ivt.self = 0x877fffd4
Image length: ivt.csf – ivt.self = 0x87858bd4 - 0x877fffd4 = 0x58c00
So the [Authenticate Data] field of csf file "csf_u-boot_plugin_ivt2.txt" is
Verification index = 0
Blocks = 0x877fffd4 0x0000 0x58c00 "u-boot-body-pad.bin"
When enable CONFIG_SECURE_BOOT, boot_data consists of uboot image and csf data, so it's larger than uboot Image length.
And the u-boot-body.bin should be padded to 0x58c00.
3.3 The command to sign u-boot
$ ../linux32/cst -o csf_plugin.bin -i csf_u-boot_plugin_ivt1.txt
$ objcopy -I binary -O binary --pad-to 0x58c00 --gap-fill=0x00 u-boot-body.bin u-boot-body-pad.bin
$ ../linux32/cst -o csf_u-boot.bin -i csf_u-boot_plugin_ivt2.txt
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 csf_plugin.bin csf_plugin-pad.bin
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 csf_u-boot.bin csf_u-boot-pad.bin
$ dd if=u-boot.imx of=plugin-body.bin bs=1 count=8192
$ cat plugin-body.bin csf_plugin-pad.bin u-boot-body-pad.bin csf_u-boot-pad.bin > u-boot-signed.imx
3.4 Download u-boot-signed.imx to SD
$ sudo dd if=u-boot-signed.imx of=/dev/sdx bs=1K seek=1
3.5 Bootup from SD card, check HAB status by uboot command
=> hab_status
If see "No HAB Events Found", the signature is verified successfully.
