Enable HAB ON imx6 to secure barebox boatloder

haGkiu · ‎10-03-2023

Dear community,

I am working on enabling secure boot or HAB on IMX6 version silicium 1.6 with barebox as a boatloder.

precisely i want to sign barebox with CST tool and enable HAB so it authenticates it

I have some questions regarding the process :

- If i close the device to avtivate the HAB is it possible to reopen it( to desactivate HAB) ?

- I can't find any documentation about the CSF file to sign barebox , i can only find documentation about u-boot, can anyone provide me with information about how to write the .csf file for barebox.

- I can't find documentation about the steps to avtivate secure boot on IMX6 with barebox as a boatloder, most of the documentations i found were on u-boot.

If anyone encountered the same issues or worked on the secure boot for IMX6 barbebox, any help is appreciated.

Thanks in advance.

hector_delgado · ‎10-05-2023

Hi @haGkiu ,

I hope you're doing great!

Once a device is closed, it can't be opened again, so please double check and make sure you are certain about closing the device.

Unfortunately, we don't have support for Barebox, only for U-boot. For implementation and use of Barebox with CST and HAB you can review our documentation for U-boot and try to replicate the steps with Barebox, but it's not guaranteed to be a one-to-one process.

Another alternative would be to use U-boot instead, but I understand this may not be an option for you depending on your needs/requirements.

Let me know if this was of any help!

Best regards,
Hector.

View solution in original post

hector_delgado · ‎10-05-2023

Hi @haGkiu ,

I hope you're doing great!

Once a device is closed, it can't be opened again, so please double check and make sure you are certain about closing the device.

Unfortunately, we don't have support for Barebox, only for U-boot. For implementation and use of Barebox with CST and HAB you can review our documentation for U-boot and try to replicate the steps with Barebox, but it's not guaranteed to be a one-to-one process.

Another alternative would be to use U-boot instead, but I understand this may not be an option for you depending on your needs/requirements.

Let me know if this was of any help!

Best regards,
Hector.

haGkiu · ‎10-06-2023

Hello @hector_delgado

Thank you very much for your reply.

I really appreciated the informations you shared and it answers my questions.

I can't switch to u-boot but I will use the documentation that exists and try and adapt as much for barebox.

I have another questions about the private/public keys generated with CST tool.

I generated CA, CST, IMG and SRK files in the the keys directory but I don't know which are the private keys and which are the public keys.

Also when I try to open the keys I am asked a password so I write the password in the file key_pass.txt but it is not correct, I am wondering what is the password to unlock these keys.

Thank you in advance and have a great day.

hector_delgado · ‎10-11-2023

Hi @haGkiu ,

I hope you're doing great! For your follow up questions I created another case and I'll be replying to you directly via email. Thank you!

Best regards,
Hector.

haGkiu · ‎10-12-2023

Hi @hector_delgado

Good Morning,

Thank you for your effort and I will be waiting your mail.

Have a great day,