Use cst tool to verify signature of images

haGkiu
Contributor I

Hello community,

I want to use cst tool to sign binary images of my software and then use the same tool to verify the signed software (verify that they are signed correctly).

Is that possible with cst tool?

Can anyone help me?

hector_delgado
NXP TechSupport

Hi @haGkiu ,

I hope you're doing well!

Can you let me know what processor you are using? And is it an EVK or a custom board?

Thank you.

Best regards,
Hector.

haGkiu
Contributor I

Hello,

I am using a phytec phycore card with an imx6q processor.

hector_delgado
NXP TechSupport

Hi @haGkiu ,

In order to verify/authenticate a signed image, you can use the U-Boot command hab_auth_img:

3.4 Verifying HAB events
-------------------------

The U-Boot includes the hab_auth_img command which can be used for
authenticating and troubleshooting the signed image, zImage must be
loaded at the load address specified in the IVT.

- Authenticate additional image:

=> hab_auth_img <Load Address> <Image Size> <IVT Offset>

If no HAB events were found the zImage is successfully signed.

I'd recommend the following guide for secure boot in i.MX 6 devices: uboot-imx/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub

Let me know if this was of any help.

Best regards,
Hector.
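
The three hab_auth_img arguments can be derived from the image's IVT and sanity-checked on the build host before the image is loaded on the board. The sketch below is an added example, not part of the original post or of NXP's tooling; it assumes the file is the final signed image (payload, IVT, CSF, padding) and runs on a constructed sample with an assumed load address of 0x12000000. It performs no authentication, which remains the job of HAB on the target.

```python
import struct

IVT_TAG, IVT_SIZE, CSF_TAG = 0xD1, 0x20, 0xD4  # HABv4 header tags, IVT length

def parse_ivt(image: bytes, ivt_offset: int) -> dict:
    """Decode the 32-byte IVT found at ivt_offset in the image file."""
    raw = image[ivt_offset:ivt_offset + IVT_SIZE]
    if len(raw) != IVT_SIZE:
        raise ValueError("IVT offset is outside the image")
    # Header is tag, big-endian length, version; the pointers are little-endian.
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != IVT_TAG or length != IVT_SIZE or (version & 0xF0) != 0x40:
        raise ValueError(f"no HABv4 IVT header at offset {ivt_offset:#x}")
    names = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    return dict(zip(names, struct.unpack("<7I", raw[4:])))

def hab_auth_img_args(image: bytes, ivt_offset: int) -> str:
    """Return the hab_auth_img line implied by the IVT, or raise ValueError."""
    ivt = parse_ivt(image, ivt_offset)
    load_addr = ivt["self"] - ivt_offset   # address the file must be loaded at
    if load_addr < 0:
        raise ValueError("IVT self pointer is below the IVT offset")
    if ivt["csf"] == 0:
        raise ValueError("IVT has no CSF pointer, image is not signed")
    csf_offset = ivt["csf"] - load_addr
    if not 0 <= csf_offset < len(image) or image[csf_offset] != CSF_TAG:
        raise ValueError("CSF pointer does not land on a CSF header in the file")
    return f"hab_auth_img {load_addr:#x} {len(image):#x} {ivt_offset:#x}"

def build_sample_image(signed: bool = True) -> bytes:
    """Constructed sample: 0x1000 payload bytes, IVT, CSF stub, padded to 0x3000."""
    load = 0x12000000                      # assumed load address, not from the post
    csf_ptr = load + 0x1020 if signed else 0
    ivt = struct.pack(">BHB", IVT_TAG, IVT_SIZE, 0x41)
    ivt += struct.pack("<7I", load, 0, 0, 0, load + 0x1000, csf_ptr, 0)
    csf = bytes([CSF_TAG, 0x00, 0x50, 0x43]) if signed else b""
    return (bytes(0x1000) + ivt + csf).ljust(0x3000, b"\x00")

if __name__ == "__main__":
    print(hab_auth_img_args(build_sample_image(), 0x1000))
```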

haGkiu
Contributor I

Hello,

I am working with barebox, not U-Boot. Do you have any information on how to sign barebox with cst (so it can be authenticated by HAB)?

hector_delgado
NXP TechSupport

Hi @haGkiu ,

Other bootloaders besides our U-Boot are currently out of our scope of support, so we don't have any previous tests/guides/examples using barebox for our CST software. Our tools were also designed around our software in this case, but I won't be able to confirm 100% if the process would be the same or if some critical modifications would be needed to ensure barebox compatibility. Is there a particular reason to not use U-Boot?

Best regards,
Hector.

haGkiu
Contributor I

Hello @hector_delgado,

The company in which I work is using barebox as a bootloader on the project.

Do you have an idea if there is a tool I can use to sign barebox (to be authenticated by the HAB module on imx6 electronic cards)?

Best regards,

Moufida.

hector_delgado
NXP TechSupport

Hi @haGkiu ,

From previous cases I've found the following link to barebox documentation, which apparently has built-in support for CST: https://www.barebox.org/doc/latest/boards/imx.html#high-assurance-boot

I can't guarantee full compatibility but I think it's worth looking at.

Thank you.

Best regards,
Hector.
