summaryrefslogtreecommitdiff
path: root/doc/README.mxc_hab
diff options
context:
space:
mode:
authorStefano Babic <sbabic@denx.de>2013-06-27 11:42:38 +0200
committerStefano Babic <sbabic@denx.de>2013-08-31 15:06:29 +0200
commit0187c985aa870a74caeecd3bd10244322b7e4d99 (patch)
tree5e6a7b86f84be2ba4107e1957e37a81b2500e6d9 /doc/README.mxc_hab
parent01390aff251e541fcaa77fa6c6e3eee4d7a5554b (diff)
downloadu-boot-0187c985aa870a74caeecd3bd10244322b7e4d99.tar.gz
u-boot-0187c985aa870a74caeecd3bd10244322b7e4d99.tar.bz2
u-boot-0187c985aa870a74caeecd3bd10244322b7e4d99.zip
tools: add support for setting the CSF into imximage
Add support for setting the CSF (Command Sequence File) pointer which is used for HAB (High Assurance Boot) in the imximage by adding e.g. CSF 0x2000 in the imximage.cfg file. This will set the CSF pointer accordingly just after the padded data image area. The boot_data.length is adjusted with the value from the imximage.cfg config file. The resulting u-boot.imx can be signed with the FSL HAB tooling. The generated CSF block needs to be appended to the u-boot.imx. Signed-off-by: Stefano Babic <sbabic@denx.de>
Diffstat (limited to 'doc/README.mxc_hab')
-rw-r--r--doc/README.mxc_hab48
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab
new file mode 100644
index 0000000000..97f8b7d743
--- /dev/null
+++ b/doc/README.mxc_hab
@@ -0,0 +1,48 @@
+High Assurance Boot (HAB) for i.MX6 CPUs
+
+To authenticate U-Boot only by the CPU there is no code required in
+U-Boot itself. However, the U-Boot image to be programmed into the
+boot media needs to be properly constructed, i.e. it must contain a
+proper Command Sequence File (CSF).
+
+The Initial Vector Table contains a pointer to the CSF. Please see
+doc/README.imximage for how to prepare u-boot.imx.
+
+The CSF itself is being generated by Freescale HAB tools.
+
+mkimage will output additional information about "HAB Blocks"
+which can be used in the Freescale tooling to authenticate U-Boot
+(entries in the CSF file).
+
+Image Type: Freescale IMX Boot Image
+Image Ver: 2 (i.MX53/6 compatible)
+Data Size: 327680 Bytes = 320.00 kB = 0.31 MB
+Load Address: 177ff420
+Entry Point: 17800000
+HAB Blocks: 177ff400 00000000 0004dc00
+ ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
+ | | |
+ | | -------- (1)
+ | |
+ | ------------------- (2)
+ |
+ --------------------------- (3)
+
+(1) Size of area in file u-boot.imx to sign
+ This area should include the IVT, the Boot Data the DCD
+ and U-Boot itself.
+(2) Start of area in u-boot.imx to sign
+(3) Start of area in RAM to authenticate
+
+CONFIG_SECURE_BOOT currently enables only an additional command
+'hab_status' in U-Boot to retrieve the HAB status and events. This
+can be useful while developing and testing HAB.
+
+Commands to generate a signed U-Boot using Freescale HAB tools:
+cst --o U-Boot_CSF.bin < U-Boot.CSF
+objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
+ U-Boot_CSF.bin U-Boot_CSF_pad.bin
+cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
+
+NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
+the imximage.cfg file.