diff options
author | Breno Matheus Lima <breno.lima@nxp.com> | 2019-01-23 19:30:16 +0000 |
---|---|---|
committer | Stefano Babic <sbabic@denx.de> | 2019-02-15 12:55:39 +0100 |
commit | 2dd652e6657cb44f962ae072800a80a678114539 (patch) | |
tree | 436d7e97d19d90f67fc0095e49f5f4373fd17d5f /doc | |
parent | 364c0a89bcfa3fde7dcdf61f6cd25589831ff8b8 (diff) | |
download | u-boot-2dd652e6657cb44f962ae072800a80a678114539.tar.gz u-boot-2dd652e6657cb44f962ae072800a80a678114539.tar.bz2 u-boot-2dd652e6657cb44f962ae072800a80a678114539.zip |
doc: imx: habv4: Remove secure_boot.txt guide
The secure_boot.txt guide was replaced by mx6_mx7_secure_boot.txt and
mx6_mx7_spl_secure_boot.txt documents.
Both documents covers all steps needed for SPL and non-SPL tagets,
so remove secure_boot.txt file to avoid duplicated content.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/imx/habv4/secure_boot.txt | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/doc/imx/habv4/secure_boot.txt b/doc/imx/habv4/secure_boot.txt deleted file mode 100644 index ae68dc8040..0000000000 --- a/doc/imx/habv4/secure_boot.txt +++ /dev/null @@ -1,100 +0,0 @@ -1. High Assurance Boot (HAB) for i.MX CPUs ------------------------------------------- - -To enable the authenticated or encrypted boot mode of U-Boot, it is -required to set the proper configuration for the target board. This -is done by adding the following configuration in the defconfig file: - -CONFIG_SECURE_BOOT=y - -In addition, the U-Boot image to be programmed into the -boot media needs to be properly constructed, i.e. it must contain a -proper Command Sequence File (CSF). - -The CSF itself is generated by the i.MX High Assurance Boot Reference -Code Signing Tool. -https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL - -More information about the CSF and HAB can be found in the AN4581. -https://www.nxp.com/docs/en/application-note/AN4581.pdf - -We don't want to explain how to create a PKI tree or SRK table as -this is well explained in the Application Note. - -2. Secure Boot on non-SPL targets ---------------------------------- - -On non-SPL targets a singe U-Boot binary is generated, mkimage will -output additional information about "HAB Blocks" which can be used -in the CST to authenticate the U-Boot image (entries in the CSF file). - -Image Type: Freescale IMX Boot Image -Image Ver: 2 (i.MX53/6 compatible) -Data Size: 327680 Bytes = 320.00 kB = 0.31 MB -Load Address: 177ff420 -Entry Point: 17800000 -HAB Blocks: 0x177ff400 0x00000000 0x0004dc00 - ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ - | | | - | | ----- (1) - | | - | ---------------- (2) - | - --------------------------- (3) - -(1) Size of area in file u-boot-dtb.imx to sign - This area should include the IVT, the Boot Data the DCD - and U-Boot itself. -(2) Start of area in u-boot-dtb.imx to sign -(3) Start of area in RAM to authenticate - -CONFIG_SECURE_BOOT currently enables only an additional command -'hab_status' in U-Boot to retrieve the HAB status and events. This -can be useful while developing and testing HAB. - -Commands to generate a signed U-Boot using i.MX HAB CST tool: -# Compile CSF and create signature -cst --o csf-u-boot.bin --i command_sequence_uboot.csf -# Append compiled CSF to Binary -cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx - -3. Secure Boot on SPL targets ------------------------------ - -This version of U-Boot is able to build a signable version of the SPL -as well as a signable version of the U-Boot image. The signature can -be verified through High Assurance Boot (HAB). - -After building, you need to create a command sequence file and use -i.MX HAB Code Signing Tool to sign both binaries. After creation, -the mkimage tool outputs the required information about the HAB Blocks -parameter for the CSF. During the build, the information is preserved -in log files named as the binaries. (SPL.log and u-boot-ivt.log). - -Example Output of the SPL (imximage) creation: - Image Type: Freescale IMX Boot Image - Image Ver: 2 (i.MX53/6/7 compatible) - Mode: DCD - Data Size: 61440 Bytes = 60.00 kB = 0.06 MB - Load Address: 00907420 - Entry Point: 00908000 - HAB Blocks: 0x00907400 0x00000000 0x0000cc00 - -Example Output of the u-boot-ivt.img (firmware_ivt) creation: - Image Name: U-Boot 2016.11-rc1-31589-g2a4411 - Created: Sat Nov 5 21:53:28 2016 - Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed) - Data Size: 352192 Bytes = 343.94 kB = 0.34 MB - Load Address: 17800000 - Entry Point: 00000000 - HAB Blocks: 0x177fffc0 0x0000 0x00054020 - -# Compile CSF and create signature -cst --o csf-u-boot.bin --i command_sequence_uboot.csf -cst --o csf-SPL.bin --i command_sequence_spl.csf -# Append compiled CSF to Binary -cat SPL csf-SPL.bin > SPL-signed -cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img - -These two signed binaries can be used on an i.MX in closed -configuration when the according SRK Table Hash has been flashed. |