GitHub-Mirror/u-boot
2
0
Fork 0
mirror of https://github.com/Fishwaldo/u-boot.git synced 2025-03-28 10:01:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

doc: imx: hab: Reorganize High Assurance Boot documentation

Browse source 
The current High Assurance Boot document README.mxc_hab
include details for the following features in a single file:

- HAB Secure Boot
- HAB Encrypted Boot

Split HAB documentation in a specific directory for a cleaner
documentation structure, subsequent patches will include more
content in HAB documentation.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
This commit is contained in:
Breno Matheus Lima 2018-10-10 01:10:44 +00:00 committed by Stefano Babic
parent 843400fd26
commit dfe9ff9cc7
2 changed files with 43 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
doc/imx/hab/habv4/encrypted_boot.txt Normal file
View file

@ -0,0 +1,43 @@
1. Setup U-Boot Image for Encrypted Boot
----------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by i.MX Code Signing
Tool (CST). The CST replaces only the image data of
u-boot-dtb.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data, remains in plaintext.
The image data is encrypted with a Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.
The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled in Kconfig:
CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y
Note: The encrypted boot feature is only supported by HABv4 or
greater.
The dek_blob command then can be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:
dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192
The resulting DEK blob then is used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host.Then the following commands are used to construct
the final image.
cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
NOTE: u-boot-signed.bin needs to be padded to the value
equivalent to the address in which the DEK blob is specified
in the CSF.

44
doc/imx/README.mxc_hab → doc/imx/hab/habv4/secure_boot.txt
View file

@ -98,47 +98,3 @@ cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
These two signed binaries can be used on an i.MX in closed These two signed binaries can be used on an i.MX in closed
configuration when the according SRK Table Hash has been flashed. configuration when the according SRK Table Hash has been flashed.
4. Setup U-Boot Image for Encrypted Boot
----------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by i.MX Code Signing
Tool (CST). The CST replaces only the image data of
u-boot-dtb.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data, remains in plaintext.
The image data is encrypted with a Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.
The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled in Kconfig:
CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y
Note: The encrypted boot feature is only supported by HABv4 or
greater.
The dek_blob command then can be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:
dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192
The resulting DEK blob then is used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host.Then the following commands are used to construct
the final image.
cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
NOTE: u-boot-signed.bin needs to be padded to the value
equivalent to the address in which the DEK blob is specified
in the CSF.