diff options
author | Ye Li <ye.li@nxp.com> | 2023-07-27 09:50:49 +0800 |
---|---|---|
committer | Marcel Ziswiler <marcel.ziswiler@toradex.com> | 2023-12-22 09:31:10 +0000 |
commit | 8f253d01813221e7400e5b828b1f1479f5e95aa3 (patch) | |
tree | 41a7da704e04d2c7f633334e8283110eed54bb41 /doc/imx/habv4/guides/mx8m_encrypted_boot.txt | |
parent | 2227ef5837b91acf4197078b7bf1642ca69f8d47 (diff) |
LFU-573-2 imx8m: hab: Verify optional FIT FDT signature
One limitation of verifying FIT hash approach is SPL must bind with FIT,
because FIT FDT hash is inserted into SPL image and authenticated by ROM.
For use cases need to upgrade the FIT individually, for example, android's
dual bootloader, this patch introduces an optional approach.
This optional approach adds FIT FDT signature (a new pair of IVT and CSF
for FIT FDT structure) after original FIT image IVT and CSF. imx-mkimage
always generates the new IVT and reserves the space for the new CSF.
Users just need an additional signing step.
This approach is default not enabled in SPL except Android build.
To enable it, set CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y with CONFIG_IMX_HAB=y
in u-boot defconfig
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Upstream-Status: Inappropriate [downstream specific]
Upstream U-Boot fixed this differently in combination with binman to
create the final bootcontainer.
Commit 6039e0edc854 ("imx: hab: Simplify the mechanism")
Backport from NXP downstream [07b688228c5817e4d76cdc5484fd50f92e9cf1f0]
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Diffstat (limited to 'doc/imx/habv4/guides/mx8m_encrypted_boot.txt')
0 files changed, 0 insertions, 0 deletions