author: Ye Li <ye.li@nxp.com> 2023-07-31 14:20:41 +0800
committer: Marcel Ziswiler <marcel.ziswiler@toradex.com> 2023-12-22 09:31:10 +0000
commit: e5a026766feb22cfa8353eb23ded5635b8b6132e
tree: 0f30e586fbc5ab44163ff0b342849ac771f98307 /doc/imx/habv4/guides/mx8m_encrypted_boot.txt
parent: 8f253d01813221e7400e5b828b1f1479f5e95aa3

LFU-573-3 doc: imx8m: Update iMX8M secure boot and encrypted boot doc

Update the documents of iMX8M secure boot and encrypted boot to mention the hash of FIT FDT and optional FIT FDT signature. Add the steps for how to sign and generate FIT FDT signature.

Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Upstream-Status: Inappropriate [downstream specific]
Upstream U-Boot fixed this differently in combination with binman to create the final bootcontainer.
Commit 6039e0edc854 ("imx: hab: Simplify the mechanism")
Backport from NXP downstream [25fdc42caa30faa586a277162ae5373d3e2bc2be]
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>

Diffstat (limited to 'doc/imx/habv4/guides/mx8m_encrypted_boot.txt')
-rw-r--r-- doc/imx/habv4/guides/mx8m_encrypted_boot.txt 102
1 files changed, 74 insertions, 28 deletions
diff --git a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
index bb9b6b80f0..5a5f2bd835 100644
--- a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
@@ -41,19 +41,25 @@ The diagram below illustrates an encrypted flash.bin image layout:
Signed | ------- +-----------------------------+ |
Data | Enc ^ | u-boot-spl.bin | |
| Data | | + | | SPL
- v v | DDR FW | | Image
+ | | | DDR FW | | Image
+ | | | + | |
+ v v | Hash of FIT FDT | |
------------------ +-----------------------------+ |
| CSF - SPL + DDR FW | v
+-----------------------------+ --------
| DEK Blob |
+-----------------------------+
| Padding |
- ------- +-----------------------------+ --------
- Signed ^ | FDT - FIT | ^
- Data | +-----------------------------+ |
- v | IVT - FIT | |
- ------- +-----------------------------+ |
- | CSF - FIT | |
+ ------------------ +-----------------------------+ --------
+ ^ Signed ^ | FDT - FIT | ^
+ | Data | +-----------------------------+ |
+ Signed | v | IVT - FIT | |
+ Data | ------- +-----------------------------+ |
+(optional) | CSF - FIT | |
+ | +-----------------------------+ |
+ v | IVT - FIT FDT (optional) | |
+ ------------------ +-----------------------------+ |
+ | CSF - FIT FDT (optional) | |
------------------ +-----------------------------+ |
^ | u-boot-nodtb.bin | | FIT
| +-----------------------------+ | Image
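Review bot: The new "Hash of FIT FDT" row in the SPL image appears only in the diagram; none of the text changed in this file says what the hash covers or whether it is always present. A sentence under the diagram stating how the hash in the signed SPL region relates to the two "(optional)" FIT FDT rows (IVT and CSF) would let a reader tell which mechanism SPL relies on in each configuration.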
@@ -81,6 +87,7 @@ by following one of the methods below:
CONFIG_CMD_DEKBLOB=y
CONFIG_IMX_OPTEE_DEK_ENCAP=y
CONFIG_CMD_PRIBLOB=y
+ CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y (Optional, for FIT FDT signature only)
- Kconfig
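Review bot: On the added CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y line, the remark "(Optional, for FIT FDT signature only)" shares the line with the option, so the list can no longer be copied into a defconfig as is. Suggest moving the remark to its own line above the option, or listing the option separately after the block.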
@@ -166,7 +173,9 @@ Command Sequence File (CSF):
Second Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20
- sld hab block: 0x401fcdc0 0x57c00 0x1020
+ sld hab block: 0x401fadc0 0x57c00 0x1020
+ fit-fdt csf_off 0x5ac20
+ fit-fdt hab block: 0x401fadc0 0x57c00 0x3020
- Additional HAB information is provided by running the following command:
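Review bot: The added "fit-fdt hab block: 0x401fadc0 0x57c00 0x3020" line needs a sentence explaining its length. It starts at the same address and offset as the sld hab block and is 0x2000 longer, ending at fit-fdt csf_off (0x57c00 + 0x3020 = 0x5ac20), so the authenticated range includes the CSF - FIT area that begins at sld_csf_off 0x58c20. Please state that the FIT FDT signature covers the inserted FIT CSF, and therefore that the FIT CSF must be in place before the FIT FDT CSF is generated.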
@@ -176,10 +185,10 @@ Command Sequence File (CSF):
./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \
./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb
- 0x40200000 0x5AC00 0xB0318
- 0x402B0318 0x10AF18 0x8628
- 0x920000 0x113540 0xA160
- 0xBE000000 0x11D6A0 0x48520
+ 0x40200000 0x5CC00 0xB0318
+ 0x402B0318 0x10CF18 0x8628
+ 0x920000 0x115540 0xA160
+ 0xBE000000 0x11F6A0 0x48520
1.6 Creating the CSF description file for SPL + DDR FW image
-------------------------------------------------------------
@@ -332,7 +341,7 @@ file.
[Authenticate Data]
...
- Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin"
+ Blocks = 0x401FADC0 0x57C00 0x1020 "flash-spl-enc.bin"
- Add the Install Secret Key command to generate the dek_fit.bin file and
install the blob. The Blob Address is a fixed address defined in imx-mkimage
@@ -356,10 +365,10 @@ file.
imx-mkimage output:
- 0x40200000 0x5AC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940
- 0x402B0318 0x10AF18 0x8628 ──┘
- 0x920000 0x113540 0xA160
- 0xBE000000 0x11D6A0 0x48520
+ 0x40200000 0x5CC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940
+ 0x402B0318 0x10CF18 0x8628 ──┘
+ 0x920000 0x115540 0xA160
+ 0xBE000000 0x11F6A0 0x48520
Decrypt data in csf_fit_enc.txt:
@@ -367,9 +376,9 @@ file.
[Decrypt Data]
...
- Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \
- 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin"
+ Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \
+ 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin"
1.8.2 csf_fit_sign_enc.txt
---------------------------
@@ -384,10 +393,10 @@ The second CSF is used to sign the encrypted FIT image previously generated
[Authenticate Data]
...
- Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin"
- 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \
- 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin"
+ Blocks = 0x401fadc0 0x57c00 0x1020 "flash-spl-fit-enc.bin"
+ 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \
+ 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin"
- Add the Install Secret Key command to generate a dummy DEK blob file,
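Review bot: The first updated Blocks line (0x401fadc0 0x57c00 0x1020 "flash-spl-fit-enc.bin") has no trailing ", \" while the three entries after it are written as continuations of the same Blocks list. Since the line is being rewritten anyway, add the ", \" so the example is a well-formed four-entry list.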
@@ -408,9 +417,28 @@ The second CSF is used to sign the encrypted FIT image previously generated
[Decrypt Data]
...
- Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \
- 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin"
+ Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \
+ 0x920000 0x115540 0xA160"flash-spl-fit-enc-dummy.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc-dummy.bin"
+
+1.8.3 (Optional) csf_fit_fdt.txt
+---------------------------
+
+When optional FIT FDT signature is used, user needs third CSF to sign encrypted-flash.bin
+generated by 1.11.2. Because FIT FDT structure is not encrypted, so this step will not
+encrypt any data.
+
+- FIT FDT signature "Authenticate Data" addresses in flash.bin build log:
+
+ fit-fdt hab block: 0x401fadc0 0x57c00 0x3020
+
+- "Authenticate Data" command in csf_fit_fdt.txt file:
+
+ For example:
+
+ [Authenticate Data]
+ ...
+ Blocks = 0x401fadc0 0x57c00 0x3020 "encrypted-flash.bin"
1.9 Encrypting and signing the FIT image
-----------------------------------------
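Review bot: In the updated [Decrypt Data] example, the second entry still reads 0xA160"flash-spl-fit-enc-dummy.bin" with no space between the length and the file name, unlike the entries above and below it; insert the space while the line is being touched. In the new 1.8.3 section, the dashed underline is shorter than the heading, and "generated by 1.11.2" points forward to a section the reader has not reached, so naming the step (inserting the FIT CSF and DEK blob into encrypted-flash.bin) would be clearer.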
@@ -503,6 +531,10 @@ The CSF offsets can be obtained from the flash.bin build log:
sld_csf_off 0x58c20
+- (Optional) FIT FDT CSF offset:
+
+ fit-fdt csf_off 0x5ac20
+
The encrypted flash.bin image can be then assembled:
- Create a flash-spl-fit-enc.bin copy:
@@ -539,7 +571,21 @@ The encrypted flash.bin image can be then assembled:
$ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc
-1.11.3 Flash encrypted boot image
+1.11.3 (Optional) Create and Insert FIT FDT CSF
+-----------------------------------
+
+If FIT FDT signature is used, users need to continue sign the encrypted-flash.bin
+with csf_fit_fdt.txt CSF file
+
+- Create FIT FDT CSF binary file
+
+ $ ./cst -i csf_fit_fdt.txt -o csf_fit_fdt.bin
+
+- Insert csf_fit_fdt.bin in encrypted-flash.bin at 0x5ac20 offset:
+
+ $ dd if=csf_fit_fdt.bin of=encrypted-flash.bin seek=$((0x5ac20)) bs=1 conv=notrunc
+
+1.11.4 Flash encrypted boot image
-----------------------------------
- Flash encrypted image in SDCard:
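Review bot: The new 1.11.3 step writes csf_fit_fdt.bin at 0x5ac20 with conv=notrunc but states no size limit for the file. The print_fit_hab.sh output in this document places the first FIT payload at offset 0x5CC00, which leaves 0x1FE0 bytes for this CSF. Suggest stating that limit, or adding a size check on csf_fit_fdt.bin before the dd, so an oversized CSF cannot overwrite the start of the encrypted FIT data. The introductory sentence is also missing its final period, and "continue sign" should read "continue to sign".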