uboot/doc/README.mxc_hab
High Assurance Boot (HAB) for i.MX6 CPUs

To enable the authenticated or encrypted boot mode of U-Boot, it is
required to set the proper configuration for the target board. This
is done by adding the following configuration in the defconfig file:

CONFIG_SECURE_BOOT=y

In addition, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).

The Initial Vector Table contains a pointer to the CSF. Please see
doc/README.imximage for how to prepare u-boot.imx.

The CSF itself is generated by the Freescale HAB tools.

mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6 compatible)
Data Size:    327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point:  17800000
HAB Blocks:   177ff400 00000000 0004dc00
              ^^^^^^^^ ^^^^^^^^ ^^^^^^^^
                |       |          |
                |       |          -------- (1)
                |       |
                |       ------------------- (2)
                |
                --------------------------- (3)

(1)     Size of area in file u-boot.imx to sign
        This area should include the IVT, the Boot Data, the DCD
        and U-Boot itself.
(2)     Start of area in u-boot.imx to sign
(3)     Start of area in RAM to authenticate

CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.

Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
        U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx

NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.
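
The script below is an added example, not part of the original README or
of U-Boot: it turns the "HAB Blocks" line printed by mkimage into the
Blocks entry of the CSF and checks, before signing, that the signed area
lies inside u-boot.imx and that U-Boot_CSF.bin is no larger than the pad
value. The function names, the log file name and the Blocks line syntax
(CST's CSF format, which this README does not show) are assumptions; the
sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the README): turn mkimage's "HAB Blocks" line
# into a CSF Blocks entry and check sizes before running cst/objcopy.

# hab_blocks LOG -> "ram_addr file_offset length" (hex digits, no 0x)
hab_blocks() {
    awk '/^HAB Blocks:/ { print $3, $4, $5; found = 1 }
         END { exit !found }' "$1"
}

# csf_blocks_line LOG IMAGE -> Blocks line for [Authenticate Data]
csf_blocks_line() {
    blocks=$(hab_blocks "$1") || return 1
    set -- "$2" $blocks
    printf 'Blocks = 0x%s 0x%s 0x%s "%s"\n' "$2" "$3" "$4" "$1"
}

# signed_area_in_file LOG IMAGE -> true if offset+length fits in IMAGE,
# i.e. the signature cannot cover bytes that are not in the file
signed_area_in_file() {
    blocks=$(hab_blocks "$1") || return 1
    set -- "$2" $blocks
    [ $((0x$3 + 0x$4)) -le $(($(wc -c < "$1"))) ]
}

# csf_fits CSF_BIN PAD -> true if the CSF is no larger than the pad size;
# objcopy --pad-to only grows a file, so an oversized CSF goes unnoticed
csf_fits() {
    [ $(($(wc -c < "$1"))) -le $(($2)) ]
}

# Demo on constructed data: the mkimage output quoted in the README and
# zero-filled stand-ins for u-boot.imx and U-Boot_CSF.bin.
demo() {
    d=$(mktemp -d) || return 1
    printf 'HAB Blocks:   177ff400 00000000 0004dc00\n' > "$d/mkimage.log"
    dd if=/dev/zero of="$d/u-boot.imx" bs=1024 count=311 2>/dev/null
    dd if=/dev/zero of="$d/U-Boot_CSF.bin" bs=1024 count=4 2>/dev/null
    csf_blocks_line "$d/mkimage.log" u-boot.imx
    signed_area_in_file "$d/mkimage.log" "$d/u-boot.imx" && echo "area ok"
    csf_fits "$d/U-Boot_CSF.bin" 0x2000 && echo "CSF fits in 0x2000"
    rm -rf "$d"
}
demo
```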

Setup U-Boot Image for Encrypted Boot
-------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of
u-boot.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data remain in plaintext.

The image data is encrypted with a Data Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.

The DEK blob is generated by an authenticated U-Boot image with
the dek_blob command enabled. The image used for DEK blob generation
needs to have the following configurations enabled:

CONFIG_SECURE_BOOT
CONFIG_SYS_FSL_SEC_COMPAT    4 /* HAB version */
CONFIG_FSL_CAAM
CONFIG_CMD_DEKBLOB
CONFIG_SYS_FSL_SEC_LE

Note: The encrypted boot feature is only supported by HABv4 or
greater.

The dek_blob command can then be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:

dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192

The resulting DEK blob is then used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host. Then the following commands are used to construct
the final image.

objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
    U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
    u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.bin DEK_blob.bin > u-boot-encrypted.imx

    NOTE: u-boot-signed.imx needs to be padded to the value
    equivalent to the address in which the DEK blob is specified
    in the CSF.
