Commit 582a6bdc authored by Denis Pynkin, committed by Emanuele Aina

secure-boot.md: sign U-Boot

Described how to sign U-Boot for SabreLite secure boot.
Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
parent 91a9ff4b
......@@ -351,5 +351,76 @@ and this ensures that only verified initial system will be started.
All other format types like zImage, as well as other boot methods are
prohibited on fully secured device when "closed" mode is enabled or emulated.
## Sign U-Boot bootloader such that the ROM can verify
To sign the U-Boot for SabreLite we need `cst` tool installed in the system
and the [Apertis development keys repository](https://gitlab.apertis.org/infrastructure/apertis-imx-srk) need to be checked out. Please use the [csf/csf_uboot.txt](https://gitlab.apertis.org/infrastructure/apertis-imx-srk/-/blob/master/csf/csf_uboot.txt) file
as a template for your U-Boot binary.
U-Boot for SabreLite board doesn't use SPL, hence the whole `u-boot.imx` binary
must be signed. With enabled `CONFIG_SECURE_BOOT` option the build log
will contain following output (and file `u-boot.imx.log` as well):
```
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 606208 Bytes = 592.00 KiB = 0.58 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00091c00
DCD Blocks: 0x00910000 0x0000002c 0x00000310
```
we need values from the string started with "HAB Blocks:".
Those values must be used in "[Authenticate Data]" section of
[template](https://gitlab.apertis.org/infrastructure/apertis-imx-srk/-/blob/master/csf/csf_uboot.txt):
```
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00000000 0x00091C00 "u-boot.imx"
```
To sign the U-Boot with `cst` tool simply call:
```
cst -i csf_uboot.txt -o csf_uboot.bin
```
File `csf_uboot.bin` will contain signatures which should be
appended to original `u-boot.imx` binary:
```
cat u-boot.imx csf_uboot.bin > u-boot.imx.signed
```
### Sign U-Boot bootloader for loading via USB serial downloader
In case if something goes wrong and the system does not boot anymore
it is still possible to boot with the help of [USB serial downloaders](https://community.nxp.com/docs/DOC-95604),
such as `imx_usb_loader` or `uuu`.
However the U-Boot must be signed in a slightly different way since
some changes are done by ROM in runtime while loading binary. Please
refer to section "What about imx_usb_loader?" of [High Assurance Boot (HAB) for dummies](https://boundarydevices.com/high-assurance-boot-hab-dummies/)
document.
The template [csf_uboot.txt](https://gitlab.apertis.org/infrastructure/apertis-imx-srk/-/blob/master/csf/csf_uboot.txt)
for signing U-Boot to be loaded over serial downloader protocol should contain
additional block in "[Authenticate Data]" section:
```
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00000000 0x00091C00 "u-boot.imx", \
0x00910000 0x0000002c 0x00000310 "u-boot.imx"
```
With the help of [mod_4_mfgtool.sh](https://storage.googleapis.com/boundarydevices.com/mod_4_mfgtool.sh)
script we need to store and restore DCD address from original `u-boot.imx`
in addition to signing:
```
sh mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
cst -i csf_uboot.txt -o csf_uboot.bin
sh mod_4_mfgtool.sh set_dcd_addr u-boot.imx
cat u-boot.imx csf_uboot.bin > u-boot.imx.signed_usb
```
* Integration of PCKS#11 support in the signing process to support HSM devices
* Automated testing of secure boot if possible
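Review bot: In the "Sign U-Boot bootloader for loading via USB serial downloader" section, the second entry in `Blocks` (`0x00910000 0x0000002c 0x00000310`) is never explained. It matches the "DCD Blocks:" line of the build log shown earlier, so state that source explicitly, the way the first section does for "HAB Blocks:"; otherwise readers are likely to copy the sample values from this particular build. The prose also says the DCD address is stored and restored while the commands are `clear_dcd_addr` and `set_dcd_addr`; use the script's own terms and mention that both calls operate on `u-boot.imx` itself, so the file differs between signing and concatenation. Because `mod_4_mfgtool.sh` is fetched from an external URL and run as part of the signing procedure, consider keeping a reviewed copy next to the CSF templates or documenting its checksum. Both procedures also generate `csf_uboot.bin` from `csf_uboot.txt`, so a separate template name for the USB variant would keep it from overwriting the regular one. Finally, the heading "Sign U-Boot bootloader such that the ROM can verify" reads as incomplete; "can verify it" would fix that.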