Skip to content

Add manual test of SabreLite secure boot

Denis Pynkin requested to merge wip/d4s/secureboot_2021dev2 into apertis/v2021dev2

This test ensures:

  • U-Boot is compiled with HAB and FIT support
  • SRK hash is fused and U-Boot is signed ('hab_status' call)
  • U-Boot is able to verify signed OS image in FIT format
  • U-Boot hangs in case if we try to boot with unsigned binary

Unfortunately the DUT in "open" mode assume any signature as valid, hence it is not possible to check the boot hang for FIT image signed with incorrect key -- the HW return 'success' while checking signature.

If the system is in 'closed' state then it is able to use incorrect signature for the image, for example taken from document "High Assurance Boot (HAB) for dummies" by Boundary Devises: https://boundarydevices.com/high-assurance-boot-hab-dummies/

To check if the system is in "closed" state: => fuse read 0 6 Reading bank 0:

 Word 0x00000006: 00000012

the last digit must be "2".

Signed-off-by: Denis Pynkin denis.pynkin@collabora.com Signed-off-by: Emanuele Aina emanuele.aina@collabora.com

Merge request reports

Loading