[PATCH 3/3] doc: boards: imx: add HAB section

Ulrich Ölmann u.oelmann at pengutronix.de
Wed Jun 5 02:20:52 PDT 2019


On Tue, Jun 04 2019 at 18:53 +0200, Bastian Krause <bst at pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst at pengutronix.de>
> ---
>  Documentation/boards/imx.rst | 59 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 59 insertions(+)
>
> diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst
> index abd9c76151..ba0a3b7988 100644
> --- a/Documentation/boards/imx.rst
> +++ b/Documentation/boards/imx.rst
> @@ -83,6 +83,65 @@ The images can also always be started as second stage on the target:
>  
>    barebox at Board Name:/ bootm /mnt/tftp/barebox-freescale-imx51-babbage.img
>  
> +High Assurance Boot
> +^^^^^^^^^^^^^^^^^^^
> +
> +HAB is a NXP ROM code feature which is able to authenticate software in

s/a NXP/an NXP/

> +external memory at boot time.
> +This is done by verifying signatures as defined in the Command Sequence FILE

s/FILE/File/ ?

Best regards
Ulrich

> +(CSF) as compiled into the i.MX boot header.
> +
> +barebox supports generating signed images, signed USB images suitable for
> +*imx-usb-loader* and encrypted images.
> +
> +In contrast to normal (unsigned) images booting signed images via
> +imx-usb-loader requires special images:
> +DCD data is invalidated (DCD pointer set to zero), the image is then signed and
> +afterwards the DCD pointer is set to the DCD data again (practically making
> +the signature invalid).
> +This works because the imx-usb-loader transmits the DCD table setup prior to
> +the actual image to set up the RAM in order to load the barebox image.
> +Now the DCD pointer is set to zero (making the signature valid again) and the
> +image is loaded and verified by the ROM code.
> +
> +Note that the device-specific Data Encryption Key (DEK) blob needs to be
> +appended to the image after the build process for appropriately encrypted
> +images.
> +
> +In order to generate these special image types barebox is equipped with
> +corresponding static pattern rules in ``images/Makefile.imx``.
> +Unlike the typical ``imximg`` file extension the following ones are used for
> +these cases:
> +
> +* ``simximg``: generate signed image
> +* ``usimximg``: generate signed USB image
> +* ``esimximg``: generate encrypted and signed image
> +
> +The imx-image tool is then automatically called with the appropriate flags
> +during image creation.
> +This again calls Freescale's Code Signing Tool (CST) which must be installed in
> +the path or given via the environment variable "CST".
> +
> +Assuming ``CONFIG_HAB`` and ``CONFIG_HABV4`` are enabled the necessary
> +keys/certificates are expected in these config variables (assuming HABv4):
> +
> +.. code-block:: none
> +
> +  CONFIG_HABV4_TABLE_BIN
> +  CONFIG_HABV4_CSF_CRT_PEM
> +  CONFIG_HABV4_IMG_CRT_PEM
> +
> +A CSF template is located in
> +``arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h`` which is preprocessed
> +by barebox.
> +It must be included in the board's flash header:
> +
> +.. code-block:: none
> +
> +  #include <mach/habv4-imx6-gencsf.h>
> +
> +Analogous to HABv4 options and a template exist for HABv3.
> +
>  Using GPT on i.MX
>  ^^^^^^^^^^^^^^^^^
-- 
Pengutronix e.K.                           | Ulrich Ölmann               |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



More information about the barebox mailing list