[PATCH 0/6] implement i.MX93 AHAB secure boot

Ahmad Fatoum a.fatoum at pengutronix.de
Wed Feb 14 10:09:16 PST 2024 

Hello Sascha,

On 13.02.24 16:17, Sascha Hauer wrote:
> This adds support for AHAB based secure boot on i.MX93. The user
> interface is integrated into the existing hab command used for ealier
> i.MX variants. On i.MX93 the hab command can:
> 
> - read/write the SRK hash
> - lock the device
> - show lock status of the device
> 
> Like done with HAB the AHAB events will be shown during boot so that
> possible failure events are seen should there be any issues like no
> or wrong SRK hash fused or an unsigned image is attempted to be started.
> 
> Unlike with HAB it is currently not possible to sign the barebox images
> directly within the barebox build system. Instead, the images need to be
> signed afterwards with the NXP CST tool. I am currently unsure if it's
> worth the hassle, as it turned out to be quite straight forward to
> integrate the signing process into YOCTO (likely also ptxdist, but I
> haven't tried yet). In the end it might be easier than adding another
> indirection with tunneling the necessary keys through the barebox build
> process. I might be convinced otherwise though.

Could you make the signing inside the barebox build system optional
for HAB? Then we could have a prompt symbol that depends on HABv4, e.g.
CONFIG_HAB_SIGN_IMAGES or something and disabling that would require
external signing like for AHAB. I think this would improve user experience
a fair bit, because HAB and AHAB could be handled the same build-system
side and it would be easily discoverable in Kconfig that one supports
sigining internally and the other doesn't.

This would also allow us to build-test this configuration.

Thanks,
Ahmad

> 
> Sascha
> 
> Sascha Hauer (6):
>   hab: drop incomplete i.MX28 support
>   hab: drop i.MX35
>   hab: cleanup hab status printing during boot
>   hab: pass flags to lockdown_device()
>   ARM: i.MX: ele: implement more ELE operations
>   hab: implement i.MX9 support
> 
>  arch/arm/mach-imx/Kconfig |   5 +
>  arch/arm/mach-imx/ele.c   | 345 +++++++++++++++++++++++++++++++++++++-
>  drivers/hab/hab.c         | 137 ++++++++++++++-
>  drivers/hab/hab.h         |  10 ++
>  drivers/hab/habv3.c       |   6 +-
>  drivers/hab/habv4.c       |  62 +------
>  include/hab.h             |  20 +--
>  include/mach/imx/ele.h    |  18 ++
>  8 files changed, 516 insertions(+), 87 deletions(-)
>  create mode 100644 drivers/hab/hab.h
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

More information about the barebox mailing list