[PATCH 0/6] implement i.MX93 AHAB secure boot
Sascha Hauer
s.hauer at pengutronix.de
Thu Feb 15 00:17:57 PST 2024
On Wed, Feb 14, 2024 at 07:09:16PM +0100, Ahmad Fatoum wrote:
> Hello Sascha,
>
> On 13.02.24 16:17, Sascha Hauer wrote:
> > This adds support for AHAB based secure boot on i.MX93. The user
> > interface is integrated into the existing hab command used for ealier
> > i.MX variants. On i.MX93 the hab command can:
> >
> > - read/write the SRK hash
> > - lock the device
> > - show lock status of the device
> >
> > Like done with HAB the AHAB events will be shown during boot so that
> > possible failure events are seen should there be any issues like no
> > or wrong SRK hash fused or an unsigned image is attempted to be started.
> >
> > Unlike with HAB it is currently not possible to sign the barebox images
> > directly within the barebox build system. Instead, the images need to be
> > signed afterwards with the NXP CST tool. I am currently unsure if it's
> > worth the hassle, as it turned out to be quite straight forward to
> > integrate the signing process into YOCTO (likely also ptxdist, but I
> > haven't tried yet). In the end it might be easier than adding another
> > indirection with tunneling the necessary keys through the barebox build
> > process. I might be convinced otherwise though.
>
> Could you make the signing inside the barebox build system optional
> for HAB? Then we could have a prompt symbol that depends on HABv4, e.g.
> CONFIG_HAB_SIGN_IMAGES or something and disabling that would require
> external signing like for AHAB. I think this would improve user experience
> a fair bit, because HAB and AHAB could be handled the same build-system
> side and it would be easily discoverable in Kconfig that one supports
> sigining internally and the other doesn't.
Originally it was a design decision to integrate the signing into
barebox. I wanted to make barebox self contained and not depend on
external tools to generate images.
I am not sure though if anyone really builds signed images without
the help of a build system. So I had the same thought as well if we
could let the build system do the signing also for HAB. I haven't looked
into it what it takes to implement that. One point where it gets
difficult is our special trick to create signed USB images. We handle
the DCD table in imx-usb-loader to setup DDR and disable DCD in the
image. To make that work with signed images we sign an image which
has the DCD table disabled.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list