[PATCH 0/6] implement i.MX93 AHAB secure boot

Marco Felsch m.felsch at pengutronix.de
Thu Feb 15 02:12:52 PST 2024


On 24-02-15, Sascha Hauer wrote:
> On Wed, Feb 14, 2024 at 07:09:16PM +0100, Ahmad Fatoum wrote:
> > Hello Sascha,
> > 
> > On 13.02.24 16:17, Sascha Hauer wrote:
> > > This adds support for AHAB based secure boot on i.MX93. The user
> > > interface is integrated into the existing hab command used for ealier
> > > i.MX variants. On i.MX93 the hab command can:
> > > 
> > > - read/write the SRK hash
> > > - lock the device
> > > - show lock status of the device
> > > 
> > > Like done with HAB the AHAB events will be shown during boot so that
> > > possible failure events are seen should there be any issues like no
> > > or wrong SRK hash fused or an unsigned image is attempted to be started.
> > > 
> > > Unlike with HAB it is currently not possible to sign the barebox images
> > > directly within the barebox build system. Instead, the images need to be
> > > signed afterwards with the NXP CST tool. I am currently unsure if it's
> > > worth the hassle, as it turned out to be quite straight forward to
> > > integrate the signing process into YOCTO (likely also ptxdist, but I
> > > haven't tried yet). In the end it might be easier than adding another
> > > indirection with tunneling the necessary keys through the barebox build
> > > process. I might be convinced otherwise though.
> > 
> > Could you make the signing inside the barebox build system optional
> > for HAB? Then we could have a prompt symbol that depends on HABv4, e.g.
> > CONFIG_HAB_SIGN_IMAGES or something and disabling that would require
> > external signing like for AHAB. I think this would improve user experience
> > a fair bit, because HAB and AHAB could be handled the same build-system
> > side and it would be easily discoverable in Kconfig that one supports
> > sigining internally and the other doesn't.
> 
> Originally it was a design decision to integrate the signing into
> barebox. I wanted to make barebox self contained and not depend on
> external tools to generate images.
> I am not sure though if anyone really builds signed images without
> the help of a build system. So I had the same thought as well if we
> could let the build system do the signing also for HAB. I haven't looked
> into it what it takes to implement that. One point where it gets
> difficult is our special trick to create signed USB images. We handle
> the DCD table in imx-usb-loader to setup DDR and disable DCD in the
> image. To make that work with signed images we sign an image which
> has the DCD table disabled.

Additional the i.MX8M signing is quite different compared to the i.MX5/6
sigining since only the pbl part is signed and we use symbols to get the
size of the pbl. I'm not saying that it's impossible but we would need
to expose information to the build system.

Regards,
  Marco

> 
> Sascha
> 
> -- 
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 
> 



More information about the barebox mailing list