Lines Matching +full:inside +full:- +full:secure
2 + i.MX Secure and Encrypted Boot using HABv4 +
6 ----------------
9 (HAB) feature in the on-chip ROM. The ROM is responsible for loading the
10 initial program image (U-Boot) from the boot media and HAB enables the ROM
17 Step-by-step guides are available under doc/imx/habv4/guides/ directory,
21 1.1 The HABv4 Secure Boot Architecture
22 ---------------------------------------
24 The HABv4 secure boot feature uses digital signatures to prevent unauthorized
36 The diagram below illustrate the secure boot process overview:
39 +----------+ +----------+
40 ---> | U-Boot | | Compare |
41 | +----------+ +----------+
44 | +----------+ Hash / \ Hash
46 | +----------+ Key / \
47 | | | +----------+ +----------+
49 | +----------+ | +----------+ +----------+
50 | | Sign | <--- SRK ^ ^
51 | +----------+ HASH \ /
52 | | | CSF \ / U-Boot
54 | +----------+ +----------+ +----------+
55 | | U-Boot | | | | U-Boot |
56 ---> | + | -----> | i.MX | -----> | + |
58 +----------+ +----------+ +----------+
60 The U-Boot image to be programmed into the boot media needs to be properly
68 Details about the Secure Boot and Code Signing Tool (CST) can be found in
69 the application note AN4581[2] and in the secure boot guides.
72 ------------------------------------------
76 techniques (AES-CCM) to obscure the U-Boot data, so it cannot be seen or used
77 by unauthorized users. This mechanism protects the U-Boot code residing on
88 can be applied on the same region with exception of the U-Boot Header (IVT,
94 +------------+ +--------------+
95 | U-Boot | | U-Boot |
96 +------------+ +--------------+
99 v DEK +--------------+
100 +------------+ | ----> | Decrypt |
101 | Encrypt | <--- | +--------------+
102 +------------+ DEK | ^
105 v Key +------+ +--------------+
106 +------------+ | | CAAM | | Authenticate |
107 | Sign | <--- +------+ +--------------+
108 +------------+ DEK ^ ^
109 | + OTPMK DEK \ / U-Boot
112 +------------+ +----------+ +------------+
113 | Enc U-Boot | | | | Enc U-Boot |
114 | + CSF | ----> | i.MX | -------> | + CSF |
116 +------------+ +----------+ +------------+
119 ---------------------
131 decrypted inside a secure memory partition that can only be accessed by CAAM.
135 execution of malicious code. The PRIBLOB setting in CAAM allows secure boot
144 -------------------------
156 - Generating 2048-bit PKI tree on CST v3.1.0:
169 +---------+
171 +---------+
174 ---------------------------------------------------
178 +--------+ +--------+ +--------+ +--------+
180 +--------+ +--------+ +--------+ +--------+
183 +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
185 +----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
192 ----------------------------------------------
202 - Generating 2048-bit fast authentication PKI tree on CST v3.1.0:
215 +---------+
217 +---------+
220 ---------------------------------------------------
224 +--------+ +--------+ +--------+ +--------+
226 +--------+ +--------+ +--------+ +--------+
229 ----------------------------------------
245 - Generating SRK Table and SRK Hash in Linux 64-bit machines:
247 $ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e \
248 SRK_1_2_3_4_fuse.bin -d sha256 -c \
260 [2] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
261 HABv4" - Rev 2.
262 [3] AN12056: "Encrypted Boot on HABv4 and CAAM Enabled Devices" - Rev. 1