     +=======================================================+
     +   i.MX6, i.MX7 U-Boot Secure Boot guide using HABv4   +
     +=======================================================+

1. HABv4 secure boot process
-----------------------------

This document describes a step-by-step procedure on how to sign and securely
boot a U-Boot image for non-SPL targets. It is assumed that the reader is
familiar with basic HAB concepts and with the PKI tree generation.

Details about HAB can be found in the application note AN4581[1] and in the
introduction_habv4.txt document.

1.1 Building a u-boot-dtb.imx image supporting secure boot
-----------------------------------------------------------

U-Boot supports the secure boot configuration and also provides access to the
HAB APIs exposed by the ROM vector table. The support is enabled by selecting
the CONFIG_SECURE_BOOT option.

When built with this configuration, U-Boot provides extra functions for HAB,
such as retrieval of the HAB status logs through the hab_status command and
support for extending the root of trust.

U-Boot also correctly pads the final image by aligning to the next 0xC00
address, so the CSF signature data generated by CST can be concatenated to
the image.

The diagram below illustrates a signed u-boot-dtb.imx image layout:

  -------   +-----------------------------+ <-- *start
        ^   |     Image Vector Table      |
        |   +-----------------------------+ <-- *boot_data
        |   |          Boot Data          |
        |   +-----------------------------+ <-- *dcd
        |   |          DCD Table          |
        |   +-----------------------------+
 Signed |   |           Padding           |
  Data  |   +-----------------------------+ <-- *entry
        |   |                             |
        |   |                             |
        |   |       u-boot-dtb.bin        |
        |   |                             |
        |   |                             |
        |   +-----------------------------+
        v   |           Padding           |
  -------   +-----------------------------+ <-- *csf
            |                             |
            | Command Sequence File (CSF) |
            |                             |
            +-----------------------------+
            |     Padding (optional)      |
            +-----------------------------+

1.2 Enabling the secure boot support
-------------------------------------

The first step is to generate a U-Boot image supporting the HAB features
mentioned above. This can be achieved by adding CONFIG_SECURE_BOOT to the
build configuration:

- Defconfig:

  CONFIG_SECURE_BOOT=y

- Kconfig:

  ARM architecture -> Support i.MX HAB features

1.3 Creating the CSF description file
--------------------------------------

The CSF contains all the commands that the HAB executes during the secure
boot. These commands instruct the HAB on which memory areas of the image
to authenticate, which keys to install and use, etc.

CSF examples are available under doc/imx/habv4/csf_examples/ directory.

A build log containing the "Authenticate Data" parameters is available after
the U-Boot build. The example below is a log for the mx7dsabresd_defconfig
target:

- mkimage build log:

  $ cat u-boot-dtb.imx.log

  Image Type:   Freescale IMX Boot Image
  Image Ver:    2 (i.MX53/6/7 compatible)
  Mode:         DCD
  Data Size:    667648 Bytes = 652.00 KiB = 0.64 MiB
  Load Address: 877ff420
  Entry Point:  87800000
  HAB Blocks:   0x877ff400 0x00000000 0x0009ec00
                ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
                |          |          |
                |          |          ------- (1)
                |          |
                |          ------------------ (2)
                |
                ----------------------------- (3)

  (1) Size of area in file u-boot-dtb.imx to sign.
      This area should include the IVT, the Boot Data, the DCD
      and the U-Boot itself.
  (2) Start of area in u-boot-dtb.imx to sign.
  (3) Start of area in RAM to authenticate.

- In "Authenticate Data" CSF command users can copy and paste the output
  addresses:

  Block = 0x877ff400 0x00000000 0x0009ec00 "u-boot-dtb.imx"

1.4 Signing the U-Boot binary
------------------------------

The CST tool is used for signing the U-Boot binary and generating a CSF
binary. Users should input the CSF description file created in the step above
and should receive a CSF binary, which contains the CSF commands, SRK table,
signatures and certificates.

- Create CSF binary file:

  $ ./cst -i csf_uboot.txt -o csf_uboot.bin

- Append CSF signature to the end of U-Boot image:

  $ cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx

The u-boot-signed.imx is the signed binary and should be flashed into the boot
media.
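
A pre-flash check for sections 1.3 and 1.4, as an added example that is not
part of the U-Boot tree: it derives the Block line from the build log and
confirms that the unsigned image ends exactly where the CSF must start.
Assumptions: the IVT word order in the comment and the constructed sample image.

```python
import re
import struct

# Constructed sample: log lines as shown in section 1.3.
SAMPLE_LOG = """\
  Load Address: 877ff420
  Entry Point:  87800000
  HAB Blocks:   0x877ff400 0x00000000 0x0009ec00
"""

HAB_BLOCKS = re.compile(
    r"^\s*HAB Blocks:\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)"
    r"\s+(0x[0-9a-fA-F]+)\s*$",
    re.MULTILINE)

# Assumed HABv4 IVT layout (little-endian words): header, entry, reserved,
# dcd, boot_data, self, csf, reserved. Byte 0 of the header is the tag 0xD1.
IVT_FMT = "<4s7I"
IVT_TAG = 0xD1


def parse_hab_blocks(log_text):
    """Return (ram_start, file_offset, length) from the 'HAB Blocks' line."""
    match = HAB_BLOCKS.search(log_text)
    if match is None:
        raise ValueError("log has no 'HAB Blocks:' line")
    return tuple(int(field, 16) for field in match.groups())


def block_line(block, filename):
    """Format the Block argument of the CSF 'Authenticate Data' command."""
    return 'Block = 0x%08x 0x%08x 0x%08x "%s"' % (block + (filename,))


def check_image(image, block):
    """Compare the unsigned image with the logged block; return problems."""
    ram_start, offset, length = block
    problems = []
    end = offset + length
    if len(image) < end:
        problems.append("image is shorter than the area to sign")
    elif len(image) > end:
        problems.append("image continues past the signed area, so an "
                        "appended CSF would not start at *csf")
    if len(image) < offset + struct.calcsize(IVT_FMT):
        problems.append("no room for an IVT at the block offset")
        return problems
    header, _, _, _, _, self_ptr, csf_ptr, _ = struct.unpack_from(
        IVT_FMT, image, offset)
    if header[0] != IVT_TAG:
        problems.append("no IVT tag at the start of the signed area")
    if self_ptr != ram_start:
        problems.append("IVT self pointer differs from the block RAM start")
    if csf_ptr - self_ptr != length:
        problems.append("IVT csf pointer does not sit at the end of the block")
    return problems


def sample_image(block):
    """Constructed stand-in for u-boot-dtb.imx: an IVT followed by zeros."""
    ram_start, offset, length = block
    ivt = struct.pack(IVT_FMT, bytes([IVT_TAG, 0x00, 0x20, 0x40]),
                      0x87800000, 0, 0, 0, ram_start, ram_start + length, 0)
    return bytes(offset) + ivt + bytes(length - len(ivt))


if __name__ == "__main__":
    blk = parse_hab_blocks(SAMPLE_LOG)
    print(block_line(blk, "u-boot-dtb.imx"))
    print(check_image(sample_image(blk), blk) or "layout matches the log")
```

An empty list from check_image() means the logged block, the IVT pointers and
the file length agree; any entry is a reason to stop before signing or flashing.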

- Flash signed U-Boot binary:

  $ sudo dd if=u-boot-signed.imx of=/dev/sd<x> bs=1K seek=1 && sync

1.5 Programming SRK Hash
-------------------------

As explained in AN4581[1] and in the introduction_habv4.txt document, the SRK
Hash fuse values are generated by the srktool and should be programmed in the
SoC SRK_HASH[255:0] fuses.

Be careful when programming these values, as this data is the basis for the
root of trust. An error in SRK Hash results in a part that does not boot.

The U-Boot fuse tool can be used for programming eFuses on i.MX SoCs.

- Dump SRK Hash fuses values in host machine:

  $ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
  0x20593752
  0x6ACE6962
  0x26E0D06C
  0xFC600661
  0x1240E88F
  0x1209F144
  0x831C8117
  0x1190FD4D

- Program SRK_HASH[255:0] fuses, using i.MX6 series as example:

  => fuse prog 3 0 0x20593752
  => fuse prog 3 1 0x6ACE6962
  => fuse prog 3 2 0x26E0D06C
  => fuse prog 3 3 0xFC600661
  => fuse prog 3 4 0x1240E88F
  => fuse prog 3 5 0x1209F144
  => fuse prog 3 6 0x831C8117
  => fuse prog 3 7 0x1190FD4D

The table below lists the SRK_HASH bank and word according to the i.MX device:

  +-------------------+---------------+---------------+---------------+
  |                   | i.MX6 Series  |   i.MX7D/S    |   i.MX7ULP    |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[31:00]   | bank 3 word 0 | bank 6 word 0 | bank 5 word 0 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[63:32]   | bank 3 word 1 | bank 6 word 1 | bank 5 word 1 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[95:64]   | bank 3 word 2 | bank 6 word 2 | bank 5 word 2 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[127:96]  | bank 3 word 3 | bank 6 word 3 | bank 5 word 3 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[159:128] | bank 3 word 4 | bank 7 word 0 | bank 5 word 4 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[191:160] | bank 3 word 5 | bank 7 word 1 | bank 5 word 5 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[223:192] | bank 3 word 6 | bank 7 word 2 | bank 5 word 6 |
  +-------------------+---------------+---------------+---------------+
  | SRK_HASH[255:224] | bank 3 word 7 | bank 7 word 3 | bank 5 word 7 |
  +-------------------+---------------+---------------+---------------+

1.6 Verifying HAB events
-------------------------

The next step is to verify that the signature attached to U-Boot is
successfully processed without errors. HAB generates events when processing
the commands if it encounters issues.

The hab_status U-Boot command calls the hab_report_event() and hab_status()
HAB API functions to verify the processor security configuration and status.
This command displays any events that were generated during the process.

Prior to closing the device users should ensure no HAB events were found, as
in the example below:

- Verify HAB events:

  => hab_status

  Secure boot disabled

  HAB Configuration: 0xf0, HAB State: 0x66
  No HAB Events Found!

1.7 Closing the device
-----------------------

After the device successfully boots a signed image without generating any HAB
events, it is safe to close the device. This is the last step in the HAB
process, and is achieved by programming the SEC_CONFIG[1] fuse bit.

Once the fuse is programmed, the chip does not load an image that has not been
signed using the correct PKI tree.

- Program SEC_CONFIG[1] fuse, using i.MX6 series as example:

  => fuse prog 0 6 0x00000002

The table below lists the SEC_CONFIG[1] bank and word according to the i.MX
device:

  +--------------+-----------------+------------+
  |    Device    |  Bank and Word  |   Value    |
  +--------------+-----------------+------------+
  | i.MX6 Series |  bank 0 word 6  | 0x00000002 |
  +--------------+-----------------+------------+
  | i.MX7D/S     |  bank 1 word 3  | 0x02000000 |
  +--------------+-----------------+------------+
  | i.MX7ULP     |  bank 29 word 6 | 0x80000000 |
  +--------------+-----------------+------------+

1.8 Completely secure the device
---------------------------------

Additional fuses can be programmed to completely secure the device. More
details about these fuses and their possible impact can be found in AN4581[1].

- Program SRK_LOCK, using i.MX6 series as example:

  => fuse prog 0 0 0x4000

- Program DIR_BT_DIS, using i.MX6 series as example:

  => fuse prog 0 6 0x8

- Program SJC_DISABLE, using i.MX6 series as example:

  => fuse prog 0 6 0x100000

- Program JTAG_SMODE, using i.MX6 series as example:

  => fuse prog 0 6 0xC00000

The table below lists the SRK_LOCK, DIR_BT_DIS, SJC_DISABLE, and JTAG_SMODE
bank and word according to the i.MX device:

  +--------------+---------------+------------+
  |    Device    | Bank and Word |   Value    |
  +--------------+---------------+------------+
  |                 SRK_LOCK                  |
  +-------------------------------------------+
  | i.MX6 Series | bank 0 word 0 | 0x00004000 |
  +--------------+---------------+------------+
  | i.MX7D/S     | bank 0 word 0 | 0x00000200 |
  +--------------+---------------+------------+
  | i.MX7ULP     | bank 1 word 1 | 0x00000080 |
  +--------------+---------------+------------+
  |                DIR_BT_DIS                 |
  +-------------------------------------------+
  | i.MX6 Series | bank 0 word 6 | 0x00000008 |
  +--------------+---------------+------------+
  | i.MX7D/S     | bank 1 word 3 | 0x08000000 |
  +--------------+---------------+------------+
  | i.MX7ULP     | bank 1 word 1 | 0x00002000 |
  +--------------+---------------+------------+
  |                SJC_DISABLE                |
  +-------------------------------------------+
  | i.MX6 Series | bank 0 word 6 | 0x00100000 |
  +--------------+---------------+------------+
  | i.MX7D/S     | bank 1 word 3 | 0x00200000 |
  +--------------+---------------+------------+
  | i.MX7ULP     | bank 1 word 1 | 0x00000020 |
  +--------------+---------------+------------+
  |                JTAG_SMODE                 |
  +-------------------------------------------+
  | i.MX6 Series | bank 0 word 6 | 0x00C00000 |
  +--------------+---------------+------------+
  | i.MX7D/S     | bank 1 word 3 | 0x00C00000 |
  +--------------+---------------+------------+
  | i.MX7ULP     | bank 1 word 1 | 0x000000C0 |
  +--------------+---------------+------------+

2. Extending the root of trust
-------------------------------

The High Assurance Boot (HAB) code located in the on-chip ROM provides an
Application Programming Interface (API) making it possible to call back
into the HAB code for authenticating additional boot images.

U-Boot supports this feature and can be used to authenticate the Linux
Kernel Image.

The process of signing an additional image is similar to the U-Boot.
The diagram below illustrates the zImage layout:

  -------   +-----------------------------+ <-- *load_address
        ^   |                             |
        |   |                             |
        |   |                             |
        |   |                             |
        |   |           zImage            |
 Signed |   |                             |
  Data  |   |                             |
        |   |                             |
        |   +-----------------------------+
        |   |    Padding Next Boundary    |
        |   +-----------------------------+ <-- *ivt
        v   |     Image Vector Table      |
  -------   +-----------------------------+ <-- *csf
            |                             |
            | Command Sequence File (CSF) |
            |                             |
            +-----------------------------+
            |     Padding (optional)      |
            +-----------------------------+

2.1 Padding the image
----------------------

The zImage must be padded to the next boundary address (0x1000). For instance,
if the image size is 0x649920 it must be padded to 0x64A000.

The tool objcopy can be used for padding the image.

- Pad the zImage:

  $ objcopy -I binary -O binary --pad-to 0x64A000 --gap-fill=0x00 \
      zImage zImage_pad.bin

2.2 Generating Image Vector Table
----------------------------------

The HAB code requires an Image Vector Table (IVT) for determining the image
length and the CSF location. Since zImage does not include an IVT, one has
to be manually created and appended to the end of the padded zImage. The
script genIVT.pl in the script_examples directory can be used as reference.

- Generate IVT:

  $ genIVT.pl

Note: The load Address may change depending on the device.
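
The padding and IVT steps of sections 2.1 and 2.2 for any image size and load
address, as an added example (not genIVT.pl and not U-Boot code) that goes
beyond the single size shown above. Assumptions: the header word, the entry
field set to the load address, and the constructed load address 0x80800000.

```python
import struct

BOUNDARY = 0x1000        # padding boundary from section 2.1
IVT_SIZE = 0x20          # eight 32-bit words
# Assumed IVT header word: tag 0xD1, length 0x0020, version 0x41.
IVT_HEADER = 0x412000D1


def padded_size(size, boundary=BOUNDARY):
    """Round size up to the next boundary; aligned sizes stay unchanged."""
    return (size + boundary - 1) // boundary * boundary


def build_ivt(load_addr, padded_len):
    """Build the IVT placed directly after the padded image (see diagram)."""
    ivt_addr = load_addr + padded_len      # *ivt
    csf_addr = ivt_addr + IVT_SIZE         # *csf, right after the IVT
    if csf_addr > 0xFFFFFFFF:
        raise ValueError("image does not fit in the 32-bit address space")
    # Assumed word order: header, entry, reserved, dcd, boot_data,
    # self, csf, reserved. Entry is set to the load address (assumption).
    return struct.pack("<8I", IVT_HEADER, load_addr, 0, 0, 0,
                       ivt_addr, csf_addr, 0)


def pad_and_append_ivt(zimage, load_addr):
    """Return (padded image + IVT, offset of the IVT from the load address)."""
    ivt_offset = padded_size(len(zimage))
    padded = zimage + b"\x00" * (ivt_offset - len(zimage))
    return padded + build_ivt(load_addr, ivt_offset), ivt_offset


def describe(blob, ivt_offset):
    """Read back the pointers HAB uses from the appended IVT."""
    words = struct.unpack_from("<8I", blob, ivt_offset)
    return {"entry": words[1], "ivt": words[5], "csf": words[6]}


if __name__ == "__main__":
    # Constructed input: zeros with the image size used in section 2.1.
    blob, offset = pad_and_append_ivt(bytes(0x649920), 0x80800000)
    print("IVT offset: 0x%X" % offset)
    for name, value in describe(blob, offset).items():
        print("%-5s 0x%08X" % (name, value))
```

The returned offset is where the IVT sits relative to the load address, and the
csf pointer is where the CSF binary lands once it is appended in section 2.3.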

- Append the ivt.bin at the end of the padded zImage:

  $ cat zImage_pad.bin ivt.bin > zImage_pad_ivt.bin

2.3 Signing the image
----------------------

A CSF file has to be created to sign the image. HAB does not allow changing
the SRK once the first image is authenticated, so the same SRK key used in
U-Boot must be used when extending the root of trust.

CSF examples are available in ../csf_examples/additional_images/
directory.

- Create CSF binary file:

  $ ./cst --i csf_additional_images.txt --o csf_zImage.bin

- Attach the CSF binary to the end of the image:

  $ cat zImage_pad_ivt.bin csf_zImage.bin > zImage_signed.bin

2.4 Verifying HAB events
-------------------------

U-Boot includes the hab_auth_img command, which can be used for
authenticating and troubleshooting the signed image. The zImage must be
loaded at the load address specified in the IVT.

- Authenticate additional image:

  => hab_auth_img <Load Address> <Image Size> <IVT Offset>

If no HAB events were found the zImage is successfully signed.

References:
[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
 HABv4" - Rev 2.