Changes between Version 13 and Version 14 of venice/secure_boot


Timestamp:
03/20/2024 12:44:42 AM (8 weeks ago)
Author:
Tim Harvey
Comment:

change SPL_LOAD_FIT_ADDRESS to 0x44000000 to fit within memory map better

  • venice/secure_boot

    v13 v14  
    2626
    2727== i.MX secure boot
    28 Boards using U-Boot for boot firmware support using HABv4 authentication for both images.
     28Boards using U-Boot for boot firmware support using HABv4 authentication for both the SPL and U-Boot stages.
    2929
    3030The HAB library is a sub-component of the boot ROM on i.MX processors. It is responsible for verifying the digital signatures included as part of the product software and ensures that, when the processor is configured as a secure device, no unauthenticated code is allowed to run.
     
    3535 - Build boot firmware that contains HABv4 support
    3636  - CONFIG_IMX_HAB=y ('hab_auto_img', 'hab_status' and 'hab_version' cmds)
    37   - CONFIG_CMD_FSL_CAAM_KB=y ('caam genblob' and 'caam decap' cmds)
    38   - CONFIG_CMD_DEKBLOB=y (optional) ('dek_blob' cmd)
    39   - CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000
     37  - CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
    4038 - Create a PKI tree and SRK table via the NXP Code Signing Tool
    4139 - Construct boot firmware with a proper Command Sequence File (CSF) (CSF blobs are created with the NXP Code Signing Tool)
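Review bot: lines 37-38 drop CONFIG_CMD_FSL_CAAM_KB and CONFIG_CMD_DEKBLOB from this list, but the revision comment only mentions the SPL_LOAD_FIT_ADDRESS change; say in the comment or in the text that the authentication-only build does not need them and that CONFIG_CMD_DEKBLOB is still listed under the TEE configuration (line 244), otherwise a reader comparing versions will think DEK blob support was removed from the page. The new value 0x44000000 at line 37 also deserves one sentence on what it must not overlap (the regions the SPL later copies the FIT components into), so a reader on a board with a different DDR size or different load addresses knows the constraint rather than copying the constant.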
     
    4543 - Close the device to force trusted boot
    4644
    47 Detailed Procedure (for Venice) on x86 host machine:
     45Detailed Procedure (for Venice) on x86 development host machine with an existing venice bsp build directory on it (VENICE_BSP env var):
     46  - this configuration is for using HABv4 for image authentication only on the Gateworks 2023.04 U-Boot branch. If you instead want to use DEK blob encap/decap support you need to to also add a Trusted Execution Environment (TEE) (see below)
    4847 1. Creation of Code Signing Key: '''This is an example - read the CST documentation and tailor to your needs'''
    4948  a. Retrieve the NXP Code Signing Tool (CST): https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW (Account required on NXP site)
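Review bot: line 46 has a doubled word ("you need to to also add"). Since this same revision adds the [=#tee] anchor ahead of the TEE section, "(see below)" can be a real link, e.g. `[#tee see below]`, so the reference still works if the sections are reordered or the page is read from the TEE section's own anchor.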
     
    110109# configure for venice board
    111110make imx8mm_venice_defconfig
    112 make menuconfig # select CONFIG_IMX_HAB=y and CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000
     111make menuconfig # select CONFIG_IMX_HAB=y and CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
    113112make flash.bin
    114113}}}
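Review bot: line 111 relies on an interactive menuconfig session, which is hard to reproduce in a script or in CI; suggest adding the non-interactive equivalent, e.g. `scripts/config --enable IMX_HAB` and `scripts/config --set-val SPL_LOAD_FIT_ADDRESS 0x44000000` followed by `make olddefconfig`, so the build that produces the flash.bin being signed is deterministic and the two symbols cannot silently be left unset.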
     
    149148hab fuse not enabled
    150149
    151 Authenticate image from DDR location 0x48000000...
     150Authenticate image from DDR location 0x44000000...
    152151DTB     : imx8mm-venice-gw72xx-0x
    153152NOTICE:  BL31: v2.4(release):f884ad7b0ba2
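Review bot: the capture at line 148 says "hab fuse not enabled", so this log is from an open device where a failed authentication is reported but does not halt boot; say so next to the log and tell the reader to run `hab_status` (the command enabled by CONFIG_IMX_HAB at line 36) and confirm there are no HAB events before closing the device, because the "Authenticate image from DDR location 0x44000000..." line on its own does not show that the signature verified.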
     
    190189 - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
    191190
     191[=#tee]
    192192== Trusted Execution Environment (TEE)
    193193The Trusted Execution Environment (TEE) is a set of specifications published by the [http://www.globalplatform.org GlobalPlatform association]. The purpose of the TEE is to provide a safe environment within the application processor for developing and executing secure applications. We call an application processor a system running a Rich OS like Android or Linux. A Rich environment represents a huge amount of code. It is open to third-party applications and it is an open ecosystem: it makes a Rich OS hard to audit. It is prone to bugs/vulnerability, which may compromise the security and integrity of the entire system. The TEE offers another level of protection against attacks from the rich OS. The TEE is only open to trusted partners, which makes it easier to audit. It executes only trusted and authorized software. All sensitive data are protected from the rest of the application processor and from the outside world.
     
    243243  - CONFIG_IMX_HAB=y
    244244  - CONFIG_CMD_DEKBLOB=y
    245   - CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000
     245  - CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
    246246  - CONFIG_OPTEE=y
    247247  - CONFIG_OPTEE_LOAD_ADDRESS= the (link/load) address for TEE that should match BL32_BASE for ATF and CFG_TZDRAM_START for OPTEE
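Review bot: line 245 moves the FIT load address while line 247 keeps CONFIG_OPTEE_LOAD_ADDRESS tied to CFG_TZDRAM_START; the two regions must not overlap, since the FIT is first placed as a whole at SPL_LOAD_FIT_ADDRESS (the "Authenticate image from DDR location" in the boot log) and its components, the TEE image among them, are copied out to their own load addresses afterwards. State that constraint here so a reader who changes one value re-checks the other, which is the "memory map" point the revision comment alludes to but never spells out.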
     
    324324make imx8mm_venice_defconfig # choose imx8mm/imx8mn/imx8mp depending on board SOC
    325325# enable IMX_HAB/OPTEE
    326 make menuconfig # search for (with /) and set CONFIG_IMX_HAB=y CONFIG_CMD_DEKBLOB=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000 CONFIG_OPTEE=y and CONFIG_OPTEE_LOAD_ADDRESS= set to the value of CFG_TZDRAM_START
     326make menuconfig # search for (with /) and set CONFIG_IMX_HAB=y CONFIG_CMD_DEKBLOB=y CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000 CONFIG_OPTEE=y and CONFIG_OPTEE_LOAD_ADDRESS= set to the value of CFG_TZDRAM_START
    327327make -j8 flash.bin
    328328}}}
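Review bot: line 326 tells the reader to set CONFIG_OPTEE_LOAD_ADDRESS to CFG_TZDRAM_START only, whereas line 247 above says it must also match BL32_BASE in ATF; repeat that in the command comment so a reader who follows only this block does not build an ATF/OP-TEE pair with mismatched addresses.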