Changes between Initial Version and Version 1 of venice/secure_boot


Ignore:
Timestamp:
07/12/2021 07:45:15 PM (3 years ago)
Author:
Tim Harvey
Comment:

initial page

Legend:

Unmodified
Added
Removed
Modified
  • venice/secure_boot

    v1 v1  
     1[[PageOutline]]
     2
     3See also [wiki:secure_boot] for information on securing the rest of your firmware.
     4
     5= i.MX8M High Assurance Boot (HAB)
     6The i.MX family of processors provides a High Assurance Boot (HAB) feature in the on-chip BOOT ROM responsible for loading the initial program image from the boot media. HAB enables the BOOT ROM to authenticate and/or decrypt the program image by using crypto operations.
     7
     8The HABv4 secure boot feature uses digital signatures to prevent unauthorized code execution during the device boot sequence. This authentication is based on public key cryptography using RSA where the firmware image data is signed offline using a private key and the resulting signed image data is verified on the processor using the corresponding public key hash value programmed into the SoC fuses for establishing the root of trust.
     9
     10See also:
     11 - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt
     12 - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
     13 - NXP AN4581 - i.MX Secure Boot on HABv4 Supported Devices
     14
     15Terminology:
     16 - CSF: Command Sequence File (generated off-line using the HAB CST)
     17 - CST: Code-Signing Tool
     18 - DCD: Device Configuration Data
     19 - DEK: Data Encryption Key
     20 - HAB: High Assurance Boot
     21 - IVT: Image Vector Table
     22 - SRK: Super Root Key
     23
     24In order to use High Assurance Boot (HAB) features you must have the NXP Code Signing Tool (CST):
     25https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW
     26
     27== i.MX secure boot SPL
     28Boards using U-Boot SPL and U-Boot propper for boot firmware support using HABv4 authentication for both images.
     29
     30The HAB library is a sub-component of the boot ROM on i.MX processors. It is responsible for verifying the digital signatures included as part of the product software and ensures that, when the processor is configured as a secure device, no unauthenticated code is allowed to run.
     31
     32On an 'open' device you can see HAB events which will tell you if the image would pass the authentication process. This is useful to test before you 'close' the device.
     33
     34In General you must:
     35 - Build boot firmware that contains HABv4 support
     36 - Create a PKI tree and SRK table via the NXP Code Signing Tool
     37 - Construct boot firmware with a proper Command Sequence File (CSF) (CSF blobs are created with the NXP Code Signing Tool)
     38 - Blow One Time Programmable (OTP) fuses on the target board with public keys
     39 - Flash signed firmware
     40 - Boot and verify no HAB events via 'hab_status' U-Boot command
     41 - Close the device to force trusted boot
     42
     43Detailed Procedure (for Venice):
     44 1. Creation of Code Signing Key:
     45  a. Retrieve the NXP Code Signing Tool (CST): https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW (Account required on NXP site)
     46  b. Unpack the CST :
     47{{{#!bash
     48tar xvf cst-3.3.1.tgz
     49cd cst-3.3.1/keys
     50}}}
     51  c. Create a text file named "serial", which contains 8 digits. OpenSSL uses the contents of this file for the 'certificate serial numbers'.
     52{{{#!bash
     53echo "12345678" > serial
     54}}}
     55  d.  Create a text file named "key_pass.txt which contains your pass phrase that will protect the HAB code signing private keys. The format is the first pass phrase repeated on the first and second lines:
     56{{{#!bash
     57PASS=mypassphrase
     58printf "$PASS\n$PASS" > key_pass.txt
     59}}}
     60  e. Create the signature keys (PKI tree) with hab4_pki_tree.sh (Must do this in the keys dir as the script hard-codes a relative path to certs)
     61{{{#!bash
     62./hab4_pki_tree.sh
     63...
     64Do you want to use an existing CA key (y/n)?: n
     65Do you want to use Elliptic Curve Cryptography (y/n)?: n
     66Enter key length in bits for PKI tree: 4096
     67Enter PKI tree duration (years): 10
     68How many Super Root Keys should be generated? 4
     69Do you want the SRK certificates to have the CA flag set? (y/n)?: y
     70...
     71}}}
     72   * this creates the following files which you can archive away as your 'PKI tree':
     73{{{#!bash
     74../crts/CA1_sha256_4096_65537_v3_ca_crt.der
     75../crts/CA1_sha256_4096_65537_v3_ca_crt.pem
     76../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.der
     77../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
     78../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.der
     79../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.pem
     80../crts/CSF3_1_sha256_4096_65537_v3_usr_crt.der
     81../crts/CSF3_1_sha256_4096_65537_v3_usr_crt.pem
     82../crts/CSF4_1_sha256_4096_65537_v3_usr_crt.der
     83../crts/CSF4_1_sha256_4096_65537_v3_usr_crt.pem
     84../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.der
     85../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
     86../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.der
     87../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.pem
     88../crts/IMG3_1_sha256_4096_65537_v3_usr_crt.der
     89../crts/IMG3_1_sha256_4096_65537_v3_usr_crt.pem
     90../crts/IMG4_1_sha256_4096_65537_v3_usr_crt.der
     91../crts/IMG4_1_sha256_4096_65537_v3_usr_crt.pem
     92../crts/SRK1_sha256_4096_65537_v3_ca_crt.der
     93../crts/SRK1_sha256_4096_65537_v3_ca_crt.pem
     94../crts/SRK2_sha256_4096_65537_v3_ca_crt.der
     95../crts/SRK2_sha256_4096_65537_v3_ca_crt.pem
     96../crts/SRK3_sha256_4096_65537_v3_ca_crt.der
     97../crts/SRK3_sha256_4096_65537_v3_ca_crt.pem
     98../crts/SRK4_sha256_4096_65537_v3_ca_crt.der
     99../crts/SRK4_sha256_4096_65537_v3_ca_crt.pem
     100./CA1_sha256_4096_65537_v3_ca_key.der
     101./CA1_sha256_4096_65537_v3_ca_key.pem
     102./CSF1_1_sha256_4096_65537_v3_usr_key.der
     103./CSF1_1_sha256_4096_65537_v3_usr_key.pem
     104./CSF2_1_sha256_4096_65537_v3_usr_key.der
     105./CSF2_1_sha256_4096_65537_v3_usr_key.pem
     106./CSF3_1_sha256_4096_65537_v3_usr_key.der
     107./CSF3_1_sha256_4096_65537_v3_usr_key.pem
     108./CSF4_1_sha256_4096_65537_v3_usr_key.der
     109./CSF4_1_sha256_4096_65537_v3_usr_key.pem
     110./IMG1_1_sha256_4096_65537_v3_usr_key.der
     111./IMG1_1_sha256_4096_65537_v3_usr_key.pem
     112./IMG2_1_sha256_4096_65537_v3_usr_key.der
     113./IMG2_1_sha256_4096_65537_v3_usr_key.pem
     114./IMG3_1_sha256_4096_65537_v3_usr_key.der
     115./IMG3_1_sha256_4096_65537_v3_usr_key.pem
     116./IMG4_1_sha256_4096_65537_v3_usr_key.der
     117./IMG4_1_sha256_4096_65537_v3_usr_key.pem
     118./SRK1_sha256_4096_65537_v3_ca_key.der
     119./SRK1_sha256_4096_65537_v3_ca_key.pem
     120./SRK2_sha256_4096_65537_v3_ca_key.der
     121./SRK2_sha256_4096_65537_v3_ca_key.pem
     122./SRK3_sha256_4096_65537_v3_ca_key.der
     123./SRK3_sha256_4096_65537_v3_ca_key.pem
     124./SRK4_sha256_4096_65537_v3_ca_key.der
     125./SRK4_sha256_4096_65537_v3_ca_key.pem
     126}}}
     127  f. Create the fuse table and binary (to be programmed to IMX OPT fuse blocks) using the SRK*_ca_crt.pem files created in the crts dir with srktool:
     128{{{#!bash
     129../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
     130}}}
     131   * creates SRK_1_2_3_4_table.bin SRK_1_2_3_4_fuse.bin and
     132  g. Use hexdump to obtain the fuse table (8x 32bit fuse values) in the correct endianness for programming with u-boot 'fuse prog':
     133{{{#!bash
     134$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
     1350xDCE644DB
     1360x3900ABA
     1370x1D00ECF6
     1380xC4EE5E23
     1390x5BCA8A8
     1400x75B0AB86
     1410xF88753CC
     1420xDB9B5895
     143}}}
     144  * Note the above fuse values will differ per your serial/passphrase
     145 2. Build U-boot with HABv4 enabled and a single DTB:
     146{{{#!bash
     147# checkout u-boot
     148git clone https://github.com/Gateworks/uboot-venice.git -b v2021.07-venice
     149cd u-boot
     150# setup cross toolchain environment (ie source setup-environment in Venice BSP dir)
     151export PATH=$VENICE_BSP/buildroot/output/host/bin:$PATH
     152export CROSS_COMPILE="aarch64-linux-"
     153export ARCH=arm64
     154export ATF_LOAD_ADDR=0x920000 # IMX8MM
     155# configure for venice board
     156make imx8mm_venice_defconfig
     157make menuconfig # select CONFIG_IMX_HAB=y 'Support i.MX HAB features' and CONFIG_OF_LIST to specify a single board dtb
     158make flash.bin
     159}}}
     160  * Use the v2021.07-venice U-Boot branch as this has support for IMX8M HAB
     161  * Select a single board DTB for CONFIG_OF_LIST
     162 3. create a signed_flash.bin using the [http://trac.gateworks.com/attachment/wiki/venice/secure_boot/sign_hab_imx8m.sh  sign_hab_imx8m.sh script]
     163{{{#!bash
     164$ ./sign_hab_imx8m.sh
     165Install SRK
     166Install CSFK
     167Authenticate CSF
     168Install key
     169Authenticate data
     170CSF Processed successfully and signed data available in csf_spl.bin
     171Install SRK
     172Install CSFK
     173Authenticate CSF
     174Install key
     175Authenticate data
     176CSF Processed successfully and signed data available in csf_fit.bin
     1776472+0 records in
     1786472+0 records out
     1796472 bytes (6.5 kB, 6.3 KiB) copied, 0.0102526 s, 631 kB/s
     1806488+0 records in
     1816488+0 records out
     1826488 bytes (6.5 kB, 6.3 KiB) copied, 0.0119102 s, 545 kB/s
     183signed_flash.bin is ready!
     184# create a JTAG image if needed
     185mkimage_jtag --emmc -s signed_flash.bin@user:erase_none:66-32640 > signed_u-boot_spl-imx8mm.bin
     186}}}
     187  * the script will create csf_spl.txt and csf_fit.txt which are templates used to create csf_spl.bin and csf_fit.bin which are then copied to the correct offsets in flash.bin to create signed_flash.bin
     188 4. Program SRK Hash fuses from Step 1 into IMX OTP (using U-Boot and the keys from fuse bin)
     189{{{#!bash
     190fuse prog -y 6 0 0xDCE644DB
     191fuse prog -y 6 1 0x3900ABA
     192fuse prog -y 6 2 0x1D00ECF6
     193fuse prog -y 6 3 0xC4EE5E23
     194fuse prog -y 7 0 0x5BCA8A8
     195fuse prog -y 7 1 0x75B0AB86
     196fuse prog -y 7 2 0xF88753CC
     197fuse prog -y 7 3 0xDB9B5895
     198}}}
     199   * **Do not use the above fuse values - use values generated above from your serial/passphrase**
     200   * **OTP fuses can only be programmed once - be careful to use the correct values**
     201  5. Program signed firmware image:
     202{{{#!bash
     203jtag_usbv4 -p signed_u-boot_spl-imx8mm.bin
     204}}}
     205  6. Boot it and verify no HAB events:
     206{{{#!bash
     207u-boot=> hab_status
     208Secure boot disabled
     209
     210HAB Configuration: 0xf0, HAB State: 0x66
     211No HAB Events Found!
     212}}}
     213 7 Close the device (lock it down!) - this step is irreversible, make sure there are no HAB events from the prior step
     214{{{#!bash
     215u-boot=> fuse prog 1 3 0x2000000
     216}}}
     217  * This sets the SEC_CONFIG[1] fuse on the i.MX8M and once done the processor will not load an image that has not been signed using the correct PKI tree
     218
     219== HABv4 encrypted boot architecture
     220The IMX HABv4 also provides an extra optional security operation by using cryptography (AES-CCM) to obscure the boot image so it can not be seen or used by unauthorized users.
     221
     222Encrypted boot adds an extra layer of security to the boot sequence using cryptographic techniques to obscure the bootloader data (which can be extended to the entire firmware image)so that it can not be seen or used by unauthorized users. This mechanism protects and conceals the bootloader code residing in flash.
     223
     224The Data Encryption Key (DEK) is an AES key used to encrypt the boot image (via the Code Signing Tool) and decrypt the boot image (using the DEK blob appended to the image). The DEK blob is used as a security layer to wrap and store the DEK off-chip which is unique to the chip that generated the blob.
     225
     226Generation of the DEK blob that gets appended to your image must be done on the IMX via the U-Boot dek_blob command which is enabled with CONFIG_CMD_DEKBLOB=y.
     227
     228References:
     229 - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
     230 - https://elixir.bootlin.com/u-boot/v2021.07/source/doc/imx/habv4/guides/encrypted_boot.txt
     231 - NXP AN12056 - Encrypted Boot on HABv4 and CAAM Enabled devices