Changes between Version 34 and Version 35 of venice/secure_boot


Ignore:
Timestamp:
06/18/2024 08:52:50 PM (3 months ago)
Author:
Tim Harvey
Comment:

added additional info about SRK HASH

Legend:

Unmodified
Added
Removed
Modified

  • venice/secure_boot

    v34 v35  
    3636The HABv4 secure boot feature uses digital signatures to prevent unauthorized code execution during the device boot sequence. This authentication is based on public key cryptography using RSA where the firmware image data is signed offline using a private key and the resulting signed image data is verified on the processor using the corresponding public key hash value programmed into the SoC fuses for establishing the root of trust.
    3737
     38The Super Root Key (SRK) is an RSA key pair which forms the start of the boot-time authentication chain. The hash of the SRK public key is embedded in the processor using OTP hardware. The SRK private key is held by the CA. The SRK in this document (unless noted) refers to the public key only.
     39
     40The authentication begins with establishing a root of trust with the SRK. HAB does this by computing a cryptographic hash of the SRK table and comparing the result with a pre-computed hash that is provisioned in OTP fuses.
     41
     42The SRK_HASH fuses for the IMX6/IMX7/IMX8 are defined by a bank and a word:
     43 - SRK_HASH[31:00] bank 6 word 0
     44 - SRK_HASH[63:32] bank 6 word 1
     45 - SRK_HASH[95:64] bank 6 word 2
     46 - SRK_HASH[127:96] bank 6 word 3
     47 - SRK_HASH[159:128] bank 7 word 0
     48 - SRK_HASH]191:160] bank 7 word 1
     49 - SRK_HASH[223:192] bank 7 word 2
     50 - SRK_HASH[255:224] bank 7 word 3
     51
    3852See also:
    39  - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
    40  - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
    41  - NXP AN4581 - i.MX Secure Boot on HABv4 Supported Devices
     53 - [https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt U-Boot mx8m_spl_secure_boot.txt]
     54 - [https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt U-Boot introduction_habv4.txt]
     55 - [https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/160465/1/AN12056.pdf AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices]
     56 - [https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/112842/1/AN4581.pdf AN4581 Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4]
     57
    4258
    4359Terminology: