Changes between Version 6 and Version 7 of venice/secure_boot

Timestamp:

06/12/2023 04:45:49 PM (18 months ago)

Author:

Tim Harvey

Comment:

add wget for grabbing the helper script from attachment and boot consoles for various steps

venice/secure_boot

@@ -175 +175 @@
 export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
 # sign it
+$ wget http://trac.gateworks.com/raw-attachment/wiki/venice/secure_boot/sign_hab_imx8m.sh 
+$ chmod +x sign_hab_imx8m.sh
 $ ./sign_hab_imx8m.sh 
 Install SRK
@@ -199 +201 @@
 }}}
   * the script will create csf_spl.txt and csf_fit.txt which are templates used to create csf_spl.bin and csf_fit.bin which are then copied to the correct offsets in flash.bin to create signed_flash.bin 
+  * on a board without SRK Hash fuses programmed and flashed with this signed image the serial console will look this this:
+{{{#!bash
+U-Boot SPL 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
+GSCv3   : v61 0x1d6f RST:VIN Thermal protection:disabled 
+RTC     : 1970-01-01   0:00:31 UTC
+Model   : GW7301-00-B1B
+Serial  : 852420
+MFGDate : 11-19-2021
+PMIC    : MP5416
+DRAM    : LPDDR4 1 GiB
+WDT:   Started with servicing (60s timeout)
+Trying to boot from MMC1
+DTB     : imx8mm-venice-gw73xx-0x
+hab fuse not enabled
+
+Authenticate image from DDR location 0x401fcdc0...
+NOTICE:  BL31: v2.4(release):f884ad7b0ba2
+NOTICE:  BL31: Built : 13:06:09, Oct 20 2021
+
+
+U-Boot 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
+
+CPU:   Freescale i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
+CPU:   Industrial temperature grade (-40C to 105C) at 34C
+Reset cause: POR
+Model: Gateworks Venice GW73xx-0x i.MX8MM Development Kit
+DRAM:  1 GiB
+WDT:   Started with servicing (60s timeout)
+MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
+Loading Environment from MMC... OK
+In:    serial
+Out:   serial
+Err:   serial
+Net:   DP83867 eth0: ethernet@30be0000 [PRIME]
+GSC     : boot watchdog disabled
+Hit any key to stop autoboot:  0 
+u-boot=>  
+}}}
+  - Note the 'hab fuse not enabled' and the 'Authenticate image from DDR location' messages
  4. Program SRK Hash fuses from Step 1 into IMX OTP (using U-Boot and the keys from fuse bin)
 {{{#!bash
@@ -226 +267 @@
  7 Close the device (lock it down!) - this step is irreversible, make sure there are no HAB events from the prior step
 {{{#!bash
-u-boot=> fuse prog 1 3 0x2000000
+u-boot=> fuse prog -y 1 3 0x2000000
 }}}
   * This sets the SEC_CONFIG[1] fuse on the i.MX8M and once done the processor will not load an image that has not been signed using the correct PKI tree
+  * on a board with SRK Hash fuses programmed, SEC_CONFIG[1] set and flashed with a signed image the serial console will look this this:
+{{{#!bash
+U-Boot SPL 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
+GSCv3   : v58 0xf098 RST:VIN Thermal protection:enabled at 96C 
+RTC     : 1970-01-03  16:34:29 UTC
+Model   : GW7301-01-B1B
+Serial  : 852455
+MFGDate : 11-10-2020
+PMIC    : MP5416
+DRAM    : LPDDR4 4 GiB
+WDT:   Started with servicing (60s timeout)
+Trying to boot from MMC1
+DTB     : imx8mm-venice-gw73xx-0x
+
+Authenticate image from DDR location 0x401fcdc0...
+NOTICE:  BL31: v2.4(release):f884ad7b0ba2
+NOTICE:  BL31: Built : 13:06:09, Oct 20 2021
+
+
+U-Boot 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
+
+CPU:   Freescale i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
+CPU:   Industrial temperature grade (-40C to 105C) at 30C
+Reset cause: POR
+Model: Gateworks Venice GW73xx-0x i.MX8MM Development Kit
+DRAM:  4 GiB
+WDT:   Started with servicing (60s timeout)
+MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
+Loading Environment from MMC... OK
+In:    serial
+Out:   serial
+Err:   serial
+Net:   DP83867 eth0: ethernet@30be0000 [PRIME]
+GSC     : boot watchdog disabled
+Thermal protection:enabled at 96C 
+Hit any key to stop autoboot:  0 
+}}}
+  - Note the 'Authenticate image from DDR location' message
 
 == HABv4 encrypted boot architecture