Changes between Version 8 and Version 9 of venice/secure_boot

Timestamp:

06/23/2023 11:06:07 PM (2 years ago)

Author:

Tim Harvey

Comment:

updated instructions for latest Gateworks U-Boot v2023.04

venice/secure_boot

@@ -25 +25 @@
 https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW
 
-== i.MX secure boot SPL (U-Boot v2021-07-venice)
-** This section is based on the [https://github.com/Gateworks/uboot-venice/tree/v2021.07-venice v2021-07-venice Gateworks U-Boot repository] - Instructions will differ for other versions of U-Boot **
-
-Boards using U-Boot SPL and U-Boot propper for boot firmware support using HABv4 authentication for both images.
+== i.MX secure boot
+Boards using U-Boot for boot firmware support using HABv4 authentication for both images.
 
 The HAB library is a sub-component of the boot ROM on i.MX processors. It is responsible for verifying the digital signatures included as part of the product software and ensures that, when the processor is configured as a secure device, no unauthenticated code is allowed to run.
@@ -39 +37 @@
   - CONFIG_CMD_FSL_CAAM_KB=y ('caam genblob' and 'caam decap' cmds)
   - CONFIG_CMD_DEKBLOB=y (optional) ('dek_blob' cmd)
-  - CONFIG_OF_LIST=<single target> (at this time only a single board can be supported by the image so replace the list of models in configs/imx8*_venice_defconfig with just the model you want to support)
+  - CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000
  - Create a PKI tree and SRK table via the NXP Code Signing Tool
  - Construct boot firmware with a proper Command Sequence File (CSF) (CSF blobs are created with the NXP Code Signing Tool)
@@ -99 +97 @@
 {{{#!bash
 # checkout u-boot
-git clone https://github.com/Gateworks/uboot-venice.git -b v2021.07-venice
+git clone https://github.com/Gateworks/uboot-venice.git
 cd u-boot
 # setup cross toolchain environment (ie source setup-environment in Venice BSP dir)
@@ -105 +103 @@
 export CROSS_COMPILE="aarch64-linux-"
 export ARCH=arm64
-export ATF_LOAD_ADDR=0x920000 # IMX8MM
 # configure for venice board
 make imx8mm_venice_defconfig
-make menuconfig # select CONFIG_IMX_HAB=y 'Support i.MX HAB features' and CONFIG_OF_LIST to specify a single board dtb
+make menuconfig # select CONFIG_IMX_HAB=y and CONFIG_SPL_LOAD_FIT_ADDRESS=0x48000000
 make flash.bin
 }}}
-  * Use the v2021.07-venice U-Boot branch as this has support for IMX8M HAB
-  * Select a single board DTB for CONFIG_OF_LIST
- 3. create a signed_flash.bin using the [http://trac.gateworks.com/attachment/wiki/venice/secure_boot/sign_hab_imx8m.sh  sign_hab_imx8m.sh script]
+ 3. create a signed_flash.bin
 {{{#!bash
 # setup env to point to the CST
-export CST_DIR=/usr/src/nxp/cst-3.3.1/
+export CST_DIR=/usr/src/nxp/cst-3.3.2/
 export CST_BIN=$CST_DIR/linux64/bin/cst
-export SIGN_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
+export CSF_KEY=$CST_DIR/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem
 export IMG_KEY=$CST_DIR/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem
 export SRK_TABLE=$CST_DIR/crts/SRK_1_2_3_4_table.bin
-# sign it
-$ wget http://trac.gateworks.com/raw-attachment/wiki/venice/secure_boot/sign_hab_imx8m.sh 
-$ chmod +x sign_hab_imx8m.sh
-$ ./sign_hab_imx8m.sh 
-Install SRK
-Install CSFK
-Authenticate CSF
-Install key
-Authenticate data
-CSF Processed successfully and signed data available in csf_spl.bin
-Install SRK
-Install CSFK
-Authenticate CSF
-Install key
-Authenticate data
-CSF Processed successfully and signed data available in csf_fit.bin
-6472+0 records in
-6472+0 records out
-6472 bytes (6.5 kB, 6.3 KiB) copied, 0.0102526 s, 631 kB/s
-6488+0 records in
-6488+0 records out
-6488 bytes (6.5 kB, 6.3 KiB) copied, 0.0119102 s, 545 kB/s
-signed_flash.bin is ready!
-# create a JTAG image if needed
-mkimage_jtag --emmc -s signed_flash.bin@user:erase_none:66-32640 > signed_u-boot_spl-imx8mm.bin 
-}}}
-  * the script will create csf_spl.txt and csf_fit.txt which are templates used to create csf_spl.bin and csf_fit.bin which are then copied to the correct offsets in flash.bin to create signed_flash.bin 
-  * on a board without SRK Hash fuses programmed and flashed with this signed image the serial console will look this this:
-{{{#!bash
-U-Boot SPL 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
+export PATH=$CST_DIR/linux64/bin:$PATH
+# sign flash.bin
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+# create a JTAG image (if needed) using one of the following
+mkimage_jtag --emmc -s --partconf=boot0 \
+  flash.bin@boot0:erase_none:66-8192 > signed_u-boot_spl-imx8mm.bin # imx8mm emmc boot0 partition
+mkimage_jtag --emmc -s --partconf=boot0 \
+  flash.bin@boot0:erase_none:0-8192 > signed_u-boot_spl-imx8mm.bin # imx8mp/imx8mn emmc boot0 partition
+}}}
+  4. Program signed firmware image:
+{{{#!bash
+jtag_usbv4 -p signed_u-boot_spl-imx8mm.bin
+}}}
+  * Booting this would look something like the following:
+{{{#!bash
+U-Boot SPL 2023.04-00034-g1f567dfbe119 (Jun 23 2023 - 15:53:20 -0700)
 GSCv3   : v61 0x1d6f RST:VIN Thermal protection:disabled 
 RTC     : 1970-01-01   0:00:31 UTC
-Model   : GW7301-00-B1B
-Serial  : 852420
-MFGDate : 11-19-2021
-PMIC    : MP5416
-DRAM    : LPDDR4 1 GiB
-WDT:   Started with servicing (60s timeout)
-Trying to boot from MMC1
-DTB     : imx8mm-venice-gw73xx-0x
+Model   : GW7200-01-B1F
+Serial  : 935180
+MFGDate : 04-05-2023
+PMIC    : MP5416 (IMX8MM)
+DRAM    : LPDDR4 4 GiB 3000MT/s 1500MHz
+Failed to initialize caam_jr: -19
+WDT:   Started watchdog@30280000 with servicing every 1000ms (60s timeout)
+Trying to boot from eMMC
 hab fuse not enabled
 
-Authenticate image from DDR location 0x401fcdc0...
+Authenticate image from DDR location 0x48000000...
+DTB     : imx8mm-venice-gw72xx-0x
 NOTICE:  BL31: v2.4(release):f884ad7b0ba2
 NOTICE:  BL31: Built : 13:06:09, Oct 20 2021
 
 
-U-Boot 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
-
-CPU:   Freescale i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
-CPU:   Industrial temperature grade (-40C to 105C) at 34C
-Reset cause: POR
-Model: Gateworks Venice GW73xx-0x i.MX8MM Development Kit
-DRAM:  1 GiB
-WDT:   Started with servicing (60s timeout)
-MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
-Loading Environment from MMC... OK
-In:    serial
-Out:   serial
-Err:   serial
-Net:   DP83867 eth0: ethernet@30be0000 [PRIME]
-GSC     : boot watchdog disabled
-Hit any key to stop autoboot:  0 
-u-boot=>  
-}}}
-  - Note the 'hab fuse not enabled' and the 'Authenticate image from DDR location' messages
- 4. Program SRK Hash fuses from Step 1 into IMX OTP (using U-Boot and the keys from fuse bin)
+U-Boot 2023.04-00034-g1f567dfbe119 (Jun 23 2023 - 15:53:20 -0700)
+}}}
+  - Note the 'hab fuse not enabled' message which means the SEC_CONFIG[1] fuse is not blown and the device is not locked
+  - Note the 'Authenticate image from DDR location' messages which shows that image authentication is able to be used
+ 5. Program SRK Hash fuses from Step 1 into IMX OTP (using U-Boot and the keys from fuse bin)
 {{{#!bash
 fuse prog -y 6 0 0xDCE644DB
@@ -200 +167 @@
    * **Do not use the above fuse values - use values generated above from your serial/passphrase**
    * **OTP fuses can only be programmed once - be careful to use the correct values**
-  5. Program signed firmware image:
-{{{#!bash
-jtag_usbv4 -p signed_u-boot_spl-imx8mm.bin
-}}}
-  6. Boot it and verify no HAB events:
+  6. Boot it again and verify no HAB events:
 {{{#!bash
 u-boot=> hab_status
@@ -217 +180 @@
 }}}
   * This sets the SEC_CONFIG[1] fuse on the i.MX8M and once done the processor will not load an image that has not been signed using the correct PKI tree
-  * on a board with SRK Hash fuses programmed, SEC_CONFIG[1] set and flashed with a signed image the serial console will look this this:
-{{{#!bash
-U-Boot SPL 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
-GSCv3   : v58 0xf098 RST:VIN Thermal protection:enabled at 96C 
-RTC     : 1970-01-03  16:34:29 UTC
-Model   : GW7301-01-B1B
-Serial  : 852455
-MFGDate : 11-10-2020
-PMIC    : MP5416
-DRAM    : LPDDR4 4 GiB
-WDT:   Started with servicing (60s timeout)
-Trying to boot from MMC1
-DTB     : imx8mm-venice-gw73xx-0x
-
-Authenticate image from DDR location 0x401fcdc0...
-NOTICE:  BL31: v2.4(release):f884ad7b0ba2
-NOTICE:  BL31: Built : 13:06:09, Oct 20 2021
-
-
-U-Boot 2021.07-00087-g54ac394a7c74 (Jun 09 2023 - 14:39:52 -0700)
-
-CPU:   Freescale i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
-CPU:   Industrial temperature grade (-40C to 105C) at 30C
-Reset cause: POR
-Model: Gateworks Venice GW73xx-0x i.MX8MM Development Kit
-DRAM:  4 GiB
-WDT:   Started with servicing (60s timeout)
-MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
-Loading Environment from MMC... OK
-In:    serial
-Out:   serial
-Err:   serial
-Net:   DP83867 eth0: ethernet@30be0000 [PRIME]
-GSC     : boot watchdog disabled
-Thermal protection:enabled at 96C 
-Hit any key to stop autoboot:  0 
-}}}
-  - Note the 'Authenticate image from DDR location' message
+
+For more info see:
+ - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
+ - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+
 
 == HABv4 encrypted boot architecture