doc: mxc_hab: Move HAB related info to the appropriate doc

Currently the High Assurance Boot procedure is documented in two
places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
This commit is contained in:
Breno Lima 2018-02-22 00:42:55 +00:00 committed by Stefano Babic
parent f0d5bd4ba5
commit b887f0a68e
2 changed files with 54 additions and 51 deletions

View File

@ -113,51 +113,3 @@ issue the command:
In order to load SPL and u-boot.img via imx_usb_loader tool,
please refer to doc/README.sdp.
3. Using Secure Boot on i.MX6 machines with SPL support
-------------------------------------------------------
This version of U-Boot is able to build a signable version of the SPL
as well as a signable version of the U-Boot image. The signature can
be verified through High Assurance Boot (HAB).
CONFIG_SECURE_BOOT is needed to build those two binaries.
After building, you need to create a command sequence file and use
Freescales Code Signing Tool to sign both binaries. After creation,
the mkimage tool outputs the required information about the HAB Blocks
parameter for the CSF. During the build, the information is preserved
in log files named as the binaries. (SPL.log and u-boot-ivt.log).
More information about the CSF and HAB can be found in the AN4581.
https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
We don't want to explain how to create a PKI tree or SRK table as
this is well explained in the Application Note.
Example Output of the SPL (imximage) creation:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
Load Address: 00907420
Entry Point: 00908000
HAB Blocks: 00907400 00000000 0000cc00
Example Output of the u-boot-ivt.img (firmware_ivt) creation:
Image Name: U-Boot 2016.11-rc1-31589-g2a4411
Created: Sat Nov 5 21:53:28 2016
Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
Load Address: 17800000
Entry Point: 00000000
HAB Blocks: 0x177fffc0 0x0000 0x00054020
The CST (Code Signing Tool) can be downloaded from NXP.
# Compile CSF and create signature
./cst --o csf-u-boot.bin < command_sequence_uboot.csf
./cst --o csf-SPL.bin < command_sequence_spl.csf
# Append compiled CSF to Binary
cat SPL csf-SPL.bin > SPL-signed
cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
These two signed binaries can be used on an i.MX6 in closed
configuration when the according SRK Table Hash has been flashed.

View File

@ -1,4 +1,5 @@
High Assurance Boot (HAB) for i.MX6 CPUs
1. High Assurance Boot (HAB) for i.MX CPUs
------------------------------------------
To enable the authenticated or encrypted boot mode of U-Boot, it is
required to set the proper configuration for the target board. This
@ -52,8 +53,58 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.
Setup U-Boot Image for Encrypted Boot
-------------------------------------
2. Using Secure Boot on i.MX6 machines with SPL support
-------------------------------------------------------
This version of U-Boot is able to build a signable version of the SPL
as well as a signable version of the U-Boot image. The signature can
be verified through High Assurance Boot (HAB).
CONFIG_SECURE_BOOT is needed to build those two binaries.
After building, you need to create a command sequence file and use
Freescales Code Signing Tool to sign both binaries. After creation,
the mkimage tool outputs the required information about the HAB Blocks
parameter for the CSF. During the build, the information is preserved
in log files named as the binaries. (SPL.log and u-boot-ivt.log).
More information about the CSF and HAB can be found in the AN4581.
https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
We don't want to explain how to create a PKI tree or SRK table as
this is well explained in the Application Note.
Example Output of the SPL (imximage) creation:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
Load Address: 00907420
Entry Point: 00908000
HAB Blocks: 00907400 00000000 0000cc00
Example Output of the u-boot-ivt.img (firmware_ivt) creation:
Image Name: U-Boot 2016.11-rc1-31589-g2a4411
Created: Sat Nov 5 21:53:28 2016
Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
Load Address: 17800000
Entry Point: 00000000
HAB Blocks: 0x177fffc0 0x0000 0x00054020
The CST (Code Signing Tool) can be downloaded from NXP.
# Compile CSF and create signature
./cst --o csf-u-boot.bin < command_sequence_uboot.csf
./cst --o csf-SPL.bin < command_sequence_spl.csf
# Append compiled CSF to Binary
cat SPL csf-SPL.bin > SPL-signed
cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
These two signed binaries can be used on an i.MX6 in closed
configuration when the according SRK Table Hash has been flashed.
3. Setup U-Boot Image for Encrypted Boot
-----------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of