brain-hackers_pepepper-mirror/u-boot-brain
1
0
Fork 0
mirror of https://github.com/brain-hackers/u-boot-brain synced 2024-07-06 11:16:15 +09:00
Code Issues Projects Releases Wiki Activity
aff092ed13
u-boot-brain/doc/README.mxc_hab
Raul Cardenas 0200020bc2 imx6: Added DEK blob generator command 
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>

Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
2015-03-02 09:57:06 +01:00

97 lines
3.5 KiB
Plaintext
Raw Blame History

High Assurance Boot (HAB) for i.MX6 CPUs
To authenticate U-Boot only by the CPU there is no code required in
U-Boot itself. However, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).
The Initial Vector Table contains a pointer to the CSF. Please see
doc/README.imximage for how to prepare u-boot.imx.
The CSF itself is being generated by Freescale HAB tools.
mkimage will output additional information about "HAB Blocks"
which can be used in the Freescale tooling to authenticate U-Boot
(entries in the CSF file).
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 327680 Bytes = 320.00 kB = 0.31 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 0004dc00
^^^^^^^^ ^^^^^^^^ ^^^^^^^^
| | |
| | -------- (1)
| |
| ------------------- (2)
|
--------------------------- (3)
(1) Size of area in file u-boot.imx to sign
This area should include the IVT, the Boot Data the DCD
and U-Boot itself.
(2) Start of area in u-boot.imx to sign
(3) Start of area in RAM to authenticate
CONFIG_SECURE_BOOT currently enables only an additional command
'hab_status' in U-Boot to retrieve the HAB status and events. This
can be useful while developing and testing HAB.
Commands to generate a signed U-Boot using Freescale HAB tools:
cst --o U-Boot_CSF.bin < U-Boot.CSF
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
the imximage.cfg file.
Setup U-Boot Image for Encrypted Boot
-------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by Freescale's Code
Signing Tool (CST). The CST replaces only the image data of
u-boot.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data, remains in plaintext.
The image data is encrypted with a Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.
The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled:
CONFIG_SECURE_BOOT
CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */
CONFIG_FSL_CAAM
CONFIG_CMD_DEKBLOB
Note: The encrypted boot feature is only supported by HABv4 or
greater.
The dek_blob command then can be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:
dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192
The resulting DEK blob then is used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host.Then the following commands are used to construct
the final image.
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \
U-Boot_CSF.bin U-Boot_CSF_pad.bin
cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx
NOTE: u-boot-signed.bin needs to be padded to the value
equivalent to the address in which the DEK blob is specified
in the CSF.
Reference in New Issue View Git Blame Copy Permalink