diff options
Diffstat (limited to 'doc/imx/habv4/guides/mx8m_encrypted_boot.txt')
-rw-r--r-- | doc/imx/habv4/guides/mx8m_encrypted_boot.txt | 102 |
1 files changed, 74 insertions, 28 deletions
diff --git a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt index bb9b6b80f0..5a5f2bd835 100644 --- a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt +++ b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt @@ -41,19 +41,25 @@ The diagram below illustrates an encrypted flash.bin image layout: Signed | ------- +-----------------------------+ | Data | Enc ^ | u-boot-spl.bin | | | Data | | + | | SPL - v v | DDR FW | | Image + | | | DDR FW | | Image + | | | + | | + v v | Hash of FIT FDT | | ------------------ +-----------------------------+ | | CSF - SPL + DDR FW | v +-----------------------------+ -------- | DEK Blob | +-----------------------------+ | Padding | - ------- +-----------------------------+ -------- - Signed ^ | FDT - FIT | ^ - Data | +-----------------------------+ | - v | IVT - FIT | | - ------- +-----------------------------+ | - | CSF - FIT | | + ------------------ +-----------------------------+ -------- + ^ Signed ^ | FDT - FIT | ^ + | Data | +-----------------------------+ | + Signed | v | IVT - FIT | | + Data | ------- +-----------------------------+ | +(optional) | CSF - FIT | | + | +-----------------------------+ | + v | IVT - FIT FDT (optional) | | + ------------------ +-----------------------------+ | + | CSF - FIT FDT (optional) | | ------------------ +-----------------------------+ | ^ | u-boot-nodtb.bin | | FIT | +-----------------------------+ | Image @@ -81,6 +87,7 @@ by following one of the methods below: CONFIG_CMD_DEKBLOB=y CONFIG_IMX_OPTEE_DEK_ENCAP=y CONFIG_CMD_PRIBLOB=y + CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y (Optional, for FIT FDT signature only) - Kconfig @@ -166,7 +173,9 @@ Command Sequence File (CSF): Second Loader IMAGE: sld_header_off 0x57c00 sld_csf_off 0x58c20 - sld hab block: 0x401fcdc0 0x57c00 0x1020 + sld hab block: 0x401fadc0 0x57c00 0x1020 + fit-fdt csf_off 0x5ac20 + fit-fdt hab block: 0x401fadc0 0x57c00 0x3020 - Additional HAB information is provided by running the following command: @@ -176,10 +185,10 @@ Command Sequence File (CSF): ./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \ ./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb - 0x40200000 0x5AC00 0xB0318 - 0x402B0318 0x10AF18 0x8628 - 0x920000 0x113540 0xA160 - 0xBE000000 0x11D6A0 0x48520 + 0x40200000 0x5CC00 0xB0318 + 0x402B0318 0x10CF18 0x8628 + 0x920000 0x115540 0xA160 + 0xBE000000 0x11F6A0 0x48520 1.6 Creating the CSF description file for SPL + DDR FW image ------------------------------------------------------------- @@ -332,7 +341,7 @@ file. [Authenticate Data] ... - Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin" + Blocks = 0x401FADC0 0x57C00 0x1020 "flash-spl-enc.bin" - Add the Install Secret Key command to generate the dek_fit.bin file and install the blob. The Blob Address is a fixed address defined in imx-mkimage @@ -356,10 +365,10 @@ file. imx-mkimage output: - 0x40200000 0x5AC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940 - 0x402B0318 0x10AF18 0x8628 ──┘ - 0x920000 0x113540 0xA160 - 0xBE000000 0x11D6A0 0x48520 + 0x40200000 0x5CC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940 + 0x402B0318 0x10CF18 0x8628 ──┘ + 0x920000 0x115540 0xA160 + 0xBE000000 0x11F6A0 0x48520 Decrypt data in csf_fit_enc.txt: @@ -367,9 +376,9 @@ file. [Decrypt Data] ... - Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ - 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ - 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" + Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \ + 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \ + 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin" 1.8.2 csf_fit_sign_enc.txt --------------------------- @@ -384,10 +393,10 @@ The second CSF is used to sign the encrypted FIT image previously generated [Authenticate Data] ... - Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin" - 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \ - 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \ - 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin" + Blocks = 0x401fadc0 0x57c00 0x1020 "flash-spl-fit-enc.bin" + 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \ + 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \ + 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin" - Add the Install Secret Key command to generate a dummy DEK blob file, @@ -408,9 +417,28 @@ The second CSF is used to sign the encrypted FIT image previously generated [Decrypt Data] ... - Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ - 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \ - 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin" + Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \ + 0x920000 0x115540 0xA160"flash-spl-fit-enc-dummy.bin", \ + 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc-dummy.bin" + +1.8.3 (Optional) csf_fit_fdt.txt +--------------------------- + +When optional FIT FDT signature is used, user needs third CSF to sign encrypted-flash.bin +generated by 1.11.2. Because FIT FDT structure is not encrypted, so this step will not +encrypt any data. + +- FIT FDT signature "Authenticate Data" addresses in flash.bin build log: + + fit-fdt hab block: 0x401fadc0 0x57c00 0x3020 + +- "Authenticate Data" command in csf_fit_fdt.txt file: + + For example: + + [Authenticate Data] + ... + Blocks = 0x401fadc0 0x57c00 0x3020 "encrypted-flash.bin" 1.9 Encrypting and signing the FIT image ----------------------------------------- @@ -503,6 +531,10 @@ The CSF offsets can be obtained from the flash.bin build log: sld_csf_off 0x58c20 +- (Optional) FIT FDT CSF offset: + + fit-fdt csf_off 0x5ac20 + The encrypted flash.bin image can be then assembled: - Create a flash-spl-fit-enc.bin copy: @@ -539,7 +571,21 @@ The encrypted flash.bin image can be then assembled: $ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc -1.11.3 Flash encrypted boot image +1.11.3 (Optional) Create and Insert FIT FDT CSF +----------------------------------- + +If FIT FDT signature is used, users need to continue sign the encrypted-flash.bin +with csf_fit_fdt.txt CSF file + +- Create FIT FDT CSF binary file + + $ ./cst -i csf_fit_fdt.txt -o csf_fit_fdt.bin + +- Insert csf_fit_fdt.bin in encrypted-flash.bin at 0x5ac20 offset: + + $ dd if=csf_fit_fdt.bin of=encrypted-flash.bin seek=$((0x5ac20)) bs=1 conv=notrunc + +1.11.4 Flash encrypted boot image ----------------------------------- - Flash encrypted image in SDCard: |