diff mbox

[U-Boot,v2,4/5] doc: imx6: add section for secure boot with SPL

Message ID 1478446678-130231-5-git-send-email-sven.ebenfeld@gmail.com
State Awaiting Upstream
Delegated to: Stefano Babic
Headers show

Commit Message

Sven Ebenfeld Nov. 6, 2016, 3:37 p.m. UTC 
Cc: sbabic@denx.de

Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
---
 doc/README.imx6 | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

Comments

George McCollister Nov. 10, 2016, 7:26 p.m. UTC | #1 
On Sun, Nov 6, 2016 at 9:37 AM, Sven Ebenfeld <sven.ebenfeld@gmail.com> wrote:
> Cc: sbabic@denx.de
>
> Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
> ---
>  doc/README.imx6 | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 48 insertions(+)
>

Reviewed-by: George McCollister <george.mccollister@gmail.com>
diff mbox

Patch

diff --git a/doc/README.imx6 b/doc/README.imx6
index 73b8b0b..add1d80 100644
--- a/doc/README.imx6
+++ b/doc/README.imx6
@@ -138,3 +138,51 @@  c
 The last "c" command tells kermit (from ckermit package in most distros)
 to switch from command line mode to communication mode, and when the
 script is finished, the U-Boot prompt is shown in the same shell.
+
+3. Using Secure Boot on i.MX6 machines with SPL support
+-------------------------------------------------------
+
+This version of U-Boot is able to build a signable version of the SPL
+as well as a signable version of the U-Boot image. The signature can
+be verified through High Assurance Boot (HAB).
+
+CONFIG_SECURE_BOOT is needed to build those two binaries.
+After building, you need to create a command sequence file and use
+Freescales Code Signing Tool to sign both binaries. After creation,
+the mkimage tool outputs the required information about the HAB Blocks
+parameter for the CSF.
+
+More information about the CSF and HAB can be found in the AN4581.
+https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
+
+We don't want to explain how to create a PKI tree or SRK table as
+this is well explained in the Application Note.
+
+Example Output of the SPL (imximage) creation:
+ Image Type:   Freescale IMX Boot Image
+ Image Ver:    2 (i.MX53/6/7 compatible)
+ Mode:         DCD
+ Data Size:    61440 Bytes = 60.00 kB = 0.06 MB
+ Load Address: 00907420
+ Entry Point:  00908000
+ HAB Blocks:   00907400 00000000 0000cc00
+
+Example Output of the u-boot-ivt.img (firmware_ivt) creation:
+ Image Name:   U-Boot 2016.11-rc1-31589-g2a4411
+ Created:      Sat Nov  5 21:53:28 2016
+ Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
+ Data Size:    352192 Bytes = 343.94 kB = 0.34 MB
+ Load Address: 17800000
+ Entry Point:  00000000
+ HAB Blocks:   0x177fffc0   0x0000   0x00054020
+
+The CST (Code Signing Tool) can be downloaded from NXP.
+# Compile CSF and create signature
+./cst --o csf-u-boot.bin < command_sequence_uboot.csf
+./cst --o csf-SPL.bin < command_sequence_spl.csf
+# Append compiled CSF to Binary
+cat SPL csf-SPL.bin > SPL-signed
+cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
+
+These two signed binaries can be used on an i.MX6 in closed
+configuration when the according SRK Table Hash has been flashed.
\ No newline at end of file