From: Breno Matheus Lima
To: Fabio Estevam, "sbabic@denx.de"
Date: Wed, 10 Oct 2018 01:10:44 +0000
Message-ID: <1539133788-55-6-git-send-email-breno.lima@nxp.com>
Cc: Stefan Agner, Breno Matheus Lima, "u-boot@lists.denx.de"
Subject: [U-Boot] [PATCH 5/7] doc: imx: hab: Reorganize High Assurance Boot documentation

The current High Assurance Boot document README.mxc_hab includes details for
the following features in a single file:

- HAB Secure Boot
- HAB Encrypted Boot

Split HAB documentation in a specific directory for a cleaner documentation
structure; subsequent patches will include more content in HAB
documentation.

Signed-off-by: Breno Lima
--- doc/imx/hab/habv4/encrypted_boot.txt | 43 ++++++++++++++++++ .../habv4/secure_boot.txt} | 44 ------------------- 2 files changed, 43 insertions(+), 44 deletions(-) create mode 100644 doc/imx/hab/habv4/encrypted_boot.txt rename doc/imx/{README.mxc_hab => hab/habv4/secure_boot.txt} (68%) diff --git a/doc/imx/hab/habv4/encrypted_boot.txt b/doc/imx/hab/habv4/encrypted_boot.txt new file mode 100644 index 0000000000..c59d204d38 --- /dev/null 
+++ b/doc/imx/hab/habv4/encrypted_boot.txt @@ -0,0 +1,43 @@ +1. Setup U-Boot Image for Encrypted Boot +---------------------------------------- +An authenticated U-Boot image is used as starting point for +Encrypted Boot. The image is encrypted by i.MX Code Signing +Tool (CST). The CST replaces only the image data of +u-boot-dtb.imx with the encrypted data. The Initial Vector Table, +DCD, and Boot data, remains in plaintext. + +The image data is encrypted with a Encryption Key (DEK). +Therefore, this key is needed to decrypt the data during the +booting process. The DEK is protected by wrapping it in a Blob, +which needs to be appended to the U-Boot image and specified in +the CSF file. + +The DEK blob is generated by an authenticated U-Boot image with +the dek_blob cmd enabled. The image used for DEK blob generation +needs to have the following configurations enabled in Kconfig: + +CONFIG_SECURE_BOOT=y +CONFIG_CMD_DEKBLOB=y + +Note: The encrypted boot feature is only supported by HABv4 or +greater. + +The dek_blob command then can be used to generate the DEK blob of +a DEK previously loaded in memory. The command is used as follows: + +dek_blob +example: dek_blob 0x10800000 0x10801000 192 + +The resulting DEK blob then is used to construct the encrypted +U-Boot image. Note that the blob needs to be transferred back +to the host.Then the following commands are used to construct +the final image. + +cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx +objcopy -I binary -O binary --pad-to --gap-fill=0x00 \ + u-boot-signed.imx u-boot-signed-pad.bin +cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx + + NOTE: u-boot-signed.bin needs to be padded to the value + equivalent to the address in which the DEK blob is specified + in the CSF. diff --git a/doc/imx/README.mxc_hab b/doc/imx/hab/habv4/secure_boot.txt similarity index 68% rename from doc/imx/README.mxc_hab rename to doc/imx/hab/habv4/secure_boot.txt index a40ebf3e84..ae68dc8040 100644 
--- a/doc/imx/README.mxc_hab +++ b/doc/imx/hab/habv4/secure_boot.txt @@ -98,47 +98,3 @@ cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img These two signed binaries can be used on an i.MX in closed configuration when the according SRK Table Hash has been flashed. - -4. Setup U-Boot Image for Encrypted Boot ----------------------------------------- -An authenticated U-Boot image is used as starting point for -Encrypted Boot. The image is encrypted by i.MX Code Signing -Tool (CST). The CST replaces only the image data of -u-boot-dtb.imx with the encrypted data. The Initial Vector Table, -DCD, and Boot data, remains in plaintext. - -The image data is encrypted with a Encryption Key (DEK). -Therefore, this key is needed to decrypt the data during the -booting process. The DEK is protected by wrapping it in a Blob, -which needs to be appended to the U-Boot image and specified in -the CSF file. - -The DEK blob is generated by an authenticated U-Boot image with -the dek_blob cmd enabled. The image used for DEK blob generation -needs to have the following configurations enabled in Kconfig: - -CONFIG_SECURE_BOOT=y -CONFIG_CMD_DEKBLOB=y - -Note: The encrypted boot feature is only supported by HABv4 or -greater. - -The dek_blob command then can be used to generate the DEK blob of -a DEK previously loaded in memory. The command is used as follows: - -dek_blob -example: dek_blob 0x10800000 0x10801000 192 - -The resulting DEK blob then is used to construct the encrypted -U-Boot image. Note that the blob needs to be transferred back -to the host.Then the following commands are used to construct -the final image. - -cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx -objcopy -I binary -O binary --pad-to --gap-fill=0x00 \ - u-boot-signed.imx u-boot-signed-pad.bin -cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx - - NOTE: u-boot-signed.bin needs to be padded to the value - equivalent to the address in which the DEK blob is specified - in the CSF.
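Review bot: In the new doc/imx/hab/habv4/encrypted_boot.txt, the image construction commands do not agree on file names: objcopy writes u-boot-signed-pad.bin, the following cat reads u-boot-signed-pad.imx, and the NOTE talks about padding u-boot-signed.bin. Since the text is being moved anyway, pick one name for the padded image and use it in all three places so the steps can be followed as written and the pad offset that has to match the DEK blob address in the CSF is applied to the file that is actually concatenated. While there, "a Encryption Key (DEK)" should read "a Data Encryption Key (DEK)", "host.Then" is missing a space, and IVT on i.MX stands for Image Vector Table, not "Initial Vector Table".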
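Review bot: With section 4 removed at @@ -98,47 +98,3 @@, secure_boot.txt now ends at "These two signed binaries can be used on an i.MX in closed configuration ..." with no pointer to where the encrypted boot steps went, and encrypted_boot.txt opens with "An authenticated U-Boot image is used as starting point" without saying where that procedure is documented. Add a one-line cross-reference in each file. The diffstat also lists only these two files, so please check the tree for remaining references to doc/imx/README.mxc_hab and update them in this patch.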