Testing Secure Boot Deployment on NXP iMX8

2022-8-30 12:12 Category: MCU / Embedded

By Qin Hai, Toradex

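1). Introduction

Starting with the NXP iMX8/iMX8x processors, low-level control modules such as the SCU and SECO handle boot management and other low-level initialization. Secure Boot support was upgraded accordingly to the Advanced High Assurance Boot (AHAB) feature, as distinct from the HABv4 feature used on iMX6/iMX8MM/iMX8MP processors. Both AHAB and HABv4 implement Secure Boot with public key cryptography and digital signatures. The SCU coordinates the boot components and the boot flow, while the SECO verifies signed image files and authorizes them to be loaded and run. A simple flow diagram is shown below. This article tests a Secure Boot deployment on the NXP iMX8 platform.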

[Figure: AHAB Secure Boot flow diagram]

 

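The platform used for this demonstration is the Toradex Apalis iMX8 embedded platform, which is based on the recently released NXP iMX8 series of ARM processors with Cortex-A72/A53 cores.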

 

 

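2). Preparation

a). An Apalis iMX8 ARM computer-on-module with an Ixora carrier board, with the debug serial port connected for testing

b). Download the Toradex Yocto Linux BSP5 image as described here for the tests that follow; the latest version at the time of writing is 5.7.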

 

 

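3). Generating the PKI Tree Files

a). Download the Code Signing Tools package from the NXP website (registration required); the latest version at the time of writing is 3.3.1. After extracting it, use the bundled scripts to generate the Public Key Infrastructure (PKI) tree that is used later to sign the U-Boot and Linux Kernel image files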

--------------------------------

$ cp .../cst-3.3.1.tgz ~/.

$ cd ~

$ tar xvf cst-3.3.1.tgz

$ tree -L 1 cst-3.3.1/

cst-3.3.1/

├── ca

├── code

├── crts

├── docs

├── keys

├── LICENSE.bsd3

├── LICENSE.hidapi

├── LICENSE.openssl

├── linux32

├── linux64

├── mingw32

├── osx

├── Release_Notes.txt

└── Software_Content_Register_CST.txt

--------------------------------

 

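b). Generate the PKI tree

./ Change the CST tool's default serial and key_pass. Because this article is only a test, the defaults are left unchanged; in a real deployment, change them as needed to keep the keys secure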

--------------------------------

$ cd ~/cst-3.3.1/keys

### default serial number for OpenSSL certification ###

$ cat serial

1234567C

### default key_pass for protection of private keys

$ cat key_pass.txt

test

test

--------------------------------

 

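./ Run the script shipped with the CST tool to generate the PKI tree interactively. This example generates a P384 ECC SRK PKI tree; other options can be chosen, including a PKI tree that contains subordinate SGK keys. For more detail, see the following document in the U-Boot source tree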

https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

--------------------------------

### generate P384 ECC PKI TREE ###

$ ./ahab_pki_tree.sh

  ...

  Do you want to use an existing CA key (y/n)?: n

  Do you want to use Elliptic Curve Cryptography (y/n)?: y

  Enter length for elliptic curve to be used for PKI tree:

  Possible values p256, p384, p521:  p384

  Enter the digest algorithm to use: sha384

  Enter PKI tree duration (years): 5

  Do you want the SRK certificates to have the CA flag set? (y/n)?: n

### check generated SRK keys ###

$ ls SRK*

SRK1_sha384_secp384r1_v3_usr_key.der  SRK2_sha384_secp384r1_v3_usr_key.pem  SRK4_sha384_secp384r1_v3_usr_key.der

SRK1_sha384_secp384r1_v3_usr_key.pem  SRK3_sha384_secp384r1_v3_usr_key.der  SRK4_sha384_secp384r1_v3_usr_key.pem

SRK2_sha384_secp384r1_v3_usr_key.der  SRK3_sha384_secp384r1_v3_usr_key.pem

### generate SRK Table and SRK Hash ###

$ cd ../crts/

$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \
      -e SRK_1_2_3_4_fuse.bin -f 1 -c \
      SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem

### check SRK Table and SRK Hash ###

$ ls SRK_*

SRK_1_2_3_4_fuse.bin  SRK_1_2_3_4_table.bin

--------------------------------

 

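c). The two files generated last are the ones needed later for signing and for fusing the device. "SRK_1_2_3_4_table.bin" is the SRK Table, used to sign the Container Image; "SRK_1_2_3_4_fuse.bin" is the SRK Hash, which is programmed into the eFuses of the Apalis iMX8 device. For more on using the CST tool, see the CST User Guide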

cst-3.3.1/docs/CST_UG.pdf

 

 

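4). Boot Container Configuration and Signing

a). Download the U-Boot source code for Toradex Yocto Linux BSP 5.x.y as described here. The default configuration does not enable AHAB support, so enable the following option in the config and rebuild to produce a new U-Boot file, u-boot.bin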

--------------------------------

→ ARM architecture

  • Support i.MX8 AHAB features

    --------------------------------

     

    b). Following the U-Boot download-and-build article above and the reference below, use the newly built U-Boot file to generate the Apalis iMX8 Boot Container Image file flash.bin

    https://www.toradex.cn/blog/nxp-imx8-scfw-heboot-container-image-bian-yi

     

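    c). Rename the flash.bin file generated in the previous step to imx-boot, then update it to the Apalis iMX8 module with Toradex Easy Installer as described here and boot to the U-Boot command line. The following command shows that AHAB has been enabled successfully, but because the Boot Container Image is not signed, a 0xEE event is reported.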

    --------------------------------

    ### check AHAB enable status ###

    Apalis iMX8 # ahab_status

    Lifecycle: 0x0020, NXP closed

     

    SECO Event[0] = 0x0087EE00

            CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

            IND = AHAB_NO_AUTHENTICATION_IND (0xEE)

     

    sc_seco_get_event: idx: 1, res:3

    --------------------------------

     

    d). Use the CST tool to sign the Boot Container Image file flash.bin that was generated with imx-mkimage in the previous step

    --------------------------------

    ### copy boot container image file to CST tool containing folder ###

    $ cp .../imx-mkimage/iMX8QM/flash.bin ~/

    ### copy CSF template to CST tool containing folder ###

    $ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_boot_image.txt ~/

    ### modify csf_boot_image.txt to adopt your settings ###

    vi csf_boot_image.txt

     

    [Header]

    Target = AHAB

    Version = 1.0

     

    [Install SRK]

    # SRK table generated by srktool

    File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

    # Public key certificate in PEM format

    Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

    # Index of the public key certificate within the SRK table (0 .. 3)

    Source index = 0

    # Type of SRK set (NXP or OEM)

    Source set = OEM

    # bitmask of the revoked SRKs

    Revocations = 0x0

     

    [Authenticate Data]

    # Binary to be signed generated by mkimage

    File = "flash.bin"

    # Offsets = Container header  Signature block (printed out by mkimage)

    Offsets   = 0x400             0x590

     

    ### sign boot container image ###

    ./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin

    Install SRK

    Authenticate data

    CSF Processed successfully and signed image available in flash_signed.bin

    --------------------------------

     

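    e). Rename the signed flash_signed.bin file from the previous step to imx-boot and update it to the Apalis iMX8 module. The AHAB status output now changes as follows: because the corresponding hash has not yet been programmed into the Apalis iMX8 eFuses, a 0xFA event is reported.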

    --------------------------------

    ### check AHAB enable status ###

    Apalis iMX8 # ahab_status

    Lifecycle: 0x0020, NXP closed

     

    SECO Event[0] = 0x0087FA00

            CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

            IND = AHAB_BAD_KEY_HASH_IND (0xFA)

     

    sc_seco_get_event: idx: 1, res:3

    --------------------------------

     

    f). Program the SRK Hash

    ./ The signed Boot Container Image is verified against the SRK Hash programmed into the iMX8 SoC SRK_HASH[511:0] fuses

    ./ Dump the values for the SRK HASH fuses

    --------------------------------

    ### dump SRK HASH fuse value ###

    $ od -t x4 ~/cst-3.3.1/crts/SRK_1_2_3_4_fuse.bin

    0000000 7ef8ad2a 4a3e54b6 ffa3df87 1774beb6

    0000020 6f7b4d2e a9e90a59 c5fa9ea2 55c59bf4

    0000040 b55aa0b9 8b30c2ec 519814df 26a0f058

    0000060 52c0edda 7e686983 4bf5f8d7 27d7727a

    --------------------------------

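    ./ Enter the Apalis iMX8 U-Boot command line and program the fuses with the following commands. These fuses are one-time programmable, so make sure every value is written correctly the first time. Fuse addresses also differ between SoCs: the ones below apply only to iMX8QM; for iMX8X, consult the documentation and adjust them.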

    --------------------------------

    Apalis iMX8 # fuse prog 0 722 7ef8ad2a

    Apalis iMX8 # fuse prog 0 723 4a3e54b6

    Apalis iMX8 # fuse prog 0 724 ffa3df87

    Apalis iMX8 # fuse prog 0 725 1774beb6

    Apalis iMX8 # fuse prog 0 726 6f7b4d2e

    ...

    Apalis iMX8 # fuse prog 0 736 4bf5f8d7

    Apalis iMX8 # fuse prog 0 737 27d7727a

    --------------------------------

     

    For convenience, the commands above can be put into a U-Boot script file and executed, or run through an NXP Universal Update Utility (UUU) script similar to the following

    --------------------------------

    # This command will be run when ROM support stream mode

    # i.MX8QXP, i.MX8QM

    SDPS: boot -f imx-boot

    # refer related module tezi image recovery folder uuu.auto file

    CFG: FB: -vid 0x0525 -pid 0x4000

    CFG: FB: -vid 0x0525 -pid 0x4025

    CFG: FB: -vid 0x0525 -pid 0x402F

    CFG: FB: -vid 0x0525 -pid 0x4030

    CFG: FB: -vid 0x0525 -pid 0x4031

     

    SDPU: delay 1000

     

    FB: ucmd setenv cmd 'fuse prog -y 0'

     

    FB: ucmd ${cmd} 722 0x7ef8ad2a

    FB: ucmd ${cmd} 723 0x......

    ...

    FB: ucmd ${cmd} 737 0x27d7727a

     

    FB: done

    --------------------------------
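
An added example, not part of the original article: a Python helper that derives the `fuse prog` lines from SRK_1_2_3_4_fuse.bin and checks a hand-typed or pasted command script against the file before anything is burned. It assumes the iMX8QM layout used above (bank 0, words 722 to 737) and a 64-byte fuse file; the function names and the sample blob are constructed for illustration.

```python
import re
import struct

# Assumption taken from the commands above: on i.MX8QM the SRK hash occupies
# bank 0, fuse words 722..737. i.MX8X uses other words; change FIRST_WORD there.
BANK, FIRST_WORD, WORD_COUNT = 0, 722, 16

CMD_RE = re.compile(r"^fuse prog (?:-y )?(\d+) (\d+) (?:0x)?([0-9a-fA-F]{8})$")


def srk_words(fuse_blob: bytes) -> list:
    """Split the fuse file into 32-bit little-endian words, the same view
    `od -t x4` gives on a little-endian host."""
    if len(fuse_blob) != WORD_COUNT * 4:
        raise ValueError(f"SRK hash must be {WORD_COUNT * 4} bytes, got {len(fuse_blob)}")
    if not any(fuse_blob):
        raise ValueError("SRK hash is all zeros; wrong or empty file")
    return list(struct.unpack(f"<{WORD_COUNT}I", fuse_blob))


def fuse_commands(fuse_blob: bytes) -> list:
    """Emit one U-Boot `fuse prog` line per fuse word."""
    return [f"fuse prog {BANK} {FIRST_WORD + i} {w:08x}"
            for i, w in enumerate(srk_words(fuse_blob))]


def check_script(fuse_blob: bytes, script: str) -> list:
    """Return the problems found in a command script; an empty list means
    every SRK word is programmed exactly once with the value from the file."""
    expected = dict(zip(range(FIRST_WORD, FIRST_WORD + WORD_COUNT), srk_words(fuse_blob)))
    problems, seen = [], set()
    for n, line in enumerate(script.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a well-formed fuse prog command: {line!r}")
            continue
        bank, word, value = int(m[1]), int(m[2]), int(m[3], 16)
        if bank != BANK or word not in expected:
            problems.append(f"line {n}: bank {bank} word {word} is outside the SRK hash range")
        elif word in seen:
            problems.append(f"line {n}: word {word} programmed twice")
        elif value != expected[word]:
            problems.append(f"line {n}: word {word} is {value:08x}, file has {expected[word]:08x}")
        seen.add(word)
    missing = sorted(set(expected) - seen)
    if missing:
        problems.append(f"missing words: {missing}")
    return problems


if __name__ == "__main__":
    blob = bytes(range(64))  # constructed sample, not a real SRK hash
    script = "\n".join(fuse_commands(blob))
    print(script)
    print("problems:", check_script(blob, script))
```

For a real run, read the blob with `open("SRK_1_2_3_4_fuse.bin", "rb").read()` and only program the fuses when `check_script` returns an empty list.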

     

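    g). Once the SRK HASH has been programmed, the AHAB status output changes as follows. Closing the device is safe only in this state; otherwise the device will no longer boot.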

    --------------------------------

    ### check AHAB enable status ###

    Apalis iMX8 # ahab_status

    Lifecycle: 0x0020, NXP closed

     

    sc_seco_get_event: idx: 1, res:3

    No SECO Events Found!

    --------------------------------
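
The pre-close check described above, as an added example (not code from the original article or from U-Boot): it parses captured `ahab_status` console text and lists every reason `ahab_close` should not be run yet. The byte positions of CMD and IND are inferred from the outputs shown in this article (0x0087EE00 gives CMD 0x87, IND 0xEE), and the function names are hypothetical.

```python
import re

# Only the codes that appear in the console outputs above are named; any other
# command or indicator byte is reported as a number instead of being guessed.
CMD_NAMES = {0x87: "AHAB_AUTH_CONTAINER_REQ"}
IND_NAMES = {0xEE: "AHAB_NO_AUTHENTICATION_IND", 0xFA: "AHAB_BAD_KEY_HASH_IND"}

EVENT_RE = re.compile(r"SECO Event\[(\d+)\]\s*=\s*0x([0-9A-Fa-f]{8})")
LIFECYCLE_RE = re.compile(r"Lifecycle:\s*0x([0-9A-Fa-f]+)")
CLEAN_MARKER = "No SECO Events Found!"

# Console captures reduced to the lines the parser reads, taken from the
# three ahab_status outputs in this article.
UNSIGNED = "Lifecycle: 0x0020, NXP closed\nSECO Event[0] = 0x0087EE00\n"
BAD_HASH = "Lifecycle: 0x0020, NXP closed\nSECO Event[0] = 0x0087FA00\n"
CLEAN = ("Lifecycle: 0x0020, NXP closed\n"
         "sc_seco_get_event: idx: 1, res:3\n"
         "No SECO Events Found!\n")


def decode_event(word):
    """Split a SECO event word into its command and indicator bytes."""
    cmd, ind = (word >> 16) & 0xFF, (word >> 8) & 0xFF
    return {"cmd": cmd, "ind": ind,
            "cmd_name": CMD_NAMES.get(cmd, f"0x{cmd:02X}"),
            "ind_name": IND_NAMES.get(ind, f"0x{ind:02X}")}


def close_blockers(console_text):
    """Return the reasons ahab_close must not be run yet; [] means the
    capture shows a complete status read with no SECO events."""
    reasons = []
    if not LIFECYCLE_RE.search(console_text):
        reasons.append("no Lifecycle line: capture is incomplete")
    matches = list(EVENT_RE.finditer(console_text))
    for m in matches:
        ev = decode_event(int(m.group(2), 16))
        reasons.append(f"SECO event {m.group(1)}: {ev['cmd_name']} -> {ev['ind_name']}")
    # An absent event list is only trusted when U-Boot said so explicitly.
    if not matches and CLEAN_MARKER not in console_text:
        reasons.append(f"missing {CLEAN_MARKER!r}: status was not fully read")
    return reasons


if __name__ == "__main__":
    for name, text in (("unsigned", UNSIGNED), ("bad hash", BAD_HASH), ("clean", CLEAN)):
        print(name, "->", close_blockers(text) or "safe to close")
```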

     

    h). For more on this step, see the following documents

    ./ U-Boot documentation

    https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

    ./ NXP Application Note - AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB

     

     

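    5). Signing the OS Container Image Containing the Linux Kernel and Device Tree

    a). This step is optional. If Linux Kernel Secure Boot is not needed, skip it and close the device directly.

     

    b). Extract the Toradex Yocto Linux BSP 5.7 Multimedia Image to obtain the Linux Kernel and the Device Tree file to be loaded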

    --------------------------------

    ### uncompress BSP Image package ###

    $ tar xvf Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20.tar

    $ cd Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/

    ### uncompress boot filesystem ###

    $ mkdir bootfs/

    $ tar Jxf Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz -C bootfs/

    ### copy Kernel and Device Tree files to imx-mkimage tools related device folder ###

    $ cd bootfs/

    $ gzip -d Image.gz

    $ cp Image imx8qm-apalis-v1.1-eval.dtb .../imx-mkimage/iMX8QM/

    --------------------------------

     

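    c). Generate the OS Container Image with the imx-mkimage tool

    ./ Modify the default configuration as follows so that the Linux Kernel and Device Tree file names and load addresses match the configuration of your device. In the default Toradex U-Boot configuration the Kernel load address is 0x96000000 and the Device Tree load address is 0x83000000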

    --------------------------------

    --- a/iMX8QM/soc.mak 2022-08-19 17:31:57.488554800 +0800

    +++ b/iMX8QM/soc.mak 2022-08-22 15:15:45.393002799 +0800

    @@ -140,8 +140,8 @@

     flash_scfw: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin

      ./$(MKIMG) -soc QM -rev B0 -dcd skip -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -out flash.bin

     

    -flash_kernel: $(MKIMG) Image fsl-imx8qm-mek.dtb

    - ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x80280000 --data fsl-imx8qm-mek.dtb 0x83000000 -out flash.bin

    +flash_kernel: $(MKIMG) Image imx8qm-apalis-v1.1-eval.dtb

    + ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x96000000 --data imx8qm-apalis-v1.1-eval.dtb 0x83000000 -out flash_os.bin

     

     flash_ca72: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-atf.bin

      ./$(MKIMG) -soc QM -rev B0 -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a72 0x80000000 -out flash.bin
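
    Review bot: the new flash_kernel recipe hard-codes the load addresses 0x96000000 (Image) and 0x83000000 (dtb) on the mkimage line, and nothing records that they must equal the kernel_addr_r and fdt_addr_r that U-Boot later passes to booti. If the two ever drift apart, booti starts from memory that the container authentication did not populate. Suggest lifting them into make variables (for example KERNEL_LOAD_ADDR and DTB_LOAD_ADDR, names hypothetical) with a comment naming the matching U-Boot variables. Writing the output to flash_os.bin instead of flash.bin is a good change, since this target no longer overwrites the boot container.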

    --------------------------------

    ./ Generate the OS Container Image file flash_os.bin, and record the IVT_OFFSET + IMAGE_OFFSET values at the end of the build output for use in the CSF file definition later.

    --------------------------------

    $ cd .../imx-mkimage/

    make SOC=iMX8QM flash_kernel

    ...

    CST: CONTAINER 0 offset: 0x0

    CST: CONTAINER 0: Signature Block: offset is at 0x110

    DONE.

    Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET

    --------------------------------

     

    d). Sign the newly generated OS Container Image with the CST tool

    ./ Prepare the CSF file

    --------------------------------

    ### copy CSF template to CST tool containing folder ###

    $ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_linux_img.txt ~/

    ### modify csf_linux_img.txt to adopt your settings ###

    vi csf_linux_img.txt

    [Header]

    Target = AHAB

    Version = 1.0

     

    [Install SRK]

    # SRK table generated by srktool

    File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

    # Public key certificate in PEM format

    Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

    # Index of the public key certificate within the SRK table (0 .. 3)

    Source index = 0

    # Type of SRK set (NXP or OEM)

    Source set = OEM

    # bitmask of the revoked SRKs

    Revocations = 0x0

     

    [Authenticate Data]

    # Binary to be signed generated by mkimage

    File = "flash_os.bin"

    # Offsets = Container header  Signature block (printed out by mkimage)

    Offsets   = 0x0             0x110

    --------------------------------

     

    ./ Sign it to obtain the signed OS Container Image file "os_cntr_signed.bin"

    --------------------------------

    $ cp .../imx-mkimage/iMX8QM/flash_os.bin ~/

    ./cst-3.3.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin

    --------------------------------

     

     

    6). Deploying the OS Container Image

    a). Put the OS Container Image back into the bootfs extracted earlier from the Yocto Linux Multimedia BSP 5.7, and recreate the bootfs archive

    --------------------------------

    ### copy signed os container image to bsp rootfs folder ###

    $ cp os_cntr_signed.bin .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

    ### remove default boot script and linux kernel/device tree files ###

    $ cd .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

    $ rm boot.scr Image *.dtb

    ### check bootfs files ###

    $ tree -L 2

    .

    ├── dpfw.bin

    ├── hdmitxfw.bin

    ├── os_cntr_signed.bin

    ├── overlays

    │   ├── apalis-imx8_ar0521_overlay.dtbo

    │   ├── apalis-imx8_atmel-mxt_overlay.dtbo

    │   ├── apalis-imx8_hdmi_overlay.dtbo

    │   ├── apalis-imx8_lvds_overlay.dtbo

    │   ├── apalis-imx8_mezzanine-can_overlay.dtbo

    │   ├── apalis-imx8_mezzanine_lvds_overlay.dtbo

    │   ├── apalis-imx8_mezzanine_ov5640_overlay.dtbo

    │   ├── apalis-imx8_ov5640_overlay.dtbo

    │   ├── apalis-imx8_resistive-touch_overlay.dtbo

    │   ├── display-dpi-lt170410_overlay.dtbo

    │   ├── display-edt5.7_overlay.dtbo

    │   ├── display-edt7_overlay.dtbo

    │   ├── display-fullhd_overlay.dtbo

    │   ├── display-lt161010_overlay.dtbo

    │   ├── display-lt170410_overlay.dtbo

    │   ├── display-vga_overlay.dtbo

    │   └── touch-atmel-mxt_overlay.dtbo

    └── overlays.txt

     

    1 directory, 21 files

    ### compress new bootfs package ###

    $ tar Jcf ../Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz *

    ### clear bootfs

    $ cd ..

    $ rm -rf bootfs/

    --------------------------------

     

    b). Modify the "u-boot-initial-env-sd" file in the BSP package, adding the following environment variables for Secure Boot

    ./ As commands

    --------------------------------

    ### set boot device info mmc 0:1 ###

    Apalis iMX8 # setenv pre_boot 'devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd \"load ${devtype} ${devnum}:1\"; fi'

    ### signed os container image loading info ###

    Apalis iMX8 # setenv cntr_addr '0x98000000'

    Apalis iMX8 # setenv cntr_file 'os_cntr_signed.bin'

    Apalis iMX8 # setenv cntr_load '${load_cmd} ${cntr_addr} ${cntr_file}'

    ### authenticate signed os container image ###

    Apalis iMX8 # setenv auth_os 'auth_cntr ${cntr_addr}'

    ### device tree overlay apply ###

    Apalis iMX8 # setenv overlays_file 'overlays.txt'

    Apalis iMX8 # setenv overlays_prefix 'overlays/'

    Apalis iMX8 # setenv load_overlays_file '${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}'

    Apalis iMX8 # setenv fdt_resize 'fdt addr ${fdt_addr_r} && fdt resize 0x20000'

    Apalis iMX8 # setenv apply_overlays 'for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}\${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true'

    Apalis iMX8 # setenv bootcmd_overlays 'run load_overlays_file && run fdt_resize && run apply_overlays'

    ### kernel/dtb loading ###

    Apalis iMX8 # setenv bootcmd_boot 'echo "Bootargs: \${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}'

    ### config for all boot process ###

    Apalis iMX8 # setenv bootcmd_run 'run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false'

    ### auto run config ###

    Apalis iMX8 # setenv bootcmd 'run bootcmd_run'

    --------------------------------

    ./ As a file definition

    --------------------------------

    --- a/u-boot-initial-env-sd 2022-08-29 17:22:27.668166883 +0800

    +++ b/u-boot-initial-env-sd 2022-08-29 17:52:18.795402902 +0800

    @@ -1,4 +1,4 @@

    -bootcmd=run distro_bootcmd

    +bootcmd=run bootcmd_run

     bootdelay=1

     baudrate=115200

     ipaddr=192.168.10.2
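
    Review bot: bootdelay=1 is left unchanged in the context of this hunk, so autoboot can still be interrupted from the serial console, which lands at a U-Boot prompt where an image can be loaded and booted without auth_cntr. Replacing bootcmd alone does not pin the boot path; for a closed device, consider bootdelay=-2 (autoboot without checking for abort) and removing the distro_bootcmd definition rather than only dropping the reference to it.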

    @@ -71,4 +71,16 @@

     video=imxdpufb5:off video=imxdpufb6:off video=imxdpufb7:off

     setup=run loadhdp; hdp load ${hdp_addr}; run mmcargs

     defargs=pci=nomsi

    -

    +pre_boot=devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd "load ${devtype} ${devnum}:1"; fi

    +cntr_addr=0x98000000

    +cntr_file=os_cntr_signed.bin

    +cntr_load=${load_cmd} ${cntr_addr} ${cntr_file}

    +auth_os=auth_cntr ${cntr_addr}

    +overlays_file=overlays.txt

    +overlays_prefix=overlays/

    +load_overlays_file=${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}

    +fdt_resize=fdt addr ${fdt_addr_r} && fdt resize 0x20000

    +apply_overlays=for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true

    +bootcmd_overlays=run load_overlays_file && run fdt_resize && run apply_overlays

    +bootcmd_boot=echo "Bootargs: ${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}

    +bootcmd_run=run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false
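
    Review bot: in bootcmd_run, bootcmd_overlays runs after auth_os, so overlays.txt and every .dtbo it names are loaded with ${load_cmd} from the boot partition and applied to the device tree without authentication. The signed container covers only Image and the base dtb, so whoever can write the boot partition can still change the device tree the kernel boots with. Suggest merging the required overlays into the dtb before signing, or dropping run bootcmd_overlays from bootcmd_run. Also, on failure the chain ends in echo ... && false, which returns to the U-Boot prompt; a closed device would normally reset or halt at that point.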

    --------------------------------

     

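    c). Note that authentication and loading for the Kernel stage of Secure Boot are implemented with U-Boot commands. To make this boot mechanism more secure and reliable, U-Boot must stay on the secure boot path described above and must not be able to boot from other boot media or scripts that bypass Secure Boot. For example, Toradex U-Boot enables Distro Boot by default, which automatically scans external media for boot scripts, so that feature needs to be disabled. U-Boot customizations of this kind have to be configured for the actual use case.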

     

     

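    7). Deployment Test

    a). Update the Secure Boot image built above to the Apalis iMX8 module with Toradex Easy Installer as described here

    ./ After boot, first enter the U-Boot command line and check the AHAB status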

    --------------------------------

    Apalis iMX8 # ahab_status

    Lifecycle: 0x0020, NXP closed

     

    sc_seco_get_event: idx: 0, res:3

    No SECO Events Found!

    --------------------------------

     

    ./ Then reboot and check the boot log: with Secure Boot, U-Boot, the Linux Kernel and the Rootfs are all loaded successfully

    --------------------------------

    U-Boot 2020.04-06964-g33bb8e9683 (Aug 15 2022 - 15:32:22 +0800)

     

    CPU:   NXP i.MX8QM RevB A53 at 1200 MHz

     

    DRAM:  4 GiB

    MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2

    Loading Environment from MMC... OK

    In:    serial

    Out:   serial

    Err:   serial

    Model: Toradex Apalis iMX8 QuadMax 4GB Wi-Fi / BT IT V1.1B, Serial# 06738378

     

     BuildInfo:

      - SCFW 216a2c2e, SECO-FW c9de51c0, IMX-MKIMAGE fe124bce, ATF 2fa8c63

      - U-Boot 2020.04-06964-g33bb8e9683

     

    switch to partitions #0, OK

    mmc0(part 0) is current device

    flash target is MMC:0

    Net:   eth0: ethernet@5b040000

    Fastboot: Normal

    Normal Boot

    Hit any key to stop autoboot:  0

    switch to partitions #0, OK

    mmc0(part 0) is current device

    25877504 bytes read in 787 ms (31.4 MiB/s)

    Authenticate OS container at 0x98000000

    43 bytes read in 12 ms (2.9 KiB/s)

    Applying Overlay: apalis-imx8_hdmi_overlay.dtbo

    2177 bytes read in 31 ms (68.4 KiB/s)

    106496 bytes read in 16 ms (6.3 MiB/s)

    Loading hdp firmware from 0x000000009c000000 offset 0x0000000000002000

    Loading hdp firmware Complete

    Bootargs: console=ttyLP1 earlycon,115200 root=PARTUUID=e8daf485-02 rootwait mmcdev=0

    ## Flattened Device Tree blob at 83000000

       Booting using the fdt blob at 0x83000000

       Loading Device Tree to 00000000fd5fc000, end 00000000fd648fff ... OK

     

    Starting kernel ...

     

    [    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]

    [    0.000000] Linux version 5.4.193-5.7.0+git.f78299297185 (oe-user@oe-host) (gcc version 9.2

    ...

    [  OK  ] Started Start a wayland application.

    [  OK  ] Reached target Multi-User System.

    [  OK  ] Reached target Graphical Interface.

             Starting Update UTMP about System Runlevel Changes...

    [  OK  ] Started Update UTMP about System Runlevel Changes.

     

    TDX Wayland with XWayland 5.7.0+build.20 (dunfell) apalis-imx8-06738378 ttyLP1

    Apalis-iMX8_Reference-Multimedia-Image

     

    apalis-imx8-06738378 login:

    --------------------------------

     

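    b). Close the device

    The tests above confirm that Secure Boot works from U-Boot through the Linux Kernel, so the device can now be closed by running the following command at the U-Boot command line. Note that after this operation, unsigned images can no longer be loaded and run on this module, so proceed with care.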

    --------------------------------

    Apalis iMX8 # ahab_close

    --------------------------------

     

     

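    8). Summary

    This article demonstrated AHAB-based Secure Boot on the NXP iMX8 processor, covering U-Boot, the Linux Kernel and the Device Tree. Encrypting the Rootfs requires something like a read-only Squashfs file system combined with a minimal initramfs boot image that decrypts and mounts it at boot; the following two articles can be used together as a reference. This article does not test that part.

    ./ Encrypting disk partitions with dm-crypt on embedded ARM platforms

    ./ Improving embedded Linux file system reliability with Squashfs and Overlayfs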

     

    References

    https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

    https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

    NXP Application Note AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB


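  • Author: hai.qin_651820742, Source: 面包板社区

    Link: https://mbb.eet-china.com/blog/uid-me-1864768.html

    Copyright notice: this article is the blogger's original work and may not be reproduced without the author's permission!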
