Hi Saverio,
2018-01-24 5:35 GMT-02:00 Saverio Mori saverio.mori@gmail.com:
Hi Breno Lima, Thank you very much, indeed this is the answer that i need. Perhaps could you give me some more details on realizing encrypted boot using the yocto project platform?
Currently is not possible to sign or encrypt a U-Boot image using Yocto project, the CST (Code Signing Tool) is only available at NXP portal. You can build U-Boot using Yocto with the following configurations enabled and sign/encrypt this image with CST.
CONFIG_SECURE_BOOT=y CONFIG_CMD_DEKBLOB=y
This patch from Fabio Estevam can be also helpful: https://lists.denx.de/pipermail/u-boot/2018-January/317847.html
Thanks, Breno Lima
All The Best,
Saverio
Il 20/01/2018 16:00, Breno Matheus Lima ha scritto:
Hi Saveiro,
2018-01-19 16:45 GMT-02:00 Saverio Mori saverio.mori@gmail.com:
Hi Breno Lima, For the moment we have not secure boot, we use "plain" u-boot running on a module board equipped with an "open" i.MX6UL processor, and we are newbies in the field of secure boot. We wish that our firmware works only on approved hardware, and not on common one. From what we have read, secured boot allow that only approved FW works on prepared HW; our problem is just the reciprocal, i.e. allow running of our FW only on approved boards. In other words, a secured FW can works on a unsecured board (while a secured board requires a secured FW), we wish to block this situation. All The Best,
You can have more details about secure boot in doc/README.mxc_hab file.
The application note AN4581 can be also helpful: https://www.nxp.com/docs/en/application-note/AN4581.pdf
The secure boot is intended to prepare your device to just run authenticated SW, once your SRK Hash and SEC_CONFIG fuse are programmed you can only execute authenticated bootloader on this device.
If you want that your SW can be only executed on approved hardware you can refer to encrypted boot, which is supported on i.MX6UL.
You can find more details in doc/README.mxc_hab file and also in NXP community. Currently there is no application note provided by NXP about encrypted boot: https://community.nxp.com/docs/DOC-330622
Note that dek_blob command can be only executed in closed devices, so you need to run an authenticated U-Boot to prepare an encrypted boot image.
Let us know if you have any questions during the process.
Thanks, Breno Lima
Saverio M.
Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
Hi Saverio,
2018-01-19 11:12 GMT-02:00 Saverio Mori saverio.mori@gmail.com:
Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
Can you please share more details about this verification you want to achieve? Are you currently running a signed U-Boot in a closed device (eFuse SEC_CONFIG = 1)?
Thanks, Breno Lima