By Toradex秦海

1).?簡介

由于NXP從iMX8/iMX8x處理器開始引入了SCU/SECO等底層控制模塊來進(jìn)行包含啟動(dòng)管理等多項(xiàng)底層初始化功能，因此對(duì)于Secure Boot功能支持，也同樣升級(jí)為Advanced High Assurance Boot (AHAB)?特性來配合，以區(qū)別于iMX6/iMX8MM/iMX8MP處理器所使用的HABv4特性；AHAB和HABv4都是基于公共密鑰加密?(Public Key Cryptography)?和數(shù)字簽名?(Digital Signature)?技術(shù)來實(shí)現(xiàn)Secure Boot的，SCU負(fù)責(zé)協(xié)調(diào)各個(gè)啟動(dòng)組件和流程，SECO用于驗(yàn)證簽名的Image文件并授權(quán)加載運(yùn)行，一個(gè)簡單的流程圖參考如下。本文就基于NXP iMX8平臺(tái)測(cè)試部署Secure Boot功能。

本文所演示的平臺(tái)來自于Toradex?Apalis?iMX8嵌入式平臺(tái)，這個(gè)平臺(tái)是基于近年發(fā)布的NXP iMX8系列ARM處理器，核心為Cortex-A72/A53。

2.?準(zhǔn)備

a).?Apalis iMX8 ARM核心版配合Ixora?載板，并連接調(diào)試串口用于測(cè)試。

b).?參考這里下載Toradex Ycoto Linux BSP5 Image用于后續(xù)測(cè)試，目前最新的是5.7版本。

3).?生成PKI Tree文件

a).?從NXP官方網(wǎng)站下載Code Signing Tools軟件包（需注冊(cè)），目前最新版本是3.3.1版本，然后解壓后使用預(yù)設(shè)的腳本生成Public Key Infrastructure (PKI) tree，用于后面簽名U-boot/Linux Kernel Image文件

--------------------------------

$ cp .../cst-3.3.1.tgz ~/.

$ cd ~

$ tar xvf cst-3.3.1.tgz

$ tree -L 1 cst-3.3.1/

cst-3.3.1/

├──?ca

├──?code

├──?crts

├──?docs

├──?keys

├──?LICENSE.bsd3

├──?LICENSE.hidapi

├──?LICENSE.openssl

├──?linux32

├──?linux64

├──?mingw32

├──?osx

├──?Release_Notes.txt

└──?Software_Content_Register_CST.txt

--------------------------------

b).?生成PKI TREE

./?修改CST工具默認(rèn)的serial和key_pass，本文因?yàn)閮H測(cè)試需要?jiǎng)t保持默認(rèn)沒有修改，實(shí)際應(yīng)用可以根據(jù)需要自行修改以保證安全

--------------------------------

$ cd ~/cst-3.3.1/keys

### default serial number for OpenSSL certification ###

$ cat serial

1234567C

### default key_pass for protection of private keys

$ cat key_pass.txt

test

test

--------------------------------

./?運(yùn)行CST工具預(yù)制腳本通過交互方式生成PKI TREE，這里生成一個(gè)P384 ECC SRK PKI TREE示例，還可以選擇其他選項(xiàng)或者生成包含下級(jí)SGK Key的PKI TREE，更多可以參考如下U-Boot源代碼中的文檔說明

https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

--------------------------------

### generate P384 ECC PKI TREE ###

$ ./ahab_pki_tree.sh

??...

??Do you want to use an existing CA key (y/n)?: n

??Do you want to use Elliptic Curve Cryptography (y/n)?: y

??Enter length for elliptic curve to be used for PKI tree:

??Possible values p256, p384, p521: ?p384

??Enter the digest algorithm to use: sha384

??Enter PKI tree duration (years): 5

??Do you want the SRK certificates to have the CA flag set? (y/n)?: n

### check generated SRK keys ###

$ ls SRK*

SRK1_sha384_secp384r1_v3_usr_key.der ?SRK2_sha384_secp384r1_v3_usr_key.pem ?SRK4_sha384_secp384r1_v3_usr_key.der

SRK1_sha384_secp384r1_v3_usr_key.pem ?SRK3_sha384_secp384r1_v3_usr_key.der ?SRK4_sha384_secp384r1_v3_usr_key.pem

SRK2_sha384_secp384r1_v3_usr_key.der ?SRK3_sha384_secp384r1_v3_usr_key.pem

### generate SRK Table?和?SRK Hash ###

$ cd ../crts/

$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \

??????-e SRK_1_2_3_4_fuse.bin -f 1 -c \

??????SRK1_sha384_secp384r1_v3_usr_crt.pem,\

??????SRK2_sha384_secp384r1_v3_usr_crt.pem,\

??????SRK3_sha384_secp384r1_v3_usr_crt.pem,\

??????SRK4_sha384_secp384r1_v3_usr_crt.pem

### check SRK Table and SRK Hash ###

$ ls SRK_*

SRK_1_2_3_4_fuse.bin ?SRK_1_2_3_4_table.bin

--------------------------------

c).?上面最后生成的兩個(gè)文件就是我們后面簽名和fuse設(shè)備需要用到的，”SRK_1_2_3_4_table.bin”?文件是SRK Table，用于簽名Container Image；”SRK_1_2_3_4_fuse.bin”?文件是SRK Hash，用于fuse到Apalis iMX8設(shè)備的eFuse。更多CST工具使用說明可以參考如下CST User Guide文檔

cst-3.3.1/docs/CST_UG.pdf

?

?

4).?Boot Container?配置和簽名

a).?參考這里說明下載Toradex Ycoto?Linux?BSP 5.x.y版本U-boot源代碼，默認(rèn)配置并未使能AHAB功能支持，需要在config中使能如下選項(xiàng)，并重新編譯生成新的U-Boot文件?”u-boot.bin”

--------------------------------

→?ARM architecture

[*] Support i.MX8 AHAB features

--------------------------------

b).?參考上面U-boot源碼下載編譯文章以及下面參考文檔，使用編譯生成的U-Boot文件生成Apalis iMX8 Boot Container Image文件”flash.bin”

NXP iMX8 SCFW和Boot Container Image編譯

c).?此時(shí)先將上一步驟生成的?“flash.bin”?文件重命名為?“imx-boot”，然后通過這里的說明通過Toradex Easy Installer更新到Apalis iMX8模塊并啟動(dòng)進(jìn)入U(xiǎn)-Boot命令行，通過如下命令可以查看AHAB功能以及使能成功，但是由于Boot Container Image并未簽名，因此提示?“0xEE”?事件。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087EE00

????????CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

????????IND = AHAB_NO_AUTHENTICATION_IND (0xEE)

sc_seco_get_event: idx: 1, res:3

--------------------------------

d).?通過CST工具對(duì)上一步驟使用?imx-mkimage?生成的Boot Container Image?“flash.bin”?文件進(jìn)行簽名

--------------------------------

### copy boot container image file to CST tool containing folder ###

$ cp .../imx-mkimage/iMX8QM/flash.bin ~/

### copy CSF template to CST tool containing folder ###

$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_boot_image.txt?~/

### modify?csf_boot_image.txt?to adopt your settings ###

vi csf_boot_image.txt

[Header]

Target = AHAB

Version = 1.0

[Install SRK]

# SRK table generated by srktool

File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

# Public key certificate in PEM format

Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

# Index of the public key certificate within the SRK table (0 .. 3)

Source index = 0

# Type of SRK set (NXP or OEM)

Source set = OEM

# bitmask of the revoked SRKs

Revocations = 0x0

[Authenticate Data]

# Binary to be signed generated by mkimage

File = "flash.bin"

# Offsets = Container header ?Signature block (printed out by mkimage)

Offsets ??= 0x400 ????????????0x590

### sign boot container image ###

./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin

Install SRK

Authenticate data

CSF Processed successfully and signed image available in flash_signed.bin

--------------------------------

e).?此時(shí)再將上一步驟簽名成功的?“flash_signed.bin”?文件重命名為?“imx-boot”?并更新到Apalis iMX8模塊上面，此時(shí)AHAB狀態(tài)命令變化如下，因?yàn)椴⑽磳?duì)應(yīng)的Hash燒寫到Apalis iMX8 eFuse，因此提示?“0xEA”?事件。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087FA00

????????CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

????????IND = AHAB_BAD_KEY_HASH_IND (0xFA)

sc_seco_get_event: idx: 1, res:3

--------------------------------

f).?燒寫SRK Hash

./?簽名的Boot Container Image文件要通過iMX8 SOC SRK_HASH[511:0] fuse燒寫的SRK Hash進(jìn)行校驗(yàn)

./?導(dǎo)出SRK HASH fuse對(duì)應(yīng)數(shù)值

--------------------------------

### dump SRK HASH fuse value ###

$ od -t x4?~/cst-3.3.1/crts/SRK_1_2_3_4_fuse.bin

0000000 7ef8ad2a 4a3e54b6 ffa3df87 1774beb6

0000020 6f7b4d2e a9e90a59 c5fa9ea2 55c59bf4

0000040 b55aa0b9 8b30c2ec 519814df 26a0f058

0000060 52c0edda 7e686983 4bf5f8d7 27d7727a

--------------------------------

./?進(jìn)入Apalis iMX8 U-Boot命令行，通過如下命令寫入fuses，注意這些fuses都是一次寫入的，因此請(qǐng)務(wù)必保證一次寫入正確。另外不同的SOC有不同的地址，如下只適用于iMX8QM，如果是iMX8X要參考文檔修改。

--------------------------------

Apalis iMX8 #?fuse prog 0 722 7ef8ad2a

Apalis iMX8 #?fuse prog 0 723?4a3e54b6

Apalis iMX8 #?fuse prog 0 724?ffa3df87

Apalis iMX8 #?fuse prog 0 725?1774beb6

Apalis iMX8 #?fuse prog 0 726?6f7b4d2e

...

Apalis iMX8 #?fuse prog 0 736?4bf5f8d7

Apalis iMX8 #?fuse prog 0 737?27d7727a

--------------------------------

為了操作方便，可以將上述命令生成U-Boot腳本文件來執(zhí)行，或者可以通過類似如下?NXP Universal Update Utility (UUU)工具腳本來進(jìn)行操作

--------------------------------

# This command will be run when ROM support stream mode

# i.MX8QXP, i.MX8QM

SDPS: boot -f imx-boot

# refer related module tezi image recovery folder uuu.auto file

CFG: FB: -vid 0x0525 -pid 0x4000

CFG: FB: -vid 0x0525 -pid 0x4025

CFG: FB: -vid 0x0525 -pid 0x402F

CFG: FB: -vid 0x0525 -pid 0x4030

CFG: FB: -vid 0x0525 -pid 0x4031

SPDU: delay 1000

FB: ucmd setenv cmd 'fuse prog -y 0'

FB: ucmd ${cmd} 722 0x7ef8ad2a

FB: ucmd ${cmd} 723 0x......

...

FB: ucmd ${cmd} 737 0x27d7727a

FB: done

--------------------------------

e).?SRK HASH燒寫完成后，AHAB狀態(tài)命令變化如下，只有如下狀態(tài)下close設(shè)備才是安全的，否則設(shè)備就無法啟動(dòng)了。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

sc_seco_get_event: idx: 1, res:3

No SECO Events Found!

--------------------------------

f).?更多關(guān)于此步驟的說明請(qǐng)參考如下文檔

./ U-Boot documentation

mx8_mx8x_secure_boot.txt ? guides ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

./ NXP Application Note - AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB

5).?簽名包含Linux kernel?和?Device?Tree文件的OS Container Image?

a).?此步驟為可選步驟，如果不需要Linux Kernel Secure Boot功能則無需操作直接close設(shè)備即可。

b).?解壓Toradex Ycoto Linux BSP 5.7 Multimedia Image，獲得LInux Kernel和需要加載的Device Tree文件

--------------------------------

### uncompress BSP Image package ###

$ tar xvf Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20.tar

$ cd Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/

### uncompress boot filesystem ###

$ mkdir bootfs/

$ tar?Jxf?Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz -C bootfs/

### copy Kernel and Device Tree files to imx-mkimage tools related device folder ###

$ cd bootfs/

$ gzip -d Image.gz

$ cp Image imx8qm-apalis-v1.1-eval.dtb .../imx-mkimage/iMX8QM/

--------------------------------

b).?使用?imx-mkimage?工具生成?OS Container Image

./?如下修改默認(rèn)配置，將Linux Kernel和Device Tree文件的命名和加載地址修改為適合你當(dāng)前設(shè)備定義的配置，Toradex U-Boot默認(rèn)配置Kernel?加載地址為?“0x96000000”，Device Tree加載地址為?“0x83000000”。

--------------------------------

--- a/iMX8QM/soc.mak?2022-08-19 17:31:57.488554800 +0800

+++ b/iMX8QM/soc.mak?2022-08-22 15:15:45.393002799 +0800

@@ -140,8 +140,8 @@

?flash_scfw: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin

??./$(MKIMG) -soc QM -rev B0 -dcd skip -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -out flash.bin

-flash_kernel: $(MKIMG) Image fsl-imx8qm-mek.dtb

-?./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x80280000 --data fsl-imx8qm-mek.dtb 0x83000000 -out flash.bin

+flash_kernel: $(MKIMG) Image imx8qm-apalis-v1.1-eval.dtb

+?./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x96000000 --data imx8qm-apalis-v1.1-eval.dtb 0x83000000 -out flash_os.bin

?flash_ca72: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-atf.bin

??./$(MKIMG) -soc QM -rev B0 -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a72 0x80000000 -out flash.bin

--------------------------------

./?生成?OS Container Image?文件?“flash_os.bin”，并記錄生成記錄最后的IVT_OFFSET + IMAGE_OFFSET數(shù)值用于后續(xù)CSF文件定義。

--------------------------------

$ cd .../imx-mkimage/

$?make SOC=iMX8QM flash_kernel

...

CST: CONTAINER 0 offset: 0x0

CST: CONTAINER 0: Signature Block: offset is at 0x110

DONE.

Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET

--------------------------------

c).?使用CST工具簽名剛才生成的OS Container Image

./?準(zhǔn)備CSF文件

--------------------------------

### copy CSF template to CST tool containing folder ###

$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_linux_img.txt?~/

### modify?csf_linux_img.txt?to adopt your settings ###

vi csf_linux_img.txt

[Header]

Target = AHAB

Version = 1.0

[Install SRK]

# SRK table generated by srktool

File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

# Public key certificate in PEM format

Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

# Index of the public key certificate within the SRK table (0 .. 3)

Source index = 0

# Type of SRK set (NXP or OEM)

Source set = OEM

# bitmask of the revoked SRKs

Revocations = 0x0

[Authenticate Data]

# Binary to be signed generated by mkimage

File = "flash_os.bin"

# Offsets = Container header ?Signature block (printed out by mkimage)

Offsets ??= 0x0 ????????????0x110

--------------------------------

./?簽名，獲得簽名好的OS Container Image?文件?“os_cntr_signed.bin”

--------------------------------

$ cp .../imx-mkimage/iMX8QM/flash_os.bin ~/

$?./cst-3.3.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin

--------------------------------

6).?部署OS Container Image

a).?將OS Container Image重新部署到剛才解壓的Ycoto Linux Multimedia BSP5.7 bootfs中，并重新創(chuàng)建bootfs?壓縮包

--------------------------------

### copy signed os container image to bsp rootfs folder ###

$ cp os_cntr_signed.bin?.../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

### remove default boot script and linux kernel/device tree files ###

$ cd .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

$ rm boot.scr Image *.dtb

### check bootfs files ###

$ tree -L 2

.

├── dpfw.bin

├── hdmitxfw.bin

├── os_cntr_signed.bin

├── overlays

│?? ├── apalis-imx8_ar0521_overlay.dtbo

│?? ├── apalis-imx8_atmel-mxt_overlay.dtbo

│?? ├── apalis-imx8_hdmi_overlay.dtbo

│?? ├── apalis-imx8_lvds_overlay.dtbo

│?? ├── apalis-imx8_mezzanine-can_overlay.dtbo

│?? ├── apalis-imx8_mezzanine_lvds_overlay.dtbo

│?? ├── apalis-imx8_mezzanine_ov5640_overlay.dtbo

│?? ├── apalis-imx8_ov5640_overlay.dtbo

│?? ├── apalis-imx8_resistive-touch_overlay.dtbo

│?? ├── display-dpi-lt170410_overlay.dtbo

│?? ├── display-edt5.7_overlay.dtbo

│?? ├── display-edt7_overlay.dtbo

│?? ├── display-fullhd_overlay.dtbo

│?? ├── display-lt161010_overlay.dtbo

│?? ├── display-lt170410_overlay.dtbo

│?? ├── display-vga_overlay.dtbo

│?? └── touch-atmel-mxt_overlay.dtbo

└── overlays.txt

1 directory, 21 files

### compress new bootfs package ###

$ tar Jcf ../Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz *

### clear bootfs

$ cd ..

$ rm -rf bootfs/

--------------------------------

b).?修改BSP package中的?“u-boot-initial-env-sd”?文件，增加如下環(huán)境變量用于Secure Boot

./?命令方式格式

--------------------------------

### set boot device info mmc 0:1 ###

Apalis iMX8 # setenv pre_boot 'devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd \"load ${devtype} ${devnum}:1\"; fi'

### signed os container image loading info ###

Apalis iMX8 # setenv cntr_addr '0x98000000'

Apalis iMX8 # setenv cntr_file 'os_cntr_signed.bin'

Apalis iMX8 # setenv cntr_load '${load_cmd} ${cntr_addr} ${cntr_file}'

### authenticate signed os container image ###

Apalis iMX8 # setenv auth_os 'auth_cntr ${cntr_addr}'

### device tree overlay apply ###

Apalis iMX8 # setenv overlays_file 'overlays.txt'

Apalis iMX8 # setenv overlays_prefix 'overlays/'

Apalis iMX8 # setenv load_overlays_file '${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}'

Apalis iMX8 # setenv fdt_resize 'fdt addr ${fdt_addr_r} && fdt resize 0x20000'

Apalis iMX8 #?setenv?apply_overlays 'for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}\${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true'

Apalis iMX8 # setenv bootcmd_overlays 'run load_overlays_file && run fdt_resize && run apply_overlays'

### kernel/dtb loading ###

Apalis iMX8 # setenv bootcmd_boot 'echo "Bootargs: \${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}'

### config for all boot process ###

Apalis iMX8 # setenv bootcmd_run 'run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false'

### auto run config ###

Apalis iMX8 # setenv bootcmd 'run bootcmd_run'

--------------------------------

./?文件方式定義

--------------------------------

---?a/u-boot-initial-env-sd?2022-08-29 17:22:27.668166883 +0800

+++?b/u-boot-initial-env-sd?2022-08-29 17:52:18.795402902 +0800

@@ -1,4 +1,4 @@

-bootcmd=run distro_bootcmd

+bootcmd=run bootcmd_run

?bootdelay=1

?baudrate=115200

?ipaddr=192.168.10.2

@@ -71,4 +71,16 @@

?video=imxdpufb5:off video=imxdpufb6:off video=imxdpufb7:off

?setup=run loadhdp; hdp load ${hdp_addr}; run mmcargs

?defargs=pci=nomsi

-

+pre_boot=devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd "load ${devtype} ${devnum}:1"; fi

+cntr_addr=0x98000000

+cntr_file=os_cntr_signed.bin

+cntr_load=${load_cmd} ${cntr_addr} ${cntr_file}

+auth_os=auth_cntr ${cntr_addr}

+overlays_file=overlays.txt

+overlays_prefix=overlays/

+load_overlays_file=${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}

+fdt_resize=fdt addr ${fdt_addr_r} && fdt resize 0x20000

+apply_overlays=for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true

+bootcmd_overlays=run load_overlays_file && run fdt_resize && run apply_overlays

+bootcmd_boot=echo "Bootargs: ${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}

+bootcmd_run=run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false

--------------------------------

c).?需要注意的是由于Kernel階段的Secure Boot相關(guān)認(rèn)證和加載都是基于U-Boot命令行來實(shí)現(xiàn)的， 因此如果要讓這個(gè)啟動(dòng)機(jī)制更加安全可靠，則要讓U-Boot保持在上述安全啟動(dòng)路徑，而不能通過其他啟動(dòng)介質(zhì)或者腳本來啟動(dòng)而繞開Secure Boot，比如Toradex U-Boot默認(rèn)是使能Distro Boot功能的，可以自動(dòng)掃描外設(shè)介質(zhì)的啟動(dòng)腳本，那么這個(gè)功能就需要關(guān)閉掉，類似這樣的U-Boot定制化需要自行根據(jù)實(shí)際使用場景來配置。

7).?部署測(cè)試

a).?參考這里將上述制作的支持Secure Boot的Image通過Toradex Easy Installer更新到Apalis iMX8模塊

./啟動(dòng)后首先進(jìn)入U(xiǎn)-Boot命令行下，測(cè)試AHAB狀態(tài)

--------------------------------

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

sc_seco_get_event: idx: 0, res:3

No SECO Events Found!

--------------------------------

./?然后重新啟動(dòng)，查看啟動(dòng)log，Secure Boot成功完整加載U-Boot、Linux Kernel和Rootfs

--------------------------------

U-Boot 2020.04-06964-g33bb8e9683 (Aug 15 2022 - 15:32:22 +0800)

CPU: ??NXP i.MX8QM RevB A53 at 1200 MHz

DRAM: ?4 GiB

MMC: ??FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2

Loading Environment from MMC... OK

In: ???serial

Out: ??serial

Err: ??serial

Model: Toradex Apalis iMX8 QuadMax 4GB Wi-Fi / BT IT V1.1B, Serial# 06738378

?BuildInfo:

??- SCFW 216a2c2e, SECO-FW c9de51c0, IMX-MKIMAGE fe124bce, ATF 2fa8c63

??- U-Boot 2020.04-06964-g33bb8e9683

switch to partitions #0, OK

mmc0(part 0) is current device

flash target is MMC:0

Net: ??eth0: ethernet@5b040000

Fastboot: Normal

Normal Boot

Hit any key to stop autoboot: ?0

switch to partitions #0, OK

mmc0(part 0) is current device

25877504 bytes read in 787 ms (31.4 MiB/s)

Authenticate OS container at 0x98000000

43 bytes read in 12 ms (2.9 KiB/s)

Applying Overlay: apalis-imx8_hdmi_overlay.dtbo

2177 bytes read in 31 ms (68.4 KiB/s)

106496 bytes read in 16 ms (6.3 MiB/s)

Loading hdp firmware from 0x000000009c000000 offset 0x0000000000002000

Loading hdp firmware Complete

Bootargs: console=ttyLP1 earlycon,115200 root=PARTUUID=e8daf485-02 rootwait mmcdev=0

## Flattened Device Tree blob at 83000000

???Booting using the fdt blob at 0x83000000

???Loading Device Tree to 00000000fd5fc000, end 00000000fd648fff ... OK

Starting kernel ...

[ ???0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]

[ ???0.000000] Linux version 5.4.193-5.7.0+git.f78299297185 (oe-user@oe-host) (gcc version 9.2

...

[ ?OK ?] Started Start a wayland application.

[ ?OK ?] Reached target Multi-User System.

[ ?OK ?] Reached target Graphical Interface.

?????????Starting Update UTMP about System Runlevel Changes...

[ ?OK ?] Started Update UTMP about System Runlevel Changes.

TDX Wayland with XWayland 5.7.0+build.20 (dunfell) apalis-imx8-06738378 ttyLP1

Apalis-iMX8_Reference-Multimedia-Image

apalis-imx8-06738378 login:

--------------------------------

b). Close設(shè)備

經(jīng)過上述測(cè)試已經(jīng)確認(rèn)從U-Boot到Linux Kernel Secure Boot正常，即可以在U-Boot命令行下面執(zhí)行下面命令Close設(shè)備，請(qǐng)注意此操作之后，沒有簽名的Image就無法再在此模塊加載運(yùn)行了，因此請(qǐng)謹(jǐn)慎操作。

--------------------------------

Apalis iMX8 # ahab_close

--------------------------------

10).?總結(jié)

本文基于NXP iMX8處理器演示了基于AHAB的Secure Boot功能，設(shè)計(jì)U-Boot和Linux Kernel、Device Tree等，至于Rootfs的加密，則需要配置類似Squashfs只讀文件系統(tǒng)配合initramfs最小啟動(dòng)鏡像進(jìn)行加解密掛載啟動(dòng)，可以結(jié)合參考如下兩篇文章，本文不做具體測(cè)試。

./?嵌入式?ARM?平臺(tái)使用dm-crypt加密磁盤分區(qū)

./?使用Squashfs和Overlayfs提高嵌入式Linux文件系統(tǒng)可靠性

參考文檔

introduction_ahab.txt ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

mx8_mx8x_secure_boot.txt ? guides ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

NXP Application Note AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB

?

總結(jié)

以上是生活随笔為你收集整理的基于NXP iMX8测试Secure Boot功能部署的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。