summaryrefslogtreecommitdiff
path: root/doc/imx/ahab/guides/mx8_mx8x_encrypted_boot.txt
blob: dfea4c8277c5edf070a9cf56c9d465bb41c9a0a5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
         +=========================================================+
         +      i.MX 8, i.MX 8X Encrypted Boot guide using AHAB    +
         +=========================================================+

1. AHAB Encrypted Boot process
-------------------------------

This document describes a step-by-step procedure on how to encrypt and sign a
bootloader image for i.MX8/8x family devices. It is assumed that the reader
is familiar with basic AHAB concepts and has already closed the device,
step-by-step procedure can be found in mx8_mx8x_secure_boot.txt and
mx8_mx8x_spl_secure_boot.txt guides.

The steps described in this document were based in i.MX8QM device, the same
concept can be applied to others processors in i.MX8/8X family devices.

1.1 Understanding the encrypted image signature block
------------------------------------------------------

As described in mx8_mx8x_secure_boot.txt guide a single binary is used to boot
the device. The imx-mkimage tool combines all the input images in a container
structure, generating a flash.bin binary.

AHAB is able to decrypt image containers by calling SECO authentication
functions, the image must be encrypted by CST and the resulting DEK (Data
Encryption Key) must be encapsulated and included into the container signature
block:

                +----------------------------+
                |                            |  ^
                |                            |  |
                |      Container header      |  |
                |                            |  |
                |                            |  |
                +---+------------------------+  |
                | S | Signature block header |  | Signed
                | i +------------------------+  |
                | g |                        |  |
                | n |                        |  |
                | a |        SRK table       |  |
                | t |                        |  |
                | u |                        |  v
                | r +------------------------+
                | e |       Signature        |
                |   +------------------------+
                | B |                        |
                | l |        SGK Key         |
                | o | Certificate (optional) |
                | c |                        |
                | k +------------------------+
                |   |        DEK Blob        |
                +---+------------------------+

1.1.1 Understanding and generating the DEK blob
------------------------------------------------

The encrypted boot image requires a DEK blob on each time AHAB is used to
decrypt an image. The DEK blob is used as a security layer to wrap and store
the DEK off-chip using the OTPMK which is unique per device.

On i.MX8/8x devices the DEK blob is generated using the SECO API, the following
funtion is available in U-Boot and can be executed through dek_blob command:

- sc_seco_gen_key_blob(sc_ipc_t ipc, uint32_t id, sc_faddr_t load_addr,
		       sc_faddr_t export_addr, uint16_t max_size)

Details in API usage can be found in SCFW API guide [1].

1.2 Enabling the encrypted boot support in U-Boot
--------------------------------------------------

For deploying an encrypted boot image additional U-Boot tools are needed,
please be sure to have the following features enabled, this can be achieved
by following one of the methods below:

- Defconfig:

  CONFIG_AHAB_BOOT=y
  CONFIG_CMD_DEKBLOB=y
  CONFIG_IMX_SECO_DEK_ENCAP=y
  CONFIG_FAT_WRITE=y

- Kconfig:

  ARM architecture -> Support i.MX8 AHAB features
  ARM architecture -> Support the 'dek_blob' command
  File systems -> Enable FAT filesystem support-> Enable FAT filesystem
  write support

1.3 Enabling the encrypted boot support in CST
-----------------------------------------------

The encryption feature is not enabled by default in Code Signing tools (CST).
The CST backend must be recompiled, execute the following commands to enable
encryption support in CST:

  $ sudo apt-get install libssl-dev openssl
  $ cd <CST install directory>/code/back_end/src
  $ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c
    -lfrontend -lcrypto
  $ cp cst_encrypted ../../../linux64/bin/

1.4 Preparing the image container
----------------------------------

The container generation is explained in and mx8_mx8x_secure_boot.txt and
mx8_mx8x_spl_secure_boot.txt guides. This document is based in imx-mkimage
flash target (2 containers in flash.bin).

- Assembly flash.bin binary:

  $ make SOC=<SoC Name> flash

The mkimage log is used during the encrypted boot procedure to create the
Command Sequence File (CSF):

  CST: CONTAINER 0 offset: 0x400
  CST: CONTAINER 0: Signature Block: offset is at 0x590
  DONE.
  Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET

1.6 Creating the CSF description to encrypt the 2nd container
--------------------------------------------------------------

The csf_enc_boot_image.txt available under ahab/csf_examples/ can be used as
example for encrypting the flash.bin binary, the main change is the Install
Secret Key command that must be added after Authenticate Data command.

  [Install Secret Key]
  Key = "dek.bin"
  Key Length = 128
  #Key Identifier = 0x1234CAFE
  Image Indexes = 0xFFFFFFFE

By default all images are encrypted and image indexes parameter can be used
to mask the images indexes that must be encrypted, on this example only the
2nd container will be encrypted.

Optionally users can provide a key identifier that must match the value
provided during the blob generation, by default its value is zero.

1.7 Encrypting the 2nd container
---------------------------------

The image is encrypted using the Code Signing Tool. The tool generates the
encrypted image and a random dek.bin file.

- Encrypt flash.bin binary:

  $ ./cst_encrypted -i csf_enc_boot_image.txt -o enc_flash.bin
   The DEK BLOB must be inserted at offset 0x7c0 (its expected size is 72 bytes)
   CSF Processed successfully and signed image available in enc_boot_image.bin

The output log will be used in a later step to insert the DEK blob into the
signature block.

1.8 Generating the DEK Blob
----------------------------

The DEK must be encapsulated into a CAAM blob so it can be included into the
final encrypted binary. The U-Boot provides a tool called dek_blob which is
calling the SECO blob encapsulation API.

Copy the dek.bin in SDCard FAT partition and run the following commands from
U-Boot prompt:

  => mmc list
     FSL_SDHC: 1 (SD)
     FSL_SDHC: 2
  => fatload mmc 1:1 0x80280000 dek.bin
  => dek_blob 0x80280000 0x80280100 128
  => fatwrite mmc 1:1 0x80280100 dek_blob.bin 0x48

In host PC copy the generated dek_blob.bin to the CST directory.

1.9 Assembling the encrypted image
-----------------------------------

The DEK blob generated in the step above have to be inserted into the container
signature block.

The CSF log is used to determine the DEK Blob offset:

  The DEK BLOB must be inserted at offset 0x7c0 (its expected size is 72 bytes)
  CSF Processed successfully and signed image available in enc_boot_image.bin

- Insert DEK Blob into container signature block:

  $ dd if=dek_blob.bin of=enc_flash.bin bs=1 seek=$((0x7c0)) conv=notrunc

1.10 Flashing the encrypted boot image
---------------------------------------

The same offset is used for encrypted boot images, in case booting from
eMMC/SDCard the offset is 32K.

- Flash encrypted image in SDCard:

  $ sudo dd if=enc_flash.bin of=/dev/sd<x> bs=1K seek=32 && sync

2.0 Encrypting a standalone container
--------------------------------------

CST is also able to encrypt additional images containers, the steps documented
in this section are based in OS container but can be also applied to SPL
targets and 3rd containers.

2.1 Creating the OS container
------------------------------

As explained in mx8_mx8x_secure_boot.txt guide the imx-mkimage tool is used to
generate an image container for OS images, the mkimage log is used during the
encrypted boot procedure to create the Command Sequence File (CSF).

- Creating OS container:

  $ make SOC=<SoC Name> flash_kernel
   ...
   CST: CONTAINER 0 offset: 0x0
   CST: CONTAINER 0: Signature Block: offset is at 0x110

2.2 Creating the CSF description file for standalone container
---------------------------------------------------------------

The Image Indexes parameter is used to mask the images that are encrypted by
CST, as a single container is used for OS images the Image Indexes command can
be commented or set to 0xFFFFFFFF.

  [Install Secret Key]
  Key = "dek_os.bin"
  Key Length = 128
  #Key Identifier = 0x1234CAFE
  Image Indexes = 0xFFFFFFFF

2.3 Encrypting the standalone container
----------------------------------------

As explained in section 1.7 the CST generates the encrypted image and a random
dek.bin file.

- Encrypt the standalone container:

  $ ./cst_encrypted -i csf_linux_img.txt -o enc_flash_os.bin
   The DEK BLOB must be inserted at offset 0x340 (its expected size is 72 bytes)
   CSF Processed successfully and signed image available in enc_flash_os.bin

The output log will be used in a later step to insert the DEK blob into the
signature block.

2.4 Generating the DEK Blob for standalone container
----------------------------------------------------

Similar to section 1.8 the DEK must be encapsulated into a CAAM blob so it can
be included into the final encrypted binary.

Copy the dek_os.bin in SDCard FAT partition and run the following commands from
U-Boot prompt:

  => mmc list
     FSL_SDHC: 1 (SD)
     FSL_SDHC: 2
  => fatload mmc 1:1 0x80280000 dek_os.bin
  => dek_blob 0x80280000 0x80280100 128
  => fatwrite mmc 1:1 0x80280100 dek_blob_os.bin 0x48

In host PC copy the generated dek_blob_os.bin to the CST directory.

2.5 Assembling the encrypted image
-----------------------------------

The DEK blob generated in the step above have to be inserted into the container
signature block.

The CSF log is used to determine the DEK Blob offset:

   The DEK BLOB must be inserted at offset 0x340 (its expected size is 72 bytes)
   CSF Processed successfully and signed image available in enc_flash_os.bin

- Insert DEK Blob into container signature block:

  $ dd if=dek_blob_os.bin of=enc_flash_os.bin bs=1 seek=$((0x340)) conv=notrunc

2.6 Copy encrypted image to SDCard
-----------------------------------

The encrypted container can be copied to SDCard FAT partition, please note
that U-Boot requires signed and encrypted containers to be named as
os_cntr_signed.bin.

  $ sudo cp enc_flash_os.bin /media/UserID/Boot\ imx8/os_cntr_signed.bin

References:
[1] SCFW API guide: "System Controller Firmware API Reference Guide - Rev 1.5"