Required files:
- U-Boot:
  u-boot-nodtb.bin
  u-boot-spl.bin
  U-Boot DTB file (e.g. fsl-imx8mq-evk.dtb)
- ATF image:
  bl31.bin
- DDR firmware:
  lpddr4_pmu_train_1d_dmem.bin
  lpddr4_pmu_train_1d_imem.bin
  lpddr4_pmu_train_2d_dmem.bin
  lpddr4_pmu_train_2d_imem.bin
- HDMI firmware (Only in i.MX8M):
  signed_hdmi_imx8m.bin
- DisplayPort firmware (Only in i.MX8M):
  signed_dp_imx8m.bin
- OP-TEE (Optional):
  tee.bin
Modify the U-Boot configuration to add HAB support, then run bitbake again to obtain the latest imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk file.
CONFIG_IMX_HAB=y
Create a new imx-boot folder and copy the entire contents of /tmp/work/imx8mp_lpddr4_evk-poky-linux/imx-boot/1.0-r0/git/ into it.
Package and generate the flash.bin file:
make SOC=iMX8MP flash_hdmi_spl_uboot
Print the HAB FIT information:
$ make SOC=iMX8MP print_fit_hab
./../scripts/dtb_check.sh imx8mp-evk.dtb evk.dtb
Use u-boot DTB: imx8mp-evk.dtb
./../scripts/pad_image.sh tee.bin
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin evk.dtb
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ./print_fit_hab.sh 0x60000 evk.dtb
0x40200000 0x5B000 0xF6248
0x402F6248 0x151248 0xBC38
0x970000 0x15CE80 0xC150
0x56000000 0x168FD0 0x2065C0
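Creating the CSF description files
The CSF contains all the commands that the ROM executes during secure boot. These commands tell the HAB code which memory regions of the image to authenticate, which keys to install and use, and so on. CSF examples can be found under doc/imx/hab/habv4/csf_examples/.
As described in the section above, the SPL is first verified by the ROM code and the root of trust is then extended to the FIT image, so two CSF files are required to fully sign the flash.bin image.
SPL authentication data addresses: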
========= OFFSET dump =========
Loader IMAGE:
 header_image_off 0x0
 dcd_off 0x0
 image_off 0x40
 csf_off 0x30600
 spl hab block: 0x91ffc0 0x0 0x30600
Second Loader IMAGE:
 sld_header_off 0x58000
 sld_csf_off 0x59020
 sld hab block: 0x401fcdc0 0x58000 0x1020
From this, create the csf_spl.txt file. Write the complete file with reference to https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt?h=lf-5.10.52-2.1.0
Blocks = 0x91ffc0 0x0 0x30600 "flash.bin"
Addresses from the HAB FIT information:
sld hab block:
0x401fcdc0 0x58000 0x1020
0x40200000 0x5B000 0xF6248
0x402F6248 0x151248 0xBC38
0x970000 0x15CE80 0xC150
0x56000000 0x168FD0 0x2065C0
From these, create csf_fit.txt:
Blocks = 0x401fcdc0 0x58000 0x1020 "flash.bin", \
         0x40200000 0x5B000 0xF6248 "flash.bin", \
         0x402F6248 0x151248 0xBC38 "flash.bin", \
         0x970000 0x15CE80 0xC150 "flash.bin", \
         0x56000000 0x168FD0 0x2065C0 "flash.bin"
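The block list above belongs to one build of flash.bin: every offset and length moves when a component changes size, so it has to be regenerated after each rebuild. As an added example (not part of the NXP scripts or the original post), this shell script builds the Blocks stanza from the printed triples and checks an existing csf_fit.txt against them; the function names gen_blocks, decimal and csf_is_current are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the NXP scripts.
# Triples are "<load address> <file offset> <length>" as printed by the build.

# Constructed sample: the "sld hab block" line followed by the print_fit_hab output.
HAB_BLOCKS='0x401fcdc0 0x58000 0x1020
0x40200000 0x5B000 0xF6248
0x402F6248 0x151248 0xBC38
0x970000 0x15CE80 0xC150
0x56000000 0x168FD0 0x2065C0'

# gen_blocks FILE: turn the triples on stdin into a CSF "Blocks" stanza for FILE.
# Refuses input whose file ranges overlap, which indicates a copy/paste error.
gen_blocks() {
    file=$1 end=0 sep='Blocks = '
    while read -r addr off len; do
        if [ -z "$len" ]; then continue; fi
        if [ $(($off)) -lt "$end" ]; then
            echo "block at offset $off overlaps the previous block" >&2
            return 1
        fi
        end=$(($off + $len))
        printf '%s%s %s %s "%s"' "$sep" "$addr" "$off" "$len" "$file"
        sep=', \
         '
    done
    echo
}

# decimal: normalise triples on stdin so that 0x5b000 and 0x5B000 compare equal.
decimal() {
    while read -r a o l; do
        if [ -n "$l" ]; then echo "$(($a)) $(($o)) $(($l))"; fi
    done
}

# csf_is_current CSF: succeed only if the blocks in CSF equal the triples on stdin.
csf_is_current() {
    want=$(decimal)
    have=$(grep -Eo '0x[0-9A-Fa-f]+[[:space:]]+0x[0-9A-Fa-f]+[[:space:]]+0x[0-9A-Fa-f]+' "$1" | decimal)
    [ "$want" = "$have" ]
}

# Usage, after every rebuild of flash.bin:
#   printf '%s\n' "$HAB_BLOCKS" | gen_blocks flash.bin
#   printf '%s\n' "$HAB_BLOCKS" | csf_is_current csf_fit.txt || echo "csf_fit.txt is stale"
```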
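Avoiding a kernel crash
On devices with a HAB version earlier than v4.4.0, the HAB code locks the Job Ring and DECO master ID registers in the closed configuration. If the user's application needs to make any change to the CAAM MID registers, the "Unlock CAAM MID" command must be added to the CSF file.
The CAAM registers are unlocked when we want to configure the CAAM to operate in the non-secure TrustZone world.
By default, the unlock command is already included in the signed HDMI and DisplayPort firmware. On i.MX8MM, i.MX8MN and i.MX8MP devices, or if the HDMI or DisplayPort controller is disabled on i.MX8M, the user must make sure this command is included in the SPL CSF.
Manually add the Unlock MID command to csf_spl.txt:
[Unlock]
Engine = CAAM
Features = MID
Start signing
Download the signing tool: https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL_NEW&appType=file1&DOWNLOAD_ID=null
Put cst, srktool and hab_log_parser into the imx-boot directory you created.
Now generate the keys, following https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=lf-5.10.52-2.1.0
Copy the cst-3.3.1\keys, ca\ and crts directories to /tmp/work/imx8mpevk-poky-linux/imx-boot/1.0-r0/git/iMX8M/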
cd ~ && openssl rand -writerand .rnd
Then enter the keys directory and run ./hab4_pki_tree.sh; the certificates are generated in the crts directory.
My file tree at this point:
.
├── ca
│ ├── openssl.cnf
│ ├── v3_ca.cnf
│ └── v3_usr.cnf
├── COPYING
├── crts
│ ├── CA1_sha256_2048_65537_v3_ca_crt.der
│ ├── CA1_sha256_2048_65537_v3_ca_crt.pem
│ ├── CSF1_1_sha256_2048_65537_v3_usr_crt.der
│ ├── CSF1_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── CSF2_1_sha256_2048_65537_v3_usr_crt.der
│ ├── CSF2_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── CSF3_1_sha256_2048_65537_v3_usr_crt.der
│ ├── CSF3_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── CSF4_1_sha256_2048_65537_v3_usr_crt.der
│ ├── CSF4_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── IMG1_1_sha256_2048_65537_v3_usr_crt.der
│ ├── IMG1_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── IMG2_1_sha256_2048_65537_v3_usr_crt.der
│ ├── IMG2_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── IMG3_1_sha256_2048_65537_v3_usr_crt.der
│ ├── IMG3_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── IMG4_1_sha256_2048_65537_v3_usr_crt.der
│ ├── IMG4_1_sha256_2048_65537_v3_usr_crt.pem
│ ├── SRK_1_2_3_4_fuse.bin
│ ├── SRK_1_2_3_4_table.bin
│ ├── SRK1_sha256_2048_65537_v3_ca_crt.der
│ ├── SRK1_sha256_2048_65537_v3_ca_crt.pem
│ ├── SRK1_sha256_2048_65537_v3_usr_crt.der
│ ├── SRK1_sha256_2048_65537_v3_usr_crt.pem
│ ├── SRK2_sha256_2048_65537_v3_ca_crt.der
│ ├── SRK2_sha256_2048_65537_v3_ca_crt.pem
│ ├── SRK2_sha256_2048_65537_v3_usr_crt.der
│ ├── SRK2_sha256_2048_65537_v3_usr_crt.pem
│ ├── SRK3_sha256_2048_65537_v3_ca_crt.der
│ ├── SRK3_sha256_2048_65537_v3_ca_crt.pem
│ ├── SRK3_sha256_2048_65537_v3_usr_crt.der
│ ├── SRK3_sha256_2048_65537_v3_usr_crt.pem
│ ├── SRK4_sha256_2048_65537_v3_ca_crt.der
│ ├── SRK4_sha256_2048_65537_v3_ca_crt.pem
│ ├── SRK4_sha256_2048_65537_v3_usr_crt.der
│ └── SRK4_sha256_2048_65537_v3_usr_crt.pem
├── iMX8DXL
│ ├── scripts
│ │ ├── android.mak
│ │ ├── autobuild.mak
│ │ ├── m4.mak
│ │ ├── misc.mak
│ │ └── test.mak
│ └── soc.mak
├── iMX8M
│ ├── bl31.bin
│ ├── csf_fit.txt
│ ├── csf_spl.txt
│ ├── cst
│ ├── hab_log_parser
│ ├── imx8mp-evk.dtb
│ ├── imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk
│ ├── lpddr4_pmu_train_1d_dmem_202006.bin
│ ├── lpddr4_pmu_train_1d_imem_202006.bin
│ ├── lpddr4_pmu_train_2d_dmem_202006.bin
│ ├── lpddr4_pmu_train_2d_imem_202006.bin
│ ├── mkimage_fit_atf.sh
│ ├── mkimage_imx8
│ ├── mkimage_imx8.c
│ ├── mkimage_uboot
│ ├── print_fit_hab.sh
│ ├── README
│ ├── signed_dp_imx8m.bin
│ ├── signed_hdmi_imx8m.bin
│ ├── soc.mak
│ ├── srktool
│ ├── tee.bin
│ ├── u-boot.bin
│ ├── u-boot.itb
│ ├── u-boot-nodtb.bin
│ ├── u-boot-spl.bin
│ └── u-boot-spl-ddr.bin
├── iMX8QM
│ ├── expand_c_define.sh
│ ├── mkimage_fit_atf.sh
│ ├── scripts
│ │ ├── alias.mak
│ │ ├── android.mak
│ │ ├── autobuild.mak
│ │ ├── m4.mak
│ │ ├── misc.mak
│ │ └── test.mak
│ └── soc.mak
├── iMX8QX
│ ├── mkimage_fit_atf.sh
│ ├── scripts
│ │ ├── alias.mak
│ │ ├── android.mak
│ │ ├── autobuild.mak
│ │ ├── m4.mak
│ │ ├── misc.mak
│ │ └── test.mak
│ └── soc.mak
├── iMX8ULP
│ ├── README
│ └── soc.mak
├── keys
│ ├── 12345678.pem
│ ├── 12345679.pem
│ ├── 1234567A.pem
│ ├── 1234567B.pem
│ ├── 1234567C.pem
│ ├── 1234567D.pem
│ ├── 1234567E.pem
│ ├── 1234567F.pem
│ ├── 12345680.pem
│ ├── 12345681.pem
│ ├── 12345682.pem
│ ├── 12345683.pem
│ ├── 12345684.pem
│ ├── 12345685.pem
│ ├── 12345686.pem
│ ├── 12345687.pem
│ ├── add_key.bat
│ ├── add_key.sh
│ ├── ahab_pki_tree.bat
│ ├── ahab_pki_tree.sh
│ ├── CA1_sha256_2048_65537_v3_ca_key.der
│ ├── CA1_sha256_2048_65537_v3_ca_key.pem
│ ├── convlb.exe
│ ├── CSF1_1_sha256_2048_65537_v3_usr_key.der
│ ├── CSF1_1_sha256_2048_65537_v3_usr_key.pem
│ ├── CSF2_1_sha256_2048_65537_v3_usr_key.der
│ ├── CSF2_1_sha256_2048_65537_v3_usr_key.pem
│ ├── CSF3_1_sha256_2048_65537_v3_usr_key.der
│ ├── CSF3_1_sha256_2048_65537_v3_usr_key.pem
│ ├── CSF4_1_sha256_2048_65537_v3_usr_key.der
│ ├── CSF4_1_sha256_2048_65537_v3_usr_key.pem
│ ├── hab4_pki_tree.bat
│ ├── hab4_pki_tree.sh
│ ├── IMG1_1_sha256_2048_65537_v3_usr_key.der
│ ├── IMG1_1_sha256_2048_65537_v3_usr_key.pem
│ ├── IMG2_1_sha256_2048_65537_v3_usr_key.der
│ ├── IMG2_1_sha256_2048_65537_v3_usr_key.pem
│ ├── IMG3_1_sha256_2048_65537_v3_usr_key.der
│ ├── IMG3_1_sha256_2048_65537_v3_usr_key.pem
│ ├── IMG4_1_sha256_2048_65537_v3_usr_key.der
│ ├── IMG4_1_sha256_2048_65537_v3_usr_key.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── key_pass.txt
│ ├── serial
│ ├── serial.old
│ ├── SRK1_sha256_2048_65537_v3_ca_key.der
│ ├── SRK1_sha256_2048_65537_v3_ca_key.pem
│ ├── SRK1_sha256_2048_65537_v3_usr_key.der
│ ├── SRK1_sha256_2048_65537_v3_usr_key.pem
│ ├── SRK2_sha256_2048_65537_v3_ca_key.der
│ ├── SRK2_sha256_2048_65537_v3_ca_key.pem
│ ├── SRK2_sha256_2048_65537_v3_usr_key.der
│ ├── SRK2_sha256_2048_65537_v3_usr_key.pem
│ ├── SRK3_sha256_2048_65537_v3_ca_key.der
│ ├── SRK3_sha256_2048_65537_v3_ca_key.pem
│ ├── SRK3_sha256_2048_65537_v3_usr_key.der
│ ├── SRK3_sha256_2048_65537_v3_usr_key.pem
│ ├── SRK4_sha256_2048_65537_v3_ca_key.der
│ ├── SRK4_sha256_2048_65537_v3_ca_key.pem
│ ├── SRK4_sha256_2048_65537_v3_usr_key.der
│ └── SRK4_sha256_2048_65537_v3_usr_key.pem
├── Makefile
├── mkimage_imx8
├── README
├── scripts
│ ├── dtb_check.sh
│ ├── fspi_header
│ ├── fspi_header_atxp
│ ├── fspi_packer.sh
│ ├── gen_sit.sh
│ ├── pad_image.sh
│ ├── qspi_header
│ ├── sit_template
│ ├── split_kernel.sh
│ └── split_spl.sh
└── src
    ├── build_info.h
    ├── imx8qxb0.c
    ├── mkimage_common.h
    └── mkimage_imx8.c
Generate the SRK table and the SRK hash; this has to be done from inside the crts directory:
:~/imx-boot/crts$ ../iMX8M/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRK HASH[0] = 0xCFA07F92
SRK HASH[1] = 0x8B09944A
SRK HASH[2] = 0x6570070E
SRK HASH[3] = 0x18679F1A
SRK HASH[4] = 0xC1B35F06
SRK HASH[5] = 0x81E56BF7
SRK HASH[6] = 0x84CC65D3
SRK HASH[7] = 0x1536EB1C
At this point all the files are ready. The content of csf_spl.txt is now:
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x91ffc0 0x0 0x30600 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk"
Content of csf_fit.txt:
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fcdc0 0x58000 0x1020 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk", \
         0x40200000 0x5B000 0xF1920 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk", \
         0x402F1920 0x14C920 0xBC30 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk", \
         0x970000 0x158550 0xC150 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk", \
         0x56000000 0x1646A0 0x2065C0 "imx-boot-imx8mp-lpddr4-evk-sd.bin-flash_evk"
Copy the files in cst-3.3.1\linux64\bin to the iMX8M directory, then sign the SPL with its CSF:
./cst -i csf_spl.txt -o csf_spl.bin
Output:
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in csf_spl.bin
Sign the FIT with its CSF:
./cst -i csf_fit.txt -o csf_fit.bin
Output:
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in csf_fit.bin
Inserting the CSF files into flash.bin
The log printed in the first step shows that the CSF offset for the SPL is 0x30600 and the CSF offset for the FIT image is 0x59020:
csf_off 0x30600
sld_csf_off 0x59020
1. Copy the flash.bin file:
cp flash.bin signed_flash.bin
2. Insert csf_spl.bin into signed_flash.bin at offset 0x30600:
dd if=csf_spl.bin of=signed_flash.bin seek=$((0x30600)) bs=1 conv=notrunc
3912+0 records in
3912+0 records out
3912 bytes (3.9 kB, 3.8 KiB) copied, 0.0120894 s, 324 kB/s
3. Insert csf_fit.bin into signed_flash.bin at offset 0x59020:
dd if=csf_fit.bin of=signed_flash.bin seek=$((0x59020)) bs=1 conv=notrunc
3936+0 records in
3936+0 records out
3936 bytes (3.9 kB, 3.8 KiB) copied, 0.00613787 s, 641 kB/s
4. Flash the signed_flash.bin file:
uuu -d signed_flash.bin
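Steps 2 and 3 above overwrite bytes inside signed_flash.bin at fixed offsets. As an added example (not from the NXP guide or the original post), this shell function refuses a CSF that would run past the next component and reads the bytes back after writing; splice_csf and its LIMIT argument are hypothetical, and the limits 0x58000 (sld_header_off) and 0x5B000 (offset of the first FIT block) are assumptions taken from the offsets printed earlier on this page.

```shell
#!/bin/sh
# Added example, not from the NXP guide.
# splice_csf CSF IMAGE OFFSET LIMIT
#   Writes CSF into IMAGE at OFFSET without truncating IMAGE, then reads the
#   bytes back. LIMIT is the offset of the next component inside IMAGE; the
#   CSF has to end at or before it, otherwise it would overwrite that component.
splice_csf() {
    csf=$1 img=$2 off=$(($3)) limit=$(($4))
    csf_len=$(($(wc -c < "$csf")))
    img_len=$(($(wc -c < "$img")))
    if [ $((off + csf_len)) -gt "$limit" ] || [ "$limit" -gt "$img_len" ]; then
        echo "refusing: $csf ($csf_len bytes) does not fit in [$3, $4)" >&2
        return 1
    fi
    # Same dd invocation as in the steps above: byte granularity, no truncation.
    dd if="$csf" of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null || return 1
    # The image must keep its size and contain the CSF byte for byte.
    [ "$(($(wc -c < "$img")))" -eq "$img_len" ] || return 1
    dd if="$img" bs=1 skip="$off" count="$csf_len" 2>/dev/null | cmp -s - "$csf"
}

# Usage with the offsets from this page:
#   cp flash.bin signed_flash.bin
#   splice_csf csf_spl.bin signed_flash.bin 0x30600 0x58000
#   splice_csf csf_fit.bin signed_flash.bin 0x59020 0x5B000
```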
Programming the SRK hash value
1. First dump the SRK values on the Linux host:
~/git/crts$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0xCFA07F92
0x8B09944A
0x6570070E
0x18679F1A
0xC1B35F06
0x81E56BF7
0x84CC65D3
0x1536EB1C
2. On the EVK, write the SRK values:
fuse prog 6 0 0xCFA07F92
fuse prog 6 1 0x8B09944A
fuse prog 6 2 0x6570070E
fuse prog 6 3 0x18679F1A
fuse prog 7 0 0xC1B35F06
fuse prog 7 1 0x81E56BF7
fuse prog 7 2 0x84CC65D3
fuse prog 7 3 0x1536EB1C
3. Flash the board:
uuu -b emmc_all .\signed_flash.bin .\imx-image-multimedia-imx8mpevk.wic
4. HAB verification:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
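5. After writing the fuses, close the device (this fuse cannot be reverted, so do it only after hab_status reports no HAB events):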
fuse prog 1 3 0x2000000
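Signing additional boot content (using the kernel as an example)
The steps above only sign the bootloader; the kernel must also be signed before it can be booted. Here the signing is likewise applied to a FIT image that packages the kernel, dtb and rootfs.
1. Read the kernel size: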
od -x -j 0x10 -N 0x4 --endian=little Image
0x1d40000
0000020 0000 01d4
0000024
2. Generate the padded kernel:
objcopy -I binary -O binary --pad-to 0x1d40000 --gap-fill=0x00 \
Image Image_pad.bin
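3. Generate the image vector table for the Image
The HAB code needs an Image Vector Table (IVT) to determine the image length and the CSF location. Because Image does not contain an IVT, one has to be created manually and appended to the end of the padded image. The genIVT.pl script under the script_examples directory can be used as a reference: doc/imx/habv4/script_examples/genIVT.pl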
#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # Signature
print $out pack("V", 0x40480000); # Load Address (*load_address)
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x421C0000); # IVT offset in Image, 0x40480000 + 0x1d40000 (the size of Image_pad.bin)(*ivt)
print $out pack("V", 0x421C0020); # CSF offset in Image, IVT offset + 0x20 (the size of IVT binary)
print $out pack("V", 0x0); # Reserved
close($out);
./genIVT.pl
This generates ivt.bin; then append it to Image_pad.bin:
cat Image_pad.bin ivt.bin > Image_pad_ivt.bin
4. Create the CSF description for the kernel:
https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/csf_examples/additional_images/csf_additional_images.txt?h=lf-5.10.52-2.1.0
csf_additional_images.txt
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x40480000 0x00000000 0x01CA7A00 "Image"
Length: run ls -l Image, then convert the size to hex.
5. Add the CSF information:
./cst --i csf_additional_images.txt --o csf_kernel.bin
6. Combine csf_kernel.bin and Image_pad_ivt.bin:
cat Image_pad_ivt.bin csf_kernel.bin > Image_signed
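Steps 1 to 3 above work out the pad size, the IVT address and the CSF address by hand. As an added example (not NXP's genIVT.pl and not from the original post), this shell script derives all three from the Image header and the load address and writes the 32-byte ivt.bin; the function names le32, image_size and make_ivt are hypothetical, and the size field is read as the same 4 bytes at offset 0x10 that step 1 reads.

```shell
#!/bin/sh
# Added example, not the NXP genIVT.pl.

# le32 N: emit N as four little-endian bytes (octal escapes work in any POSIX printf).
le32() {
    for s in 0 8 16 24; do
        printf "\\$(printf '%03o' $(( ($1 >> s) & 0xff )))"
    done
}

# image_size FILE: the 32-bit little-endian value at offset 0x10 of an arm64 Image.
image_size() {
    set -- $(od -An -v -tu1 -j16 -N4 "$1")
    [ $# -eq 4 ] || return 1          # file too short to hold the header field
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# make_ivt IMAGE LOAD_ADDR OUT: write the IVT for IMAGE loaded at LOAD_ADDR to OUT
# and print the addresses that go into the objcopy --pad-to and CSF steps.
make_ivt() {
    size=$(image_size "$1") || return 1
    ivt=$(( $2 + size ))              # IVT sits right after the padded image
    csf=$(( ivt + 0x20 ))             # CSF follows the 0x20-byte IVT
    {
        le32 0x412000D1               # Signature
        le32 $(($2))                  # Load address
        le32 0                        # Reserved
        le32 0                        # DCD pointer
        le32 0                        # Boot data
        le32 "$ivt"                   # IVT address
        le32 "$csf"                   # CSF address
        le32 0                        # Reserved
    } > "$3"
    printf 'ivt=0x%X csf=0x%X pad_to=0x%X\n' "$ivt" "$csf" "$size"
}

# Usage with the load address used on this page:
#   make_ivt Image 0x40480000 ivt.bin
```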
At this point, the chip will only accept signed images.
Tutorial: https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?h=lf-5.10.52-2.1.0