Hi Breno Lima,

Thank you very much, indeed this is the answer that I need. Perhaps could you give me some more details on realizing encrypted boot using the Yocto Project platform?

All The Best,
Saverio

On 20/01/2018 16:00, Breno Matheus Lima wrote:
> Hi Saverio,
>
> 2018-01-19 16:45 GMT-02:00 Saverio Mori <[email protected]>:
>> Hi Breno Lima,
>> For the moment we do not have secure boot, we use "plain" u-boot running on
>> a module board equipped with an "open" i.MX6UL processor, and we are
>> newbies in the field of secure boot. We wish that our firmware works
>> only on approved hardware, and not on common one. From what we have
>> read, secured boot allows that only approved FW works on prepared HW; our
>> problem is just the reciprocal, i.e. allow running of our FW only on
>> approved boards. In other words, a secured FW can work on an unsecured
>> board (while a secured board requires a secured FW), we wish to block
>> this situation.
>> All The Best,
> You can have more details about secure boot in doc/README.mxc_hab file.
>
> The application note AN4581 can be also helpful:
> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>
> The secure boot is intended to prepare your device to just run
> authenticated SW; once your SRK Hash and SEC_CONFIG fuse are
> programmed you can only execute authenticated bootloader on this
> device.
>
> If you want that your SW can be only executed on approved hardware
> you can refer to encrypted boot, which is supported on i.MX6UL.
>
> You can find more details in doc/README.mxc_hab file and also in NXP
> community. Currently there is no application note provided by NXP
> about encrypted boot:
> https://community.nxp.com/docs/DOC-330622
>
> Note that dek_blob command can be only executed in closed devices, so
> you need to run an authenticated U-Boot to prepare an encrypted boot
> image.
>
> Let us know if you have any questions during the process.
>
> Thanks,
> Breno Lima
>
>> Saverio M.
>>
>> On 19/01/2018 18:54, Breno Matheus Lima wrote:
>>> Hi Saverio,
>>>
>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <[email protected]>:
>>>> Hi to the community. I have found a lot of material on secure booting and
>>>> how to sign u-boot and uimage in order that only trusted sw is loaded.
>>>> This is good for me but I have also the opposite problem, that is I have
>>>> to be sure that my sw is loaded on a hardware signed in some way. Is it
>>>> possible, and how, to implement this feature in u-boot, at least running on
>>>> iMX6 boards? Thanks!!!
>>> Can you please share more details about this verification you want to
>>> achieve? Are you currently running a signed U-Boot in a closed device
>>> (eFuse SEC_CONFIG = 1)?
>>>
>>> Thanks,
>>> Breno Lima
>>
_______________________________________________ U-Boot mailing list [email protected] https://lists.denx.de/listinfo/u-boot

