Hi Saverio,

2018-01-24 5:35 GMT-02:00 Saverio Mori <[email protected]>:
> Hi Breno Lima,
> Thank you very much, indeed this is the answer that I need. Perhaps
> could you give me some more details on realizing encrypted boot using
> the Yocto project platform?

Currently it is not possible to sign or encrypt a U-Boot image using the
Yocto project; the CST (Code Signing Tool) is only available at the NXP
portal.

You can build U-Boot using Yocto with the following configurations
enabled and sign/encrypt this image with CST:

CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y

This patch from Fabio Estevam can also be helpful:
https://lists.denx.de/pipermail/u-boot/2018-January/317847.html

Thanks,
Breno Lima

> All The Best,
>
> Saverio
>
> On 20/01/2018 16:00, Breno Matheus Lima wrote:
>> Hi Saverio,
>>
>> 2018-01-19 16:45 GMT-02:00 Saverio Mori <[email protected]>:
>>> Hi Breno Lima,
>>> For the moment we have no secure boot; we use "plain" u-boot running on
>>> a module board equipped with an "open" i.MX6UL processor, and we are
>>> newbies in the field of secure boot. We wish that our firmware works
>>> only on approved hardware, and not on common one. From what we have
>>> read, secured boot allows only approved FW to work on prepared HW; our
>>> problem is just the reciprocal, i.e. allowing our FW to run only on
>>> approved boards. In other words, a secured FW can work on an unsecured
>>> board (while a secured board requires a secured FW); we wish to block
>>> this situation.
>>> All The Best,
>> You can have more details about secure boot in the doc/README.mxc_hab file.
>>
>> The application note AN4581 can also be helpful:
>> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>>
>> Secure boot is intended to prepare your device to run only
>> authenticated SW; once your SRK Hash and SEC_CONFIG fuses are
>> programmed you can only execute an authenticated bootloader on this
>> device.
>>
>> If you want your SW to be executable only on approved hardware,
>> you can refer to encrypted boot, which is supported on i.MX6UL.
>>
>> You can find more details in the doc/README.mxc_hab file and also in the
>> NXP community. Currently there is no application note provided by NXP
>> about encrypted boot:
>> https://community.nxp.com/docs/DOC-330622
>>
>> Note that the dek_blob command can only be executed in closed devices, so
>> you need to run an authenticated U-Boot to prepare an encrypted boot
>> image.
>>
>> Let us know if you have any questions during the process.
>>
>> Thanks,
>> Breno Lima
>>
>>> Saverio M.
>>>
>>> On 19/01/2018 18:54, Breno Matheus Lima wrote:
>>>> Hi Saverio,
>>>>
>>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <[email protected]>:
>>>>> Hi to the community. I have found a lot of material on secure booting and
>>>>> how to sign u-boot and uImage so that only trusted SW is loaded.
>>>>> This is good for me, but I also have the opposite problem, that is I have
>>>>> to be sure that my SW is loaded on hardware signed in some way. Is it
>>>>> possible, and how, to implement this feature in u-boot, at least running on
>>>>> i.MX6 boards? Thanks!!!
>>>> Can you please share more details about the verification you want to
>>>> achieve? Are you currently running a signed U-Boot in a closed device
>>>> (eFuse SEC_CONFIG = 1)?
>>>>
>>>> Thanks,
>>>> Breno Lima
>>>
>>>
>
>

--
Breno Matheus Lima
_______________________________________________
U-Boot mailing list
[email protected]
https://lists.denx.de/listinfo/u-boot
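As an added example that is not part of the thread: a small POSIX shell check that confirms a Yocto-built U-Boot `.config` really has the two options Breno names (CONFIG_SECURE_BOOT, CONFIG_CMD_DEKBLOB) enabled before the image is handed to CST, plus a helper that writes a Kconfig fragment turning them on. The sample `.config` content and the fragment file name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: before handing a Yocto-built U-Boot to
# CST, confirm the build really has the two options the reply names enabled.
# The sample .config below is constructed for this demo.

# Options the reply names for signing / encrypted boot (dek_blob) on i.MX6UL.
HAB_OPTS="CONFIG_SECURE_BOOT CONFIG_CMD_DEKBLOB"

# check_uboot_hab_config <.config>
# Reports each option as ok / DISABLED / MISSING; returns 0 only if all are =y.
check_uboot_hab_config() {
    cfg="$1"
    rc=0
    for opt in $HAB_OPTS; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            echo "ok:       ${opt}=y"
        elif grep -q "^# ${opt} is not set\$" "$cfg"; then
            echo "DISABLED: ${opt} is not set in ${cfg}"
            rc=1
        else
            echo "MISSING:  ${opt} absent from ${cfg}"
            rc=1
        fi
    done
    return $rc
}

# write_hab_fragment <file>
# Emits a Kconfig fragment (e.g. a hab.cfg listed in SRC_URI of a u-boot
# bbappend; the file name is hypothetical) that turns the options on.
write_hab_fragment() {
    : > "$1"
    for opt in $HAB_OPTS; do
        echo "${opt}=y" >> "$1"
    done
}

# Constructed sample: a build where DEKBLOB was left off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_ARM=y
CONFIG_ARCH_MX6=y
CONFIG_SECURE_BOOT=y
# CONFIG_CMD_DEKBLOB is not set
EOF

check_uboot_hab_config "$SAMPLE_CFG" || echo "-> add the fragment and rebuild"
```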

