[U-Boot] [PATCH v1 0/7] The patchset fixes some issue in the generation of the imx image
Eric Nelson
eric.nelson at boundarydevices.com
Thu Jul 11 22:40:52 CEST 2013
Thanks Stefano,
On 07/11/2013 06:06 AM, Stefano Babic wrote:
> (header for Freescale's i.MX processors) to allow the usage of
> Freescale's tools to sign the u-boot image and provide a secure boot.
>
> This has nothing to do with the Secure Boot extensions implemented by
> Simon Glass, which can in any case be used later to boot a secure image.
> Freescale's secure boot ensures that a signed bootloader
> is started only if it is verified with a key that is burned into the iMX fuses.
> Documentation about Freescale's secure process can be read in
> AN4591, available on Freescale's website.
>
> The patchset allows adding to the imx header the CSF (Command Sequence File)
> generated by the tools provided by Freescale. The CSF is then simply concatenated
> to the u-boot image, making a signed bootloader that the processor can verify
> if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not
> start a bootloader that cannot be verified - further information on how to configure
> the SOC to verify the bootloader can be found in the User Manual of the specific
> SOC.
>
> Next step is to verify the kernel, which can still be done using Simon's patches for
> verified boot (CONFIG_OF_CONTROL must be set in the board configuration file).
>
I compile-tested the series against all of our boards
(boundary/boundary/* and board/freescale/mx6qsabrelite).
Run-time tests (without signing) against nitrogen6s (solo)
and nitrogen6q (quad). Both ran without a hitch.
Now we need to get configured for signing and burn some fuses!
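
Added example, not code from the patchset or from U-Boot: a structural check of the layout the quoted cover letter describes, reading the CSF pointer from the imx header (IVT) and confirming that a CSF really is concatenated at that position. It assumes the HAB v4 IVT layout (tag 0xD1, 32 bytes, `self` and `csf` as the 6th and 7th words) and a file that begins at the IVT; `csf_status`, `make_sample` and the sample addresses are constructed for the illustration, and no signature is verified.

```python
import struct

IVT_TAG = 0xD1   # HAB v4 Image Vector Table tag
CSF_TAG = 0xD4   # HAB v4 Command Sequence File header tag
IVT_LEN = 0x20   # fixed IVT size in bytes
HDR_FMT = ">BHB" # tag, big-endian length, version (shared by IVT and CSF)


def csf_status(image: bytes) -> str:
    """Classify an i.MX image that begins at its IVT.

    Returns 'not-imx', 'unsigned', 'csf-missing' or 'csf-present'.
    """
    if len(image) < IVT_LEN:
        return "not-imx"
    tag, length, version = struct.unpack_from(HDR_FMT, image, 0)
    if tag != IVT_TAG or length != IVT_LEN or version >> 4 != 4:
        return "not-imx"
    # Little-endian words: entry, reserved1, dcd, boot_data, self, csf, reserved2
    words = struct.unpack_from("<7I", image, 4)
    self_addr, csf_addr = words[4], words[5]
    if csf_addr == 0:
        return "unsigned"            # header carries no CSF pointer
    # Both pointers are load addresses; their difference is a file offset.
    offset = csf_addr - self_addr
    if offset < IVT_LEN or offset + 4 > len(image):
        return "csf-missing"         # pointer set, nothing appended there
    csf_tag, csf_len, _ver = struct.unpack_from(HDR_FMT, image, offset)
    if csf_tag != CSF_TAG or offset + csf_len > len(image):
        return "csf-missing"         # bytes at the pointer are not a whole CSF
    return "csf-present"


def make_sample(with_pointer: bool, with_csf: bool) -> bytes:
    """Constructed sample: IVT + 0x100 padding bytes (+ 4-byte CSF header stub)."""
    self_addr, body_len = 0x17800400, IVT_LEN + 0x100   # made-up load address
    csf_addr = self_addr + body_len if with_pointer else 0
    ivt = struct.pack(HDR_FMT, IVT_TAG, IVT_LEN, 0x40)
    ivt += struct.pack("<7I", self_addr + IVT_LEN, 0, 0, 0, self_addr, csf_addr, 0)
    image = ivt + bytes(0x100)
    if with_csf:
        image += struct.pack(HDR_FMT, CSF_TAG, 4, 0x40)
    return image


if __name__ == "__main__":
    for ptr, csf in ((False, False), (True, False), (True, True)):
        print(ptr, csf, csf_status(make_sample(ptr, csf)))
```

A result of `csf-missing` on a build that is meant to be signed points at an image whose header reserves room for a CSF that was never appended.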