[U-Boot] [PATCH 1/2] doc: mxc_hab: Move HAB related info to the appropriate doc

Breno Lima brenomatheus at gmail.com
Thu Feb 22 00:42:55 UTC 2018


From: Breno Lima <breno.lima at nxp.com>

Currently the High Assurance Boot procedure is documented in two
places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima at nxp.com>
---
 doc/README.imx6    | 48 ---------------------------------------------
 doc/README.mxc_hab | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 51 deletions(-)

diff --git a/doc/README.imx6 b/doc/README.imx6
index 2e8f1d8..b0644f8 100644
--- a/doc/README.imx6
+++ b/doc/README.imx6
@@ -113,51 +113,3 @@ issue the command:
 In order to load SPL and u-boot.img via imx_usb_loader tool,
 please refer to doc/README.sdp.
 
-3. Using Secure Boot on i.MX6 machines with SPL support
--------------------------------------------------------
-
-This version of U-Boot is able to build a signable version of the SPL
-as well as a signable version of the U-Boot image. The signature can
-be verified through High Assurance Boot (HAB).
-
-CONFIG_SECURE_BOOT is needed to build those two binaries.
-After building, you need to create a command sequence file and use
-Freescales Code Signing Tool to sign both binaries. After creation,
-the mkimage tool outputs the required information about the HAB Blocks
-parameter for the CSF. During the build, the information is preserved
-in log files named as the binaries. (SPL.log and u-boot-ivt.log).
-
-More information about the CSF and HAB can be found in the AN4581.
-https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
-
-We don't want to explain how to create a PKI tree or SRK table as
-this is well explained in the Application Note.
-
-Example Output of the SPL (imximage) creation:
- Image Type:   Freescale IMX Boot Image
- Image Ver:    2 (i.MX53/6/7 compatible)
- Mode:         DCD
- Data Size:    61440 Bytes = 60.00 kB = 0.06 MB
- Load Address: 00907420
- Entry Point:  00908000
- HAB Blocks:   00907400 00000000 0000cc00
-
-Example Output of the u-boot-ivt.img (firmware_ivt) creation:
- Image Name:   U-Boot 2016.11-rc1-31589-g2a4411
- Created:      Sat Nov  5 21:53:28 2016
- Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
- Data Size:    352192 Bytes = 343.94 kB = 0.34 MB
- Load Address: 17800000
- Entry Point:  00000000
- HAB Blocks:   0x177fffc0   0x0000   0x00054020
-
-The CST (Code Signing Tool) can be downloaded from NXP.
-# Compile CSF and create signature
-./cst --o csf-u-boot.bin < command_sequence_uboot.csf
-./cst --o csf-SPL.bin < command_sequence_spl.csf
-# Append compiled CSF to Binary
-cat SPL csf-SPL.bin > SPL-signed
-cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
-
-These two signed binaries can be used on an i.MX6 in closed
-configuration when the according SRK Table Hash has been flashed.
diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab
index 4bd07d3..056ade7 100644
--- a/doc/README.mxc_hab
+++ b/doc/README.mxc_hab
@@ -1,4 +1,5 @@
-High Assurance Boot (HAB) for i.MX6 CPUs
+1. High Assurance Boot (HAB) for i.MX CPUs
+------------------------------------------
 
 To enable the authenticated or encrypted boot mode of U-Boot, it is
 required to set the proper configuration for the target board. This
@@ -52,8 +53,58 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx
 NOTE: U-Boot_CSF.bin needs to be padded to the value specified in
 the imximage.cfg file.
 
-Setup U-Boot Image for Encrypted Boot
--------------------------------------
+
+2. Using Secure Boot on i.MX6 machines with SPL support
+-------------------------------------------------------
+
+This version of U-Boot is able to build a signable version of the SPL
+as well as a signable version of the U-Boot image. The signature can
+be verified through High Assurance Boot (HAB).
+
+CONFIG_SECURE_BOOT is needed to build those two binaries.
+After building, you need to create a command sequence file and use
+Freescales Code Signing Tool to sign both binaries. After creation,
+the mkimage tool outputs the required information about the HAB Blocks
+parameter for the CSF. During the build, the information is preserved
+in log files named as the binaries. (SPL.log and u-boot-ivt.log).
+
+More information about the CSF and HAB can be found in the AN4581.
+https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
+
+We don't want to explain how to create a PKI tree or SRK table as
+this is well explained in the Application Note.
+
+Example Output of the SPL (imximage) creation:
+ Image Type:   Freescale IMX Boot Image
+ Image Ver:    2 (i.MX53/6/7 compatible)
+ Mode:         DCD
+ Data Size:    61440 Bytes = 60.00 kB = 0.06 MB
+ Load Address: 00907420
+ Entry Point:  00908000
+ HAB Blocks:   00907400 00000000 0000cc00
+
+Example Output of the u-boot-ivt.img (firmware_ivt) creation:
+ Image Name:   U-Boot 2016.11-rc1-31589-g2a4411
+ Created:      Sat Nov  5 21:53:28 2016
+ Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
+ Data Size:    352192 Bytes = 343.94 kB = 0.34 MB
+ Load Address: 17800000
+ Entry Point:  00000000
+ HAB Blocks:   0x177fffc0   0x0000   0x00054020
+
+The CST (Code Signing Tool) can be downloaded from NXP.
+# Compile CSF and create signature
+./cst --o csf-u-boot.bin < command_sequence_uboot.csf
+./cst --o csf-SPL.bin < command_sequence_spl.csf
+# Append compiled CSF to Binary
+cat SPL csf-SPL.bin > SPL-signed
+cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
+
+These two signed binaries can be used on an i.MX6 in closed
+configuration when the according SRK Table Hash has been flashed.
+
+3. Setup U-Boot Image for Encrypted Boot
+-----------------------------------------
 An authenticated U-Boot image is used as starting point for
 Encrypted Boot. The image is encrypted by Freescale's Code
 Signing Tool (CST). The CST replaces only the image data of
-- 
2.7.4



More information about the U-Boot mailing list