[U-Boot] U-boot can verify an HW signature?

Breno Matheus Lima brenomatheus at gmail.com
Sat Jan 20 15:00:20 UTC 2018 

Hi Saveiro,

2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
> Hi Breno Lima,
> For the moment we have not secure boot, we use "plain" u-boot running on
> a module board equipped with an "open" i.MX6UL processor, and we are
> newbies in the field of secure boot. We wish that our firmware works
> only on approved hardware, and not on common one. From what we have
> read, secured boot allow that only approved FW works on prepared HW; our
> problem is just the reciprocal, i.e. allow running of our FW only on
> approved boards. In other words, a secured FW can works on a unsecured
> board (while a secured board requires a secured FW), we wish to block
> this situation.
> All The Best,

You can have more details about secure boot in doc/README.mxc_hab file.

The application note AN4581 can be also helpful:
https://www.nxp.com/docs/en/application-note/AN4581.pdf

The secure boot is intended to prepare your device to just run
authenticated SW,  once your SRK Hash and SEC_CONFIG fuse are
programmed you can only execute authenticated bootloader on this
device.

If you want that your SW can be only executed on  approved hardware
you can refer to encrypted boot, which is supported on i.MX6UL.

You can find more details in doc/README.mxc_hab file and also in NXP
community. Currently there is no application note provided by NXP
about encrypted boot:
https://community.nxp.com/docs/DOC-330622

Note that dek_blob command can be only executed in closed devices, so
you need to run an authenticated U-Boot to prepare an encrypted boot
image.

Let us know if you have any questions during the process.

Thanks,
Breno Lima

>
> Saverio M.
>
> Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
>> Hi Saverio,
>>
>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>> Can you please share more details about this verification you want to
>> achieve? Are you currently running a signed U-Boot in a closed device
>> (eFuse SEC_CONFIG = 1)?
>>
>> Thanks,
>> Breno Lima
>
>
>

More information about the U-Boot mailing list