[U-Boot] U-boot can verify an HW signature?

Saverio Mori saverio.mori at gmail.com
Wed Jan 24 07:35:22 UTC 2018


Hi Breno Lima,
Thank you very much, indeed this is the answer that i need. Perhaps
could you give me some more details on realizing encrypted boot using
the yocto project platform?
All The Best,

Saverio

Il 20/01/2018 16:00, Breno Matheus Lima ha scritto:
> Hi Saveiro,
>
> 2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
>> Hi Breno Lima,
>> For the moment we have not secure boot, we use "plain" u-boot running on
>> a module board equipped with an "open" i.MX6UL processor, and we are
>> newbies in the field of secure boot. We wish that our firmware works
>> only on approved hardware, and not on common one. From what we have
>> read, secured boot allow that only approved FW works on prepared HW; our
>> problem is just the reciprocal, i.e. allow running of our FW only on
>> approved boards. In other words, a secured FW can works on a unsecured
>> board (while a secured board requires a secured FW), we wish to block
>> this situation.
>> All The Best,
> You can have more details about secure boot in doc/README.mxc_hab file.
>
> The application note AN4581 can be also helpful:
> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>
> The secure boot is intended to prepare your device to just run
> authenticated SW,  once your SRK Hash and SEC_CONFIG fuse are
> programmed you can only execute authenticated bootloader on this
> device.
>
> If you want that your SW can be only executed on  approved hardware
> you can refer to encrypted boot, which is supported on i.MX6UL.
>
> You can find more details in doc/README.mxc_hab file and also in NXP
> community. Currently there is no application note provided by NXP
> about encrypted boot:
> https://community.nxp.com/docs/DOC-330622
>
> Note that dek_blob command can be only executed in closed devices, so
> you need to run an authenticated U-Boot to prepare an encrypted boot
> image.
>
> Let us know if you have any questions during the process.
>
> Thanks,
> Breno Lima
>
>> Saverio M.
>>
>> Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
>>> Hi Saverio,
>>>
>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
>>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>>> Can you please share more details about this verification you want to
>>> achieve? Are you currently running a signed U-Boot in a closed device
>>> (eFuse SEC_CONFIG = 1)?
>>>
>>> Thanks,
>>> Breno Lima
>>
>>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180124/1b6d8fff/attachment.sig>


More information about the U-Boot mailing list