[U-Boot] U-boot can verify an HW signature?

Breno Matheus Lima brenomatheus at gmail.com
Wed Jan 24 11:57:08 UTC 2018


Hi Saverio,

2018-01-24 5:35 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
> Hi Breno Lima,
> Thank you very much, indeed this is the answer that I need. Perhaps
> you could give me some more details on realizing encrypted boot using
> the Yocto Project platform?

Currently it is not possible to sign or encrypt a U-Boot image using
the Yocto Project; the CST (Code Signing Tool) is only available at the NXP
portal. You can build U-Boot using Yocto with the following
configurations enabled and sign/encrypt this image with CST.

CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y

This patch from Fabio Estevam can also be helpful:
https://lists.denx.de/pipermail/u-boot/2018-January/317847.html

Thanks,
Breno Lima

> All The Best,
>
> Saverio
>
> On 20/01/2018 16:00, Breno Matheus Lima wrote:
>> Hi Saverio,
>>
>> 2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
>>> Hi Breno Lima,
>>> For the moment we do not have secure boot; we use "plain" u-boot running on
>>> a module board equipped with an "open" i.MX6UL processor, and we are
>>> newbies in the field of secure boot. We wish that our firmware works
>>> only on approved hardware, and not on common hardware. From what we have
>>> read, secure boot allows only approved FW to work on prepared HW; our
>>> problem is just the reciprocal, i.e. to allow our FW to run only on
>>> approved boards. In other words, a secured FW can work on an unsecured
>>> board (while a secured board requires a secured FW); we wish to block
>>> this situation.
>>> All The Best,
>> You can find more details about secure boot in the doc/README.mxc_hab file.
>>
>> The application note AN4581 can also be helpful:
>> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>>
>> Secure boot is intended to prepare your device to run only
>> authenticated SW. Once your SRK Hash and SEC_CONFIG fuse are
>> programmed, you can only execute an authenticated bootloader on this
>> device.
>>
>> If you want your SW to be executable only on approved hardware,
>> you can refer to encrypted boot, which is supported on i.MX6UL.
>>
>> You can find more details in the doc/README.mxc_hab file and also in the NXP
>> community. Currently there is no application note provided by NXP
>> about encrypted boot:
>> https://community.nxp.com/docs/DOC-330622
>>
>> Note that the dek_blob command can only be executed on closed devices, so
>> you need to run an authenticated U-Boot to prepare an encrypted boot
>> image.
>>
>> Let us know if you have any questions during the process.
>>
>> Thanks,
>> Breno Lima
>>
>>> Saverio M.
>>>
>>> On 19/01/2018 18:54, Breno Matheus Lima wrote:
>>>> Hi Saverio,
>>>>
>>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori at gmail.com>:
>>>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot and uimage so that only trusted sw is loaded. This is good for me, but I also have the opposite problem, that is, I have to be sure that my sw is loaded on hardware signed in some way. Is it possible, and how, to implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>>>> Can you please share more details about this verification you want to
>>>> achieve? Are you currently running a signed U-Boot in a closed device
>>>> (eFuse SEC_CONFIG = 1)?
>>>>
>>>> Thanks,
>>>> Breno Lima
>>>
>>>
>
>



-- 
Breno Matheus Lima

