基于NXP iMX8测试Secure Boot功能部署
By Toradex秦海
1).?簡介
由于NXP從iMX8/iMX8x處理器開始引入了SCU/SECO等底層控制模塊來進行包含啟動管理等多項底層初始化功能,因此對于Secure Boot功能支持,也同樣升級為Advanced High Assurance Boot (AHAB)?特性來配合,以區別于iMX6/iMX8MM/iMX8MP處理器所使用的HABv4特性;AHAB和HABv4都是基于公共密鑰加密?(Public Key Cryptography)?和數字簽名?(Digital Signature)?技術來實現Secure Boot的,SCU負責協調各個啟動組件和流程,SECO用于驗證簽名的Image文件并授權加載運行,一個簡單的流程圖參考如下。本文就基于NXP iMX8平臺測試部署Secure Boot功能。
本文所演示的平臺來自于Toradex?Apalis?iMX8嵌入式平臺,這個平臺是基于近年發布的NXP iMX8系列ARM處理器,核心為Cortex-A72/A53。
2.?準備
a).?Apalis iMX8 ARM核心版配合Ixora?載板,并連接調試串口用于測試。
b).?參考這里下載Toradex Ycoto Linux BSP5 Image用于后續測試,目前最新的是5.7版本。
3).?生成PKI Tree文件
a).?從NXP官方網站下載Code Signing Tools軟件包(需注冊),目前最新版本是3.3.1版本,然后解壓后使用預設的腳本生成Public Key Infrastructure (PKI) tree,用于后面簽名U-boot/Linux Kernel Image文件
--------------------------------
$ cp .../cst-3.3.1.tgz ~/.
$ cd ~
$ tar xvf cst-3.3.1.tgz
$ tree -L 1 cst-3.3.1/
cst-3.3.1/
├──?ca
├──?code
├──?crts
├──?docs
├──?keys
├──?LICENSE.bsd3
├──?LICENSE.hidapi
├──?LICENSE.openssl
├──?linux32
├──?linux64
├──?mingw32
├──?osx
├──?Release_Notes.txt
└──?Software_Content_Register_CST.txt
--------------------------------
b).?生成PKI TREE
./?修改CST工具默認的serial和key_pass,本文因為僅測試需要則保持默認沒有修改,實際應用可以根據需要自行修改以保證安全
--------------------------------
$ cd ~/cst-3.3.1/keys
### default serial number for OpenSSL certification ###
$ cat serial
1234567C
### default key_pass for protection of private keys
$ cat key_pass.txt
test
test
--------------------------------
./?運行CST工具預制腳本通過交互方式生成PKI TREE,這里生成一個P384 ECC SRK PKI TREE示例,還可以選擇其他選項或者生成包含下級SGK Key的PKI TREE,更多可以參考如下U-Boot源代碼中的文檔說明
https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0
--------------------------------
### generate P384 ECC PKI TREE ###
$ ./ahab_pki_tree.sh
??...
??Do you want to use an existing CA key (y/n)?: n
??Do you want to use Elliptic Curve Cryptography (y/n)?: y
??Enter length for elliptic curve to be used for PKI tree:
??Possible values p256, p384, p521: ?p384
??Enter the digest algorithm to use: sha384
??Enter PKI tree duration (years): 5
??Do you want the SRK certificates to have the CA flag set? (y/n)?: n
### check generated SRK keys ###
$ ls SRK*
SRK1_sha384_secp384r1_v3_usr_key.der ?SRK2_sha384_secp384r1_v3_usr_key.pem ?SRK4_sha384_secp384r1_v3_usr_key.der
SRK1_sha384_secp384r1_v3_usr_key.pem ?SRK3_sha384_secp384r1_v3_usr_key.der ?SRK4_sha384_secp384r1_v3_usr_key.pem
SRK2_sha384_secp384r1_v3_usr_key.der ?SRK3_sha384_secp384r1_v3_usr_key.pem
### generate SRK Table?和?SRK Hash ###
$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \
??????-e SRK_1_2_3_4_fuse.bin -f 1 -c \
??????SRK1_sha384_secp384r1_v3_usr_crt.pem,\
??????SRK2_sha384_secp384r1_v3_usr_crt.pem,\
??????SRK3_sha384_secp384r1_v3_usr_crt.pem,\
??????SRK4_sha384_secp384r1_v3_usr_crt.pem
### check SRK Table and SRK Hash ###
$ ls SRK_*
SRK_1_2_3_4_fuse.bin ?SRK_1_2_3_4_table.bin
--------------------------------
c).?上面最后生成的兩個文件就是我們后面簽名和fuse設備需要用到的,”SRK_1_2_3_4_table.bin”?文件是SRK Table,用于簽名Container Image;”SRK_1_2_3_4_fuse.bin”?文件是SRK Hash,用于fuse到Apalis iMX8設備的eFuse。更多CST工具使用說明可以參考如下CST User Guide文檔
cst-3.3.1/docs/CST_UG.pdf
?
?
4).?Boot Container?配置和簽名
a).?參考這里說明下載Toradex Ycoto?Linux?BSP 5.x.y版本U-boot源代碼,默認配置并未使能AHAB功能支持,需要在config中使能如下選項,并重新編譯生成新的U-Boot文件?”u-boot.bin”
--------------------------------
→?ARM architecture
[*] Support i.MX8 AHAB features
--------------------------------
b).?參考上面U-boot源碼下載編譯文章以及下面參考文檔,使用編譯生成的U-Boot文件生成Apalis iMX8 Boot Container Image文件”flash.bin”
NXP iMX8 SCFW和Boot Container Image編譯
c).?此時先將上一步驟生成的?“flash.bin”?文件重命名為?“imx-boot”,然后通過這里的說明通過Toradex Easy Installer更新到Apalis iMX8模塊并啟動進入U-Boot命令行,通過如下命令可以查看AHAB功能以及使能成功,但是由于Boot Container Image并未簽名,因此提示?“0xEE”?事件。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087EE00
????????CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
????????IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
sc_seco_get_event: idx: 1, res:3
--------------------------------
d).?通過CST工具對上一步驟使用?imx-mkimage?生成的Boot Container Image?“flash.bin”?文件進行簽名
--------------------------------
### copy boot container image file to CST tool containing folder ###
$ cp .../imx-mkimage/iMX8QM/flash.bin ~/
### copy CSF template to CST tool containing folder ###
$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_boot_image.txt?~/
### modify?csf_boot_image.txt?to adopt your settings ###
vi csf_boot_image.txt
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header ?Signature block (printed out by mkimage)
Offsets ??= 0x400 ????????????0x590
### sign boot container image ###
./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin
Install SRK
Authenticate data
CSF Processed successfully and signed image available in flash_signed.bin
--------------------------------
e).?此時再將上一步驟簽名成功的?“flash_signed.bin”?文件重命名為?“imx-boot”?并更新到Apalis iMX8模塊上面,此時AHAB狀態命令變化如下,因為并未將對應的Hash燒寫到Apalis iMX8 eFuse,因此提示?“0xEA”?事件。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087FA00
????????CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
????????IND = AHAB_BAD_KEY_HASH_IND (0xFA)
sc_seco_get_event: idx: 1, res:3
--------------------------------
f).?燒寫SRK Hash
./?簽名的Boot Container Image文件要通過iMX8 SOC SRK_HASH[511:0] fuse燒寫的SRK Hash進行校驗
./?導出SRK HASH fuse對應數值
--------------------------------
### dump SRK HASH fuse value ###
$ od -t x4?~/cst-3.3.1/crts/SRK_1_2_3_4_fuse.bin
0000000 7ef8ad2a 4a3e54b6 ffa3df87 1774beb6
0000020 6f7b4d2e a9e90a59 c5fa9ea2 55c59bf4
0000040 b55aa0b9 8b30c2ec 519814df 26a0f058
0000060 52c0edda 7e686983 4bf5f8d7 27d7727a
--------------------------------
./?進入Apalis iMX8 U-Boot命令行,通過如下命令寫入fuses,注意這些fuses都是一次寫入的,因此請務必保證一次寫入正確。另外不同的SOC有不同的地址,如下只適用于iMX8QM,如果是iMX8X要參考文檔修改。
--------------------------------
Apalis iMX8 #?fuse prog 0 722 7ef8ad2a
Apalis iMX8 #?fuse prog 0 723?4a3e54b6
Apalis iMX8 #?fuse prog 0 724?ffa3df87
Apalis iMX8 #?fuse prog 0 725?1774beb6
Apalis iMX8 #?fuse prog 0 726?6f7b4d2e
...
Apalis iMX8 #?fuse prog 0 736?4bf5f8d7
Apalis iMX8 #?fuse prog 0 737?27d7727a
--------------------------------
為了操作方便,可以將上述命令生成U-Boot腳本文件來執行,或者可以通過類似如下?NXP Universal Update Utility (UUU)工具腳本來進行操作
--------------------------------
# This command will be run when ROM support stream mode
# i.MX8QXP, i.MX8QM
SDPS: boot -f imx-boot
# refer related module tezi image recovery folder uuu.auto file
CFG: FB: -vid 0x0525 -pid 0x4000
CFG: FB: -vid 0x0525 -pid 0x4025
CFG: FB: -vid 0x0525 -pid 0x402F
CFG: FB: -vid 0x0525 -pid 0x4030
CFG: FB: -vid 0x0525 -pid 0x4031
SPDU: delay 1000
FB: ucmd setenv cmd 'fuse prog -y 0'
FB: ucmd ${cmd} 722 0x7ef8ad2a
FB: ucmd ${cmd} 723 0x......
...
FB: ucmd ${cmd} 737 0x27d7727a
FB: done
--------------------------------
e).?SRK HASH燒寫完成后,AHAB狀態命令變化如下,只有如下狀態下close設備才是安全的,否則設備就無法啟動了。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
sc_seco_get_event: idx: 1, res:3
No SECO Events Found!
--------------------------------
f).?更多關于此步驟的說明請參考如下文檔
./ U-Boot documentation
mx8_mx8x_secure_boot.txt ? guides ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules
./ NXP Application Note - AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
5).?簽名包含Linux kernel?和?Device?Tree文件的OS Container Image?
a).?此步驟為可選步驟,如果不需要Linux Kernel Secure Boot功能則無需操作直接close設備即可。
b).?解壓Toradex Ycoto Linux BSP 5.7 Multimedia Image,獲得LInux Kernel和需要加載的Device Tree文件
--------------------------------
### uncompress BSP Image package ###
$ tar xvf Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20.tar
$ cd Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/
### uncompress boot filesystem ###
$ mkdir bootfs/
$ tar?Jxf?Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz -C bootfs/
### copy Kernel and Device Tree files to imx-mkimage tools related device folder ###
$ cd bootfs/
$ gzip -d Image.gz
$ cp Image imx8qm-apalis-v1.1-eval.dtb .../imx-mkimage/iMX8QM/
--------------------------------
b).?使用?imx-mkimage?工具生成?OS Container Image
./?如下修改默認配置,將Linux Kernel和Device Tree文件的命名和加載地址修改為適合你當前設備定義的配置,Toradex U-Boot默認配置Kernel?加載地址為?“0x96000000”,Device Tree加載地址為?“0x83000000”。
--------------------------------
--- a/iMX8QM/soc.mak?2022-08-19 17:31:57.488554800 +0800
+++ b/iMX8QM/soc.mak?2022-08-22 15:15:45.393002799 +0800
@@ -140,8 +140,8 @@
?flash_scfw: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin
??./$(MKIMG) -soc QM -rev B0 -dcd skip -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -out flash.bin
-flash_kernel: $(MKIMG) Image fsl-imx8qm-mek.dtb
-?./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x80280000 --data fsl-imx8qm-mek.dtb 0x83000000 -out flash.bin
+flash_kernel: $(MKIMG) Image imx8qm-apalis-v1.1-eval.dtb
+?./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x96000000 --data imx8qm-apalis-v1.1-eval.dtb 0x83000000 -out flash_os.bin
?flash_ca72: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-atf.bin
??./$(MKIMG) -soc QM -rev B0 -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a72 0x80000000 -out flash.bin
--------------------------------
./?生成?OS Container Image?文件?“flash_os.bin”,并記錄生成記錄最后的IVT_OFFSET + IMAGE_OFFSET數值用于后續CSF文件定義。
--------------------------------
$ cd .../imx-mkimage/
$?make SOC=iMX8QM flash_kernel
...
CST: CONTAINER 0 offset: 0x0
CST: CONTAINER 0: Signature Block: offset is at 0x110
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
--------------------------------
c).?使用CST工具簽名剛才生成的OS Container Image
./?準備CSF文件
--------------------------------
### copy CSF template to CST tool containing folder ###
$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_linux_img.txt?~/
### modify?csf_linux_img.txt?to adopt your settings ###
vi csf_linux_img.txt
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash_os.bin"
# Offsets = Container header ?Signature block (printed out by mkimage)
Offsets ??= 0x0 ????????????0x110
--------------------------------
./?簽名,獲得簽名好的OS Container Image?文件?“os_cntr_signed.bin”
--------------------------------
$ cp .../imx-mkimage/iMX8QM/flash_os.bin ~/
$?./cst-3.3.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin
--------------------------------
6).?部署OS Container Image
a).?將OS Container Image重新部署到剛才解壓的Ycoto Linux Multimedia BSP5.7 bootfs中,并重新創建bootfs?壓縮包
--------------------------------
### copy signed os container image to bsp rootfs folder ###
$ cp os_cntr_signed.bin?.../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/
### remove default boot script and linux kernel/device tree files ###
$ cd .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/
$ rm boot.scr Image *.dtb
### check bootfs files ###
$ tree -L 2
.
├── dpfw.bin
├── hdmitxfw.bin
├── os_cntr_signed.bin
├── overlays
│?? ├── apalis-imx8_ar0521_overlay.dtbo
│?? ├── apalis-imx8_atmel-mxt_overlay.dtbo
│?? ├── apalis-imx8_hdmi_overlay.dtbo
│?? ├── apalis-imx8_lvds_overlay.dtbo
│?? ├── apalis-imx8_mezzanine-can_overlay.dtbo
│?? ├── apalis-imx8_mezzanine_lvds_overlay.dtbo
│?? ├── apalis-imx8_mezzanine_ov5640_overlay.dtbo
│?? ├── apalis-imx8_ov5640_overlay.dtbo
│?? ├── apalis-imx8_resistive-touch_overlay.dtbo
│?? ├── display-dpi-lt170410_overlay.dtbo
│?? ├── display-edt5.7_overlay.dtbo
│?? ├── display-edt7_overlay.dtbo
│?? ├── display-fullhd_overlay.dtbo
│?? ├── display-lt161010_overlay.dtbo
│?? ├── display-lt170410_overlay.dtbo
│?? ├── display-vga_overlay.dtbo
│?? └── touch-atmel-mxt_overlay.dtbo
└── overlays.txt
1 directory, 21 files
### compress new bootfs package ###
$ tar Jcf ../Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz *
### clear bootfs
$ cd ..
$ rm -rf bootfs/
--------------------------------
b).?修改BSP package中的?“u-boot-initial-env-sd”?文件,增加如下環境變量用于Secure Boot
./?命令方式格式
--------------------------------
### set boot device info mmc 0:1 ###
Apalis iMX8 # setenv pre_boot 'devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd \"load ${devtype} ${devnum}:1\"; fi'
### signed os container image loading info ###
Apalis iMX8 # setenv cntr_addr '0x98000000'
Apalis iMX8 # setenv cntr_file 'os_cntr_signed.bin'
Apalis iMX8 # setenv cntr_load '${load_cmd} ${cntr_addr} ${cntr_file}'
### authenticate signed os container image ###
Apalis iMX8 # setenv auth_os 'auth_cntr ${cntr_addr}'
### device tree overlay apply ###
Apalis iMX8 # setenv overlays_file 'overlays.txt'
Apalis iMX8 # setenv overlays_prefix 'overlays/'
Apalis iMX8 # setenv load_overlays_file '${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}'
Apalis iMX8 # setenv fdt_resize 'fdt addr ${fdt_addr_r} && fdt resize 0x20000'
Apalis iMX8 #?setenv?apply_overlays 'for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}\${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true'
Apalis iMX8 # setenv bootcmd_overlays 'run load_overlays_file && run fdt_resize && run apply_overlays'
### kernel/dtb loading ###
Apalis iMX8 # setenv bootcmd_boot 'echo "Bootargs: \${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}'
### config for all boot process ###
Apalis iMX8 # setenv bootcmd_run 'run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false'
### auto run config ###
Apalis iMX8 # setenv bootcmd 'run bootcmd_run'
--------------------------------
./?文件方式定義
--------------------------------
---?a/u-boot-initial-env-sd?2022-08-29 17:22:27.668166883 +0800
+++?b/u-boot-initial-env-sd?2022-08-29 17:52:18.795402902 +0800
@@ -1,4 +1,4 @@
-bootcmd=run distro_bootcmd
+bootcmd=run bootcmd_run
?bootdelay=1
?baudrate=115200
?ipaddr=192.168.10.2
@@ -71,4 +71,16 @@
?video=imxdpufb5:off video=imxdpufb6:off video=imxdpufb7:off
?setup=run loadhdp; hdp load ${hdp_addr}; run mmcargs
?defargs=pci=nomsi
-
+pre_boot=devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd "load ${devtype} ${devnum}:1"; fi
+cntr_addr=0x98000000
+cntr_file=os_cntr_signed.bin
+cntr_load=${load_cmd} ${cntr_addr} ${cntr_file}
+auth_os=auth_cntr ${cntr_addr}
+overlays_file=overlays.txt
+overlays_prefix=overlays/
+load_overlays_file=${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}
+fdt_resize=fdt addr ${fdt_addr_r} && fdt resize 0x20000
+apply_overlays=for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true
+bootcmd_overlays=run load_overlays_file && run fdt_resize && run apply_overlays
+bootcmd_boot=echo "Bootargs: ${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}
+bootcmd_run=run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false
--------------------------------
c).?需要注意的是由于Kernel階段的Secure Boot相關認證和加載都是基于U-Boot命令行來實現的, 因此如果要讓這個啟動機制更加安全可靠,則要讓U-Boot保持在上述安全啟動路徑,而不能通過其他啟動介質或者腳本來啟動而繞開Secure Boot,比如Toradex U-Boot默認是使能Distro Boot功能的,可以自動掃描外設介質的啟動腳本,那么這個功能就需要關閉掉,類似這樣的U-Boot定制化需要自行根據實際使用場景來配置。
7).?部署測試
a).?參考這里將上述制作的支持Secure Boot的Image通過Toradex Easy Installer更新到Apalis iMX8模塊
./啟動后首先進入U-Boot命令行下,測試AHAB狀態
--------------------------------
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
sc_seco_get_event: idx: 0, res:3
No SECO Events Found!
--------------------------------
./?然后重新啟動,查看啟動log,Secure Boot成功完整加載U-Boot、Linux Kernel和Rootfs
--------------------------------
U-Boot 2020.04-06964-g33bb8e9683 (Aug 15 2022 - 15:32:22 +0800)
CPU: ??NXP i.MX8QM RevB A53 at 1200 MHz
DRAM: ?4 GiB
MMC: ??FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... OK
In: ???serial
Out: ??serial
Err: ??serial
Model: Toradex Apalis iMX8 QuadMax 4GB Wi-Fi / BT IT V1.1B, Serial# 06738378
?BuildInfo:
??- SCFW 216a2c2e, SECO-FW c9de51c0, IMX-MKIMAGE fe124bce, ATF 2fa8c63
??- U-Boot 2020.04-06964-g33bb8e9683
switch to partitions #0, OK
mmc0(part 0) is current device
flash target is MMC:0
Net: ??eth0: ethernet@5b040000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: ?0
switch to partitions #0, OK
mmc0(part 0) is current device
25877504 bytes read in 787 ms (31.4 MiB/s)
Authenticate OS container at 0x98000000
43 bytes read in 12 ms (2.9 KiB/s)
Applying Overlay: apalis-imx8_hdmi_overlay.dtbo
2177 bytes read in 31 ms (68.4 KiB/s)
106496 bytes read in 16 ms (6.3 MiB/s)
Loading hdp firmware from 0x000000009c000000 offset 0x0000000000002000
Loading hdp firmware Complete
Bootargs: console=ttyLP1 earlycon,115200 root=PARTUUID=e8daf485-02 rootwait mmcdev=0
## Flattened Device Tree blob at 83000000
???Booting using the fdt blob at 0x83000000
???Loading Device Tree to 00000000fd5fc000, end 00000000fd648fff ... OK
Starting kernel ...
[ ???0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[ ???0.000000] Linux version 5.4.193-5.7.0+git.f78299297185 (oe-user@oe-host) (gcc version 9.2
...
[ ?OK ?] Started Start a wayland application.
[ ?OK ?] Reached target Multi-User System.
[ ?OK ?] Reached target Graphical Interface.
?????????Starting Update UTMP about System Runlevel Changes...
[ ?OK ?] Started Update UTMP about System Runlevel Changes.
TDX Wayland with XWayland 5.7.0+build.20 (dunfell) apalis-imx8-06738378 ttyLP1
Apalis-iMX8_Reference-Multimedia-Image
apalis-imx8-06738378 login:
--------------------------------
b). Close設備
經過上述測試已經確認從U-Boot到Linux Kernel Secure Boot正常,即可以在U-Boot命令行下面執行下面命令Close設備,請注意此操作之后,沒有簽名的Image就無法再在此模塊加載運行了,因此請謹慎操作。
--------------------------------
Apalis iMX8 # ahab_close
--------------------------------
10).?總結
本文基于NXP iMX8處理器演示了基于AHAB的Secure Boot功能,設計U-Boot和Linux Kernel、Device Tree等,至于Rootfs的加密,則需要配置類似Squashfs只讀文件系統配合initramfs最小啟動鏡像進行加解密掛載啟動,可以結合參考如下兩篇文章,本文不做具體測試。
./?嵌入式?ARM?平臺使用dm-crypt加密磁盤分區
./?使用Squashfs和Overlayfs提高嵌入式Linux文件系統可靠性
參考文檔
introduction_ahab.txt ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules
mx8_mx8x_secure_boot.txt ? guides ? ahab ? imx ? doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules
NXP Application Note AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
?
總結
以上是生活随笔為你收集整理的基于NXP iMX8测试Secure Boot功能部署的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 日志log4cxx 封装、实例讲解、配置
- 下一篇: C++多线程 例子