High Assurance Boot MX8 Sections: Difference between revisions
Revision as of 21:24, 11 October 2021
Code signing step by step instructions i.MX8M
NXP provides documentation for enabling HAB for the i.MX8M family. The information in this wiki is derived from NXP's documentation.
The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/
The following documentation is helpful to review:
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/introduction_habv4.txt doc/imx/habv4/introduction_habv4.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/guides/mx8m_secure_boot.txt doc/imx/habv4/guides/mx8m_secure_boot.txt]
- NXP AN12263 HABv4 RVT Guidelines and Recommendations
Code signing step by step instructions i.MX8
NXP provides documentation for enabling AHAB for the i.MX8 family. The information in this wiki is derived from NXP's documentation.
The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/
The following documentation is helpful to review:
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/introduction_ahab.txt doc/imx/ahab/introduction_ahab.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt]
- NXP AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
Generate PKI i.MX8M
Now, to generate the PKI tree, run the following:
$ ./hab4_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
Generate PKI i.MX8
Now, to generate the PKI tree, run the following:
$ ./ahab_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 20
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK1234table.bin -e SRK1234fuse.bin -f 1 -c SRK1_sha384_4096_65537_v3_usr_crt.pem,SRK2_sha384_4096_65537_v3_usr_crt.pem,SRK3_sha384_4096_65537_v3_usr_crt.pem,SRK4_sha384_4096_65537_v3_usr_crt.pem
$ ll SRK1234*
-rw-rw-r-- 1 nate nate 64 Sep 15 14:47 SRK1234fuse.bin
-rw-rw-r-- 1 nate nate 2112 Sep 15 14:47 SRK1234table.bin
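The fuse files produced by both srktool invocations above can be sanity-checked before their contents are used anywhere, by confirming the file length and printing the 32-bit words for review. This is an added example, not code from NXP or from this wiki. It assumes 64 bytes for the AHAB fuse file (as in the listing above), 32 bytes for the HABv4 fuse file, and little-endian word order. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an srktool fuse file before its words are used.
# Assumed sizes: 64 bytes for the AHAB flow (matches the listing above),
# 32 bytes for the HABv4 flow (sha256 digest; assumption, not shown on the page).

# srk_fuse_words FILE EXPECTED_BYTES
# Prints one 32-bit word per line as 0xXXXXXXXX, reading each 4-byte group
# little-endian (assumption: the same view od -t x4 gives on an x86 host).
srk_fuse_words() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne "$expected" ]; then
        echo "$file: $size bytes, expected $expected" >&2
        return 1
    fi
    # Dump single bytes so the result does not depend on host endianness.
    od -An -v -tx1 "$file" | awk '
        { for (f = 1; f <= NF; f++) b[n++] = toupper($f) }
        END { for (i = 0; i + 3 < n; i += 4)
                  printf "0x%s%s%s%s\n", b[i+3], b[i+2], b[i+1], b[i] }'
}

# make_sample_fuse FILE COUNT
# Writes constructed sample input (bytes 0x00, 0x01, ...), not real key material.
make_sample_fuse() {
    i=0
    : > "$1"
    while [ "$i" -lt "$2" ]; do
        printf '%b' "\\0$(printf '%03o' "$i")" >> "$1"
        i=$((i + 1))
    done
}

# Usage with the files named on this page:
#   srk_fuse_words SRK1234fuse.bin 64          (AHAB)
#   srk_fuse_words SRK_1_2_3_4_fuse.bin 32     (HABv4)
```

A length mismatch makes the function return non-zero and print nothing on stdout, so a script that consumes the words stops instead of proceeding with a truncated or wrong file.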