High Assurance Boot MX8 Sections: Difference between revisions

From Variscite Wiki
No edit summary
No edit summary
Line 25: Line 25:
* NXP AN12312 [https://www.nxp.com/docs/en/application-note/AN12312.pdf Secure Boot on i.MX 8 and i.MX 8X Families using AHAB]
* NXP AN12312 [https://www.nxp.com/docs/en/application-note/AN12312.pdf Secure Boot on i.MX 8 and i.MX 8X Families using AHAB]
<section end=NXP_DOC_ahab/>
<section end=NXP_DOC_ahab/>
= Generate PKI i.MX8M =
<section begin=HAB_PKI_habv4/>
Now, to generate the PKI tree, run the following:
$ ./hab4_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
<section end=HAB_PKI_habv4/>
= Generate PKI i.MX8 =
<section begin=HAB_PKI_ahab/>
Now, to generate the PKI tree, run the following:
$ ./ahab_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 20
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK1234table.bin -e SRK1234fuse.bin -f 1 -c SRK1_sha384_4096_65537_v3_usr_crt.pem,SRK2_sha384_4096_65537_v3_usr_crt.pem,SRK3_sha384_4096_65537_v3_usr_crt.pem,SRK4_sha384_4096_65537_v3_usr_crt.pem
$ ll SRK1234*
-rw-rw-r-- 1 nate nate  64 Sep 15 14:47 SRK1234fuse.bin
-rw-rw-r-- 1 nate nate 2112 Sep 15 14:47 SRK1234table.bin
<section end=HAB_PKI_ahab/>

Revision as of 21:24, 11 October 2021

Code signing step by step instructions i.MX8M

NXP Provides documentation for enabling HAB for the i.MX8M Family. The information in this wiki is derived from NXP's documentation.

The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/

The following documentation is helpful to review:

  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/introduction_habv4.txt doc/imx/habv4/introduction_habv4.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/guides/mx8m_secure_boot.txt doc/imx/habv4/guides/mx8m_secure_boot.txt]
  • NXP AN12263 HABv4 RVT Guidelines and Recommendations


Code signing step by step instructions i.MX8

NXP Provides documentation for enabling AHAB for the i.MX8 Family. The information in this wiki is derived from NXP's documentation.

The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/

The following documentation is helpful to review:

  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/introduction_ahab.txt doc/imx/ahab/introduction_ahab.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt]
  • NXP AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB


Generate PKI i.MX8M

Now, to generate the PKI tree, run the following:

$ ./hab4_pki_tree.sh

And complete the interactive questions. For example:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

Generate Super Root Key (SRK) table

$ cd ../crts/
$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1


Generate PKI i.MX8

Now, to generate the PKI tree, run the following:

$ ./ahab_pki_tree.sh

And complete the interactive questions. For example:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 20
Do you want the SRK certificates to have the CA flag set? (y/n)?: n

Generate Super Root Key (SRK) table

$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK1234table.bin -e SRK1234fuse.bin -f 1 -c SRK1_sha384_4096_65537_v3_usr_crt.pem,SRK2_sha384_4096_65537_v3_usr_crt.pem,SRK3_sha384_4096_65537_v3_usr_crt.pem,SRK4_sha384_4096_65537_v3_usr_crt.pem
$ ll SRK1234*
-rw-rw-r-- 1 nate nate   64 Sep 15 14:47 SRK1234fuse.bin
-rw-rw-r-- 1 nate nate 2112 Sep 15 14:47 SRK1234table.bin