High Assurance Boot MX8 Sections: Difference between revisions
(Add fuse scripts for 8m, and placeholders for 8qm and 8x)
Revision as of 19:52, 12 October 2021
Code signing step by step instructions i.MX8M
NXP provides documentation for enabling HAB for the i.MX8M Family. The information in this wiki is derived from NXP's documentation.
The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/
The following documentation is helpful to review:
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/introduction_habv4.txt doc/imx/habv4/introduction_habv4.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/guides/mx8m_secure_boot.txt doc/imx/habv4/guides/mx8m_secure_boot.txt]
- NXP AN12263 HABv4 RVT Guidelines and Recommendations
Code signing step by step instructions i.MX8
NXP provides documentation for enabling AHAB for the i.MX8 Family. The information in this wiki is derived from NXP's documentation.
The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/
The following documentation is helpful to review:
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/introduction_ahab.txt doc/imx/ahab/introduction_ahab.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt]
- U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt]
- NXP AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
Generate PKI i.MX8M
$ ./hab4_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
Generate PKI i.MX8
$ ./ahab_pki_tree.sh
And complete the interactive questions. For example:
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 20
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Generate Super Root Key (SRK) table
$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK1234table.bin -e SRK1234fuse.bin -f 1 -c SRK1_sha384_4096_65537_v3_usr_crt.pem,SRK2_sha384_4096_65537_v3_usr_crt.pem,SRK3_sha384_4096_65537_v3_usr_crt.pem,SRK4_sha384_4096_65537_v3_usr_crt.pem
$ ll SRK1234*
-rw-rw-r-- 1 nate nate 64 Sep 15 14:47 SRK1234fuse.bin
-rw-rw-r-- 1 nate nate 2112 Sep 15 14:47 SRK1234table.bin
Program the SRK (public keys) to the SOC e-fuses i.MX8M
$ cat build_xwayland/deploy/images/{{#var:MACHINE_NAME}}/SRK_1_2_3_4_fuse.bin.u-boot-cmds
# Note: These are One-Time Programmable e-fuses. Once you write them you can't go back, so get it right the first time.
fuse prog -y 6 0 0xDA6B9ADB
fuse prog -y 6 1 0xDC9B55A1
fuse prog -y 6 2 0x93D10134
fuse prog -y 6 3 0x5CDC8DA3
fuse prog -y 7 0 0x143709F8
fuse prog -y 7 1 0xC6E305A7
fuse prog -y 7 2 0x3E718DA2
fuse prog -y 7 3 0xC6AC85B6
# After the device successfully boots a signed image without generating any HAB events, it is safe to secure, or 'close', the device.
# This is the last step in the process. Once the fuse is blown, the chip does not load an image that has not been signed using the correct PKI tree.
# Important notes:
# - This is again a One-Time Programmable e-fuse. Once you write it you can't go back, so get it right the first time.
# - If anything in the previous steps wasn't done correctly, the SOM will not boot after writing this bit.
fuse prog 1 3 0x02000000
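Because these fuses are one-time programmable, it is worth checking the command file against the SRK_1_2_3_4_fuse.bin that srktool produced before pasting anything into U-Boot. The following is an added example, not part of the original page or of NXP's tooling: the function names are hypothetical, the sample fuse file is constructed from the words listed above, and it assumes each fuse word is a little-endian 32-bit read of the file (as on a little-endian build host).

```python
import re
import struct

# Words from the page's SRK_1_2_3_4_fuse.bin.u-boot-cmds listing (banks 6 and 7).
PAGE_WORDS = [0xDA6B9ADB, 0xDC9B55A1, 0x93D10134, 0x5CDC8DA3,
              0x143709F8, 0xC6E305A7, 0x3E718DA2, 0xC6AC85B6]
# Constructed sample: the 32-byte fuse file those words correspond to, assuming
# each fuse word is a little-endian 32-bit read of the file.
SAMPLE_FUSE_BIN = struct.pack("<8I", *PAGE_WORDS)

FIRST_BANK, WORDS_PER_BANK = 6, 4   # layout taken from the page's listing
CMD_RE = re.compile(r"^fuse\s+prog(?:\s+-y)?\s+(\d+)\s+(\d+)\s+(0x[0-9A-Fa-f]{1,8})$")


def srk_words(fuse_bin):
    """Map (bank, word) -> value for a 32-byte SHA-256 SRK hash file."""
    if len(fuse_bin) != 32:
        raise ValueError(f"expected a 32-byte SRK hash, got {len(fuse_bin)} bytes")
    words = struct.unpack("<8I", fuse_bin)
    return {(FIRST_BANK + i // WORDS_PER_BANK, i % WORDS_PER_BANK): w
            for i, w in enumerate(words)}


def srk_fuse_commands(fuse_bin):
    """Render the U-Boot commands in the same form as the page's listing."""
    return [f"fuse prog -y {b} {w} 0x{v:08X}" for (b, w), v in srk_words(fuse_bin).items()]


def check_command_file(text, fuse_bin):
    """Return problems found in a .u-boot-cmds file; an empty list means it matches."""
    expected, seen, problems = srk_words(fuse_bin), set(), []
    for line in (l.strip() for l in text.splitlines()):
        m = CMD_RE.match(line)
        if not m:
            continue                      # comments and blank lines
        slot, value = (int(m[1]), int(m[2])), int(m[3], 16)
        if slot not in expected:
            problems.append(f"write outside SRK banks: {line}")
        elif slot in seen:
            problems.append(f"duplicate write to bank {slot[0]} word {slot[1]}")
        elif value != expected[slot]:
            problems.append(f"bank {slot[0]} word {slot[1]}: file 0x{value:08X}, "
                            f"fuse.bin 0x{expected[slot]:08X}")
        seen.add(slot)
    return problems + [f"missing bank {b} word {w}" for b, w in expected if (b, w) not in seen]
```

Run against the listing above, the check reports only the `fuse prog 1 3 0x02000000` line, which keeps the closing fuse visible as a separate step from SRK programming.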