High Assurance Boot MX8 Sections

From Variscite Wiki
Revision as of 22:24, 11 October 2021 by Nate

Code signing step by step instructions i.MX8M

NXP provides documentation for enabling HAB for the i.MX8M family. The information in this wiki is derived from NXP's documentation.

The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/

The following documentation is helpful to review:

  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/introduction_habv4.txt doc/imx/habv4/introduction_habv4.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/habv4/guides/mx8m_secure_boot.txt doc/imx/habv4/guides/mx8m_secure_boot.txt]
  • NXP AN12263 HABv4 RVT Guidelines and Recommendations


Code signing step by step instructions i.MX8

NXP provides documentation for enabling AHAB for the i.MX8 family. The information in this wiki is derived from NXP's documentation.

The U-Boot source code provides a directory with documentation and examples: /blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/

The following documentation is helpful to review:

  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/introduction_ahab.txt doc/imx/ahab/introduction_ahab.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt]
  • U-Boot [/blob/imx_v2020.04_5.4.70_2.3.2_var01/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt]
  • NXP AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB


Generate PKI i.MX8M

Now, to generate the PKI tree, run the following:

$ ./hab4_pki_tree.sh

Then answer the interactive prompts. For example:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

Generate Super Root Key (SRK) table

$ cd ../crts/
$ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1


Generate PKI i.MX8

Now, to generate the PKI tree, run the following:

$ ./ahab_pki_tree.sh

Then answer the interactive prompts. For example:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 20
Do you want the SRK certificates to have the CA flag set? (y/n)?: n

Generate Super Root Key (SRK) table

$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK1234table.bin -e SRK1234fuse.bin -f 1 -c SRK1_sha384_4096_65537_v3_usr_crt.pem,SRK2_sha384_4096_65537_v3_usr_crt.pem,SRK3_sha384_4096_65537_v3_usr_crt.pem,SRK4_sha384_4096_65537_v3_usr_crt.pem
$ ll SRK1234*
-rw-rw-r-- 1 nate nate   64 Sep 15 14:47 SRK1234fuse.bin
-rw-rw-r-- 1 nate nate 2112 Sep 15 14:47 SRK1234table.bin
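
The SRK hash ends up in one-time-programmable fuses, so it is worth checking the generated fuse file before its values are used. The script below is an added example, not part of the Variscite or NXP material: it checks that the file size matches the digest length (32 bytes for the HABv4 command with -d sha256, 64 bytes as in the AHAB listing above) and prints the 32-bit words that -f 1 lays out. The function names and the read-back text format are assumptions, and words are read little-endian as in the hexdump command in the U-Boot guides listed above.

```shell
#!/bin/sh
# Added example (not from the wiki or NXP): check an srktool fuse file
# before its words are used for fuse programming.

# srk_fuse_words FILE EXPECTED_BYTES
# Prints one 32-bit word per line, bytes read little-endian. Fails if the
# file is unreadable or its size differs from the digest length.
srk_fuse_words() {
    file=$1; expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne "$expected" ]; then
        echo "$file: $size bytes, expected $expected" >&2
        return 1
    fi
    od -An -v -tx1 "$file" | awk '
        { for (f = 1; f <= NF; f++) b[n++] = toupper($f) }
        END { for (i = 0; i + 3 < n; i += 4)
                  printf "0x%s%s%s%s\n", b[i+3], b[i+2], b[i+1], b[i] }'
}

# srk_fuse_match FILE EXPECTED_BYTES READBACK
# READBACK is a text file with one hex word per line in fuse order (an
# assumed format, e.g. values transcribed from a board read-back).
srk_fuse_match() {
    want=$(srk_fuse_words "$1" "$2") || return $?
    got=$(awk 'NF { w = toupper($1); sub(/^0X/, "", w)
                    while (length(w) < 8) w = "0" w
                    print "0x" w }' "$3")
    [ "$want" = "$got" ]
}

# Sizes for the two flows above: -d sha256 gives 32 bytes (HABv4);
# the AHAB listing shows a 64-byte SRK1234fuse.bin.
check_hab4() { srk_fuse_words "${1:-SRK_1_2_3_4_fuse.bin}" 32; }
check_ahab() { srk_fuse_words "${1:-SRK1234fuse.bin}" 64; }

# Stand-alone use: sh script.sh FILE EXPECTED_BYTES
if [ "$#" -ge 2 ]; then srk_fuse_words "$1" "$2"; fi
```

Run check_hab4 or check_ahab from the crts/ directory after srktool; srk_fuse_match accepts words with or without leading zeros, so unpadded hexdump-style values compare correctly.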