User's guide

Secure Boot with i.MX28 HAB Version 4, Rev. 1
Freescale Semiconductor 19
Signed U-Boot and Linux kernel example
The HAB data is generated using the code signing tool. Section 8, “Example CSF text files for
reference,” illustrates sample CSF files including u-boot.csf and boot_prep.csf.
cst -o boot_prep_hab_data < boot_prep.csf
cst -o power_prep_hab_data < power_prep.csf
cst -o uboot_hab_data < u-boot.csf
4. Finally the elftosb tool is used to generate the signed SB file. Elftosb is described in
Section 5.2, “IMX_ELFTOSB_TOOL.”
./elftosb -z -V -f imx28 -c ./uboot_ivt.bd -o imx28_ivt_uboot.sb
Here are the steps to generate a signed Linux kernel SB file.
1. The source code changes described in section 3.3 are required for all three bootlets: power_prep,
boot_prep and linux_prep.
2. Build the three ELF files for power_prep, boot_prep and linux_prep. Follow the instructions in
the BSP guide to build the three bootlets.
3. The next step is to generate HAB data for the Linux kernel binary file (zImage) and the 3 bootlets
using the Freescale code signing tool. The ELF files should first be converted to binary using the
GNU objcopy command.
objcopy -I elf32-little -O binary --gap-fill 0xFF power_prep power_prep.bin
objcopy -I elf32-little -O binary --gap-fill 0xFF boot_prep boot_prep.bin
objcopy -I elf32-little -O binary --gap-fill 0xFF linux_prep linux_prep.bin
The BSP design of linux_prep is somewhat complex in that it is executed twice: the first time
using the CALL HAB command and the second time using the JUMP HAB command.
The execution flow is easier to follow with Section 4.2, “Sample boot descriptor file used
for Linux kernel image.” The first execution modifies the memory at byte offset 0x24 to 1. To
authenticate the entire linux_prep for both executions, two signatures must therefore be
generated. The first signature is used with CALL HAB and covers the image with the original
value ‘0’ at offset 0x24; the second signature is used for authenticating linux_prep with JUMP HAB
and covers the image with a value of 1 at offset 0x24. To do this, first copy linux_prep.bin to
linux_kernel.bin, then manually change byte 0x24 to 1 using a hex editor, and include
linux_kernel.bin in linux_kernel.csf for signature generation.
cp linux_prep.bin linux_kernel.bin
Using a hex editor, set byte 0x24 to 1.
The HAB data is generated using the code signing tool. Section 8, “Example CSF text files for
reference,” illustrates sample CSF files including linux_prep.csf and linux_kernel.csf.
cst -o boot_prep_hab_data < boot_prep.csf
cst -o power_prep_hab_data < power_prep.csf
cst -o linux_prep_hab_data < linux_prep.csf
cst -o linux_kernel_hab_data < linux_kernel.csf
4. Finally the elftosb tool is used to generate the signed SB file. Elftosb is described in
Section 5.2, “IMX_ELFTOSB_TOOL.”
./elftosb -z -V -f imx28 -c ./linux_ivt.bd -o imx28_ivt_linux.sb
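
The manual hex-editor edit in step 3 can be scripted so that the build checks the two signed images differ only at offset 0x24. This is an added example, not part of the Freescale guide; the function names are hypothetical, and the sample input is a constructed stand-in for linux_prep.bin.

```shell
#!/bin/sh
# Added example (not from the Freescale guide). Function names are hypothetical;
# the offset 0x24 and the values 0 and 1 are the ones given in the text above.
FLAG_OFFSET=36   # 0x24: byte that the first (CALL HAB) run of linux_prep sets to 1

# Print the unsigned decimal value of the byte at offset $2 in file $1.
byte_at() {
    od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# Copy $1 (linux_prep.bin) to $2 (linux_kernel.bin) and set byte 0x24 to 1.
make_kernel_image() {
    src=$1; dst=$2
    size=$(wc -c < "$src" | tr -d ' ')
    [ "$size" -gt "$FLAG_OFFSET" ] || { echo "error: $src is too short" >&2; return 1; }
    # The CALL HAB signature covers the image with 0 here; anything else means
    # the input is not the pristine objcopy output (for example, already patched).
    [ "$(byte_at "$src" "$FLAG_OFFSET")" = "0" ] || {
        echo "error: byte 0x24 of $src is not 0" >&2; return 1; }
    cp "$src" "$dst" || return 1
    printf '\001' | dd of="$dst" bs=1 seek="$FLAG_OFFSET" conv=notrunc 2>/dev/null || return 1
    # The two signed images must differ in exactly this one byte.
    ndiff=$( { cmp -l "$src" "$dst" || true; } | wc -l | tr -d ' ')
    [ "$ndiff" = "1" ] && [ "$(byte_at "$dst" "$FLAG_OFFSET")" = "1" ]
}

# Constructed stand-in for linux_prep.bin: 64 bytes of 0xFF with 0x00 at 0x24.
make_sample() {
    : > "$1"
    i=0
    while [ "$i" -lt 64 ]; do printf '\377' >> "$1"; i=$((i + 1)); done
    printf '\000' | dd of="$1" bs=1 seek="$FLAG_OFFSET" conv=notrunc 2>/dev/null
}

# Usage with the real file: make_kernel_image linux_prep.bin linux_kernel.bin
```

Running it on an image whose byte 0x24 is already 1 fails, which catches signing the wrong file for the CALL HAB stage.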