User's guide
Secure Boot with i.MX28 HAB Version 4, Rev. 1
22 Freescale Semiconductor
//----------------------------------------------------------
load boot_prep_bin > 0x10;
load boot_prep;
load boot_prep_hab_data > boot_prep:__hab_data;
hab call boot_prep:input_ivt;
//----------------------------------------------------------
// Prepare to boot Linux
//----------------------------------------------------------
load linux_prep_bin > 0x2000;
load linux_prep;
load linux_prep_hab_data > linux_prep:__hab_data;
hab call linux_prep:input_ivt;
//----------------------------------------------------------
// Load and start Linux kernel
//----------------------------------------------------------
load zImage > 0x40008000;
load linux_kernel_hab_data > linux_prep:__hab_data;
hab jump linux_prep:input_ivt;
}
5 Encrypted boot and Elftosb
5.1 i.MX28 encrypted boot in a nutshell
i.MX28 supports boot images encrypted with AES-128. The entire image, including HAB data, is encrypted. The Elftosb tool from Freescale supports encryption of boot images. Elftosb generates a session key, which is used to encrypt the image. The user generates one or more input OTP keys using the Keygen utility. For every input OTP key, elftosb generates an entry in a key dictionary residing inside the SB file. Each dictionary entry consists of a CBC-MAC computed over the boot image header with the OTP key, and the session key encrypted with the OTP key. There is no limit on the number of input OTP keys or on the key dictionary size.
Any one of the OTP keys in the key dictionary can be burned into the i.MX28 CRYPTO fuses.
At boot time, the ROM computes a CBC-MAC over the boot image header with the OTP key, finds a matching entry in the key dictionary of the image, decrypts the session key with the OTP key, and decrypts the rest of the image with the decrypted session key.
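The key dictionary scheme described in 5.1, sketched in Go as an added example (it is not Freescale's elftosb or ROM code). The names Block, DictEntry, BuildEntry and FindSessionKey are hypothetical, and the zero IV, the single-block AES wrap of the session key and the header modeled as whole 16-byte blocks are assumptions; the real SB file layout is not given on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"fmt"
)

type Block [16]byte                         // one AES block: key, MAC or wrapped key
type DictEntry struct{ MAC, Wrapped Block } // the two fields the text names per entry

// cbcMAC is AES-128 CBC-MAC over a non-empty header (zero IV is an assumption).
func cbcMAC(otp Block, header []Block) (mac Block) {
	blk, _ := aes.NewCipher(otp[:]) // cannot fail: the key is exactly 16 bytes
	for _, h := range header {
		for j := range mac {
			mac[j] ^= h[j]
		}
		blk.Encrypt(mac[:], mac[:])
	}
	return mac
}

// BuildEntry is the image-builder side: one entry per input OTP key.
func BuildEntry(otp, session Block, header []Block) (e DictEntry) {
	blk, _ := aes.NewCipher(otp[:])
	e.MAC = cbcMAC(otp, header)
	blk.Encrypt(e.Wrapped[:], session[:]) // single-block wrap (assumption)
	return e
}

// FindSessionKey is the boot-time side: MAC the header, match an entry, unwrap.
func FindSessionKey(fused Block, header []Block, dict []DictEntry) (s Block, ok bool) {
	mac := cbcMAC(fused, header)
	blk, _ := aes.NewCipher(fused[:])
	for _, e := range dict {
		if subtle.ConstantTimeCompare(mac[:], e.MAC[:]) == 1 {
			blk.Decrypt(s[:], e.Wrapped[:])
			return s, true
		}
	}
	return s, false
}

func main() { // constructed sample keys and header, not real values
	hdr := []Block{{'S', 'B'}, {1}}
	dict := []DictEntry{BuildEntry(Block{1}, Block{9}, hdr), BuildEntry(Block{2}, Block{9}, hdr)}
	fmt.Println(FindSessionKey(Block{2}, hdr, dict))
}
```

Because the MAC covers the header, a key that is not in the dictionary or a modified header both end in "no matching entry" before any decryption is attempted.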
5.2 IMX_ELFTOSB_TOOL
The IMX_ELFTOSB_TOOL package is available on freescale.com.










