基于NXP iMX8测试Secure Boot功能部署
- 关键词:ARM,Linux,NXP
- 作者:By Toradex秦海
- 摘要:由于NXP从iMX8/iMX8x处理器开始引入了SCU/SECO等底层控制模块来进行包含启动管理等多项底层初始化功能,因此对于Secure Boot功能支持,也同样升级为Advanced High Assurance Boot (AHAB) 特性来配合,以区别于iMX6/iMX8MM/iMX8MP处理器所使用的HABv4特性;AHAB和HABv4都是基于公共密钥加密 (Public Key Cryptography) 和数字签名 (Digital Signature) 技术来实现Secure Boot的
1). 简介
由于NXP从iMX8/iMX8x处理器开始引入了SCU/SECO等底层控制模块来进行包含启动管理等多项底层初始化功能,因此对于Secure Boot功能支持,也同样升级为Advanced High Assurance Boot (AHAB) 特性来配合,以区别于iMX6/iMX8MM/iMX8MP处理器所使用的HABv4特性;AHAB和HABv4都是基于公共密钥加密 (Public Key Cryptography) 和数字签名 (Digital Signature) 技术来实现Secure Boot的,SCU负责协调各个启动组件和流程,SECO用于验证签名的Image文件并授权加载运行,一个简单的流程图参考如下。本文就基于NXP iMX8平台测试部署Secure Boot功能。
本文所演示的平台来自于Toradex Apalis iMX8嵌入式平台,这个平台是基于近年发布的NXP iMX8系列ARM处理器,核心为Cortex-A72/A53。
2. 准备
a). Apalis iMX8 ARM核心版配合Ixora 载板,并连接调试串口用于测试。
b). 参考这里下载Toradex Ycoto Linux BSP5 Image用于后续测试,目前最新的是5.7版本。
3). 生成PKI Tree文件
a). 从NXP官方网站下载Code Signing Tools软件包(需注册),目前最新版本是3.3.1版本,然后解压后使用预设的脚本生成Public Key Infrastructure (PKI) tree,用于后面签名U-boot/Linux Kernel Image文件
--------------------------------
$ cp .../cst-3.3.1.tgz ~/.
$ cd ~
$ tar xvf cst-3.3.1.tgz
$ tree -L 1 cst-3.3.1/
cst-3.3.1/
├── ca
├── code
├── crts
├── docs
├── keys
├── LICENSE.bsd3
├── LICENSE.hidapi
├── LICENSE.openssl
├── linux32
├── linux64
├── mingw32
├── osx
├── Release_Notes.txt
└── Software_Content_Register_CST.txt
--------------------------------
b). 生成PKI TREE
./ 修改CST工具默认的serial和key_pass,本文因为仅测试需要则保持默认没有修改,实际应用可以根据需要自行修改以保证安全
--------------------------------
$ cd ~/cst-3.3.1/keys
### default serial number for OpenSSL certification ###
$ cat serial
1234567C
### default key_pass for protection of private keys
$ cat key_pass.txt
test
test
--------------------------------
./ 运行CST工具预制脚本通过交互方式生成PKI TREE,这里生成一个P384 ECC SRK PKI TREE示例,还可以选择其他选项或者生成包含下级SGK Key的PKI TREE,更多可以参考如下U-Boot源代码中的文档说明
https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0
--------------------------------
### generate P384 ECC PKI TREE ###
$ ./ahab_pki_tree.sh
...
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: y
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 5
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
### check generated SRK keys ###
$ ls SRK*
SRK1_sha384_secp384r1_v3_usr_key.der SRK2_sha384_secp384r1_v3_usr_key.pem SRK4_sha384_secp384r1_v3_usr_key.der
SRK1_sha384_secp384r1_v3_usr_key.pem SRK3_sha384_secp384r1_v3_usr_key.der SRK4_sha384_secp384r1_v3_usr_key.pem
SRK2_sha384_secp384r1_v3_usr_key.der SRK3_sha384_secp384r1_v3_usr_key.pem
### generate SRK Table 和 SRK Hash ###
$ cd ../crts/
$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \
-e SRK_1_2_3_4_fuse.bin -f 1 -c \
SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem
### check SRK Table and SRK Hash ###
$ ls SRK_*
SRK_1_2_3_4_fuse.bin SRK_1_2_3_4_table.bin
--------------------------------
c). 上面最后生成的两个文件就是我们后面签名和fuse设备需要用到的,”SRK_1_2_3_4_table.bin” 文件是SRK Table,用于签名Container Image;”SRK_1_2_3_4_fuse.bin” 文件是SRK Hash,用于fuse到Apalis iMX8设备的eFuse。更多CST工具使用说明可以参考如下CST User Guide文档
cst-3.3.1/docs/CST_UG.pdf
4). Boot Container 配置和签名
a). 参考这里说明下载Toradex Ycoto Linux BSP 5.x.y版本U-boot源代码,默认配置并未使能AHAB功能支持,需要在config中使能如下选项,并重新编译生成新的U-Boot文件 ”u-boot.bin”
--------------------------------
→ ARM architecture
[*] Support i.MX8 AHAB features
--------------------------------
b). 参考上面U-boot源码下载编译文章以及下面参考文档,使用编译生成的U-Boot文件生成Apalis iMX8 Boot Container Image文件”flash.bin”
https://www.toradex.cn/blog/nxp-imx8-scfw-heboot-container-image-bian-yi
c). 此时先将上一步骤生成的 “flash.bin” 文件重命名为 “imx-boot”,然后通过这里的说明通过Toradex Easy Installer更新到Apalis iMX8模块并启动进入U-Boot命令行,通过如下命令可以查看AHAB功能以及使能成功,但是由于Boot Container Image并未签名,因此提示 “0xEE” 事件。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
sc_seco_get_event: idx: 1, res:3
--------------------------------
d). 通过CST工具对上一步骤使用 imx-mkimage 生成的Boot Container Image “flash.bin” 文件进行签名
--------------------------------
### copy boot container image file to CST tool containing folder ###
$ cp .../imx-mkimage/iMX8QM/flash.bin ~/
### copy CSF template to CST tool containing folder ###
$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_boot_image.txt ~/
### modify csf_boot_image.txt to adopt your settings ###
vi csf_boot_image.txt
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x400 0x590
### sign boot container image ###
./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin
Install SRK
Authenticate data
CSF Processed successfully and signed image available in flash_signed.bin
--------------------------------
e). 此时再将上一步骤签名成功的 “flash_signed.bin” 文件重命名为 “imx-boot” 并更新到Apalis iMX8模块上面,此时AHAB状态命令变化如下,因为并未将对应的Hash烧写到Apalis iMX8 eFuse,因此提示 “0xEA” 事件。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087FA00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_BAD_KEY_HASH_IND (0xFA)
sc_seco_get_event: idx: 1, res:3
--------------------------------
f). 烧写SRK Hash
./ 签名的Boot Container Image文件要通过iMX8 SOC SRK_HASH[511:0] fuse烧写的SRK Hash进行校验
./ 导出SRK HASH fuse对应数值
--------------------------------
### dump SRK HASH fuse value ###
$ od -t x4 ~/cst-3.3.1/crts/SRK_1_2_3_4_fuse.bin
0000000 7ef8ad2a 4a3e54b6 ffa3df87 1774beb6
0000020 6f7b4d2e a9e90a59 c5fa9ea2 55c59bf4
0000040 b55aa0b9 8b30c2ec 519814df 26a0f058
0000060 52c0edda 7e686983 4bf5f8d7 27d7727a
--------------------------------
./ 进入Apalis iMX8 U-Boot命令行,通过如下命令写入fuses,注意这些fuses都是一次写入的,因此请务必保证一次写入正确。另外不同的SOC有不同的地址,如下只适用于iMX8QM,如果是iMX8X要参考文档修改。
--------------------------------
Apalis iMX8 # fuse prog 0 722 7ef8ad2a
Apalis iMX8 # fuse prog 0 723 4a3e54b6
Apalis iMX8 # fuse prog 0 724 ffa3df87
Apalis iMX8 # fuse prog 0 725 1774beb6
Apalis iMX8 # fuse prog 0 726 6f7b4d2e
...
Apalis iMX8 # fuse prog 0 736 4bf5f8d7
Apalis iMX8 # fuse prog 0 737 27d7727a
--------------------------------
为了操作方便,可以将上述命令生成U-Boot脚本文件来执行,或者可以通过类似如下 NXP Universal Update Utility (UUU)工具脚本来进行操作
--------------------------------
# This command will be run when ROM support stream mode
# i.MX8QXP, i.MX8QM
SDPS: boot -f imx-boot
# refer related module tezi image recovery folder uuu.auto file
CFG: FB: -vid 0x0525 -pid 0x4000
CFG: FB: -vid 0x0525 -pid 0x4025
CFG: FB: -vid 0x0525 -pid 0x402F
CFG: FB: -vid 0x0525 -pid 0x4030
CFG: FB: -vid 0x0525 -pid 0x4031
SPDU: delay 1000
FB: ucmd setenv cmd 'fuse prog -y 0'
FB: ucmd ${cmd} 722 0x7ef8ad2a
FB: ucmd ${cmd} 723 0x......
...
FB: ucmd ${cmd} 737 0x27d7727a
FB: done
--------------------------------
e). SRK HASH烧写完成后,AHAB状态命令变化如下,只有如下状态下close设备才是安全的,否则设备就无法启动了。
--------------------------------
### check AHAB enable status ###
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
sc_seco_get_event: idx: 1, res:3
No SECO Events Found!
--------------------------------
f). 更多关于此步骤的说明请参考如下文档
./ U-Boot documentation
https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0
./ NXP Application Note - AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
5). 签名包含Linux kernel 和 Device Tree文件的OS Container Image
a). 此步骤为可选步骤,如果不需要Linux Kernel Secure Boot功能则无需操作直接close设备即可。
b). 解压Toradex Ycoto Linux BSP 5.7 Multimedia Image,获得LInux Kernel和需要加载的Device Tree文件
--------------------------------
### uncompress BSP Image package ###
$ tar xvf Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20.tar
$ cd Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/
### uncompress boot filesystem ###
$ mkdir bootfs/
$ tar Jxf Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz -C bootfs/
### copy Kernel and Device Tree files to imx-mkimage tools related device folder ###
$ cd bootfs/
$ gzip -d Image.gz
$ cp Image imx8qm-apalis-v1.1-eval.dtb .../imx-mkimage/iMX8QM/
--------------------------------
b). 使用 imx-mkimage 工具生成 OS Container Image
./ 如下修改默认配置,将Linux Kernel和Device Tree文件的命名和加载地址修改为适合你当前设备定义的配置,Toradex U-Boot默认配置Kernel 加载地址为 “0x96000000”,Device Tree加载地址为 “0x83000000”。
--------------------------------
--- a/iMX8QM/soc.mak 2022-08-19 17:31:57.488554800 +0800
+++ b/iMX8QM/soc.mak 2022-08-22 15:15:45.393002799 +0800
@@ -140,8 +140,8 @@
flash_scfw: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin
./$(MKIMG) -soc QM -rev B0 -dcd skip -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -out flash.bin
-flash_kernel: $(MKIMG) Image fsl-imx8qm-mek.dtb
- ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x80280000 --data fsl-imx8qm-mek.dtb 0x83000000 -out flash.bin
+flash_kernel: $(MKIMG) Image imx8qm-apalis-v1.1-eval.dtb
+ ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x96000000 --data imx8qm-apalis-v1.1-eval.dtb 0x83000000 -out flash_os.bin
flash_ca72: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-atf.bin
./$(MKIMG) -soc QM -rev B0 -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a72 0x80000000 -out flash.bin
--------------------------------
./ 生成 OS Container Image 文件 “flash_os.bin”,并记录生成记录最后的IVT_OFFSET + IMAGE_OFFSET数值用于后续CSF文件定义。
--------------------------------
$ cd .../imx-mkimage/
$ make SOC=iMX8QM flash_kernel
...
CST: CONTAINER 0 offset: 0x0
CST: CONTAINER 0: Signature Block: offset is at 0x110
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
--------------------------------
c). 使用CST工具签名刚才生成的OS Container Image
./ 准备CSF文件
--------------------------------
### copy CSF template to CST tool containing folder ###
$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_linux_img.txt ~/
### modify csf_linux_img.txt to adopt your settings ###
vi csf_linux_img.txt
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash_os.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x0 0x110
--------------------------------
./ 签名,获得签名好的OS Container Image 文件 “os_cntr_signed.bin”
--------------------------------
$ cp .../imx-mkimage/iMX8QM/flash_os.bin ~/
$ ./cst-3.3.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin
--------------------------------
6). 部署OS Container Image
a). 将OS Container Image重新部署到刚才解压的Ycoto Linux Multimedia BSP5.7 bootfs中,并重新创建bootfs 压缩包
--------------------------------
### copy signed os container image to bsp rootfs folder ###
$ cp os_cntr_signed.bin .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/
### remove default boot script and linux kernel/device tree files ###
$ cd .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/
$ rm boot.scr Image *.dtb
### check bootfs files ###
$ tree -L 2
.
├── dpfw.bin
├── hdmitxfw.bin
├── os_cntr_signed.bin
├── overlays
│ ├── apalis-imx8_ar0521_overlay.dtbo
│ ├── apalis-imx8_atmel-mxt_overlay.dtbo
│ ├── apalis-imx8_hdmi_overlay.dtbo
│ ├── apalis-imx8_lvds_overlay.dtbo
│ ├── apalis-imx8_mezzanine-can_overlay.dtbo
│ ├── apalis-imx8_mezzanine_lvds_overlay.dtbo
│ ├── apalis-imx8_mezzanine_ov5640_overlay.dtbo
│ ├── apalis-imx8_ov5640_overlay.dtbo
│ ├── apalis-imx8_resistive-touch_overlay.dtbo
│ ├── display-dpi-lt170410_overlay.dtbo
│ ├── display-edt5.7_overlay.dtbo
│ ├── display-edt7_overlay.dtbo
│ ├── display-fullhd_overlay.dtbo
│ ├── display-lt161010_overlay.dtbo
│ ├── display-lt170410_overlay.dtbo
│ ├── display-vga_overlay.dtbo
│ └── touch-atmel-mxt_overlay.dtbo
└── overlays.txt
1 directory, 21 files
### compress new bootfs package ###
$ tar Jcf ../Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz *
### clear bootfs
$ cd ..
$ rm -rf bootfs/
--------------------------------
b). 修改BSP package中的 “u-boot-initial-env-sd” 文件,增加如下环境变量用于Secure Boot
./ 命令方式格式
--------------------------------
### set boot device info mmc 0:1 ###
Apalis iMX8 # setenv pre_boot 'devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd \"load ${devtype} ${devnum}:1\"; fi'
### signed os container image loading info ###
Apalis iMX8 # setenv cntr_addr '0x98000000'
Apalis iMX8 # setenv cntr_file 'os_cntr_signed.bin'
Apalis iMX8 # setenv cntr_load '${load_cmd} ${cntr_addr} ${cntr_file}'
### authenticate signed os container image ###
Apalis iMX8 # setenv auth_os 'auth_cntr ${cntr_addr}'
### device tree overlay apply ###
Apalis iMX8 # setenv overlays_file 'overlays.txt'
Apalis iMX8 # setenv overlays_prefix 'overlays/'
Apalis iMX8 # setenv load_overlays_file '${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}'
Apalis iMX8 # setenv fdt_resize 'fdt addr ${fdt_addr_r} && fdt resize 0x20000'
Apalis iMX8 # setenv apply_overlays 'for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}\${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true'
Apalis iMX8 # setenv bootcmd_overlays 'run load_overlays_file && run fdt_resize && run apply_overlays'
### kernel/dtb loading ###
Apalis iMX8 # setenv bootcmd_boot 'echo "Bootargs: \${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}'
### config for all boot process ###
Apalis iMX8 # setenv bootcmd_run 'run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false'
### auto run config ###
Apalis iMX8 # setenv bootcmd 'run bootcmd_run'
--------------------------------
./ 文件方式定义
--------------------------------
--- a/u-boot-initial-env-sd 2022-08-29 17:22:27.668166883 +0800
+++ b/u-boot-initial-env-sd 2022-08-29 17:52:18.795402902 +0800
@@ -1,4 +1,4 @@
-bootcmd=run distro_bootcmd
+bootcmd=run bootcmd_run
bootdelay=1
baudrate=115200
ipaddr=192.168.10.2
@@ -71,4 +71,16 @@
video=imxdpufb5:off video=imxdpufb6:off video=imxdpufb7:off
setup=run loadhdp; hdp load ${hdp_addr}; run mmcargs
defargs=pci=nomsi
-
+pre_boot=devnum=0; if mmc dev ${devnum}; then devtype=mmc; setenv load_cmd "load ${devtype} ${devnum}:1"; fi
+cntr_addr=0x98000000
+cntr_file=os_cntr_signed.bin
+cntr_load=${load_cmd} ${cntr_addr} ${cntr_file}
+auth_os=auth_cntr ${cntr_addr}
+overlays_file=overlays.txt
+overlays_prefix=overlays/
+load_overlays_file=${load_cmd} ${loadaddr} ${overlays_file} && env import -t ${loadaddr} ${filesize}
+fdt_resize=fdt addr ${fdt_addr_r} && fdt resize 0x20000
+apply_overlays=for overlay_file in ${fdt_overlays}; do echo Applying Overlay: ${overlay_file} && ${load_cmd} ${loadaddr} ${overlays_prefix}${overlay_file} && fdt apply ${loadaddr}; env set overlay_file; done; true
+bootcmd_overlays=run load_overlays_file && run fdt_resize && run apply_overlays
+bootcmd_boot=echo "Bootargs: ${bootargs}" && booti ${kernel_addr_r} - ${fdt_addr_r}
+bootcmd_run=run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from ${devtype} failed!" && false
--------------------------------
c). 需要注意的是由于Kernel阶段的Secure Boot相关认证和加载都是基于U-Boot命令行来实现的, 因此如果要让这个启动机制更加安全可靠,则要让U-Boot保持在上述安全启动路径,而不能通过其他启动介质或者脚本来启动而绕开Secure Boot,比如Toradex U-Boot默认是使能Distro Boot功能的,可以自动扫描外设介质的启动脚本,那么这个功能就需要关闭掉,类似这样的U-Boot定制化需要自行根据实际使用场景来配置。
7). 部署测试
a). 参考这里将上述制作的支持Secure Boot的Image通过Toradex Easy Installer更新到Apalis iMX8模块
./启动后首先进入U-Boot命令行下,测试AHAB状态
--------------------------------
Apalis iMX8 # ahab_status
Lifecycle: 0x0020, NXP closed
sc_seco_get_event: idx: 0, res:3
No SECO Events Found!
--------------------------------
./ 然后重新启动,查看启动log,Secure Boot成功完整加载U-Boot、Linux Kernel和Rootfs
--------------------------------
U-Boot 2020.04-06964-g33bb8e9683 (Aug 15 2022 - 15:32:22 +0800)
CPU: NXP i.MX8QM RevB A53 at 1200 MHz
DRAM: 4 GiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... OK
In: serial
Out: serial
Err: serial
Model: Toradex Apalis iMX8 QuadMax 4GB Wi-Fi / BT IT V1.1B, Serial# 06738378
BuildInfo:
- SCFW 216a2c2e, SECO-FW c9de51c0, IMX-MKIMAGE fe124bce, ATF 2fa8c63
- U-Boot 2020.04-06964-g33bb8e9683
switch to partitions #0, OK
mmc0(part 0) is current device
flash target is MMC:0
Net: eth0: ethernet@5b040000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0(part 0) is current device
25877504 bytes read in 787 ms (31.4 MiB/s)
Authenticate OS container at 0x98000000
43 bytes read in 12 ms (2.9 KiB/s)
Applying Overlay: apalis-imx8_hdmi_overlay.dtbo
2177 bytes read in 31 ms (68.4 KiB/s)
106496 bytes read in 16 ms (6.3 MiB/s)
Loading hdp firmware from 0x000000009c000000 offset 0x0000000000002000
Loading hdp firmware Complete
Bootargs: console=ttyLP1 earlycon,115200 root=PARTUUID=e8daf485-02 rootwait mmcdev=0
## Flattened Device Tree blob at 83000000
Booting using the fdt blob at 0x83000000
Loading Device Tree to 00000000fd5fc000, end 00000000fd648fff ... OK
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[ 0.000000] Linux version 5.4.193-5.7.0+git.f78299297185 (oe-user@oe-host) (gcc version 9.2
...
[ OK ] Started Start a wayland application.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
TDX Wayland with XWayland 5.7.0+build.20 (dunfell) apalis-imx8-06738378 ttyLP1
Apalis-iMX8_Reference-Multimedia-Image
apalis-imx8-06738378 login:
--------------------------------
b). Close设备
经过上述测试已经确认从U-Boot到Linux Kernel Secure Boot正常,即可以在U-Boot命令行下面执行下面命令Close设备,请注意此操作之后,没有签名的Image就无法再在此模块加载运行了,因此请谨慎操作。
--------------------------------
Apalis iMX8 # ahab_close
--------------------------------
10). 总结
本文基于NXP iMX8处理器演示了基于AHAB的Secure Boot功能,设计U-Boot和Linux Kernel、Device Tree等,至于Rootfs的加密,则需要配置类似Squashfs只读文件系统配合initramfs最小启动镜像进行加解密挂载启动,可以结合参考如下两篇文章,本文不做具体测试。
./ 嵌入式 ARM 平台使用dm-crypt加密磁盘分区
./ 使用Squashfs和Overlayfs提高嵌入式Linux文件系统可靠性
参考文档
https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0
https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0
NXP Application Note AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB