secure-boot-imx6 manual

medium

Image Types:
minimal-armhf
Image Deployment:
OSTree
Type:
functional

Description

Test that Secure Boot via HAB on the SabreLite board works for bootloader and initial OS image in FIT format.

Pre Conditions

  1. Requires the DUT to be flashed with a signed U-Boot built with HAB and FIT image support as provided since version 2019.01+dfsg-7co6. U-Boot could be installed with [public U-Boot installer v2021dev1.0](https://images.apertis.org/release/v2021dev1/v2021dev1.0/installer/mx6qsabrelite-uboot/) or any newer version.
  2. Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation)
  3. It is expected that DUT is working in "open" HAB mode
  4. In addition need to use image without signed kernel, for example older OSTree-based image from [v2019 release](https://images.apertis.org/release/v2019/v2019.2/armhf/minimal/)

Execution Steps

  1. Stop in U-Boot prompt
  2. Check if flashed U-Boot have HAB support and correct SRK hash fused
    3. $ hab_status

    Secure boot disabled

    HAB Configuration: 0xf0, HAB State: 0x66

    No HAB Events Found!

  3. Insert SD-card with flashed Apertis OSTree-based armhf image and start the boot process
    4. $ run bootcmd
  4. The output must contain following output while loading the image, meaning the Secure Boot is enabled and the image is signed with the proper signature

    5. hab fuse not enabled

    Authenticate image from DDR location 0x12000000...

    Secure boot disabled

    HAB Configuration: 0xf0, HAB State: 0x66

    No HAB Events Found!

    i.MX HAB verification: image verification passed

    ## Loading kernel from FIT Image at 12000000 ...

  5. Switch off the DUT to clear any signature-related artifacts from the memory
  6. Power on the device and stop in U-Boot prompt
  7. Emulate that device is in 'closed' state:
    8. $ fuse override 0 6 0x2
  8. Swap the SD-card to another one with flashed old Apertis armhf image with the unsigned kernel, and start the boot process
    9. $ run bootcmd
  9. The system should be stopped just after kernel load with error below

    10. i.MX HAB verification: IVT not found

    ### ERROR ### Please RESET the board ###

Expected

U-Boot is booted without HAB validation errors

U-Boot is able to verify and boot signed FIT image

U-Boot hangs in "closed" state trying to boot with unsigned image

Notes

  • All commands should be typed in U-Boot CLI
  • In the "open" mode HAB will accept the FIT image signed with any signature