secure-boot-imx6 manual
medium
- Image Types:
- fixedfunction-armhf
- Image Deployment:
- OSTree
- Type:
- functional
Description
Test that Secure Boot via HAB on the SabreLite board works for bootloader and initial OS image in FIT format.
Pre Conditions
- Requires the DUT to be flashed with a signed U-Boot built with HAB and FIT image support as provided since version 2019.01+dfsg-7co6. U-Boot could be installed from folder installer/mx6qsabrelite-uboot in https://images.apertis.org/release/ corresponding to the release to test
- Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation). Or use additional step for 'emulation' if fusing is not possible. Skip it if the board has fused SRK.
- It is expected that DUT is working in "open" HAB mode
- In addition need to use image without signed kernel, for example older OSTree-based image from [v2019 release](https://images.apertis.org/release/v2019/v2019.2/armhf/minimal/)
Execution Steps
- Stop in U-Boot prompt
- **This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:
- Emulate that device is in 'closed' state:
- Check if flashed U-Boot have HAB support and correct SRK hash fused
- Insert SD-card with flashed Apertis OSTree-based armhf image and start the boot process
- The output must contain following output while loading the image, meaning the Secure Boot is enabled and the image is signed with the proper signature
- Switch off the DUT to clear any signature-related artifacts from the memory
- Power on the device and stop in U-Boot prompt
- **This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:
- Emulate that device is in 'closed' state:
- Swap the SD-card to another one with flashed old Apertis armhf image with the unsigned kernel, and start the boot process
- The system should be stopped just after kernel load with error below
fuse override 3 0 0xAABBCCDD
fuse override 3 1 0x519690F5
fuse override 3 2 0xE844EB48
fuse override 3 3 0x179B1826
fuse override 3 4 0xEC0F8D7C
fuse override 3 5 0x2F209598
fuse override 3 6 0x9A98BE3
fuse override 3 7 0xAAD9B3D6
$ fuse override 0 6 0x2
$ hab_status
Secure boot enabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
$ run bootcmd
Authenticate image from DDR location 0x12000000...
Secure boot enabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
i.MX HAB verification: image verification passed
## Loading kernel from FIT Image at 12000000 ...
fuse override 3 0 0xAABBCCDD
fuse override 3 1 0x519690F5
fuse override 3 2 0xE844EB48
fuse override 3 3 0x179B1826
fuse override 3 4 0xEC0F8D7C
fuse override 3 5 0x2F209598
fuse override 3 6 0x9A98BE3
fuse override 3 7 0xAAD9B3D6
$ fuse override 0 6 0x2
$ run bootcmd
i.MX HAB verification: IVT not found
### ERROR ### Please RESET the board ###
Expected
Only for devices with fused SRK: U-Boot is signed with a proper signature and ready to be flashed to closed dvices
U-Boot is able to verify and boot signed FIT image
U-Boot hangs in "closed" state trying to boot with unsigned image
Notes
- All commands should be typed in U-Boot CLI
- In the "open" mode HAB will accept the FIT image signed with any signature