secure-boot-imx6 manual

medium

Image Types:
fixedfunction-armhf
Image Deployment:
OSTree
Type:
functional

Description

Test that Secure Boot via HAB on the SabreLite board works for bootloader and initial OS image in FIT format.


Pre Conditions

  1. Requires the DUT to be flashed with a signed U-Boot built with HAB and FIT image support as provided since version 2019.01+dfsg-7co6. U-Boot could be installed with [public U-Boot installer v2021.0](https://images.apertis.org/release/v2021/v2021.0/installer/mx6qsabrelite-uboot/) or any newer version.
  2. Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation). Or use additional step for 'emulation' if fusing is not possible. Skip it if the board has fused SRK.
  3. It is expected that DUT is working in "open" HAB mode
  4. In addition need to use image without signed kernel, for example older OSTree-based image from [v2019 release](https://images.apertis.org/release/v2019/v2019.2/armhf/minimal/)

Execution Steps

  1. Stop in U-Boot prompt
  2. **This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:
  3. fuse override 3 0 0xAABBCCDD

    fuse override 3 1 0x519690F5

    fuse override 3 2 0xE844EB48

    fuse override 3 3 0x179B1826

    fuse override 3 4 0xEC0F8D7C

    fuse override 3 5 0x2F209598

    fuse override 3 6 0x9A98BE3

    fuse override 3 7 0xAAD9B3D6

  4. Emulate that device is in 'closed' state:
  5. $ fuse override 0 6 0x2
  6. Check if flashed U-Boot have HAB support and correct SRK hash fused
  7. $ hab_status

    Secure boot enabled

    HAB Configuration: 0xf0, HAB State: 0x66

    No HAB Events Found!

  8. Insert SD-card with flashed Apertis OSTree-based armhf image and start the boot process
  9. $ run bootcmd
  10. The output must contain following output while loading the image, meaning the Secure Boot is enabled and the image is signed with the proper signature
  11. Authenticate image from DDR location 0x12000000...

    Secure boot enabled

    HAB Configuration: 0xf0, HAB State: 0x66

    No HAB Events Found!

    i.MX HAB verification: image verification passed

    ## Loading kernel from FIT Image at 12000000 ...

  12. Switch off the DUT to clear any signature-related artifacts from the memory
  13. Power on the device and stop in U-Boot prompt
  14. **This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:
  15. fuse override 3 0 0xAABBCCDD

    fuse override 3 1 0x519690F5

    fuse override 3 2 0xE844EB48

    fuse override 3 3 0x179B1826

    fuse override 3 4 0xEC0F8D7C

    fuse override 3 5 0x2F209598

    fuse override 3 6 0x9A98BE3

    fuse override 3 7 0xAAD9B3D6

  16. Emulate that device is in 'closed' state:
  17. $ fuse override 0 6 0x2
  18. Swap the SD-card to another one with flashed old Apertis armhf image with the unsigned kernel, and start the boot process
  19. $ run bootcmd
  20. The system should be stopped just after kernel load with error below
  21. i.MX HAB verification: IVT not found

    ### ERROR ### Please RESET the board ###


Expected

Only for devices with fused SRK: U-Boot is signed with a proper signature and ready to be flashed to closed dvices

U-Boot is able to verify and boot signed FIT image

U-Boot hangs in "closed" state trying to boot with unsigned image

Notes

  • All commands should be typed in U-Boot CLI
  • In the "open" mode HAB will accept the FIT image signed with any signature