d3be1ab1fc
This patch adds high assurance boot support (HABv4) image generation to barebox, currently tested on i.MX6 only. In order to build a signed barebox image, add a new image target to images/Makefile.imx as illustrated in the diff below: - - - a/images/Makefile.imx + + + b/images/Makefile.imx @@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img +CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf) +FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed +image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img + Here the default i.MX6 CSF file $(havb4_imx6csf) is used; it is generated during the build from the template "scripts/habv4/habv4-imx6.csf.in". You can configure the paths to the SRK table and certificates via: System Type -> i.MX specific settings -> HABv4 support. The proprietary "cst" tool by Freescale is expected in the PATH. Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
# HABv4 Command Sequence File (CSF) template for i.MX6. The @...@ placeholders
# are filled in when the CSF is generated during the build; the generated file
# is what the "cst" signing tool consumes.
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
# SRK table binary. Its hash must match the SRK hash fused into the target
# device, otherwise a closed device rejects everything signed below it.
File = "@TABLE_BIN@"
# SRK index within SRK-Table 0..3
# The CSFK certificate in [Install CSFK] must be issued under the SRK selected
# here. NOTE(review): an SRK revoked in fuses can no longer be used - confirm
# the index against the device's revocation state.
Source index = 0
[Install CSFK]
# CSF key certificate (PEM); this key signs the CSF itself. Only the
# certificate is referenced here.
# NOTE(review): cst needs the matching private key on the build host -
# confirm where it is stored and who can read it.
File = "@CSF_CRT_PEM@"
# Takes no parameters here: verifies the signature over this CSF with the
# CSFK installed by [Install CSFK].
[Authenticate CSF]
# Per the CST documentation, unlocking the CAAM RNG feature makes HAB leave
# the RNG state handle uninstantiated instead of initialising it itself.
# NOTE(review): confirm that later boot software instantiates the RNG before
# anything relies on CAAM random numbers or CAAM-generated keys.
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# verification key index in key store (0, 2...5)
Verification index = 0
# target key index in key store (2...5)
Target index = 2
# Image signing key certificate (PEM). It is verified with the key at
# "Verification index" (slot 0, presumably the SRK - confirm against the CST
# documentation) and then stored in slot "Target index".
File = "@IMG_CRT_PEM@"
[Authenticate Data]
# verification key index in key store (2...5)
# Must equal "Target index" in [Install Key]: the data blocks are verified
# with the image key installed into that slot.
Verification index = 2
# "starting load address in memory"
# "starting offset within the source file"
# "length (in bytes)"
# "file (binary)"
# Only the byte range named here is authenticated; anything in the file
# outside offset..offset+length is not covered by the signature.
# NOTE(review): confirm the values substituted at build time cover the IVT
# and the complete bootloader payload that the ROM will execute.
Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"