i.MX 6 Linux High Assurance Boot (HAB) User's Guide
Contents
Freescale Semiconductor, Document Number: IMX6HABUG, Rev. L3.0.35_1.1.0, 01/2013

1 Overview
2 Mechanism
3 Implementation
4 Test Procedure
5 Dynamically Allocate HAB Data

1 Overview

Contemporary electronic gadgets often offer system upgrades. The upgrade is so convenient that the end user can retrieve the updated image and install it themselves. But this also opens a back door for malware writers: they may provide an updated image that contains a virus or a rootkit. Once such a system is upgraded and used, bad consequences can be expected, such as theft of critical personal information or anonymous monitoring of personal activities. For security it is necessary that the hardware have some mechanism to ensure that the software it is running can be trusted. The Freescale i.MX6 series chip provides the High Assurance Boot (HAB) feature, which meets this requirement. An OEM can use it to make its product reject any system image that is not authorized to run.

2 Mechanism

Asymmetric encryption is adopted to implement the HAB feature. The OEM uses a utility provided by Freescale to generate a private key and the corresponding public key. For any system image they want to release, the private key is used to do the encryption. This encryption generates a unique identifier for the image, called a certificate. The public key is also attached to the image. Before applying the new system, the public key is used to decrypt the certificate. Then a comparison is performed to check whether the certificate and the image match. The image is considered trusted only if a match occurs; otherwise the image is deemed unsafe and is not permitted to be loaded and run. This process is called authentication.

A hacker can only have access to the public key. By the property of asymmetric encryption, the private key the OEM uses cannot be deduced from it. Without the private key the hacker cannot attach a valid certificate to a malicious system image, and HAB rejects it at a very early stage. The OEM burns the digest (hash) of the public key into the eFuses of the i.MX6 chip. Once burned, it cannot be modified. This prevents a hacker from using another private/public key pair to cheat. The figures below provide a more precise illustration.

Figure 2. Certificate Generation: Private Key (secret) and image -> Freescale Utility -> Certificate
Figure 3. Authentication process (run time): Public Key Certificate -> eFuse Validation -> Compare with image -> Authentication Result

3 Implementation

The first stage of HAB is the authentication of U-Boot. The CST tool is used to generate the CSF data, which includes the public key certificate and the instructions for the authentication process. The CSF data is attached to the original u-boot.bin; this process is called signing. The IVT must be modified to contain a pointer to the CSF data. The original u-boot.bin image size is around 0x27000 to 0x28000. For convenience we first extend it to 0x2F000 with fill byte 0x5A and then concatenate it with the CSF data. The combined image is again extended to a fixed length, 0x31000, which is used as the IVT image size parameter. The new memory layout is shown in Figure 4.

Figure 4. HAB U-Boot Layout: Remaining U-Boot, Fill Data up to 0x2F000, CSF Data (the signature), Fill Data up to 0x31000

HAB APIs are implemented in ROM, with an entry table located at a fixed ROM address. We export them so that information about the secure boot process is available and can be used in a subsequent boot phase. For convenience some wrapper APIs are implemented on top of the HAB APIs: get_hab_status dumps the authentication result, and authenticate_image is used by U-Boot to authenticate the uImage. For the security hardware to work, the CAAM-related clocks (CG0, 4, 6) must be open. In the original U-Boot these clocks are closed by default; hab_caam_clock_enable and hab_caam_clock_disable are created to open and close them.

The generation of CSF data is outside the scope of this document. The CST tool is used for this purpose; it is introduced in the HAB Code Signing Tool User's Guide included in the CST tool package.

The second stage is the authentication of the uImage by U-Boot. authenticate_image is called by U-Boot to verify the uImage when executing bootm. At that time the uImage together with its CSF data must already be located in DDR. The uImage is read from the boot medium to DDR location 0x10800000, and the CSF data pointer in the IVT must take this offset into account. The new uImage layout is shown in Figure 5.

Figure 5. HAB uImage Layout (loaded at 0x10800000): 0x0 uImage header (0x40 bytes) and Image Data, Fill Data up to 0x003FDFE0, IVT, CSF Data (the signature) at 0x003FE000, Fill Data up to 0x00400000

4 Test Procedure

The following procedure assumes you have a PC running Ubuntu and an MX6Q_ARM2 board with an MX6Q TO1.1 chip mounted. For a different environment the steps may differ.

1. Retrieve the CST tool from
   http://www.freescale.com/webapp/sps/download/mod_download.jsp?colCode=IMX_CST_TOOL&appType=moderatedWithoutFAE&fpsp=1&WT_TYPE=Initialization%20Boot%20Device%20Driver%20Code%20Generation&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=zip&WT_ASSET=Downloads&sr=15&Parent_nodeId=1255017883505753547804&Parent_pageType=product
   NOTE: It may take several days before Freescale sends you the download link.
2. Unzip BLN_CST_MAIN_01.00.00.zip.
3. chmod u+x linux/* keys/*
4. fromdos keys/*.sh
5. cd keys
   - Create a text file called serial which contains 8 digits.
   - Create a text file called key_pass.txt which contains two lines of identical text, such as cst_test.
   - ./hab4_pki_tree.sh
   - For the question prompts enter n, 2048, 10, 4, one by one.
   - This script generates the private key and public key pairs in the working directory.
6. cd ../crts

       ../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

   NOTE: Don't leave a space between the .pem file names. Otherwise the generated SRK table and fuse file will not be correct.
7. Create a u-boot directory in BLN_CST_MAIN_01.00.00 and make a u-boot.csf file in it:

       [Header]
       Version = 4.0
       Security Configuration = Open
       Hash Algorithm = sha256
       Engine Configuration = 0
       Certificate Format = X509
       Signature Format = CMS

       [Install SRK]
       File = "../crts/SRK_1_2_3_4_table.bin"
       Source index = 0

       [Install CSFK]
       File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

       [Authenticate CSF]

       [Install Key]
       Verification index = 0
       Target index = 2
       File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

       # Sign padded u-boot starting at the IVT through to the end, with
       # length = 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00.
       # This covers the essential parts: IVT, boot data and DCD.
       # Blocks have the following definition:
       #   Image block start address on i.MX, Offset from start of image file,
       #   Length of block in bytes, image data file
       [Authenticate Data]
       Verification index = 2
       Blocks = 0x27800400 0x400 0x2EC00 "u-boot-pad.bin"

   The ROM code copies U-Boot to DDR location 0x27800000; adding 0x400 (the size of the initial blank area in the U-Boot image) gives the authenticated start address 0x27800400. 0x400 and 0x2EC00 are the start offset and the length of the data to be authenticated in the binary file.
8. Create the secure U-Boot image generation script habimagegen in the u-boot directory:

       #!/bin/bash
       echo "extend u-boot to 0x2F000..."
       objcopy -I binary -O binary --pad-to 0x2f000 --gap-fill=0x5A u-boot.bin u-boot-pad.bin
       echo "generate csf data..."
       ../linux/cst -o u-boot_csf.bin < u-boot.csf
       echo "merge image and csf data..."
       cat u-boot-pad.bin u-boot_csf.bin > u-boot-signed.bin
       echo "extend final image to 0x31000..."
       objcopy -I binary -O binary --pad-to 0x31000 --gap-fill=0x5A u-boot-signed.bin u-boot-signed-pad.bin
       echo "u-boot-signed-pad.bin is ready"

9. chmod u+x habimagegen
10. Build secure U-Boot. The building process is the same as generating a normal U-Boot.
    NOTE: Make sure the macro CONFIG_SECURE_BOOT is defined in include/configs/mx6q_arm2.h.
11. Copy u-boot.bin to the BLN_CST_MAIN_01.00.00/u-boot directory.
12. ./habimagegen
    This creates the certified U-Boot image u-boot-signed-pad.bin.
    NOTE: Steps 7 to 12 generate the secure U-Boot image using a static HAB DATA allocation method. It is only used to demonstrate the signature process. For practical usage a dynamic HAB DATA allocation method should be employed; refer to Dynamically Allocate HAB Data for details.
13. Create a uImage directory in BLN_CST_MAIN_01.00.00. Make the habUimagegen and genIVT scripts in it; a uImage.csf should also be created.
    File genIVT:

        #!/usr/bin/perl -w
        use strict;
        open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
        print $out pack("V", 0x402000D1);  # Signature (IVT header: tag 0xD1, length 0x20, version 0x40)
        print $out pack("V", 0x10801000);  # Jump Location
        print $out pack("V", 0x0);         # Reserved
        print $out pack("V", 0x0);         # DCD pointer
        print $out pack("V", 0x0);         # Boot Data
        print $out pack("V", 0x10BFDFE0);  # Self Pointer
        print $out pack("V", 0x10BFE000);  # CSF Pointer
        print $out pack("V", 0x0);         # Reserved
        close($out);

    0x10BFDFE0 is the IVT self address after the uImage is copied to DDR, and 0x10BFE000 is where the CSF data begins. 0x10801000 is the jump location. However, U-Boot has its own mechanism to jump into the kernel, so this jump location is not actually used; the HAB ROM code only requires that it be an address inside the authentication range, in our case between 0x10800000 and 0x10BFE000.
14. File habUimagegen:

        #!/bin/bash
        echo "extend uImage to 0x3FDFE0..."
        objcopy -I binary -O binary --pad-to 0x3fdfe0 --gap-fill=0x5A uImage uImage-pad.bin
        echo "generate IVT"
        ./genIVT
        echo "attach IVT"
        cat uImage-pad.bin ivt.bin > uImage-pad-ivt.bin
        echo "generate csf data..."
        ../linux/cst -o uImage_csf.bin < uImage.csf
        echo "merge image and csf data..."
        cat uImage-pad-ivt.bin uImage_csf.bin > uImage-signed.bin
        echo "extend final image to 0x400000..."
        objcopy -I binary -O binary --pad-to 0x400000 --gap-fill=0x5A uImage-signed.bin uImage-signed-pad.bin

15. File uImage.csf:

        [Header]
        Version = 4.0
        Security Configuration = Open
        Hash Algorithm = sha256
        Engine Configuration = 0
        Certificate Format = X509
        Signature Format = CMS

        [Install SRK]
        File = "../crts/SRK_1_2_3_4_table.bin"
        Source index = 0

        [Install CSFK]
        File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

        [Authenticate CSF]

        [Install Key]
        Verification index = 0
        Target index = 2
        File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

        # Sign padded uImage starting at address 0x10800000 with length 0x3FE000.
        # This covers the essential parts: the original uImage and the attached IVT.
        # Blocks have the following definition:
        #   Image block start address on i.MX, Offset from start of image file,
        #   Length of block in bytes, image data file
        [Authenticate Data]
        Verification index = 2
        Blocks = 0x10800000 0x0 0x003FE000 "uImage-pad-ivt.bin"

    0x10800000 is where the uImage starts in DDR; 0x0 and 0x003FE000 are the start offset and the length to be authenticated in the binary.
16. chmod u+x habUimagegen genIVT
    Build the uImage as you normally would and copy it to the BLN_CST_MAIN_01.00.00/uImage directory, then run ./habUimagegen. This creates the certified uImage, uImage-signed-pad.bin.
    NOTE: Steps 13 to 16 generate the secure uImage using a static HAB DATA allocation method. It is only used to demonstrate the signature process. For practical usage a dynamic HAB DATA allocation method should be employed; refer to Dynamically Allocate HAB Data for details.
17. Burn u-boot-signed-pad.bin and uImage-signed-pad.bin to the SD card. The kernel should start up successfully by now. At this point the whole HAB chain is not actually enabled, because the default chip secure configuration is Open, which ignores any authentication error and continues the boot process. We enable it in the next step.
18. Burn the chip fuses to enable HAB boot.
    NOTE/CAUTION: Make sure you perform all the steps correctly. Otherwise you may damage a chip permanently. It is strongly recommended that a socket board is used, so that in the worst case the chip can be changed without damaging the whole board.
    - Burn the SRK table. Take this fuse file as an example; remember that your fuse values may be totally different. Dump the content of the eFuse file:

          > hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
          0xFDF28547
          0x270D6AC6
          0xEE44AD7B
          0x58B0724
          0x49DA1948
          0xB4374A3F
          0xFFEFED48
          0x4247C04F

      These values are burned into the chip with kernel utilities. Boot normally into the kernel, then:

          > cd /sys/fsl_otp

      Use the 8 dwords generated in the last step and burn them to the SRK fuses one by one:

          > echo 0xfdf28547 > HW_OCOTP_SRK0
          > echo 0x270d6ac6 > HW_OCOTP_SRK1
          > echo 0xee44ad7b > HW_OCOTP_SRK2
          > echo 0x058b0724 > HW_OCOTP_SRK3
          > echo 0x49da1948 > HW_OCOTP_SRK4
          > echo 0xb4374a3f > HW_OCOTP_SRK5
          > echo 0xffefed48 > HW_OCOTP_SRK6
          > echo 0x4247c04f > HW_OCOTP_SRK7

      Verify that the correct values have been burned:

          > ls | grep SRK | xargs cat

    - Burn the OTPMK. These fuse values are necessary to enable the hardware secure logic in the chip:

          > echo 0x975b69a7 > HW_OCOTP_OTPMK0
          > echo 0xafae0b5d > HW_OCOTP_OTPMK1
          > echo 0x6780499 > HW_OCOTP_OTPMK2
          > echo 0x3dda7a47 > HW_OCOTP_OTPMK3
          > echo 0x76fcba3c > HW_OCOTP_OTPMK4
          > echo 0x6d5c9ef6 > HW_OCOTP_OTPMK5
          > echo 0xb166b40a > HW_OCOTP_OTPMK6
          > echo 0x8f449c5d > HW_OCOTP_OTPMK7

    - Turn on chip HAB.
      NOTE/CAUTION: Make sure you perform all the steps correctly. After this step there is no way back, and a chip may be permanently bricked.
      Turn on RNG_TRIM:

          > echo 0x00040000 > HW_OCOTP_MEM0

      Put SEC_CONFIG to Closed (turn on chip security):

          > echo 0x2 > HW_OCOTP_CFG5

19. Boot the board again; the security patch should work now. Successful authentication gives the following dump message during U-Boot load:

        Boot Device: SD
        HAB Configuration: 0xcc, HAB State: 0x99
        No HAB Events Found!
        I2C: ready
        ...
        Verifying Checksum ... OK
        Authenticate uImage from DDR location 0x10800000...
        HAB Configuration: 0xcc, HAB State: 0x99
        No HAB Events Found!
        Loading Kernel Image ... OK

    "No HAB Events Found!" means that no problem was found during authentication and the image can be trusted.
20. Do a corruption experiment to verify that HAB actually works.
    - Corrupt u-boot-signed-pad.bin (make a backup first). Use a hex editor such as ghex2 to open u-boot-signed-pad.bin and go to some byte before 0x2F000. The value should be 0x5A; change it to something else and save. Now U-Boot has been changed, but the certificate has not changed accordingly, so a mismatch will occur during authentication.
    - Flash the corrupted u-boot-signed-pad.bin to the SD card and try to boot the board again. This time the ROM code meets an authentication failure and does not jump into U-Boot, so nothing is shown on the terminal.
    - Change back to the original u-boot-signed-pad.bin.
    - Do the same to uImage-signed-pad.bin: corrupt a value before location 0x003FDFE0.
    - Flash the corrupted uImage to the SD card and try to boot it. U-Boot finds an authentication failure and breaks the boot process. Dump information like the following is shown on the terminal:

          Verifying Checksum ... OK
          Authenticate uImage from DDR location 0x10800000...
          HAB Configuration: 0xcc, HAB State: 0x99
          --------- HAB Event 1 -----------------
          event data:
          0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
          0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
          0x00 0x00 0x0d 0x34 0x10 0x80 0x00 0x00
          0x00 0x3f 0xe0 0x00
          Authenticate UImage Fail, Please check
          MX6Q ARM2 U-Boot >

      Event data is dumped out; this means an authentication failure.
    - Change back to the uncorrupted uImage. The boot works again.

After step 1 through step 20 we can verify that the secure boot works fine.

5 Dynamically Allocate HAB Data

The implementation described earlier has some limitations. Taking U-Boot as an example, an important assumption is that the original U-Boot size is less than 0x2F000. On this premise we can statically allocate the HAB Data at 0x2F000 without causing any problem. However, when this assumption doesn't hold, the static way is not a good idea. The HAB Data address is determined by the linker script file u-boot.lds. In the static way this file has the following settings:

    . = ALIGN(4);
    __end_of_copy = .;
    . = TEXT_BASE + 0x2F000;
    __hab_data = .;
    . = . + 0x2000;
    __hab_data_end = .;
    __bss_start = .;

The location counter is first put at a fixed location, TEXT_BASE + 0x2F000, from where the HAB Data begins. When the original U-Boot size is larger than 0x2F000 this causes an overlap between the HAB Data and the original U-Boot sections, and the link fails. To avoid this issue we turn to a dynamic way of placing the HAB Data. With this method u-boot.lds is changed to the following:

    . = ALIGN(4);
    __end_of_copy = .;
    . = ALIGN(0x1000);
    __hab_data = .;
    . = . + 0x2000;
    __hab_data_end = .;
    __bss_start = .;

Instead of statically placing the location counter, an ALIGN statement is used to move it to the next 0x1000-aligned address after all U-Boot sections, preventing the overlap introduced by static address assignment. With this change the U-Boot layout can be revised as shown in Figure 6.

Figure 6. HAB U-Boot Layout (Dynamic Way): 0x0 (ddr_load_addr) Remaining U-Boot, End of U-Boot, Fill Data up to ALIGN(0x1000), CSF Data (the signature, 0x2000 reserved), Fill Data

Similarly, the uImage layout can be revised as shown in Figure 7.

Figure 7. HAB uImage Layout (Dynamic Way): 0x0 (ddr_load_addr) uImage header (0x40 bytes) and Image Data, End of uImage, ALIGN(0x1000), CSF Data (0x2000 reserved)

With these layout changes, all the CSF configuration files and signature scripts must be changed accordingly. We have made this procedure automatic with a set of file templates and scripts. They make the generation of secure U-Boot and uImage quite simple: all you need to provide is the DDR location where U-Boot and the uImage are loaded; all other signature work is performed automatically.

1. Generation of secure U-Boot:

       > mk_secure_uboot 0x27800000

   0x27800000 is the DDR location where the U-Boot image is copied to by the ROM code. u-boot-signed-pad.bin, the U-Boot image with signature, is generated.
2. Generation of secure uImage:

       > mk_secure_uimage 0x10800000

   0x10800000 is the DDR location where the uImage is copied to by U-Boot. uImage-signed-pad.bin, the uImage with signature, is generated.

Please contact Freescale to get these scripts.

How to Reach Us:
Home Page: freescale.com
Web Support: freescale.com/support
Document Number: IMX6HABUG, Rev. L3.0.35_1.1.0, 01/2013

Information in this document is provided solely to enable system and software implementers to use Freescale products. There are no express or implied copyright licenses granted hereunder to design or fabricate any integrated circuits based on the information in this document. Freescale reserves the right to make changes without further notice to any products herein. Freescale makes no warranty, representation, or guarantee regarding the suitability of its products for any particular purpose, nor does Freescale assume any liability arising out of the application or use of any product or circuit, and specifically disclaims any and all liability, including without limitation consequential or incidental damages. "Typical" parameters that may be provided in Freescale data sheets and/or specifications can and do vary in different applications, and actual performance may vary over time. All operating parameters, including "typicals", must be validated for each customer application by the customer's technical experts. Freescale does not convey any license under its patent rights nor the rights of others. Freescale sells products pursuant to standard terms and conditions of sale, which can be found at the following address: freescale.com/SalesTermsandConditions. Freescale and the Freescale logo are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. All other product or service names are the property of their respective owners. ARM is the registered trademark of ARM Limited. ARM Cortex-A9 is a trademark of ARM Limited. Freescale Semiconductor, Inc. 2013. All rights reserved.
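The genIVT script (step 13) and the layout arithmetic behind the CSF Blocks lines and the objcopy --pad-to values (steps 7, 8, 14, 15 and section 5) are tied together in the following added example. It is not part of the guide and not Freescale's mk_secure_uboot/mk_secure_uimage scripts: it builds and parses the 32-byte IVT with the same field order genIVT uses (Python struct "<I" is the equivalent of Perl pack "V"), reproduces the static layout of Figure 5 when given the guide's csf offset 0x3FE000, and otherwise applies the ALIGN(0x1000) rule of section 5. Applying that rule to the uImage by rounding up the image plus its IVT to the next 0x1000 boundary is my generalisation, not a statement from the guide, and the function and variable names are my own.

```python
import struct

# Constants taken from the guide: the IVT header word genIVT writes, the IVT size,
# the 0x400 blank area at the start of u-boot.bin (where its IVT sits), the 0x2000
# bytes the linker reserves for HAB data (__hab_data .. __hab_data_end) and the
# 0x5A fill byte used by objcopy --gap-fill.
IVT_HEADER = 0x402000D1
IVT_SIZE = 0x20
UBOOT_IVT_OFFSET = 0x400
CSF_RESERVE = 0x2000
FILL = 0x5A


def align_up(value, alignment):
    """Round value up to the next multiple of alignment, like ALIGN(alignment) in u-boot.lds."""
    return (value + alignment - 1) & ~(alignment - 1)


def build_ivt(entry, self_ptr, csf_ptr, dcd_ptr=0, boot_data_ptr=0):
    """Produce the 32-byte IVT in the field order genIVT uses: eight little-endian words."""
    return struct.pack("<8I", IVT_HEADER, entry, 0, dcd_ptr, boot_data_ptr, self_ptr, csf_ptr, 0)


def parse_ivt(data):
    """Inverse of build_ivt: read an IVT back (e.g. cut out of a signed image) and check its header."""
    fields = struct.unpack_from("<8I", data, 0)
    if fields[0] != IVT_HEADER:
        raise ValueError("not an IVT header: 0x%08X" % fields[0])
    names = ("header", "entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    return dict(zip(names, fields))


def plan_uimage_layout(load_addr, image_size, csf_offset=None):
    """Where the padded uImage ends, where its IVT and CSF go, and which block is signed.

    csf_offset=None selects the dynamic placement (assumption: image plus IVT rounded
    up to the next 0x1000 boundary); csf_offset=0x3FE000 reproduces the guide's static layout.
    """
    if csf_offset is None:
        csf_offset = align_up(image_size + IVT_SIZE, 0x1000)
    ivt_offset = csf_offset - IVT_SIZE
    if image_size > ivt_offset:
        raise ValueError("uImage of 0x%X bytes does not fit before the IVT at 0x%X" % (image_size, ivt_offset))
    return {
        "pad_to": ivt_offset,                   # objcopy --pad-to for the raw uImage
        "ivt_self": load_addr + ivt_offset,     # IVT self pointer
        "csf_ptr": load_addr + csf_offset,      # IVT CSF pointer
        "block": (load_addr, 0x0, csf_offset),  # [Authenticate Data] Blocks: DDR address, file offset, length
        "total": csf_offset + CSF_RESERVE,      # objcopy --pad-to for the final signed image
    }


def plan_uboot_layout(load_addr, image_size, csf_offset=None):
    """Same for u-boot.bin, whose IVT is built in at offset 0x400, so signing starts there."""
    if csf_offset is None:
        csf_offset = align_up(image_size, 0x1000)
    if image_size > csf_offset:
        raise ValueError("U-Boot of 0x%X bytes does not fit before the CSF at 0x%X" % (image_size, csf_offset))
    return {
        "pad_to": csf_offset,
        "block": (load_addr + UBOOT_IVT_OFFSET, UBOOT_IVT_OFFSET, csf_offset - UBOOT_IVT_OFFSET),
        "total": csf_offset + CSF_RESERVE,
    }


def csf_blocks_line(block, filename):
    """Render the Blocks line of an [Authenticate Data] section in the CSF syntax used in the guide."""
    addr, offset, length = block
    return 'Blocks = 0x%X 0x%X 0x%X "%s"' % (addr, offset, length, filename)


def pad_image(image, size):
    """Byte-level equivalent of objcopy --pad-to size --gap-fill=0x5A."""
    if len(image) > size:
        raise ValueError("image of 0x%X bytes is already larger than 0x%X" % (len(image), size))
    return image + bytes([FILL]) * (size - len(image))


if __name__ == "__main__":
    # Constructed sample: a 0x300000-byte stand-in for a uImage, planned with the static layout.
    fake_uimage = bytes(0x300000)
    plan = plan_uimage_layout(0x10800000, len(fake_uimage), csf_offset=0x3FE000)
    ivt = build_ivt(0x10801000, plan["ivt_self"], plan["csf_ptr"])
    image_with_ivt = pad_image(fake_uimage, plan["pad_to"]) + ivt
    print(csf_blocks_line(plan["block"], "uImage-pad-ivt.bin"))
    print({k: "0x%X" % v for k, v in parse_ivt(image_with_ivt[plan["pad_to"]:]).items()})
    print("pad final image to 0x%X" % plan["total"])
```

parse_ivt is the check worth keeping around: run it over the IVT cut out of a signed image at pad_to and confirm that self and csf match the addresses the CSF was signed for, because a mismatch there is exactly the kind of configuration slip that produces an authentication failure rather than a clean boot.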
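The guide's corruption experiment (step 20) ends with an "event data" dump and the remark that its presence means an authentication failure. The following added decoder, which is not part of the guide or of U-Boot, shows what such a record actually says. The record format (tag 0xDB, big-endian length, version, then status, reason, context and engine bytes, followed by the CSF command that failed) and the name tables are as I know them from U-Boot's hab.h and the HAB CSF command encoding; they are assumptions, not statements from this guide, and any code not in the tables is printed raw. The sample dump embedded below is the one printed in step 20.

```python
import re

HAB_TAG_EVT = 0xDB       # tag of a HAB event record
HAB_CMD_AUT_DAT = 0xCA   # tag of the Authenticate Data CSF command
HAB_PCL_CMS = 0xC5       # signature protocol: CMS

# Name tables as I know them from U-Boot's hab.h (assumption, not from this guide).
STATUS = {0x00: "HAB_STS_ANY", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x00: "HAB_RSN_ANY", 0x05: "HAB_INV_IVT", 0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF",
          0x18: "HAB_INV_SIGNATURE", 0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS",
          0x30: "HAB_ENG_FAIL"}
CONTEXT = {0x00: "HAB_CTX_ANY", 0x0A: "HAB_CTX_AUTHENTICATE", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT", 0xDD: "HAB_CTX_DCD",
           0xE1: "HAB_CTX_ENTRY", 0xEE: "HAB_CTX_EXIT"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM", 0xFF: "HAB_ENG_SW"}
CONFIG = {0xF0: "Open", 0xCC: "Closed", 0x33: "Return"}
STATE = {0x33: "Initial", 0x55: "Check", 0x66: "Non-secure", 0x99: "Trusted", 0xAA: "Secure", 0xCC: "Fail"}

# Sample input: the failure dump printed in step 20 of the guide.
SAMPLE_DUMP = """\
Verifying Checksum ... OK
Authenticate uImage from DDR location 0x10800000...
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x10 0x80 0x00 0x00
0x00 0x3f 0xe0 0x00
Authenticate UImage Fail, Please check
"""


def _be16(b, i):
    return (b[i] << 8) | b[i + 1]


def _be32(b, i):
    return int.from_bytes(b[i:i + 4], "big")


def parse_event_dumps(text):
    """Collect the hex bytes printed after each 'event data:' line; one bytes object per event."""
    records, current = [], None
    for line in text.splitlines():
        tokens = line.strip().split()
        if line.strip().startswith("event data"):
            current = []
            records.append(current)
            continue
        if current is not None:
            if tokens and all(t.lower().startswith("0x") for t in tokens):
                current.extend(int(t, 16) for t in tokens)
            else:
                current = None          # first non-hex line ends the record
    return [bytes(r) for r in records]


def parse_hab_status(line):
    """Map a 'HAB Configuration: 0x.., HAB State: 0x..' line to (configuration, state) names."""
    m = re.search(r"HAB Configuration:\s*0x([0-9a-fA-F]+),\s*HAB State:\s*0x([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no HAB status in line")
    cfg, st = int(m.group(1), 16), int(m.group(2), 16)
    return CONFIG.get(cfg, "0x%02X" % cfg), STATE.get(st, "0x%02X" % st)


def decode_aut_dat(cmd):
    """Decode an echoed Authenticate Data command: key index, protocol, signature offset and blocks."""
    length = _be16(cmd, 1)
    return {
        "name": "Authenticate Data",
        "key_index": cmd[4],
        "protocol": "CMS" if cmd[5] == HAB_PCL_CMS else "0x%02X" % cmd[5],
        "sig_offset": _be32(cmd, 8),                         # offset of the signature within the CSF (assumption)
        "blocks": [(_be32(cmd, i), _be32(cmd, i + 4)) for i in range(12, length, 8)],  # (address, length)
    }


def decode_event(rec):
    """Decode one HAB event record; raises if the tag or the declared length does not fit the bytes."""
    if len(rec) < 8 or rec[0] != HAB_TAG_EVT:
        raise ValueError("not a HAB event record")
    if _be16(rec, 1) != len(rec):
        raise ValueError("record declares %d bytes but %d were dumped" % (_be16(rec, 1), len(rec)))
    sts, rsn, ctx, eng = rec[4], rec[5], rec[6], rec[7]
    event = {"version": rec[3], "status": STATUS.get(sts, "0x%02X" % sts),
             "reason": REASON.get(rsn, "0x%02X" % rsn), "context": CONTEXT.get(ctx, "0x%02X" % ctx),
             "engine": ENGINE.get(eng, "0x%02X" % eng), "command": None}
    payload = rec[8:]
    if payload and payload[0] == HAB_CMD_AUT_DAT:
        event["command"] = decode_aut_dat(payload)
    return event


def explain_dump(text):
    """One summary line per event in a U-Boot dump; an empty list means no event data was printed."""
    lines = []
    for rec in parse_event_dumps(text):
        ev = decode_event(rec)
        line = "%s: %s in %s (engine %s)" % (ev["status"], ev["reason"], ev["context"], ev["engine"])
        if ev["command"]:
            c = ev["command"]
            blocks = ", ".join("0x%08X+0x%X" % b for b in c["blocks"])
            line += "; %s with key index %d, %s signature, over %s" % (c["name"], c["key_index"], c["protocol"], blocks)
        lines.append(line)
    return lines


if __name__ == "__main__":
    print(parse_hab_status(SAMPLE_DUMP.splitlines()[2]))
    for line in explain_dump(SAMPLE_DUMP):
        print(line)
```

Run on the step 20 dump this reports an invalid signature raised while executing the Authenticate Data command for key index 2 over the block 0x10800000 of length 0x003FE000, which is exactly the block the uImage.csf signed and the region in which the experiment flipped a byte; the configuration/state line decodes to Closed/Trusted, consistent with the SEC_CONFIG fuse having been burned in step 18.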