[U-Boot] U-boot can verify an HW signature?

[U-Boot] U-boot can verify an HW signature?

[Saverio Mori]

Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!

[U-Boot] U-boot can verify an HW signature?

[Breno Matheus Lima]

Hi Saverio,

2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!

Can you please share more details about this verification you want to
achieve? Are you currently running a signed U-Boot in a closed device
(eFuse SEC_CONFIG = 1)?

Thanks,
Breno Lima

[U-Boot] U-boot can verify an HW signature?

[Saverio Mori]

Hi Breno Lima,
For the moment we have not secure boot, we use "plain" u-boot running on
a module board equipped with an "open" i.MX6UL processor, and we are
newbies in the field of secure boot. We wish that our firmware works
only on approved hardware, and not on common one. From what we have
read, secured boot allow that only approved FW works on prepared HW; our
problem is just the reciprocal, i.e. allow running of our FW only on
approved boards. In other words, a secured FW can works on a unsecured
board (while a secured board requires a secured FW), we wish to block
this situation.
All The Best,

Saverio M.

Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
> Hi Saverio,
>
> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
> Can you please share more details about this verification you want to
> achieve? Are you currently running a signed U-Boot in a closed device
> (eFuse SEC_CONFIG = 1)?
>
> Thanks,
> Breno Lima



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180119/612e46ca/attachment.sig>

[U-Boot] U-boot can verify an HW signature?

[Breno Matheus Lima]

Hi Saveiro,

2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
> Hi Breno Lima,
> For the moment we have not secure boot, we use "plain" u-boot running on
> a module board equipped with an "open" i.MX6UL processor, and we are
> newbies in the field of secure boot. We wish that our firmware works
> only on approved hardware, and not on common one. From what we have
> read, secured boot allow that only approved FW works on prepared HW; our
> problem is just the reciprocal, i.e. allow running of our FW only on
> approved boards. In other words, a secured FW can works on a unsecured
> board (while a secured board requires a secured FW), we wish to block
> this situation.
> All The Best,

You can have more details about secure boot in doc/README.mxc_hab file.

The application note AN4581 can be also helpful:
https://www.nxp.com/docs/en/application-note/AN4581.pdf

The secure boot is intended to prepare your device to just run
authenticated SW,  once your SRK Hash and SEC_CONFIG fuse are
programmed you can only execute authenticated bootloader on this
device.

If you want that your SW can be only executed on  approved hardware
you can refer to encrypted boot, which is supported on i.MX6UL.

You can find more details in doc/README.mxc_hab file and also in NXP
community. Currently there is no application note provided by NXP
about encrypted boot:
https://community.nxp.com/docs/DOC-330622

Note that dek_blob command can be only executed in closed devices, so
you need to run an authenticated U-Boot to prepare an encrypted boot
image.

Let us know if you have any questions during the process.

Thanks,
Breno Lima

>
> Saverio M.
>
> Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
>> Hi Saverio,
>>
>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>> Can you please share more details about this verification you want to
>> achieve? Are you currently running a signed U-Boot in a closed device
>> (eFuse SEC_CONFIG = 1)?
>>
>> Thanks,
>> Breno Lima
>
>
>

[U-Boot] U-boot can verify an HW signature?

[Saverio Mori]

Hi Breno Lima,
Thank you very much, indeed this is the answer that i need. Perhaps
could you give me some more details on realizing encrypted boot using
the yocto project platform?
All The Best,

Saverio

Il 20/01/2018 16:00, Breno Matheus Lima ha scritto:
> Hi Saveiro,
>
> 2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>> Hi Breno Lima,
>> For the moment we have not secure boot, we use "plain" u-boot running on
>> a module board equipped with an "open" i.MX6UL processor, and we are
>> newbies in the field of secure boot. We wish that our firmware works
>> only on approved hardware, and not on common one. From what we have
>> read, secured boot allow that only approved FW works on prepared HW; our
>> problem is just the reciprocal, i.e. allow running of our FW only on
>> approved boards. In other words, a secured FW can works on a unsecured
>> board (while a secured board requires a secured FW), we wish to block
>> this situation.
>> All The Best,
> You can have more details about secure boot in doc/README.mxc_hab file.
>
> The application note AN4581 can be also helpful:
> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>
> The secure boot is intended to prepare your device to just run
> authenticated SW,  once your SRK Hash and SEC_CONFIG fuse are
> programmed you can only execute authenticated bootloader on this
> device.
>
> If you want that your SW can be only executed on  approved hardware
> you can refer to encrypted boot, which is supported on i.MX6UL.
>
> You can find more details in doc/README.mxc_hab file and also in NXP
> community. Currently there is no application note provided by NXP
> about encrypted boot:
> https://community.nxp.com/docs/DOC-330622
>
> Note that dek_blob command can be only executed in closed devices, so
> you need to run an authenticated U-Boot to prepare an encrypted boot
> image.
>
> Let us know if you have any questions during the process.
>
> Thanks,
> Breno Lima
>
>> Saverio M.
>>
>> Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
>>> Hi Saverio,
>>>
>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>>> Can you please share more details about this verification you want to
>>> achieve? Are you currently running a signed U-Boot in a closed device
>>> (eFuse SEC_CONFIG = 1)?
>>>
>>> Thanks,
>>> Breno Lima
>>
>>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180124/1b6d8fff/attachment.sig>

[U-Boot] U-boot can verify an HW signature?

[Breno Matheus Lima]

Hi Saverio,

2018-01-24 5:35 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
> Hi Breno Lima,
> Thank you very much, indeed this is the answer that i need. Perhaps
> could you give me some more details on realizing encrypted boot using
> the yocto project platform?

Currently is not possible to sign or encrypt a U-Boot image using
Yocto project, the CST (Code Signing Tool) is only available at NXP
portal. You can build U-Boot using Yocto with the following
configurations enabled and sign/encrypt this image with CST.

CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y

This patch from Fabio Estevam can be also helpful:
https://lists.denx.de/pipermail/u-boot/2018-January/317847.html

Thanks,
Breno Lima

> All The Best,
>
> Saverio
>
> Il 20/01/2018 16:00, Breno Matheus Lima ha scritto:
>> Hi Saveiro,
>>
>> 2018-01-19 16:45 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>>> Hi Breno Lima,
>>> For the moment we have not secure boot, we use "plain" u-boot running on
>>> a module board equipped with an "open" i.MX6UL processor, and we are
>>> newbies in the field of secure boot. We wish that our firmware works
>>> only on approved hardware, and not on common one. From what we have
>>> read, secured boot allow that only approved FW works on prepared HW; our
>>> problem is just the reciprocal, i.e. allow running of our FW only on
>>> approved boards. In other words, a secured FW can works on a unsecured
>>> board (while a secured board requires a secured FW), we wish to block
>>> this situation.
>>> All The Best,
>> You can have more details about secure boot in doc/README.mxc_hab file.
>>
>> The application note AN4581 can be also helpful:
>> https://www.nxp.com/docs/en/application-note/AN4581.pdf
>>
>> The secure boot is intended to prepare your device to just run
>> authenticated SW,  once your SRK Hash and SEC_CONFIG fuse are
>> programmed you can only execute authenticated bootloader on this
>> device.
>>
>> If you want that your SW can be only executed on  approved hardware
>> you can refer to encrypted boot, which is supported on i.MX6UL.
>>
>> You can find more details in doc/README.mxc_hab file and also in NXP
>> community. Currently there is no application note provided by NXP
>> about encrypted boot:
>> https://community.nxp.com/docs/DOC-330622
>>
>> Note that dek_blob command can be only executed in closed devices, so
>> you need to run an authenticated U-Boot to prepare an encrypted boot
>> image.
>>
>> Let us know if you have any questions during the process.
>>
>> Thanks,
>> Breno Lima
>>
>>> Saverio M.
>>>
>>> Il 19/01/2018 18:54, Breno Matheus Lima ha scritto:
>>>> Hi Saverio,
>>>>
>>>> 2018-01-19 11:12 GMT-02:00 Saverio Mori <saverio.mori@gmail.com>:
>>>>> Hi to the community. I have found a lot of material on secure booting and how to sign u-boot an uimage in order to that only trusted sw is load. This is good for my but i have also the opposite problem, that is i have to be sure that my sw is load on an hardware signed in some way. It is possible, and how, implement this feature in u-boot, at least running on iMX6 boards? Thanks!!!
>>>> Can you please share more details about this verification you want to
>>>> achieve? Are you currently running a signed U-Boot in a closed device
>>>> (eFuse SEC_CONFIG = 1)?
>>>>
>>>> Thanks,
>>>> Breno Lima
>>>
>>>
>
>



-- 
Breno Matheus Lima