i.MX Secure Boot on HABv4 Supported Devices.
i.MX Applications Processor Trust Architecture.

HAB is an optional feature in the i.MX SOC family, which allows you to make sure only software images signed by you can be executed on the SOC. It incorporates boot ROM level security which cannot be altered after programming the appropriate one-time electrically programmable fuses (eFuses). The boot ROM is responsible for loading the initial software image from the boot medium (usually this initial software is a bootloader such as SPL/U-Boot).

HAB enables the boot ROM to authenticate the initial software image by using digital signatures. It also provides a mechanism to establish a chain of trust for the remaining software components (such as the kernel image) and thus to establish a secure state of the system. HAB authentication is based on public key cryptography using the RSA algorithm.

1. Offline signing of the software images using private keys. The image data is signed offline using a series of private keys. This is done using NXP's Code Signing Tool and Variscite's scripts, which make the process extremely easy and simple.

2. Fusing the i.MX SOC with the corresponding public keys. The key structure is called a PKI tree, and Super Root Keys (SRK) are components of it. A table of the public SRKs is hashed and permanently written to the SOC using eFuses. You have the option to let the processor keep running unsigned images, while creating useful HAB messages, until you decide to “close” it by writing a dedicated bit using another eFuse. This allows you to test the sign-authenticate process and verify that it was done correctly before completely and permanently “closing” the processor to only execute your signed images.

3. Authentication of the software images on the target during boot time. The signed image data is verified on the i.MX processor using the corresponding public keys. HAB evaluates the SRK table included in the signature by hashing it and comparing the result to the SRK fuse values. If the SRK verification is successful, this establishes the root of trust, and the remainder of the signature can be processed to authenticate the image.

Once the initial bootloader is authenticated and executed, the chain of trust continues by authenticating each of the next loaded images before executing them. E.g. the boot ROM authenticates SPL, SPL authenticates U-Boot, and U-Boot authenticates the Linux kernel.
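
A small model of the SRK check and the open/closed behaviour described above, added here as an illustration and not taken from NXP's or Variscite's code. The function names, the single SHA-256 over the raw table bytes, the little-endian fuse-word packing and the sample tables are all assumptions made for the example.

```python
import hashlib
import hmac
import struct


def digest_to_fuse_words(digest: bytes) -> list:
    """Split a 32-byte SRK hash into eight 32-bit fuse words.

    Assumption: four digest bytes per fuse word, little-endian.
    """
    if len(digest) != 32:
        raise ValueError("expected a 256-bit digest")
    return list(struct.unpack("<8I", digest))


def check_srk(srk_table: bytes, fuse_words: list, closed: bool) -> dict:
    """Model of the SRK step: hash the table, compare it with the fuses.

    Assumption: one SHA-256 over the raw table bytes stands in for the
    real digest construction, which HAB and NXP's tooling define.
    """
    fused = struct.pack("<8I", *fuse_words)
    computed = hashlib.sha256(srk_table).digest()
    trusted = hmac.compare_digest(fused, computed)
    events = [] if trusted else ["SRK hash mismatch"]
    # Trusted: boot goes on to process the rest of the signature.
    # Open device, not trusted: the event is reported but boot continues,
    # which is what lets you test signing before closing the part.
    # Closed device, not trusted: the image is refused.
    return {"root_of_trust": trusted, "events": events,
            "boot_continues": trusted or not closed}


# Constructed sample data (not real keys): a stand-in SRK table and a swapped one.
GOOD_TABLE = b"constructed-srk-table:" + bytes(range(64))
WRONG_TABLE = b"constructed-srk-table:" + bytes(reversed(range(64)))
FUSES = digest_to_fuse_words(hashlib.sha256(GOOD_TABLE).digest())

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("wrong", WRONG_TABLE)):
        for closed in (False, True):
            state = "closed" if closed else "open"
            print(name, state, check_srk(table, FUSES, closed))
```

The case to look for before closing a device is the "wrong table, open" row: boot continues but an event is recorded, so a clean event list is the signal that the fused hash and the signing keys agree.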