NXP iMX6ULL-EVK with secure boot enabled by FoundriesFactory
The machine imx6ullevk-sec is the imx6ullevk machine configured to have secure boot enabled by default.
This machine gathers the configuration needed to enable secure boot and provides a set of artifacts that help set up the hardware board for secure boot.
Warning
It is recommended to read Secure Boot on IMX before proceeding with the following steps.
How to enable
In the ci-scripts git repository from the FoundriesFactory, update the factory-config.yml to include the following configuration:
machines:
- imx6ullevk-sec
mfg_tools:
- machine: imx6ullevk-sec
  params:
    DISTRO: lmp-mfgtool
    IMAGE: mfgtool-files
    EXTRA_ARTIFACTS: mfgtool-files.tar.gz
    UBOOT_SIGN_ENABLE: "1"
How to use
Trigger a platform build and wait until the target is created.
Follow the steps from i.MX 6ULL Evaluation Kit to prepare the hardware and download the same artifacts.
The list of artifacts downloaded should be:
mfgtool-files-imx6ullevk-sec.tar.gz
lmp-factory-image-imx6ullevk-sec.wic.gz
SPL-imx6ullevk-sec
u-boot-imx6ullevk-sec.itb
Expand the tarballs:
gunzip lmp-factory-image-imx6ullevk-sec.wic.gz
tar -zxvf mfgtool-files-imx6ullevk-sec.tar.gz
The resultant directory tree should look like the following:
├── lmp-factory-image-imx6ullevk-sec.wic
├── mfgtool-files-imx6ullevk-sec
│ ├── bootloader.uuu
│ ├── close.uuu
│ ├── full_image.uuu
│ ├── fuse.uuu
│ ├── readme.md
│ ├── SPL-mfgtool
│ ├── u-boot-mfgtool.itb
│ ├── uuu
│ └── uuu.exe
├── mfgtool-files-imx6ullevk-sec.tar.gz
├── SPL-imx6ullevk-sec
└── u-boot-imx6ullevk-sec.itb
Follow the readme.md instructions to sign the SPL images, to fuse, and to close the board.
Warning
The fuse and close procedures are irreversible. The instructions from the readme.md file should be followed and executed with caution and only after understanding the critical implications of those commands.
How to use custom keys
Create the keys
There are different ways to create and store the keys needed for secure boot. One important reference for understanding how to generate the PKI tree is the i.MX Secure Boot on HABv4 Supported Devices application note from NXP.
In addition, the U-Boot project includes documentation on Generating a fast authentication PKI tree.
Warning
It is critical that the keys created in this process are stored in a secure and safe place. Once the keys are fused to the board, that board will only boot signed images, so the keys are required in future steps.
Generate the MfgTools scripts
A set of scripts helps create the commands used to fuse the key into the fuse banks of <machine>, and to close the board, which configures the board to only boot signed images.
- Clone the lmp-tools repository from GitHub
git clone https://github.com/foundriesio/lmp-tools.git
- Export the path to where keys are stored
export KEY_PATH=/path-to-key-files
- Generate the script to fuse the board
cd lmp-tools/
cd security/imx6ull
./gen_fuse.sh -s $KEY_PATH
- Generate the script to close the board
cd lmp-tools/
cd security/imx6ull
./gen_close.sh -s $KEY_PATH
- Install the scripts to the meta-subscriber-overrides:
mkdir -p <factory>/meta-subscriber-overrides/recipes-support/mfgtool-files/mfgtool-files/<machine>
cp fuse.uuu <factory>/meta-subscriber-overrides/recipes-support/mfgtool-files/mfgtool-files/<machine>
cp close.uuu <factory>/meta-subscriber-overrides/recipes-support/mfgtool-files/mfgtool-files/<machine>
cat <factory>/meta-subscriber-overrides/recipes-support/mfgtool-files/mfgtool-files_%.bbappend
The content of mfgtool-files_%.bbappend should be:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI_append_<machine> = " \
    file://fuse.uuu \
    file://close.uuu \
"
do_deploy_prepend_<machine>() {
    install -d ${DEPLOYDIR}/${PN}
    install -m 0644 ${WORKDIR}/fuse.uuu ${DEPLOYDIR}/${PN}/fuse.uuu
    install -m 0644 ${WORKDIR}/close.uuu ${DEPLOYDIR}/${PN}/close.uuu
}
Tip
Replace the machine name in case the factory is using a custom machine name.
- Inspect the changes and push them accordingly
git status
The result of git status should look like:
On branch devel
Your branch is up to date with 'origin/devel'.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: recipes-support/mfgtool-files/mfgtool-files/<machine>/close.uuu
new file: recipes-support/mfgtool-files/mfgtool-files/<machine>/fuse.uuu
new file: recipes-support/mfgtool-files/mfgtool-files_%.bbappend
The changes add the UUU scripts to the mfgtool-files artifacts of the next targets. Run fuse.uuu and close.uuu to fuse the custom keys and close the board, respectively.
Warning
The scripts fuse.uuu and close.uuu include commands whose results are irreversible. The scripts should be executed with caution and only after understanding their critical implications.
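Because the fuse step cannot be undone, it helps to confirm that the generated fuse.uuu programs exactly the SRK hash of the custom key tree before it is committed or run. The check below is an added example, not part of lmp-tools or the original page. It assumes the hash is the 32-byte SRK_1_2_3_4_fuse.bin written by NXP's Code Signing Tool, that the script uses U-Boot `fuse prog [-y] <bank> <word> <hexval>...` commands, and that the hash occupies fuse bank 3, words 0-7 as on i.MX6 HABv4 parts; the function names and sample data are constructed for illustration.

```python
import struct

SRK_BANK = 3  # assumption: i.MX6 HABv4 keeps the SRK table hash in bank 3, words 0-7

def srk_words(fuse_bin: bytes) -> list:
    """Split the 32-byte SRK hash into eight little-endian 32-bit fuse words."""
    if len(fuse_bin) != 32:
        raise ValueError(f"expected 32 bytes of SRK hash, got {len(fuse_bin)}")
    return list(struct.unpack("<8I", fuse_bin))

def script_writes(uuu_text: str) -> dict:
    """Map (bank, word) -> value for every 'fuse prog' command in a UUU script."""
    writes = {}
    for line in uuu_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop trailing comments
        if "fuse" not in tokens:
            continue
        args = tokens[tokens.index("fuse") + 1:]
        if not args or args[0] != "prog":
            continue
        args = [a for a in args[1:] if a != "-y"]
        bank, word = int(args[0], 0), int(args[1], 0)
        for offset, value in enumerate(args[2:]):  # several values fill consecutive words
            writes[(bank, word + offset)] = int(value, 16)
    return writes

def check_fuse_script(fuse_bin: bytes, uuu_text: str) -> list:
    """Return the mismatches between the script and the SRK hash (empty means OK)."""
    expected = {(SRK_BANK, i): w for i, w in enumerate(srk_words(fuse_bin))}
    actual = script_writes(uuu_text)
    problems = []
    for (bank, word), want in expected.items():
        got = actual.get((bank, word))
        if got is None:
            problems.append(f"bank {bank} word {word}: not programmed")
        elif got != want:
            problems.append(f"bank {bank} word {word}: 0x{got:08X} != 0x{want:08X}")
    for bank, word in sorted(actual.keys() - expected.keys()):
        problems.append(f"bank {bank} word {word}: unexpected fuse write")
    return problems

# Constructed sample: a fake 32-byte hash and a script whose word 7 is byte-swapped.
SAMPLE_HASH = bytes(range(32))
SAMPLE_UUU = "\n".join(
    f"FB: ucmd fuse prog -y 3 {i} 0x{w:08X}" for i, w in enumerate(srk_words(SAMPLE_HASH))
).replace("0x1F1E1D1C", "0x1C1D1E1F")

if __name__ == "__main__":
    print(check_fuse_script(SAMPLE_HASH, SAMPLE_UUU))
```

Against real files, pass the bytes of the SRK fuse file and the text of fuse.uuu to `check_fuse_script` and proceed only when it returns an empty list.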