Does toradex-u-boot support rsa key verfication?

Hi all, I can see there is a support from the boot rom code for signed key verification (Secured boot). I think, it only helps for kernel and boot loader images not for rootfs with read/write. So I am looking for a RSA key verification method from the u-boot to verify rootfs before we mount it. Any ideas?

Using apalis imx6 dev kit.

thanks,
Manickaraj

Hi

We have no experience with secure boot as e.g. provided by the NXP HAB mechanisms.
You could refer to the ‘Security Reference Manual for i.MX 6’ and ‘AN4581 Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4’ available here for some additional information.

The U-Boot source tree we use provides code for generic verification of images and also some NXP specific extensions which may or may not be of use. However none of these are enabled in the binary U-Boot we provide.
e.g. have a look here and here.
Note that we now boot with an SPL, e.g. the bootrom loads SPL which then loads U-Boot.
Thus the bootrom would verify the SPL and you would need to add verification of the loaded U-Boot to SPL.

Please also have a look at our partner ‘Prove & Run’ which provides services which secure your embedded device.

Max

Hi Max,

Thank you for your answer. I have read HABv4 document and the problem is burning the FUSE makes the board unusable during development phase. I compiled the u-boot source (2015.04) included in BSP v2.6.1 with CONFIG_SECURE_BOOT option in include/configs/apalis_imx6.h . Just flashing the uboot bin adds two more u-boot commands hab_status & hab_auth_img. But I have not created the signed image using Code Signing Tool yet. Is there way to test the final image before blowing the FUSE?

Hi

I really meant it when I wrote ‘We have no experience with secure boot as e.g. provided by the NXP HAB mechanisms.’.

Max