Hello,
The steps I took were the following.
Download u-boot-toradex from git
$: cd && git clone git://git.toradex.com/u-boot-toradex.git
$: cd u-boot-toradex/
$: git checkout 2016.11-toradex
$: export ARCH=arm
$: export CROSS_COMPILE=arm-linux-gnueabihf-
$: make colibri-imx6ull_defconfig
Add security features to .config file
CONFIG_SECURE_BOOT=y
Compile!
$: make V=1
Take note of the output
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 569344 Bytes = 556.00 kB = 0.54 MB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 00088c00
Check that hab_status command is present in the .imx file6
$: strings u-boot-nand.imx |grep hab
–
hab exit function fail
hab entry function fail
hab fuse not enabled
hab_auth_img
hab_status
–
Copy the secure u-boot to cst environment
$: cp u-boot-nand.imx ~/cst/release/linux64/bin/
Create CSF file (using HAB blocks info)
$: cd ~/cst/release/linux64/bin/
$: nano csf-uboot
–
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x000 0x88c00 "u-boot-nand.imx"
–
- I saw I had the IVT with an offset of 0x400, I changed that in the CSF file but still didn’t worked
Generate the CSF binary signature
$: ./cst --o csf-uboot.bin --i csf-uboot
Attach CSF signature to U-Boot image
The CSF binary data needs to be concatenated to the image.
• Use the cat command to attach the CSF binary to the end of the image:
$: cat u-boot-nand.imx csf-uboot-padded.bin > u-boot-nand-signed.imx
Note: u-boot-nand-signed.imx has to be 4K multiple
Also, I did this:
Pad u-boot-nand-signed.imx to 4KB multiple (4096 bytes)