Difference between revisions of "AIMLinux/AddOn/Security"

From ESS-WIKI
Jump to: navigation, search
Line 31: Line 31:
 
=== Build secure images ===
 
=== Build secure images ===
  
=== Sign images ===
+
1.Build uboot and kernel image for i.MX6 project (For example: RSB-4411 project). 
 +
 
 +
*You can refer following URL to set up cross compiling environment (Setting up cross compiling environment):
 +
 
 +
           [http://ess-wiki.advantech.com.tw/view/IoTGateway/BSP/Linux/iMX6/Yocto_LBV8_User_Guide#Setting_up_cross_compiling_environment http://ess-wiki.advantech.com.tw/view/IoTGateway/BSP/Linux/iMX6/Yocto_LBV8_User_Guide#Setting_up_cross_compiling_environment]
 +
 
 +
2.get and build u-boot image
 +
 
 +
*git clone [https://github.com/ADVANTECH-Corp/uboot-imx6.git https://github.com/ADVANTECH-Corp/uboot-imx6.git] -b  imx_v2016.03_4.1.15_2.0.0_ga
 +
*cd uboot-imx6/
 +
*source environment for Yocto 2.1:source /opt/poky/2.1/environment-setup-cortexa9hf-neon-poky-linux-gnueabi
 +
*Make sure the following message is defined in "./include/configs/mx6xxxx.h" (For example: mx6rsb4411.h).
 +
 
 +
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; /* uncomment for SECURE mode support */<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;#define CONFIG_SECURE_BOOT
 +
 
 +
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #ifdef CONFIG_SECURE_BOOT<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #ifndef CONFIG_CSF_SIZE<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #define CONFIG_CSF_SIZE 0x4000<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #endif<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; #endif
 +
 
 +
*Build SPL and u-boot image for i.MX6 project (For example: RSB-4411 project)
 +
 
 +
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; make mx6qrsb4411a1_1G_defconfig<br/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; make -j4 V=1 u-boot.imx all
 +
 
 +
*You can get SPL (SPL) image and u-boot (u-boot_crc.bin, u-boot_crc.bin.crc) image in uboot-imx6/ directory
 +
 
 +
3.get and build kernel image
 +
 
 +
*git clone [https://github.com/ADVANTECH-Corp/linux-imx6.git https://github.com/ADVANTECH-Corp/linux-imx6.git] -b imx_4.1.15_2.0.0_ga
 +
*cd linux-imx6/
 +
*source environment for Yocto 2.1<br/>source /opt/poky/2.1/environment-setup-cortexa9hf-neon-poky-linux-gnueabi
 +
*Build zImage:<br/>make imx_v7_adv_defconfig<br/>make -j 4 zImage
 +
*You can get zImage image in /arch/arm/boot/zImage directory
 +
 
 +
 
 +
 
 +
 
 +
 
 +
=== Sign uboot image ===
 +
 
 +
1.Copy SPL (SPL) and u-boot (u-boot_crc.bin, u-boot_crc.bin.crc) images to ~/cst-2.3.2/linux64 directory
 +
 
 +
2.Copy spl.csf to ~/cst-2.3.2/linux64 directory
 +
 
 +
*We will use the “HAB Blocks” information from previous section. Build SPL image, message:
 +
*./tools/mkimage -n board/freescale/mx6advantech/mx6qrsb4411a1_4x_MT41K128M16JT-125_1410022609-01.cfg.cfgtmp -T imximage -e 0x00908000 -d spl/u-boot-spl.bin SPL&nbsp;<br/>Image Type: &nbsp; Freescale IMX Boot Image<br/>Image Ver: &nbsp; &nbsp;2 (i.MX53/6/7 compatible)<br/>Mode: &nbsp; &nbsp; &nbsp; &nbsp; DCD<br/>Data Size: &nbsp; &nbsp;57344 Bytes = 56.00 kB = 0.05 MB<br/>Load Address: 00907420<br/>Entry Point: &nbsp;00908000<br/>HAB Blocks: &nbsp; 00907400 00000000 00009c00<br/>DCD Blocks: &nbsp; 00910000 0000002c 00000320
 +
*Open "spl.csf" file to edit the size in the "Blocks = " line...
 +
 
 +
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Blocks = 0x907400 0x0 0x9C00 "SPL"
 +
 
 +
3.We provide a secure SPL image generation script "habsplimagegen.sh". Copy habsplimagegen.sh to ~/cst-2.3.2/linux64 directory
 +
 
 +
4../habsplimagegen.sh
 +
 
 +
*This will create certified SPL image "spl_signed"
 +
 
 +
5.Copy "uboot_normal.csf" file to ~/cst-2.3.2/linux64 directory
 +
 
 +
*We will use the “HAB Blocks” information from previous section. Build u-boot image, message:<br/>./tools/mkimage -n board/freescale/mx6advantech/mx6qrsb4411a1_4x_MT41K128M16JT-125_1410022609-01.cfg.cfgtmp -T imximage -e 0x26800000 -d u-boot.bin u-boot.imx&nbsp;<br/>./tools/mkimage -A arm -T firmware -C none -O u-boot -a 0x26800000 -e 0 -n "U-Boot 2016.03-dirty for mx6advantech board" -d u-boot.bin u-boot.img&nbsp;<br/>Image Type: &nbsp; Freescale IMX Boot Image<br/>Image Ver: &nbsp; &nbsp;2 (i.MX53/6/7 compatible)<br/>Mode: &nbsp; &nbsp; &nbsp; &nbsp; DCD<br/>Data Size: &nbsp; &nbsp;335872 Bytes = 328.00 kB = 0.32 MB<br/>Load Address: 267ff420<br/>Entry Point: &nbsp;26800000<br/>HAB Blocks: &nbsp; 267ff400 00000000 0004dc00<br/>DCD Blocks: &nbsp; 00910000 0000002c 00000320
 +
*Open "uboot_normal.csf" file to edit the size in the "Blocks = " line...<br/>Blocks = 0x267FF400 0x0 0x4DC00 "u-boot_crc.bin"
 +
 
 +
6.We provide a secure u-boot image generation script " habubootimagegen.sh". Copy habubootimagegen.sh to ~/cst-2.3.2/linux64 directory
 +
 
 +
7../habubootimagegen.sh:This will create certified u-boot image "u-boot_normal_signed.bin".
 +
 
 +
=== Sign kernel image ===
 +
 
 +
1.Copy zImage to cst-2.3.2/linux64 directory
 +
 
 +
2.Copy genIVT file to cst-2.3.2/linux64 directory
 +
 
 +
*Get zImage length<br/>hexdump -C zImage | tail -n 1<br/>Example log:<br/>00638f58
 +
*The hexdump command above allows to learn the zImage size. Then you can modify the genIVT to reflect the proper sizes, in our example, the size of the zImage was "638f58" so the next 4kB boundary was "0x639000" as you can see in the genIVT. We need to edit genIVT file.
 +
*Self Pointer: "0x10800000 + 0x639000 = 0x10E39000"<br/>print $out pack("V", 0x10E39000); # Self Pointer
 +
*CSF Pointer: 0x10E39000 + 0x20<br/>print $out pack("V", 0x10E39020); # CSF Pointer
 +
 
 +
3.Copy "zImage.csf" file to cst-2.3.2/linux64 directory
 +
 
 +
4.The "zImage.csf" file for the zImage in order to create the CSF blob and generate the signed image.
 +
 
 +
*Edit the size in the "Blocks = " line...<br/>Blocks = 0x10800000 0x0 0x639020 "zImage-pad-ivt.bin"
 +
 
 +
5.Copy "habZimagegen.sh" file to cst-2.3.2/linux64 directory
 +
 
 +
*We need to edit habZimagegen.sh file<br/>echo "extend zImage to 0x639000..."<br/>objcopy -I binary -O binary --pad-to=0x639000 --gap-fill=0x00 zImage zImage-pad.bin
 +
 
 +
6.Execute "habZimagegen.sh" to generate "zImage_signed" file.
 +
 
 +
./ habZimagegen.sh
  
 
== <span style="font-size: 15.6px;">'''Burn'''</span> ==
 
== <span style="font-size: 15.6px;">'''Burn'''</span> ==
 +
 +
1.Copy "spl_signed", "u-boot_crc.bin.crc", "u-boot_normal_signed.bin", " zImage_signed " to USB disk
 +
 +
2.Burn the chip fuse to enable HAB boot
 +
 +
*The fuse table generated in the third point is what needs to be flashed to the device. However, the hexdump command above doesn’t show the values in their correct endianness, instead the command below will be more useful.
 +
*
 +
 +
The following command gives you what needs to be flashed in the proper order. Dump the content of the eFuse file in ~/cst-2.3.2/crts directory. They will be burned to chip with kernel utilities.<br/>hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
 +
 +
Log message:<br/>0x2661F579<br/>0xE9D4CD6F<br/>0xFF06D2AE<br/>0x40EAF85B<br/>0x97321C01<br/>0xB06BE30E<br/>0xC81EC013<br/>0xCC37EB88
 +
 +
*!!! CAUTION!!! Make sure you perform all the steps correctly. Otherwise you may damage a chip permanently. It is strongly recommended that a socket board is used, so in the worst case scenario, we can change a chip without totally damaging the board.
  
 
== <span style="font-size: 15.6px;">'''Test'''</span> ==
 
== <span style="font-size: 15.6px;">'''Test'''</span> ==

Revision as of 03:26, 16 March 2020

Security is becoming a growing concern, especially when these devices connecte to the Internet,how to protect data from tampering, how to protect FW from malicious damage, how to ensure that the device can start safely... these are security considerations. This topic mainly introduces the Security Boot mechanism.

Security Boot[edit]

For security consideration, it is necessary that the hardware have some mechanism to ensure that the software it is running can be trusted. NXP i.MX6 series chip provides High Assurance Boot (HAB) feature which meets such a requirement. OEM can utilize it to make their product reject any system image which is not authorized for running. You can refer the " i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf" file to learn more about HAB introduction,in this topic,we mainly introduce how to implement and test security boot.

Signature

Setup CST enviroment

1.Unpack the Code Siging Tools (CST) package (cst-2.3.2.tar.gz)

2.cd cst-2.3.2/keys

  • Create a text file called serial, which contains 8 digits. For example: Fill in "12356789" to the serial file
  • Create a text file called key_pass.txt, which contains two lines of identical text, such as "advantech_test". For example:

           ~/cst-2.3.2/keys$ cat key_pass.txt
           advantech_test
           advantech_test

  • ./hab4_pki_tree.sh
  • You can now create the signature keys. This script will generate private key and public key pairs in the working directory. For question prompt, enter "n", "n", "4096", "10", "4", "y" one by one.

3.cd ../crts

  • ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
  • Create the fuse table and binary to be flashed later. This command will generate root public key file "SRK_1_2_3_4_table.bin" and its corresponding hash "SRK_1_2_3_4_fuse.bin". The content of the latter will be later on burned to chip eFuse. NOTE: Don't leave space between the pem file names. Otherwise the generated SRK table and fuse file will not be correct.
  • Show "SRK_1_2_3_4_fuse.bin" information. For example:

           ~/cst-2.3.2/crts$ hexdump -C SRK_1_2_3_4_fuse.bin
           00000000 79  f5 61 26 6f cd d4 e9  ae d2 06 ff 5b f8  ea 40  |y.a&o.......[..@|
           00000010 01 1c 32 97 0e e3 6b b0 13 c0 1e c8 88 eb 37 cc  |..2...k.......7.|
           00000020

Build secure images

1.Build uboot and kernel image for i.MX6 project (For example: RSB-4411 project). 

  • You can refer following URL to set up cross compiling environment (Setting up cross compiling environment):

           http://ess-wiki.advantech.com.tw/view/IoTGateway/BSP/Linux/iMX6/Yocto_LBV8_User_Guide#Setting_up_cross_compiling_environment

2.get and build u-boot image

  • git clone https://github.com/ADVANTECH-Corp/uboot-imx6.git -b  imx_v2016.03_4.1.15_2.0.0_ga
  • cd uboot-imx6/
  • source environment for Yocto 2.1:source /opt/poky/2.1/environment-setup-cortexa9hf-neon-poky-linux-gnueabi
  • Make sure the following message is defined in "./include/configs/mx6xxxx.h" (For example: mx6rsb4411.h).

            /* uncomment for SECURE mode support */
           #define CONFIG_SECURE_BOOT

          #ifdef CONFIG_SECURE_BOOT
          #ifndef CONFIG_CSF_SIZE
          #define CONFIG_CSF_SIZE 0x4000
          #endif
          #endif

  • Build SPL and u-boot image for i.MX6 project (For example: RSB-4411 project)

          make mx6qrsb4411a1_1G_defconfig
          make -j4 V=1 u-boot.imx all

  • You can get SPL (SPL) image and u-boot (u-boot_crc.bin, u-boot_crc.bin.crc) image in uboot-imx6/ directory

3.get and build kernel image

  • git clone https://github.com/ADVANTECH-Corp/linux-imx6.git -b imx_4.1.15_2.0.0_ga
  • cd linux-imx6/
  • source environment for Yocto 2.1
    source /opt/poky/2.1/environment-setup-cortexa9hf-neon-poky-linux-gnueabi
  • Build zImage:
    make imx_v7_adv_defconfig
    make -j 4 zImage
  • You can get zImage image in /arch/arm/boot/zImage directory



Sign uboot image

1.Copy SPL (SPL) and u-boot (u-boot_crc.bin, u-boot_crc.bin.crc) images to ~/cst-2.3.2/linux64 directory

2.Copy spl.csf to ~/cst-2.3.2/linux64 directory

  • We will use the “HAB Blocks” information from previous section. Build SPL image, message:
  • ./tools/mkimage -n board/freescale/mx6advantech/mx6qrsb4411a1_4x_MT41K128M16JT-125_1410022609-01.cfg.cfgtmp -T imximage -e 0x00908000 -d spl/u-boot-spl.bin SPL 
    Image Type:   Freescale IMX Boot Image
    Image Ver:    2 (i.MX53/6/7 compatible)
    Mode:         DCD
    Data Size:    57344 Bytes = 56.00 kB = 0.05 MB
    Load Address: 00907420
    Entry Point:  00908000
    HAB Blocks:   00907400 00000000 00009c00
    DCD Blocks:   00910000 0000002c 00000320
  • Open "spl.csf" file to edit the size in the "Blocks = " line...

          Blocks = 0x907400 0x0 0x9C00 "SPL"

3.We provide a secure SPL image generation script "habsplimagegen.sh". Copy habsplimagegen.sh to ~/cst-2.3.2/linux64 directory

4../habsplimagegen.sh

  • This will create certified SPL image "spl_signed"

5.Copy "uboot_normal.csf" file to ~/cst-2.3.2/linux64 directory

  • We will use the “HAB Blocks” information from previous section. Build u-boot image, message:
    ./tools/mkimage -n board/freescale/mx6advantech/mx6qrsb4411a1_4x_MT41K128M16JT-125_1410022609-01.cfg.cfgtmp -T imximage -e 0x26800000 -d u-boot.bin u-boot.imx 
    ./tools/mkimage -A arm -T firmware -C none -O u-boot -a 0x26800000 -e 0 -n "U-Boot 2016.03-dirty for mx6advantech board" -d u-boot.bin u-boot.img 
    Image Type:   Freescale IMX Boot Image
    Image Ver:    2 (i.MX53/6/7 compatible)
    Mode:         DCD
    Data Size:    335872 Bytes = 328.00 kB = 0.32 MB
    Load Address: 267ff420
    Entry Point:  26800000
    HAB Blocks:   267ff400 00000000 0004dc00
    DCD Blocks:   00910000 0000002c 00000320
  • Open "uboot_normal.csf" file to edit the size in the "Blocks = " line...
    Blocks = 0x267FF400 0x0 0x4DC00 "u-boot_crc.bin"

6.We provide a secure u-boot image generation script " habubootimagegen.sh". Copy habubootimagegen.sh to ~/cst-2.3.2/linux64 directory

7../habubootimagegen.sh:This will create certified u-boot image "u-boot_normal_signed.bin".

Sign kernel image

1.Copy zImage to cst-2.3.2/linux64 directory

2.Copy genIVT file to cst-2.3.2/linux64 directory

  • Get zImage length
    hexdump -C zImage | tail -n 1
    Example log:
    00638f58
  • The hexdump command above allows to learn the zImage size. Then you can modify the genIVT to reflect the proper sizes, in our example, the size of the zImage was "638f58" so the next 4kB boundary was "0x639000" as you can see in the genIVT. We need to edit genIVT file.
  • Self Pointer: "0x10800000 + 0x639000 = 0x10E39000"
    print $out pack("V", 0x10E39000); # Self Pointer
  • CSF Pointer: 0x10E39000 + 0x20
    print $out pack("V", 0x10E39020); # CSF Pointer

3.Copy "zImage.csf" file to cst-2.3.2/linux64 directory

4.The "zImage.csf" file for the zImage in order to create the CSF blob and generate the signed image.

  • Edit the size in the "Blocks = " line...
    Blocks = 0x10800000 0x0 0x639020 "zImage-pad-ivt.bin"

5.Copy "habZimagegen.sh" file to cst-2.3.2/linux64 directory

  • We need to edit habZimagegen.sh file
    echo "extend zImage to 0x639000..."
    objcopy -I binary -O binary --pad-to=0x639000 --gap-fill=0x00 zImage zImage-pad.bin

6.Execute "habZimagegen.sh" to generate "zImage_signed" file.

./ habZimagegen.sh

Burn

1.Copy "spl_signed", "u-boot_crc.bin.crc", "u-boot_normal_signed.bin", " zImage_signed " to USB disk

2.Burn the chip fuse to enable HAB boot

  • The fuse table generated in the third point is what needs to be flashed to the device. However, the hexdump command above doesn’t show the values in their correct endianness, instead the command below will be more useful.

The following command gives you what needs to be flashed in the proper order. Dump the content of the eFuse file in ~/cst-2.3.2/crts directory. They will be burned to chip with kernel utilities.
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin

Log message:
0x2661F579
0xE9D4CD6F
0xFF06D2AE
0x40EAF85B
0x97321C01
0xB06BE30E
0xC81EC013
0xCC37EB88

  • !!! CAUTION!!! Make sure you perform all the steps correctly. Otherwise you may damage a chip permanently. It is strongly recommended that a socket board is used, so in the worst case scenario, we can change a chip without totally damaging the board.

Test