AIMLinux/AddOn/Security
Security is a growing concern, especially when these devices connect to the Internet: how to protect data from tampering, how to protect FW from malicious damage, how to ensure that the device can start safely... These are security considerations. This topic mainly introduces the Security Boot mechanism.
Security Boot
For security reasons, the hardware needs a mechanism to ensure that the software it runs can be trusted. The NXP i.MX6 series chips provide the High Assurance Boot (HAB) feature, which meets this requirement. An OEM can use it to make its product reject any system image that is not authorized to run. Refer to the "i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf" file for an introduction to HAB. This topic mainly covers how to implement and test security boot.
Signature
Setup CST environment
1. Unpack the Code Signing Tools (CST) package (cst-2.3.2.tar.gz)
2. cd cst-2.3.2/keys
- Create a text file called serial, which contains 8 digits. For example, put "12356789" in the serial file.
- Create a text file called key_pass.txt, which contains two lines of identical text, such as "advantech_test". For example:
~/cst-2.3.2/keys$ cat key_pass.txt
advantech_test
advantech_test
- ./hab4_pki_tree.sh
- You can now create the signature keys. This script generates private and public key pairs in the working directory. At the prompts, enter "n", "n", "4096", "10", "4", "y" one by one.
3. cd ../crts
- ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
- Create the fuse table and binary to be flashed later. This command generates the root public key file "SRK_1_2_3_4_table.bin" and its corresponding hash "SRK_1_2_3_4_fuse.bin". The content of the latter will later be burned to the chip eFuse. NOTE: Do not leave spaces between the pem file names; otherwise the generated SRK table and fuse file will not be correct.
- Show "SRK_1_2_3_4_fuse.bin" information. For example:
~/cst-2.3.2/crts$ hexdump -C SRK_1_2_3_4_fuse.bin
00000000  79 f5 61 26 6f cd d4 e9  ae d2 06 ff 5b f8 ea 40  |y.a&o.......[..@|
00000010  01 1c 32 97 0e e3 6b b0  13 c0 1e c8 88 eb 37 cc  |..2...k.......7.|
00000020
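Because the fuse file is burned to one-time-programmable eFuses, it is worth checking it and writing out its word values before going further. The script below is an added example, not part of the original page or of the CST package: it checks that the file is a 32-byte SHA-256 digest and splits it into eight 32-bit words. The function names are hypothetical, and reading each word as little-endian (what hexdump's 4-byte format prints on an x86 host) is an assumption to confirm against the HAB user's guide for your chip.

```python
import struct
import sys

# srktool was run with "-d sha256", so the fuse file holds one SHA-256 digest.
SRK_HASH_LEN = 32

# Sample input: the 32 bytes from the hexdump output shown on this page.
SAMPLE_FUSE = bytes.fromhex(
    "79f561266fcdd4e9aed206ff5bf8ea40"
    "011c32970ee36bb013c01ec888eb37cc"
)


def check_fuse_blob(blob):
    """Return a list of problems that should stop the blob from being used."""
    problems = []
    if len(blob) != SRK_HASH_LEN:
        problems.append("expected %d bytes, got %d" % (SRK_HASH_LEN, len(blob)))
    if blob and len(set(blob)) == 1:
        # All 0x00 or all 0xff usually means an empty or failed srktool run.
        problems.append("every byte is 0x%02x, file looks empty or corrupt" % blob[0])
    return problems


def fuse_words(blob):
    """Split the digest into eight 32-bit words (assumption: little-endian)."""
    problems = check_fuse_blob(blob)
    if problems:
        raise ValueError("; ".join(problems))
    return ["0x%08X" % word for word in struct.unpack("<8I", blob)]


if __name__ == "__main__":
    # Optional argument: path to SRK_1_2_3_4_fuse.bin; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE_FUSE
    for index, word in enumerate(fuse_words(data)):
        print("word %d: %s" % (index, word))
```

Run it with the path to SRK_1_2_3_4_fuse.bin as the only argument and compare the printed words with the values you intend to program.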