AIMLinux/AddOn/Security

From ESS-WIKI
Revision as of 01:52, 16 March 2020 by Yanwei.cao (talk | contribs)

Security is a growing concern, especially when devices connect to the Internet. How to protect data from tampering, how to protect firmware from malicious damage, and how to ensure that the device can start safely are all security considerations. This topic mainly introduces the Security Boot mechanism.

Security Boot

For security reasons, the hardware needs a mechanism to ensure that the software it runs can be trusted. The NXP i.MX6 series chips provide the High Assurance Boot (HAB) feature, which meets this requirement. An OEM can use it to make its product reject any system image that is not authorized to run. Refer to the "i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf" file for an introduction to HAB; this topic mainly covers how to implement and test security boot.

Signature

Set up the CST environment

1. Unpack the Code Signing Tools (CST) package (cst-2.3.2.tar.gz)

2. cd cst-2.3.2/keys

  • Create a text file called serial, which contains 8 digits. For example, write "12356789" to the serial file.
  • Create a text file called key_pass.txt, which contains two lines of identical text, such as "advantech_test". For example:

           ~/cst-2.3.2/keys$ cat key_pass.txt
           advantech_test
           advantech_test

  • ./hab4_pki_tree.sh
  • You can now create the signature keys. This script generates private and public key pairs in the working directory. At the prompts, enter "n", "n", "4096", "10", "4", "y" one by one.

3. cd ../crts

  • ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
  • Create the fuse table and binary to be flashed later. This command generates the root public key file "SRK_1_2_3_4_table.bin" and its corresponding hash "SRK_1_2_3_4_fuse.bin". The content of the latter will later be burned to the chip eFuse. NOTE: Don't leave spaces between the pem file names; otherwise the generated SRK table and fuse file will not be correct.
  • Show "SRK_1_2_3_4_fuse.bin" information. For example:

           ~/cst-2.3.2/crts$ hexdump -C SRK_1_2_3_4_fuse.bin
           00000000  79 f5 61 26 6f cd d4 e9  ae d2 06 ff 5b f8 ea 40  |y.a&o.......[..@|
           00000010  01 1c 32 97 0e e3 6b b0  13 c0 1e c8 88 eb 37 cc  |..2...k.......7.|
           00000020
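
A pre-flight check for the CST setup steps above, as an added example that is not part of the original wiki page or of NXP's CST. It validates the serial and key_pass.txt files, the comma-separated -c list and the size of SRK_1_2_3_4_fuse.bin, then prints the fuse file as 32-bit words. The function names and the CST_DIR variable are hypothetical, and the little-endian word order is an assumption to confirm against the NXP HAB guide.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CST files described above.
# Function names and CST_DIR are hypothetical, not part of NXP's CST.

# keys/serial must hold exactly 8 digits.
check_serial() {
    case "$(tr -d '\r\n' < "$1")" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    esac
    echo "serial: expected exactly 8 digits" >&2; return 1
}

# keys/key_pass.txt must hold two identical, non-empty lines.
check_key_pass() {
    awk 'NR==1{a=$0} NR==2{b=$0} END{exit !(NR==2 && a!="" && (a "")==(b ""))}' "$1" ||
        { echo "key_pass.txt: expected two identical lines" >&2; return 1; }
}

# srktool -c argument: no whitespace, and the expected count of .pem entries.
check_cert_list() {
    case "$1" in *[[:space:]]*)
        echo "-c list contains whitespace" >&2; return 1 ;;
    esac
    n=$(printf '%s\n' "$1" | tr ',' '\n' | grep -c '\.pem$' || true)
    [ "$n" -eq "${2:-4}" ] || { echo "-c list: expected ${2:-4} .pem entries" >&2; return 1; }
}

# With -d sha256 the fuse file is one SHA-256 digest: exactly 32 bytes.
check_fuse_size() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ] || { echo "$1: not 32 bytes" >&2; return 1; }
}

# Print the digest as eight 32-bit words, each read little-endian.
# Assumption: confirm the word order against the NXP HAB guide before burning.
fuse_words() {
    check_fuse_size "$1" || return 1
    od -An -v -tx1 "$1" | awk '{ for (i = 1; i <= NF; i += 4)
        print "0x" toupper($(i+3) $(i+2) $(i+1) $i) }'
}

# Optional entry point, e.g.: CST_DIR=~/cst-2.3.2 sh preflight.sh
if [ -n "${CST_DIR:-}" ]; then
    check_serial "$CST_DIR/keys/serial" &&
    check_key_pass "$CST_DIR/keys/key_pass.txt" &&
    fuse_words "$CST_DIR/crts/SRK_1_2_3_4_fuse.bin"
fi
```

Because eFuses can be written only once, comparing the printed words with the hexdump of the fuse file before any burn step catches a truncated file or a byte-order mix-up.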

Build secure images

Sign images

Burn

Test