Crypto D100 Betriebsanweisung PDF herunterladen (Seite 15)

Secure Boot with i.MX28 HAB Version 4, Rev. 1

Freescale Semiconductor 15

Designing for code signing

../linux/srktool –h 4 –t SRK_1_2_3_4_table.bin –e SRK_1_2_3_4_fuse.bin –d sha256 –c

./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sh

a256_2048_65537_v3_ca_crt.pem,./ SRK4_sha256_2048_65537_v3_ca_crt.pem –f 1

For details on key generation with the CST, see HAB CST User Guide.

NOTE

Section 6, “Manage the electrical fuses,” provides guidance on how to blow

fuses, and which fuses must be blown for a secure product.

3.2.3 Generating the binary CSF and signatures

The HAB CST User Guide (listed in Section 1.5, “References”) explains in detail how to use CSF input

file with CST tool to generate CSF binary data and signatures. Refer to Section 4 of the HAB CST User

Guide (HABCST_UG_Rev_1.pdf) available in the Code Signing Tool package, downloadable on the

website freescale.com.

3.3 How to assemble the HAB data with the boot image

This section lists out typical code changes needed to accommodate HAB data (including the binary CSF,

certificates and signatures) and the IVT data structure. The purpose is to create a boot image that is

organized as represented by Figure 5.

The following definitions will be referred to in the steps below:

• __hab_data: symbol name for the start of HAB data in memory

• input_ivt: symbol name for start of IVT data in memory

1. The first step is to modify the linker file to preserve space and a symbol name “__hab_data” for

HAB data. Also make sure input_ivt and CSF are not located at address 0. Below are the

typical linker file changes in bold italic, with the __hab_data symbol name and reserving

0x2000 bytes for *csf.

OUTPUT_ARCH(arm)

ENTRY(_start)

SECTIONS

{

/* Image loaded at address 0x10 to avoid input_ivt at 0 */

. = 0x00000010;

. = ALIGN(4);

. = BASE_ADDR;

.text : { *(.text) }

.rodata : { *(.rodata) }

.data : { *(.data) }

/* Allow the section for future growth with padding

to a known length */

. = BASE_ADDR + 0x2A000;

1 2 ... 10 11 12 13 14 15 16 17 18 19 20 ... 30 31

Keine Kommentare

Crypto D100 Betriebsanweisung Seite 15