nxp-mcuxpresso / spsdk

Secure Provisioning SDK (SPSDK) is a unified, reliable and easy-to-use SW library working across the NXP MCU portfolio, providing a strong foundation from quick customer prototyping up to production deployment.

i.MX93 sign os container #75

Open yodakohl opened 1 month ago

yodakohl commented 1 month ago

Is it possible to sign an OS container for i.MX93 (linux + initramfs + dtb) using the spsdk? If yes, how does the yaml file have to look?

marekvi95 commented 1 month ago

Hi,

As far as I know, only the U-Boot, i.e. the two AHAB image container sets (u-boot, bl31, lpddrx, atf, ele firmware...), is authenticated by the EdgeLock Enclave. So only the u-boot must be signed. To build a signed u-boot refer to the documentation https://spsdk.readthedocs.io/en/latest/examples/imx93/imx93_signed_ahab_uboot.html Just the SRK table and the signing key/signature provider need to be specified.

In the upcoming SPSDK release 2.3, which will be released by the end of this week, we are adding a command for signing an existing AHAB image/image container set without the need for parsing. We will also provide a command for replacing the u-boot in an existing WIC file (standard Yocto distribution).

I am referring to the standard BSP Yocto Linux distribution for SD/EMMC. https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf

yodakohl commented 1 month ago

We are trying to switch from https://github.com/nxp-imx-support/meta-nxp-security-reference-design that was using NXP CST.

This had the option to sign a container that is verified by u-boot using the auth_cntr command.

The code for the os-container signing is here: https://github.com/nxp-imx-support/meta-nxp-security-reference-design/blob/scarthgap-6.6.23-2.0.0/meta-secure-boot/recipes-secure-boot/linux/linux-imx-signature.bb

marekvi95 commented 1 month ago

Hi, I have contacted CST team and this is their response:

For the Code Signing Tool, we do enable signing OS images for additional image authentication based on customer needs. The OS image is still stored in "AHAB container" format. Here is an example process for this with CST: first the OS image needs to be packaged in an AHAB container by the imx-mkimage tool, then the container is signed by CST.

Looking at the code for nxpimage ahab sign, it looks like the parse in ahab_sign_image can handle being given a stand-alone AHAB container and return it signed. So it seems there needs to be additional guidance given on how to package Linux OS in an AHAB container with SPSDK.

So I guess that signing should work. You can also try parsing your existing Linux container using nxpimage bootable-image parse and use the parsed configuration file for building the new image. We have implemented the full AHAB specification in SPSDK, so you can create any container you want by just specifying images and their load addresses.
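To make the "just specify images and their load addresses" approach concrete, here is an added example of what such an OS-container configuration could look like. It is not code from the SPSDK project or from anyone in this thread: the key names are modelled on the shape of the `nxpimage ahab get-template` output for SPSDK 2.x as I remember it, and the family name, file paths, load addresses, key file names and `image_type` values are all assumptions to be checked against the template generated by your own SPSDK version.

```yaml
# Added example, not from the SPSDK project or this thread. Every key name and
# value below is an assumption; regenerate the authoritative template with
# `nxpimage ahab get-template` for your SPSDK release and diff it against this.
family: mimx9352            # assumed i.MX93 family identifier used by SPSDK
revision: latest
target_memory: standard     # assumed: plain container, not the serial-downloader layout
output: os_container_signed.bin

containers:
  - container:
      srk_set: oem          # OEM SRK set, i.e. the keys whose hash is fused into SRKH
      used_srk_id: 0        # index into srk_array of the key that signs this container
      srk_revoke_mask: 0    # bitmask of SRKs already revoked; keep at 0 unless rotating keys
      fuse_version: 0
      sw_version: 0
      # Private key matching srk_array[used_srk_id]. Newer releases may name this
      # key `signer` and also accept a signature-provider string (e.g. HSM/PKCS#11).
      signing_key: ../keys/srk0_ecc_secp384r1.pem
      srk_table:
        flag_ca: false
        srk_array:          # all four public SRKs; ELE hashes this table and compares to SRKH
          - ../keys/srk0_ecc_secp384r1.pub
          - ../keys/srk1_ecc_secp384r1.pub
          - ../keys/srk2_ecc_secp384r1.pub
          - ../keys/srk3_ecc_secp384r1.pub
      images:
        # Load addresses are placeholders: use the addresses your U-Boot boot
        # script loads the container to and later passes to booti.
        - image_path: ../linux/Image
          load_address: 0x80400000
          entry_point: 0x80400000
          image_type: executable
          core_id: cortex-a55
          is_encrypted: false
          hash_type: sha384
        - image_path: ../linux/imx93-11x11-evk.dtb
          load_address: 0x83000000
          entry_point: 0x83000000
          image_type: data
          core_id: cortex-a55
          is_encrypted: false
          hash_type: sha384
        - image_path: ../linux/initramfs.cpio.gz
          load_address: 0x83800000
          entry_point: 0x83800000
          image_type: data
          core_id: cortex-a55
          is_encrypted: false
          hash_type: sha384
```

Assumed workflow around it: `nxpimage ahab get-template -f mimx9352 -o ahab_template.yaml` to obtain the real schema, `nxpimage ahab export -c os_container.yaml` to build the signed container, then in U-Boot load the output to RAM and run `auth_cntr <addr>` before `booti`, the same check the reference design's recipe relied on. Two things worth verifying rather than assuming: the SRK table in the container must hash to the value fused in the OEM SRKH, otherwise ELE rejects the container regardless of how valid the signature is, and the per-image hashes (`hash_type`) are what actually bind the kernel, dtb and initramfs to the signed header, so every image that U-Boot will execute or hand to the kernel must be listed in `images`, not loaded separately alongside the container.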