bank = 4
word = 2
-And the U-boot command would be:
+And the U-Boot command would be:
=> fuse read 4 2
Reading bank 4:
bank = 4
word = 3
-And the U-boot command would be:
+And the U-Boot command would be:
=> fuse read 4 3
Reading bank 4:
2. Using imx_usb_loader for first install with SPL
--------------------------------------------------
-imx_usb_loader is a very nice tool by BoundaryDevice that
+imx_usb_loader is a very nice tool by Boundary Devices that
allow to install U-Boot without a JTAG debugger, using
the USB boot mode as described in the manual. It is
a replacement for Freescale's MFGTOOLS.
sudo ../imx_usb_loader/imx_usb -v u-boot.imx
-Getting U-Boot when SPL support is active, it requires
-two downloads. imx_usb_loader downloads the SPL into
-OCRAM and starts it. SPL will check for a valid u-boot.img, and
-because it is not found, it will wait for it using the y-modem
-protocol via the console.
-
-A first install is then possible by combining imx_usb_loader with
-another tool such as kermit.
-
-sudo ../imx_usb_loader/imx_usb -v SPL
-kermit kermit_uboot
-
-and kermit_uboot contains something like this (set line should be adjusted):
-
-set line /dev/ttyUSB1
-set speed 115200
-SET CARRIER-WATCH OFF
-set flow-control none
-set handshake none
-set prefixing all
-set file type bin
-set protocol ymodem
-send u-boot.img
-c
-
-The last "c" command tells kermit (from ckermit package in most distros)
-to switch from command line mode to communication mode, and when the
-script is finished, the U-Boot prompt is shown in the same shell.
+In order to load SPL and u-boot.img via imx_usb_loader tool,
+please refer to doc/README.sdp.
+
+3. Using Secure Boot on i.MX6 machines with SPL support
+-------------------------------------------------------
+
+This version of U-Boot is able to build a signable version of the SPL
+as well as a signable version of the U-Boot image. The signature can
+be verified through High Assurance Boot (HAB).
+
+CONFIG_SECURE_BOOT is needed to build those two binaries.
+After building, you need to create a command sequence file and use
+Freescales Code Signing Tool to sign both binaries. After creation,
+the mkimage tool outputs the required information about the HAB Blocks
+parameter for the CSF. During the build, the information is preserved
+in log files named as the binaries. (SPL.log and u-boot-ivt.log).
+
+More information about the CSF and HAB can be found in the AN4581.
+https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
+
+We don't want to explain how to create a PKI tree or SRK table as
+this is well explained in the Application Note.
+
+Example Output of the SPL (imximage) creation:
+ Image Type: Freescale IMX Boot Image
+ Image Ver: 2 (i.MX53/6/7 compatible)
+ Mode: DCD
+ Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
+ Load Address: 00907420
+ Entry Point: 00908000
+ HAB Blocks: 00907400 00000000 0000cc00
+
+Example Output of the u-boot-ivt.img (firmware_ivt) creation:
+ Image Name: U-Boot 2016.11-rc1-31589-g2a4411
+ Created: Sat Nov 5 21:53:28 2016
+ Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
+ Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
+ Load Address: 17800000
+ Entry Point: 00000000
+ HAB Blocks: 0x177fffc0 0x0000 0x00054020
+
+The CST (Code Signing Tool) can be downloaded from NXP.
+# Compile CSF and create signature
+./cst --o csf-u-boot.bin < command_sequence_uboot.csf
+./cst --o csf-SPL.bin < command_sequence_spl.csf
+# Append compiled CSF to Binary
+cat SPL csf-SPL.bin > SPL-signed
+cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
+
+These two signed binaries can be used on an i.MX6 in closed
+configuration when the according SRK Table Hash has been flashed.
projects / people / ms / u-boot.git / blobdiff