基于NXP iMX8测试Secure Boot功能部署

Posted 2023-02-20 toradexsh

By Toradex秦海

1). 简介

由于NXP从iMX8/iMX8x处理器开始引入了SCU/SECO等底层控制模块来进行包含启动管理等多项底层初始化功能，因此对于Secure Boot功能支持，也同样升级为Advanced High Assurance Boot (AHAB) 特性来配合，以区别于iMX6/iMX8MM/iMX8MP处理器所使用的HABv4特性；AHAB和HABv4都是基于公共密钥加密 (Public Key Cryptography) 和数字签名 (Digital Signature) 技术来实现Secure Boot的，SCU负责协调各个启动组件和流程，SECO用于验证签名的Image文件并授权加载运行，一个简单的流程图参考如下。本文就基于NXP iMX8平台测试部署Secure Boot功能。

本文所演示的平台来自于Toradex Apalis iMX8嵌入式平台，这个平台是基于近年发布的NXP iMX8系列ARM处理器，核心为Cortex-A72/A53。

2. 准备

a). Apalis iMX8 ARM核心版配合Ixora 载板，并连接调试串口用于测试。

b). 参考这里下载Toradex Ycoto Linux BSP5 Image用于后续测试，目前最新的是5.7版本。

3). 生成PKI Tree文件

a). 从NXP官方网站下载Code Signing Tools软件包（需注册），目前最新版本是3.3.1版本，然后解压后使用预设的脚本生成Public Key Infrastructure (PKI) tree，用于后面签名U-boot/Linux Kernel Image文件

--------------------------------

$ cp .../cst-3.3.1.tgz ~/.

$ cd ~

$ tar xvf cst-3.3.1.tgz

$ tree -L 1 cst-3.3.1/

cst-3.3.1/

├── ca

├── code

├── crts

├── docs

├── keys

├── LICENSE.bsd3

├── LICENSE.hidapi

├── LICENSE.openssl

├── linux32

├── linux64

├── mingw32

├── osx

├── Release_Notes.txt

└── Software_Content_Register_CST.txt

--------------------------------

b). 生成PKI TREE

./ 修改CST工具默认的serial和key_pass，本文因为仅测试需要则保持默认没有修改，实际应用可以根据需要自行修改以保证安全

--------------------------------

$ cd ~/cst-3.3.1/keys

### default serial number for OpenSSL certification ###

$ cat serial

1234567C

### default key_pass for protection of private keys

$ cat key_pass.txt

test

test

--------------------------------

./ 运行CST工具预制脚本通过交互方式生成PKI TREE，这里生成一个P384 ECC SRK PKI TREE示例，还可以选择其他选项或者生成包含下级SGK Key的PKI TREE，更多可以参考如下U-Boot源代码中的文档说明

https://git.toradex.cn/cgit/u-boot-toradex.git/tree/doc/imx/ahab/introduction_ahab.txt?h=toradex_imx_v2020.04_5.4.70_2.3.0

--------------------------------

### generate P384 ECC PKI TREE ###

$ ./ahab_pki_tree.sh

  ...

  Do you want to use an existing CA key (y/n)?: n

  Do you want to use Elliptic Curve Cryptography (y/n)?: y

  Enter length for elliptic curve to be used for PKI tree:

  Possible values p256, p384, p521:  p384

  Enter the digest algorithm to use: sha384

  Enter PKI tree duration (years): 5

  Do you want the SRK certificates to have the CA flag set? (y/n)?: n

### check generated SRK keys ###

$ ls SRK*

SRK1_sha384_secp384r1_v3_usr_key.der  SRK2_sha384_secp384r1_v3_usr_key.pem  SRK4_sha384_secp384r1_v3_usr_key.der

SRK1_sha384_secp384r1_v3_usr_key.pem  SRK3_sha384_secp384r1_v3_usr_key.der  SRK4_sha384_secp384r1_v3_usr_key.pem

SRK2_sha384_secp384r1_v3_usr_key.der  SRK3_sha384_secp384r1_v3_usr_key.pem

### generate SRK Table 和 SRK Hash ###

$ cd ../crts/

$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \\

      -e SRK_1_2_3_4_fuse.bin -f 1 -c \\

      SRK1_sha384_secp384r1_v3_usr_crt.pem,\\

      SRK2_sha384_secp384r1_v3_usr_crt.pem,\\

      SRK3_sha384_secp384r1_v3_usr_crt.pem,\\

      SRK4_sha384_secp384r1_v3_usr_crt.pem

### check SRK Table and SRK Hash ###

$ ls SRK_*

SRK_1_2_3_4_fuse.bin  SRK_1_2_3_4_table.bin

--------------------------------

c). 上面最后生成的两个文件就是我们后面签名和fuse设备需要用到的，”SRK_1_2_3_4_table.bin” 文件是SRK Table，用于签名Container Image；”SRK_1_2_3_4_fuse.bin” 文件是SRK Hash，用于fuse到Apalis iMX8设备的eFuse。更多CST工具使用说明可以参考如下CST User Guide文档

cst-3.3.1/docs/CST_UG.pdf

 

 

4). Boot Container 配置和签名

a). 参考这里说明下载Toradex Ycoto Linux BSP 5.x.y版本U-boot源代码，默认配置并未使能AHAB功能支持，需要在config中使能如下选项，并重新编译生成新的U-Boot文件 ”u-boot.bin”

--------------------------------

→ ARM architecture

[*] Support i.MX8 AHAB features

--------------------------------

b). 参考上面U-boot源码下载编译文章以及下面参考文档，使用编译生成的U-Boot文件生成Apalis iMX8 Boot Container Image文件”flash.bin”

NXP iMX8 SCFW和Boot Container Image编译

c). 此时先将上一步骤生成的 “flash.bin” 文件重命名为 “imx-boot”，然后通过这里的说明通过Toradex Easy Installer更新到Apalis iMX8模块并启动进入U-Boot命令行，通过如下命令可以查看AHAB功能以及使能成功，但是由于Boot Container Image并未签名，因此提示 “0xEE” 事件。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087EE00

        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

        IND = AHAB_NO_AUTHENTICATION_IND (0xEE)

sc_seco_get_event: idx: 1, res:3

--------------------------------

d). 通过CST工具对上一步骤使用 imx-mkimage 生成的Boot Container Image “flash.bin” 文件进行签名

--------------------------------

### copy boot container image file to CST tool containing folder ###

$ cp .../imx-mkimage/iMX8QM/flash.bin ~/

### copy CSF template to CST tool containing folder ###

$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_boot_image.txt ~/

### modify csf_boot_image.txt to adopt your settings ###

vi csf_boot_image.txt

[Header]

Target = AHAB

Version = 1.0

[Install SRK]

# SRK table generated by srktool

File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

# Public key certificate in PEM format

Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

# Index of the public key certificate within the SRK table (0 .. 3)

Source index = 0

# Type of SRK set (NXP or OEM)

Source set = OEM

# bitmask of the revoked SRKs

Revocations = 0x0

[Authenticate Data]

# Binary to be signed generated by mkimage

File = "flash.bin"

# Offsets = Container header  Signature block (printed out by mkimage)

Offsets   = 0x400             0x590

### sign boot container image ###

./cst-3.3.1/linux64/bin/cst -i csf_boot_image.txt -o flash_signed.bin

Install SRK

Authenticate data

CSF Processed successfully and signed image available in flash_signed.bin

--------------------------------

e). 此时再将上一步骤签名成功的 “flash_signed.bin” 文件重命名为 “imx-boot” 并更新到Apalis iMX8模块上面，此时AHAB状态命令变化如下，因为并未将对应的Hash烧写到Apalis iMX8 eFuse，因此提示 “0xEA” 事件。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087FA00

        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)

        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

sc_seco_get_event: idx: 1, res:3

--------------------------------

f). 烧写SRK Hash

./ 签名的Boot Container Image文件要通过iMX8 SOC SRK_HASH[511:0] fuse烧写的SRK Hash进行校验

./ 导出SRK HASH fuse对应数值

--------------------------------

### dump SRK HASH fuse value ###

$ od -t x4 ~/cst-3.3.1/crts/SRK_1_2_3_4_fuse.bin

0000000 7ef8ad2a 4a3e54b6 ffa3df87 1774beb6

0000020 6f7b4d2e a9e90a59 c5fa9ea2 55c59bf4

0000040 b55aa0b9 8b30c2ec 519814df 26a0f058

0000060 52c0edda 7e686983 4bf5f8d7 27d7727a

--------------------------------

./ 进入Apalis iMX8 U-Boot命令行，通过如下命令写入fuses，注意这些fuses都是一次写入的，因此请务必保证一次写入正确。另外不同的SOC有不同的地址，如下只适用于iMX8QM，如果是iMX8X要参考文档修改。

--------------------------------

Apalis iMX8 # fuse prog 0 722 7ef8ad2a

Apalis iMX8 # fuse prog 0 723 4a3e54b6

Apalis iMX8 # fuse prog 0 724 ffa3df87

Apalis iMX8 # fuse prog 0 725 1774beb6

Apalis iMX8 # fuse prog 0 726 6f7b4d2e

...

Apalis iMX8 # fuse prog 0 736 4bf5f8d7

Apalis iMX8 # fuse prog 0 737 27d7727a

--------------------------------

为了操作方便，可以将上述命令生成U-Boot脚本文件来执行，或者可以通过类似如下 NXP Universal Update Utility (UUU)工具脚本来进行操作

--------------------------------

# This command will be run when ROM support stream mode

# i.MX8QXP, i.MX8QM

SDPS: boot -f imx-boot

# refer related module tezi image recovery folder uuu.auto file

CFG: FB: -vid 0x0525 -pid 0x4000

CFG: FB: -vid 0x0525 -pid 0x4025

CFG: FB: -vid 0x0525 -pid 0x402F

CFG: FB: -vid 0x0525 -pid 0x4030

CFG: FB: -vid 0x0525 -pid 0x4031

SPDU: delay 1000

FB: ucmd setenv cmd 'fuse prog -y 0'

FB: ucmd $cmd 722 0x7ef8ad2a

FB: ucmd $cmd 723 0x......

...

FB: ucmd $cmd 737 0x27d7727a

FB: done

--------------------------------

e). SRK HASH烧写完成后，AHAB状态命令变化如下，只有如下状态下close设备才是安全的，否则设备就无法启动了。

--------------------------------

### check AHAB enable status ###

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

sc_seco_get_event: idx: 1, res:3

No SECO Events Found!

--------------------------------

f). 更多关于此步骤的说明请参考如下文档

./ U-Boot documentation

mx8_mx8x_secure_boot.txt « guides « ahab « imx « doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

./ NXP Application Note - AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB

5). 签名包含Linux kernel 和 Device Tree文件的OS Container Image 

a). 此步骤为可选步骤，如果不需要Linux Kernel Secure Boot功能则无需操作直接close设备即可。

b). 解压Toradex Ycoto Linux BSP 5.7 Multimedia Image，获得LInux Kernel和需要加载的Device Tree文件

--------------------------------

### uncompress BSP Image package ###

$ tar xvf Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20.tar

$ cd Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/

### uncompress boot filesystem ###

$ mkdir bootfs/

$ tar Jxf Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz -C bootfs/

### copy Kernel and Device Tree files to imx-mkimage tools related device folder ###

$ cd bootfs/

$ gzip -d Image.gz

$ cp Image imx8qm-apalis-v1.1-eval.dtb .../imx-mkimage/iMX8QM/

--------------------------------

b). 使用 imx-mkimage 工具生成 OS Container Image

./ 如下修改默认配置，将Linux Kernel和Device Tree文件的命名和加载地址修改为适合你当前设备定义的配置，Toradex U-Boot默认配置Kernel 加载地址为 “0x96000000”，Device Tree加载地址为 “0x83000000”。

--------------------------------

--- a/iMX8QM/soc.mak 2022-08-19 17:31:57.488554800 +0800

+++ b/iMX8QM/soc.mak 2022-08-22 15:15:45.393002799 +0800

@@ -140,8 +140,8 @@

 flash_scfw: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin

  ./$(MKIMG) -soc QM -rev B0 -dcd skip -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -out flash.bin

-flash_kernel: $(MKIMG) Image fsl-imx8qm-mek.dtb

- ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x80280000 --data fsl-imx8qm-mek.dtb 0x83000000 -out flash.bin

+flash_kernel: $(MKIMG) Image imx8qm-apalis-v1.1-eval.dtb

+ ./$(MKIMG) -soc QM -rev B0 -c -ap Image a53 0x96000000 --data imx8qm-apalis-v1.1-eval.dtb 0x83000000 -out flash_os.bin

 flash_ca72: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-atf.bin

  ./$(MKIMG) -soc QM -rev B0 -append $(AHAB_IMG) -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a72 0x80000000 -out flash.bin

--------------------------------

./ 生成 OS Container Image 文件 “flash_os.bin”，并记录生成记录最后的IVT_OFFSET + IMAGE_OFFSET数值用于后续CSF文件定义。

--------------------------------

$ cd .../imx-mkimage/

$ make SOC=iMX8QM flash_kernel

...

CST: CONTAINER 0 offset: 0x0

CST: CONTAINER 0: Signature Block: offset is at 0x110

DONE.

Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET

--------------------------------

c). 使用CST工具签名刚才生成的OS Container Image

./ 准备CSF文件

--------------------------------

### copy CSF template to CST tool containing folder ###

$ cp u-boot-toradex/doc/imx/ahab/csf_examples/csf_linux_img.txt ~/

### modify csf_linux_img.txt to adopt your settings ###

vi csf_linux_img.txt

[Header]

Target = AHAB

Version = 1.0

[Install SRK]

# SRK table generated by srktool

File = "./cst-3.3.1/crts/SRK_1_2_3_4_table.bin"

# Public key certificate in PEM format

Source = "./cst-3.3.1/crts/SRK1_sha384_secp384r1_v3_usr_crt.pem"

# Index of the public key certificate within the SRK table (0 .. 3)

Source index = 0

# Type of SRK set (NXP or OEM)

Source set = OEM

# bitmask of the revoked SRKs

Revocations = 0x0

[Authenticate Data]

# Binary to be signed generated by mkimage

File = "flash_os.bin"

# Offsets = Container header  Signature block (printed out by mkimage)

Offsets   = 0x0             0x110

--------------------------------

./ 签名，获得签名好的OS Container Image 文件 “os_cntr_signed.bin”

--------------------------------

$ cp .../imx-mkimage/iMX8QM/flash_os.bin ~/

$ ./cst-3.3.1/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin

--------------------------------

6). 部署OS Container Image

a). 将OS Container Image重新部署到刚才解压的Ycoto Linux Multimedia BSP5.7 bootfs中，并重新创建bootfs 压缩包

--------------------------------

### copy signed os container image to bsp rootfs folder ###

$ cp os_cntr_signed.bin .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

### remove default boot script and linux kernel/device tree files ###

$ cd .../Apalis-iMX8_Reference-Multimedia-Image-Tezi_5.7.0+build.20/bootfs/

$ rm boot.scr Image *.dtb

### check bootfs files ###

$ tree -L 2

.

├── dpfw.bin

├── hdmitxfw.bin

├── os_cntr_signed.bin

├── overlays

│   ├── apalis-imx8_ar0521_overlay.dtbo

│   ├── apalis-imx8_atmel-mxt_overlay.dtbo

│   ├── apalis-imx8_hdmi_overlay.dtbo

│   ├── apalis-imx8_lvds_overlay.dtbo

│   ├── apalis-imx8_mezzanine-can_overlay.dtbo

│   ├── apalis-imx8_mezzanine_lvds_overlay.dtbo

│   ├── apalis-imx8_mezzanine_ov5640_overlay.dtbo

│   ├── apalis-imx8_ov5640_overlay.dtbo

│   ├── apalis-imx8_resistive-touch_overlay.dtbo

│   ├── display-dpi-lt170410_overlay.dtbo

│   ├── display-edt5.7_overlay.dtbo

│   ├── display-edt7_overlay.dtbo

│   ├── display-fullhd_overlay.dtbo

│   ├── display-lt161010_overlay.dtbo

│   ├── display-lt170410_overlay.dtbo

│   ├── display-vga_overlay.dtbo

│   └── touch-atmel-mxt_overlay.dtbo

└── overlays.txt

1 directory, 21 files

### compress new bootfs package ###

$ tar Jcf ../Reference-Minimal-Image-apalis-imx8.bootfs.tar.xz *

### clear bootfs

$ cd ..

$ rm -rf bootfs/

--------------------------------

b). 修改BSP package中的 “u-boot-initial-env-sd” 文件，增加如下环境变量用于Secure Boot

./ 命令方式格式

--------------------------------

### set boot device info mmc 0:1 ###

Apalis iMX8 # setenv pre_boot 'devnum=0; if mmc dev $devnum; then devtype=mmc; setenv load_cmd \\"load $devtype $devnum:1\\"; fi'

### signed os container image loading info ###

Apalis iMX8 # setenv cntr_addr '0x98000000'

Apalis iMX8 # setenv cntr_file 'os_cntr_signed.bin'

Apalis iMX8 # setenv cntr_load '$load_cmd $cntr_addr $cntr_file'

### authenticate signed os container image ###

Apalis iMX8 # setenv auth_os 'auth_cntr $cntr_addr'

### device tree overlay apply ###

Apalis iMX8 # setenv overlays_file 'overlays.txt'

Apalis iMX8 # setenv overlays_prefix 'overlays/'

Apalis iMX8 # setenv load_overlays_file '$load_cmd $loadaddr $overlays_file && env import -t $loadaddr $filesize'

Apalis iMX8 # setenv fdt_resize 'fdt addr $fdt_addr_r && fdt resize 0x20000'

Apalis iMX8 # setenv apply_overlays 'for overlay_file in $fdt_overlays; do echo Applying Overlay: $overlay_file && $load_cmd $loadaddr $overlays_prefix\\$overlay_file && fdt apply $loadaddr; env set overlay_file; done; true'

Apalis iMX8 # setenv bootcmd_overlays 'run load_overlays_file && run fdt_resize && run apply_overlays'

### kernel/dtb loading ###

Apalis iMX8 # setenv bootcmd_boot 'echo "Bootargs: \\$bootargs" && booti $kernel_addr_r - $fdt_addr_r'

### config for all boot process ###

Apalis iMX8 # setenv bootcmd_run 'run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from $devtype failed!" && false'

### auto run config ###

Apalis iMX8 # setenv bootcmd 'run bootcmd_run'

--------------------------------

./ 文件方式定义

--------------------------------

--- a/u-boot-initial-env-sd 2022-08-29 17:22:27.668166883 +0800

+++ b/u-boot-initial-env-sd 2022-08-29 17:52:18.795402902 +0800

@@ -1,4 +1,4 @@

-bootcmd=run distro_bootcmd

+bootcmd=run bootcmd_run

 bootdelay=1

 baudrate=115200

 ipaddr=192.168.10.2

@@ -71,4 +71,16 @@

 video=imxdpufb5:off video=imxdpufb6:off video=imxdpufb7:off

 setup=run loadhdp; hdp load $hdp_addr; run mmcargs

 defargs=pci=nomsi

-

+pre_boot=devnum=0; if mmc dev $devnum; then devtype=mmc; setenv load_cmd "load $devtype $devnum:1"; fi

+cntr_addr=0x98000000

+cntr_file=os_cntr_signed.bin

+cntr_load=$load_cmd $cntr_addr $cntr_file

+auth_os=auth_cntr $cntr_addr

+overlays_file=overlays.txt

+overlays_prefix=overlays/

+load_overlays_file=$load_cmd $loadaddr $overlays_file && env import -t $loadaddr $filesize

+fdt_resize=fdt addr $fdt_addr_r && fdt resize 0x20000

+apply_overlays=for overlay_file in $fdt_overlays; do echo Applying Overlay: $overlay_file && $load_cmd $loadaddr $overlays_prefix$overlay_file && fdt apply $loadaddr; env set overlay_file; done; true

+bootcmd_overlays=run load_overlays_file && run fdt_resize && run apply_overlays

+bootcmd_boot=echo "Bootargs: $bootargs" && booti $kernel_addr_r - $fdt_addr_r

+bootcmd_run=run pre_boot && run cntr_load && run auth_os && run bootcmd_overlays && run finduuid && run setup && run bootcmd_boot; echo "Booting from $devtype failed!" && false

--------------------------------

c). 需要注意的是由于Kernel阶段的Secure Boot相关认证和加载都是基于U-Boot命令行来实现的， 因此如果要让这个启动机制更加安全可靠，则要让U-Boot保持在上述安全启动路径，而不能通过其他启动介质或者脚本来启动而绕开Secure Boot，比如Toradex U-Boot默认是使能Distro Boot功能的，可以自动扫描外设介质的启动脚本，那么这个功能就需要关闭掉，类似这样的U-Boot定制化需要自行根据实际使用场景来配置。

7). 部署测试

a). 参考这里将上述制作的支持Secure Boot的Image通过Toradex Easy Installer更新到Apalis iMX8模块

./启动后首先进入U-Boot命令行下，测试AHAB状态

--------------------------------

Apalis iMX8 # ahab_status

Lifecycle: 0x0020, NXP closed

sc_seco_get_event: idx: 0, res:3

No SECO Events Found!

--------------------------------

./ 然后重新启动，查看启动log，Secure Boot成功完整加载U-Boot、Linux Kernel和Rootfs

--------------------------------

U-Boot 2020.04-06964-g33bb8e9683 (Aug 15 2022 - 15:32:22 +0800)

CPU:   NXP i.MX8QM RevB A53 at 1200 MHz

DRAM:  4 GiB

MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2

Loading Environment from MMC... OK

In:    serial

Out:   serial

Err:   serial

Model: Toradex Apalis iMX8 QuadMax 4GB Wi-Fi / BT IT V1.1B, Serial# 06738378

 BuildInfo:

  - SCFW 216a2c2e, SECO-FW c9de51c0, IMX-MKIMAGE fe124bce, ATF 2fa8c63

  - U-Boot 2020.04-06964-g33bb8e9683

switch to partitions #0, OK

mmc0(part 0) is current device

flash target is MMC:0

Net:   eth0: ethernet@5b040000

Fastboot: Normal

Normal Boot

Hit any key to stop autoboot:  0

switch to partitions #0, OK

mmc0(part 0) is current device

25877504 bytes read in 787 ms (31.4 MiB/s)

Authenticate OS container at 0x98000000

43 bytes read in 12 ms (2.9 KiB/s)

Applying Overlay: apalis-imx8_hdmi_overlay.dtbo

2177 bytes read in 31 ms (68.4 KiB/s)

106496 bytes read in 16 ms (6.3 MiB/s)

Loading hdp firmware from 0x000000009c000000 offset 0x0000000000002000

Loading hdp firmware Complete

Bootargs: console=ttyLP1 earlycon,115200 root=PARTUUID=e8daf485-02 rootwait mmcdev=0

## Flattened Device Tree blob at 83000000

   Booting using the fdt blob at 0x83000000

   Loading Device Tree to 00000000fd5fc000, end 00000000fd648fff ... OK

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]

[    0.000000] Linux version 5.4.193-5.7.0+git.f78299297185 (oe-user@oe-host) (gcc version 9.2

...

[  OK  ] Started Start a wayland application.

[  OK  ] Reached target Multi-User System.

[  OK  ] Reached target Graphical Interface.

         Starting Update UTMP about System Runlevel Changes...

[  OK  ] Started Update UTMP about System Runlevel Changes.

TDX Wayland with XWayland 5.7.0+build.20 (dunfell) apalis-imx8-06738378 ttyLP1

Apalis-iMX8_Reference-Multimedia-Image

apalis-imx8-06738378 login:

--------------------------------

b). Close设备

经过上述测试已经确认从U-Boot到Linux Kernel Secure Boot正常，即可以在U-Boot命令行下面执行下面命令Close设备，请注意此操作之后，没有签名的Image就无法再在此模块加载运行了，因此请谨慎操作。

--------------------------------

Apalis iMX8 # ahab_close

--------------------------------

10). 总结

本文基于NXP iMX8处理器演示了基于AHAB的Secure Boot功能，设计U-Boot和Linux Kernel、Device Tree等，至于Rootfs的加密，则需要配置类似Squashfs只读文件系统配合initramfs最小启动镜像进行加解密挂载启动，可以结合参考如下两篇文章，本文不做具体测试。

./ 嵌入式 ARM 平台使用dm-crypt加密磁盘分区

./ 使用Squashfs和Overlayfs提高嵌入式Linux文件系统可靠性

参考文档

introduction_ahab.txt « ahab « imx « doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

mx8_mx8x_secure_boot.txt « guides « ahab « imx « doc - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

NXP Application Note AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB