On Tue, Sep 19, 2023 at 04:15:52PM +0200, Ahmad Fatoum wrote: > We could use some extra documentation on how to use the hab command to > fuse a SoC and what output should be expected. Add this to the > documentation. Procedure was done with HABv4 on i.MX8MM, which is not > yet upstream[1], but should be equivalent for i.MX6. Nice read! thanks, applied Sascha > > [1]: https://lore.barebox.org/barebox/20230705144219.504194-1-r.czerwinski@xxxxxxxxxxxxxx/ > > Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> > --- > Documentation/boards/imx.rst | 47 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 47 insertions(+) > > diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst > index 17465efdd9be..5a4f52b392d5 100644 > --- a/Documentation/boards/imx.rst > +++ b/Documentation/boards/imx.rst > @@ -178,6 +178,53 @@ It must be included in the board's flash header: > > Analogous to HABv4 options and a template exist for HABv3. > > +To verify HAB working as intended, install the ``barebox-*-s.img`` onto the > +boot medium and trigger a power-on reset. barebox will read the HAB log on > +startup and report any errors it finds. A good unfused boot looks like this:: > + > + HABv4: Status: Operation completed successfully (0xf0) > + HABv4: Config: Non-secure IC (0xf0) > + HABv4: State: Non-secure state (0x66) > + HABv4: No HAB Failure Events Found! > + > +To have the bootrom verify the barebox binary, the SRK hash needs to be burnt > +into the fuses. As fuses can't be unburnt, the ``hab`` command should be used > +instead of direct device access to not risk writing unrelated fuses:: > + > + barebox$ hab -p -s SRK_1_2_3_4_fuse.bin > + > +Afterwards, images signed with a different key will trigger errors at barebox > +startup, but system will still be able to boot to shell. > + > +To have the BootROM refuse booting differently signed images, the ``SRK_LOCK`` > +fuse needs to be burnt:: > + > + barebox$ hab -p -l > + > +On next startup, barebox will report that the system is now locked:: > + > + HABv4: Status: Operation completed successfully (0xf0) > + HABv4: Config: Secure IC (0xcc) > + HABv4: State: Trusted state (0x99) > + HABv4: No HAB Failure Events Found! > + > +This can also be seen with the ``hab -i`` command:: > + > + Current SRK hash: <some non-zero value> > + secure mode > + > +Similarly, on supported SoCs, the ``bootrom -l`` command will indicate that > +device is closed. Example output after booting via ``imx-usb-loader``:: > + > + > + [e0] Internal use > + [11] Boot mode is Boot from Serial Download > + [23] Secure config is Closed > + [41] FUSE_SEL_VALUE Fuse is blown > + [d0] Enters serial download processing > + [a0] Image authentication result: PASS (0x000000f0) @3506438144 ticks > + [00] End of list > + > Secure Boot on i.MX6 > ~~~~~~~~~~~~~~~~~~~~ > > -- > 2.39.2 > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
