aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorBreno Lima <breno.lima@nxp.com>2021-03-25 17:30:13 +0800
committerStefano Babic <sbabic@denx.de>2021-04-08 09:18:29 +0200
commit58f75efeaf30c786c26fade79d127c988b813751 (patch)
tree879fcf202ba79b90202aacd7a497fade2bcead05 /doc
parentf217470b392806be340e9c03d46e98bb29d7caec (diff)
downloadu-boot-58f75efeaf30c786c26fade79d127c988b813751.zip
u-boot-58f75efeaf30c786c26fade79d127c988b813751.tar.gz
u-boot-58f75efeaf30c786c26fade79d127c988b813751.tar.bz2
mx7ulp: hab: Add hab_status command for HABv4 M4 boot
When booting in low power or dual boot modes the M4 binary is authenticated by the M4 ROM code. Add an option in hab_status command so users can retrieve M4 HAB failure and warning events. => hab_status m4 Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! Add command documentation in mx6_mx7_secure_boot.txt guide. As HAB M4 API cannot be called from A7 core the code is parsing the M4 HAB persistent memory region. The HAB persistent memory stores HAB events, public keys and others HAB related information. The HAB persistent memory region addresses and sizes can be found in AN12263 "HABv4 RVT Guidelines and Recommendations". Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
Diffstat (limited to 'doc')
-rw-r--r--doc/imx/habv4/guides/mx6_mx7_secure_boot.txt25
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt b/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt
index 20fff93..53f71fb 100644
--- a/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt
+++ b/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt
@@ -213,6 +213,30 @@ the example below:
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
+1.6.1 Verifying HAB events in i.MX7ULP
+---------------------------------------
+
+When booting i.MX7ULP in low power or dual boot modes the M4 binary is
+authenticated by an independent HAB in M4 ROM code using a
+different SRK key set.
+
+The U-Boot provides a M4 option in hab_status command so users can retrieve
+M4 HAB failure and warning events.
+
+- Verify HAB M4 events:
+
+ => hab_status m4
+
+ Secure boot disabled
+
+ HAB Configuration: 0xf0, HAB State: 0x66
+ No HAB Events Found!
+
+As HAB M4 API cannot be called from A7 core the command is parsing the M4 HAB
+persistent memory region, M4 software should not modify this reserved region.
+
+Details about HAB persistent memory region can be found in AN12263[2].
+
1.7 Closing the device
-----------------------
@@ -400,3 +424,4 @@ If no HAB events were found the zImage is successfully signed.
References:
[1] AN4581: "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using
HABv4" - Rev 2.
+[2] AN12263: "HABv4 RVT Guidelines and Recommendations" - Rev 0.