From ee0c538951018759eff4038db75e61b1cd040307 Mon Sep 17 00:00:00 2001 From: Otavio Salvador Date: Tue, 17 Feb 2015 10:42:44 -0200 Subject: mmc: fsl_esdhc: Add support to force VSELECT set Some boards cannot do voltage negotiation but need to set the VSELECT bit forcibly to ensure it works at 1.8V. This commit adds CONFIG_SYS_FSL_ESDHC_FORCE_VSELECT flag for this use. Signed-off-by: Otavio Salvador --- doc/README.fsl-esdhc | 1 + 1 file changed, 1 insertion(+) (limited to 'doc') diff --git a/doc/README.fsl-esdhc b/doc/README.fsl-esdhc index b70f271d1a..619c6b2d07 100644 --- a/doc/README.fsl-esdhc +++ b/doc/README.fsl-esdhc @@ -1,5 +1,6 @@ CONFIG_SYS_FSL_ESDHC_LE means ESDHC IP is in little-endian mode. CONFIG_SYS_FSL_ESDHC_BE means ESDHC IP is in big-endian mode. +CONFIG_SYS_FSL_ESDHC_FORCE_VSELECT forces to run at 1.8V. Accessing ESDHC registers can be determined by ESDHC IP's endian mode or processor's endian mode. -- cgit v1.2.1 From 0200020bc2b8192c31dc57c600865267f51bface Mon Sep 17 00:00:00 2001 
From: Raul Cardenas Date: Fri, 27 Feb 2015 11:22:06 -0600 Subject: imx6: Added DEK blob generator command Freescale's SEC block has built-in Data Encryption Key (DEK) Blob Protocol which provides a method for protecting a DEK for non-secure memory storage. SEC block protects data in a data structure called a Secret Key Blob, which provides both confidentiality and integrity protection. Every time the blob encapsulation is executed, an AES-256 key is randomly generated to encrypt the DEK. This key is encrypted with the OTP Secret key from SoC. The resulting blob consists of the encrypted AES-256 key, the encrypted DEK, and a 16-bit MAC. During decapsulation, the reverse process is performed to get back the original DEK. A caveat to the blob decapsulation process is that the DEK is decrypted in secure-memory and can only be read by FSL SEC HW. The DEK is used to decrypt data during encrypted boot. Commands added -------------- dek_blob - encapsulating DEK as a cryptographic blob Commands Syntax --------------- dek_blob src dst len Encapsulate and create blob of a len-bits DEK at address src and store the result at address dst. Signed-off-by: Raul Cardenas Signed-off-by: Nitin Garg Signed-off-by: Ulises Cardenas Signed-off-by: Ulises Cardenas-B45798 --- doc/README.mxc_hab | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) (limited to 'doc') diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab index 43e64a2797..e9340dd14c 100644 --- a/doc/README.mxc_hab +++ b/doc/README.mxc_hab 
@@ -46,3 +46,51 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file. + +Setup U-Boot Image for Encrypted Boot +------------------------------------- +An authenticated U-Boot image is used as starting point for +Encrypted Boot. The image is encrypted by Freescale's Code +Signing Tool (CST). The CST replaces only the image data of +u-boot.imx with the encrypted data. The Initial Vector Table, +DCD, and Boot data, remains in plaintext. + +The image data is encrypted with a Encryption Key (DEK). +Therefore, this key is needed to decrypt the data during the +booting process. The DEK is protected by wrapping it in a Blob, +which needs to be appended to the U-Boot image and specified in +the CSF file. + +The DEK blob is generated by an authenticated U-Boot image with +the dek_blob cmd enabled. The image used for DEK blob generation +needs to have the following configurations enabled: + +CONFIG_SECURE_BOOT +CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */ +CONFIG_FSL_CAAM +CONFIG_CMD_DEKBLOB + +Note: The encrypted boot feature is only supported by HABv4 or +greater. + +The dek_blob command then can be used to generate the DEK blob of +a DEK previously loaded in memory. The command is used as follows: + +dek_blob +example: dek_blob 0x10800000 0x10801000 192 + +The resulting DEK blob then is used to construct the encrypted +U-Boot image. Note that the blob needs to be transferred back +to the host.Then the following commands are used to construct +the final image. 
+ +objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ + U-Boot_CSF.bin U-Boot_CSF_pad.bin +cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx +objcopy -I binary -O binary --pad-to --gap-fill=0x00 \ + u-boot-signed.imx u-boot-signed-pad.bin +cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx + + NOTE: u-boot-signed.bin needs to be padded to the value + equivalent to the address in which the DEK blob is specified + in the CSF. -- cgit v1.2.1
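
Review bot: In the doc/README.fsl-esdhc hunk, the added line "+CONFIG_SYS_FSL_ESDHC_FORCE_VSELECT forces to run at 1.8V." has no subject and does not say when the option applies. The commit message already gives the missing context (boards that cannot do voltage negotiation and need the VSELECT bit set), so suggest wording such as "CONFIG_SYS_FSL_ESDHC_FORCE_VSELECT forces the VSELECT bit to be set so the ESDHC runs at 1.8V, for boards that cannot do voltage negotiation." The diffstat shown is limited to 'doc', so the code that honours the flag is not visible here and should be reviewed together with this line.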
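
Review bot: In the doc/README.mxc_hab hunk, the final image-construction commands cannot be run as written: the second objcopy has "--pad-to --gap-fill=0x00" with no pad value, it writes u-boot-signed-pad.bin while the following cat reads u-boot-signed-pad.imx, and the NOTE refers to u-boot-signed.bin although the file produced above is u-boot-signed.imx. Suggest giving the pad value as an explicit placeholder for the DEK blob offset stated in the CSF and using one filename throughout. The usage line "+dek_blob" also shows no arguments; the commit message has "dek_blob src dst len" with len in bits, and the README should repeat that. Since the command works on "a DEK previously loaded in memory", the text should also say that the plaintext key at the source address needs to be cleared once the blob has been transferred back to the host. Smaller wording points: "a Encryption Key (DEK)" and the missing space in "host.Then".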