u-boot.git/doc/README.mxc_hab, branch master Unnamed repository; edit this file 'description' to name the repository. doc: imx: reorganize i.MX documentation 2018-10-22T12:22:42+00:00 Breno Matheus Lima breno.lima@nxp.com 2018-10-10T01:10:27+00:00 df11b0c4d4e3ca3821cf4cc6b13fb9fee1d5f891 Currently the U-Boot doc/ directory contains the following files that are only relevant for i.MX devices: - doc/README.imx25 - doc/README.imx27 - doc/README.imx5 - doc/README.imx6 - doc/README.imximage - doc/README.mxc_hab - doc/README.mxs - doc/README.mxsimage - doc/README.sdp Move all content to a common i.MX folder for a better documentation structure. Signed-off-by: Breno Lima <breno.lima@nxp.com> 
Currently the U-Boot doc/ directory contains the following files
that are only relevant for i.MX devices:

- doc/README.imx25
- doc/README.imx27
- doc/README.imx5
- doc/README.imx6
- doc/README.imximage
- doc/README.mxc_hab
- doc/README.mxs
- doc/README.mxsimage
- doc/README.sdp

Move all content to a common i.MX folder for a better documentation
structure.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
tools/imximage: use 0x prefix in HAB Blocks line 2018-04-15T09:35:21+00:00 Rasmus Villemoes rasmus.villemoes@prevas.dk 2018-03-23T11:08:03+00:00 8519c9c98ad60e9eb6f655bfa8214f53407d86fb The u-boot-ivt.img.log file contains 0x prefixes in the HAB Blocks line, while the SPL.log does not. For consistency, and to make it easier to extract and put into a .csf file for use with NXP's code signing tool, add 0x prefixes here. Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com> Tested-by: Breno Lima <breno.lima@nxp.com> 
The u-boot-ivt.img.log file contains 0x prefixes in the HAB Blocks line,
while the SPL.log does not. For consistency, and to make it easier to
extract and put into a .csf file for use with NXP's code signing tool,
add 0x prefixes here.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
doc: mxc_hab: Update i.MX HAB documentation 2018-03-11T15:00:21+00:00 Breno Lima breno.lima@nxp.com 2018-02-22T00:42:56+00:00 6d7403bf72b5ea46497fe8222d0303cb79563379 The README.mxc_hab is outdated and need improvements, add the following modifications: - Reorganize document and remove duplicate content - Add CST download link - Update CST package name - Align command lines with CST v2.3.3 - Update U-Boot binary name - Remove CSF padding since is not documented in AN4581 Signed-off-by: Breno Lima <breno.lima@nxp.com> 
The README.mxc_hab is outdated and need improvements, add the following
modifications:

- Reorganize document and remove duplicate content
- Add CST download link
- Update CST package name
- Align command lines with CST v2.3.3
- Update U-Boot binary name
- Remove CSF padding since is not documented in AN4581

Signed-off-by: Breno Lima <breno.lima@nxp.com>
doc: mxc_hab: Move HAB related info to the appropriate doc 2018-03-11T15:00:16+00:00 Breno Lima breno.lima@nxp.com 2018-02-22T00:42:55+00:00 b887f0a68e38d18ec93ff9a0b3d2e57597bf8e83 Currently the High Assurance Boot procedure is documented in two places: - doc/README.imx6 - doc/README.mxc_hab It is better to consolidate all HAB related information into README.mxc_hab file, so move the content from README.imx6 to README.mxc_hab. Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com> 
Currently the High Assurance Boot procedure is documented in two
places:

- doc/README.imx6
- doc/README.mxc_hab

It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.

Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
doc: mxc_hab: Improve the config option list 2018-02-04T11:14:10+00:00 Fabio Estevam fabio.estevam@nxp.com 2018-01-21T17:57:32+00:00 79d08029534c6e43905d410c5804cc2fb9984399 The original text is from the time that the config options were not converted to Kconfig. After the conversion to Kconfig only CONFIG_SECURE_BOOT and CONFIG_CMD_DEKBLOB need to be selected by the user. The other config options are automatically selected by the Kconfig logic. Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com> Reviewed-by: Breno Lima <breno.lima@nxp.com> 
The original text is from the time that the config options were not
converted to Kconfig.

After the conversion to Kconfig only CONFIG_SECURE_BOOT and
CONFIG_CMD_DEKBLOB need to be selected by the user.

The other config options are automatically selected by the Kconfig
logic.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Breno Lima <breno.lima@nxp.com>
README: mxc_hab: Adapt the CONFIG_SECURE_BOOT text to Kconfig 2017-01-27T09:34:14+00:00 Fabio Estevam fabio.estevam@nxp.com 2017-01-05T23:33:08+00:00 7a037cc91fac1379cd2c2ea3274275c753566e18 Commit 6e1f4d2652e79 ("arm: imx-common: add SECURE_BOOT option to Kconfig") moved the CONFIG_SECURE_BOOT option to Kconfig, so update the mxc_hab README file to reflect that. Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com> Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com> 
Commit 6e1f4d2652e79 ("arm: imx-common: add SECURE_BOOT option to
Kconfig") moved the CONFIG_SECURE_BOOT option to Kconfig, so update
the mxc_hab README file to reflect that.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
Fix mxc_hab documenation 2015-05-15T17:20:46+00:00 Ulises Cardenas Ulises.Cardenas@freescale.com 2015-04-20T18:47:58+00:00 8148b824492e7696a9e72bb5b715720db8fd889e It is necessary to modify the configuration file for the target board. It wasn't well documented that to enable any of the secure boot modes, it is required to add CONFIG_SECURE_BOOT to the board configuration file. Also, fixed a typo in the encrypted boot section. Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com> 
It is necessary to modify the configuration file for the target
board. It wasn't well documented that to enable any of the secure
boot modes, it is required to add CONFIG_SECURE_BOOT to the board
configuration file.

Also, fixed a typo in the encrypted boot section.

Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
Fix mxc_hab documenation for DEK blob generation 2015-04-08T08:54:10+00:00 Ulises Cardenas Ulises.Cardenas@freescale.com 2015-03-27T14:08:57+00:00 f97d112eb6c18e6947e054ee6b39afea724a7e9a Include/fsl_sec.h defines sec_in and sec_out, according to the platform's endianess. Therefore, CONFIG_SYS_FSL_LE needs to be declared in the configuration file of the target, in order to use enable the DEK blob generation command. This requirement is not explicit in the README.mxc_hab. Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com> 
Include/fsl_sec.h defines sec_in and sec_out, according to the
platform's endianess. Therefore, CONFIG_SYS_FSL_LE needs to be
declared in the configuration file of the target, in order to use
enable the DEK blob generation command. This requirement is not
explicit in the README.mxc_hab.

Signed-off-by: Ulises Cardenas <Ulises.Cardenas@freescale.com>
imx6: Added DEK blob generator command 2015-03-02T08:57:06+00:00 Raul Cardenas Ulises.Cardenas@freescale.com 2015-02-27T17:22:06+00:00 0200020bc2b8192c31dc57c600865267f51bface Freescale's SEC block has built-in Data Encryption Key(DEK) Blob Protocol which provides a method for protecting a DEK for non-secure memory storage. SEC block protects data in a data structure called a Secret Key Blob, which provides both confidentiality and integrity protection. Every time the blob encapsulation is executed, a AES-256 key is randomly generated to encrypt the DEK. This key is encrypted with the OTP Secret key from SoC. The resulting blob consists of the encrypted AES-256 key, the encrypted DEK, and a 16-bit MAC. During decapsulation, the reverse process is performed to get back the original DEK. A caveat to the blob decapsulation process, is that the DEK is decrypted in secure-memory and can only be read by FSL SEC HW. The DEK is used to decrypt data during encrypted boot. Commands added -------------- dek_blob - encapsulating DEK as a cryptgraphic blob Commands Syntax --------------- dek_blob src dst len Encapsulate and create blob of a len-bits DEK at address src and store the result at address dst. Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com> Signed-off-by: Nitin Garg <nitin.garg@freescale.com> Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com> Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com> 
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>

Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
Coding Style cleanup: replace leading SPACEs by TABs 2013-10-14T20:06:54+00:00 Wolfgang Denk wd@denx.de 2013-10-04T15:43:24+00:00 93e1459641e758d2b096d3f1b39414a39bb314f8 Signed-off-by: Wolfgang Denk <wd@denx.de> [trini: Drop changes for PEP 4 following python tools] Signed-off-by: Tom Rini <trini@ti.com> 
Signed-off-by: Wolfgang Denk <wd@denx.de>
[trini: Drop changes for PEP 4 following python tools]
Signed-off-by: Tom Rini <trini@ti.com>