By now, most engineers have heard of Secure Boot and the benefits of using it. However, after briefly reviewing the documentation, Secure Boot appears too complicated and time consuming and is set aside as a nice-to-have in the future. Does this sound familiar?

With Variscite’s integration of Secure Boot and Yocto, it has never been easier to enable Secure Boot on your Variscite i.MX8 based product. While manually building and signing your images outside of the Yocto build system requires many steps and creates opportunities for human error, using Yocto to automate signing your images saves time, is easily reproducible, can be distributed to many developers, and requires only a small configuration in local.conf.

What is Secure Boot and why should you use it?

Secure Boot is the process of authenticating the boot images and operating system in your product. It enables you to trust that the software running in your product is authentic and has not been modified or replaced by a third party. Among other things, this prevents your product from being repurposed or infected with malicious boot or operating system software.

How does it work?

The i.MX8 (i.MX8Q and i.MX8X) and i.MX8M (i.MX8M, i.MX8M Mini, i.MX8M Nano and i.MX8M Plus) SoC families have an optional hardware feature to enable Secure Boot. The i.MX8M family features High Assurance Boot (HAB), and the i.MX8 family features Advanced High Assurance Boot (AHAB). While the architecture for each family is slightly different, they both achieve the same end result.

The HAB/AHAB authentication is based on public key cryptography. Authentication is achieved using a Super Root Key (SRK), which is an RSA key pair. The boot images are signed offline using the private key. The resulting signed images are then verified on the i.MX processor using the corresponding public key. The public key is included in the final binary and a hash of the public key is programmed in the SoC, in One-Time Programmable e-fuses, for establishing the root of trust.

The first boot image is authenticated by the i.MX ROM bootloader. Each image then calls the HAB/AHAB API to authenticate the next image, to establish a chain of trust.

How do I get started?

Varsicite’s Yocto layer, meta-variscite-hab, makes it easy to get started using Secure Boot on your product. The general process is:

Follow Variscite’s wiki guide “Build Yocto from Source Code” to setup your Yocto Build environment

  1. Download NXP’s Code Signing Tool (CST)
  2. Use CST to generate a Public Key Infrastructure (PKI) tree. This only needs to be done once.
  3. Configure meta-variscite-hab in conf/local.conf with customer specific information
  4. Use bitbake to build a signed SD card image
  5. U-Boot: Program i.MX SoC e-fuses with SRK public key hash
  6. U-Boot: Verify signed image by running hab_status or ahab_status
  7. U-Boot: Close the device by writing to a dedicated SoC e-fuse

For a full step by step walkthrough, please visit Variscite’s software wiki for your Variscite SoM: