This section is very platform dependent, and we strongly suggest reading the security chapter of the LSDK document before running any real instructions on the device.
In order to build a secure solution, you need to boot the board securely. Steps to do so can be found in the LSDK document’s “security chapter”.
Prepare Secure Bootstrap Image
Generate a key pair using the CST tool.
The CST tool can be built from source, and key pair generation is one of its functions. Generally, the key pair should be generated once and kept safe. The private key is used to sign images, and the public key is fused into the device to verify the image signature.

    # build cst tool from source
    $ flex-builder -c cst
    $ cd <flex-builder dir>/packages/apps/cst
    # generate RSA key pair: srk.pub and srk.pri, 1024bit
    $ ./gen_keys 1024

Download the pre-built secure bootstrap images according to the following table. For demonstration purposes only, all pre-built secure bootstrap images are built using the same key pair.

| Version | Platform | Images |
|---------|----------|--------|
| v1909 | LS1012ARDB | secure_ls1012ardb-qspi.img |
| v1909 | LS1012ARDB | bl2_qspi_ls1012ardb.pbl |
| v1909 | LS1012AFRWY | secure_ls1012afrwy-qspi.img |
| v1909 | LS1012AFRWY | bl2_qspi_ls1012afrwy.pbl |
| v1909 | LS1043ARDB | secure_ls1043ardb-nor.img |
| v1909 | LS1043ARDB | bl2_nor_ls1043ardb.pbl |
| v1909 | LS1046ARDB | secure_ls1046ardb-qspi.img |
| v1909 | LS1046ARDB | bl2_qspi_ls1046ardb.pbl |
| v1909 | LS1046AFRWY | secure_ls1046afrwy-qspi.img |
| v1909 | LS1046AFRWY | bl2_qspi_ls1046afrwy.pbl |
| v1909 | LS1088ARDB_PB | secure_ls1088ardb-pb-qspi.img |
| v1909 | LS1088ARDB_PB | bl2_qspi_ls1088ardb-pb.pbl |
| v1909 | LS2088ARDB | secure_ls2088ardb-nor.img |
| v1909 | LS2088ARDB | bl2_nor_ls2088ardb.pbl |
| v1909 | LS1028ARDB | secure_lS1028ardb-xspi.img |
| v1909 | LS1028ARDB | bl2_xspi_ls1028ardb.pbl |
| v1909 | LX2160ARDB | secure_lx2160ardb-xspi.img |
| v1909 | LX2160ARDB | bl2_xspi_lx2160ardb.pbl |
| v1909 | demo key pair | srk.tgz |

Build the secure bootstrap image
To build the secure bootstrap image with the specified key pair, please refer to Bootstrap.
Prepare Secure Solution Image
- Specify the key pairs for secure boot in configs/build_lsdk.cfg
- Build the EdgeScale agents as introduced in the LSDK user guide. See more at 3. Deploy EdgeScale agents on the device.
Create Device and Bootup in Secure Mode
- Create device via EdgeScale dashboard or escli command line tools.
- Program secure bootstrap image into the device. See more at Bootstrap.
Enforce the Secure Boot
In production systems, secure boot is enforced by blowing the ITS fuse.
In a development environment, if you are booting the board securely using the SB_EN bit, you need to ensure that the ITS bit is set. This can be done via CodeWarrior (ccs). To do this, put the core in boot hold-off by setting the corresponding bit in the RCW.
- Set the ITS bit through CCS when the system is in boot hold off state.

    # Boot up the system
    # Connect CodeWarrior/ccs
    # Set the ITS bit if ITS not fused
    $ ccs::write_mem <dap chain position> 0x1e80200 4 0 0x00000004
    # Get the Core Out of Boot Hold-Off
    $ ccs::write_mem <dap chain position> 0x1ee00e4 4 0 0x1

Read Pub Key From Device
This public key is derived from the srk.pub generated by the CST tool and is used for device authentication. mp_app is part of the secure object library and is integrated with the LSDK rootfs.
- Get MP public key:
- Boot up the system in secure mode.
- Get the public key from the device with the mp_app tool:

    mp_app -p
    Public key x part = 671fe89daca42004d648b2ad7ddeb2a0ca7e47556e73f376aab45061fca74603
    Public key y part = 9519e09aab4da3a972511d3ca7e842e8bb1d02e744cc85ff4e65c0ca6fbb7376
    Public key in form of x followed by y is saved in pub_key file

Upload Device db to Cloud
To securely enroll the device to the cloud, some data from the device needs to be uploaded to the cloud. This data includes:
1. Manufacturing Protection Public Key - Public part of the ECC key pair generated after the secure boot process. Steps are given in the section “Read pub key from device”.
2. Factory UID or FUID
3. OEM UID (To obtain 2 and 3, please refer to the SoC SFP block memory map from the Reference Manual)

    # csv file schema: FUID, OEMID, SK_PUB_X, SK_PUB_Y, MODEL_ID
    $ escli device upload-db -f <db.csv>

- Create device on dashboard with SN: <FUID>:<OEMID>
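
The following is an added example, not part of the original page or of the EdgeScale tooling: it turns the `mp_app -p` output shown above into one line of the db.csv schema (FUID, OEMID, SK_PUB_X, SK_PUB_Y, MODEL_ID) and rejects malformed key parts or values that would shift CSV columns. It assumes one row per device with no header line; the function names and the FUID, OEMID and MODEL_ID values are hypothetical placeholders.

```python
import csv
import io
import re

# Line format as printed by `mp_app -p` in the example on this page.
PART_RE = re.compile(r"^Public key ([xy]) part = ([0-9a-fA-F]+)[ \t]*$", re.M)

def parse_mp_pubkey(output):
    """Return (x, y) hex strings from `mp_app -p` output, or raise ValueError."""
    parts = {}
    for axis, value in PART_RE.findall(output):
        if axis in parts:
            raise ValueError(f"duplicate {axis} part in mp_app output")
        parts[axis] = value.lower()
    if set(parts) != {"x", "y"}:
        raise ValueError("mp_app output must contain one x and one y part")
    if len(parts["x"]) != len(parts["y"]) or len(parts["x"]) % 2:
        raise ValueError("x and y must be equal-length, whole-byte hex strings")
    return parts["x"], parts["y"]

def db_row(fuid, oemid, mp_output, model_id):
    """Build one CSV line in the order FUID, OEMID, SK_PUB_X, SK_PUB_Y, MODEL_ID."""
    x, y = parse_mp_pubkey(mp_output)
    fields = [fuid, oemid, x, y, model_id]
    for field in fields:
        # Refuse empty values and anything that could shift CSV columns.
        if not field or re.search(r'[,"\s]', field):
            raise ValueError(f"invalid field value: {field!r}")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(fields)
    return buf.getvalue()

# Output copied from the mp_app example on this page.
SAMPLE_MP_OUTPUT = """\
Public key x part = 671fe89daca42004d648b2ad7ddeb2a0ca7e47556e73f376aab45061fca74603
Public key y part = 9519e09aab4da3a972511d3ca7e842e8bb1d02e744cc85ff4e65c0ca6fbb7376
Public key in form of x followed by y is saved in pub_key file
"""

if __name__ == "__main__":
    # FUID, OEMID and MODEL_ID below are constructed placeholders (assumption).
    print(db_row("FUID_PLACEHOLDER", "OEMID_PLACEHOLDER", SAMPLE_MP_OUTPUT,
                 "MODEL_ID_PLACEHOLDER"), end="")
```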