| author | Holger Dengler <dengler@linutronix.de> | 2017-11-19 18:21:29 +0100 |
|---|---|---|
| committer | John Ogness <john.ogness@linutronix.de> | 2017-12-19 09:39:23 +0100 |
| commit | 534d76fa634adc6c7c0b076b67025fd082a8a90c (patch) | |
| tree | a88dbda188d2d185c730ff6640b955dd7629ae9f /security/secureboot/frm_secboot_hab.tex | |
| parent | 029792b699380512e39920271af7ee8482a6c2bd (diff) | |
secureboot
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/secureboot/frm_secboot_hab.tex')
| -rw-r--r-- | security/secureboot/frm_secboot_hab.tex | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/security/secureboot/frm_secboot_hab.tex b/security/secureboot/frm_secboot_hab.tex
new file mode 100644
index 0000000..1d1c925
--- /dev/null
+++ b/security/secureboot/frm_secboot_hab.tex
@@ -0,0 +1,111 @@
+% ----------------------------
+\subsection{NXP High Assurance Boot (i.mx-Family)}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{i.mx Boot}
+\begin{itemize}
+\item High Assurance Boot (HAB)
+\item v4.x in i.mx6/7/8
+\item Boot-Image Verification
+\item Key-Hash in One-Time-Programmable (OTP) Memory/Fuses
+\item PKI:
+ \begin{itemize}
+ \item up to 4 Storage Root Keys (SRK)
+ \item separate Sequence and Image Key Trees
+ \item Field Key-Revoke possible (only SRK 0-2)
+ \item ECC (only for SRK-CA)
+ \end{itemize}
+\item Cryptographic Methods:
+ \begin{itemize}
+ \item sha256
+ \item RSA-4096
+ \item ECC (SRK CA only)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{HAB Boot Image}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{itemize}
+ \item Image Vector Table
+ \item Device Configuration Data
+ \item Bootloader
+ \item opt.: Command Sequence
+ \end{itemize}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=6cm]{images/imx-hab-image.png}
+ \end{figure}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{HAB Boot Sequence}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.5\textwidth}
+ \begin{enumerate}
+ \begin{scriptsize}
+ \item configure HAB
+ \item verify SRK Table
+ \item process Command Sequence \\
+ (unprotected part)
+ \begin{enumerate}
+ \begin{scriptsize}
+ \item install single SRK PubK
+ \item verify CSFK Certificate \\
+ (w/ installed SRK)
+ \item install CSFK PubK
+ \item verify protected CSF Part \\
+ (w/ installed CSFK)
+ \end{scriptsize}
+ \end{enumerate}
+ \item process Command Sequence \\
+ (protected part)
+ \begin{enumerate}
+ \begin{scriptsize}
+ \item configure Crypt-Infrastructure
+ \item verify IMGK Certificate \\
+ (w/ installed SRK)
+ \item install IMGK PubK
+ \item verify Image \\
+ (w/ installed IMGK)
+ \item execute Image
+ \end{scriptsize}
+ \end{enumerate}
+ \end{scriptsize}
+ \end{enumerate}
+ \end{column}
+ \begin{column}{0.5\textwidth}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=3cm]{images/imx-hab-csf.png}
+ \end{figure}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{HAB: SRK Table Verification}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=7cm]{images/imx-hab-verifysrk.png}
+ \end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{HAB: Key Hierarchy}
+ \begin{figure}[h]
+ \centering
+ \includegraphics[width=8cm]{images/imx-hab-keyhierarchy.png}
+ \end{figure}
+\end{frame} |
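Review bot: The `i.mx Boot` frame presents boot-image verification and the fused key hash without saying that HAB only enforces a failed check once the device is in the closed security configuration; in the open configuration, as far as I know, authentication failures are recorded as HAB events and the image still boots. A reader who stops after fusing the SRK hash would assume the board is already protected. I would add an item after `\item Key-Hash in One-Time-Programmable (OTP) Memory/Fuses`, for example `\item Enforced only in closed configuration (open: failures are only logged)`. Separately, `\item v4.x in i.mx6/7/8` looks too broad, since some i.MX 8 parts appear to use AHAB rather than HABv4; worth confirming against the reference manuals before the slide is used.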
