[S32G] OTA with Secure Boot

This document describes how to burn S32G firmware images onto an SD card when secure boot is in use. Once secure boot is enabled on an S32G SoC, a wrong security configuration makes the SoC fail to boot, so pay close attention to the security-relevant inputs, such as the correct kernel public key and the signed kernel image.

1. Obtaining Firmware

The security team provides a script for obtaining the S32G firmware in the Docker build environment. Run get_firmware.sh to do this; all firmware needed for the OTA is then written to the ota_fw directory. The S32G SoC images are listed below:

  • fip.bin: ATF and U-boot firmware

  • fip.s32: IVT and ATF firmware

  • rsa2048_public.der : image public key

  • sec-boot.itb : Signed Linux Kernel (dtb + ramdisk + kernel)

  • u-boot-flashenv-sd.bin: U-Boot environment

2. Burning images into SD card

The SD card is divided into three sections: a boot section with no filesystem, a FAT32 kernel section, and an EXT4 RootFS section.

fip.bin, fip.s32, and the U-Boot environment binary are written to the raw boot section (no filesystem), while the public key and the signed Linux kernel are copied to the FAT32 kernel section.

The commands below assume that the SD card appears as /dev/sdx and that the FAT32 kernel partition is mounted on /mnt. Every argument to the dd commands matters; do not omit or change any of them.

# Burning fip.s32
sudo dd if=fip.s32 of=/dev/sdx seek=512 skip=512 iflag=skip_bytes oflag=seek_bytes conv=notrunc,fsync && sleep 1 && sync

# Burning fip.bin
sudo dd if=fip.bin of=/dev/sdx seek=386112 oflag=seek_bytes conv=notrunc,fsync && sleep 1 && sync

# uboot env
sudo dd if=u-boot-flashenv-sd.bin of=/dev/sdx bs=1 seek=1966080 oflag=seek_bytes conv=notrunc,fsync && sleep 1 && sync

# kernel and public key
sudo cp --verbose -rf sec-boot.itb /mnt
sudo cp --verbose -rf rsa2048_public.der /mnt

Note: hse_secboot_enable will overlap the IVT at address 0.
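
The three boot-section writes above can be rehearsed on a scratch image file and read back before touching the real card. The script below is an added example, not part of the original procedure or of the vendor tooling; it assumes GNU coreutils, and the function names and the 4 MiB scratch image are hypothetical.

```shell
#!/bin/sh
# Added example: rehearse the boot-section writes on an image file, then read them back.
# Offsets are the ones used in the dd commands above; everything else is constructed.
FIP_S32_OFF=512; FIP_BIN_OFF=386112; ENV_OFF=1966080

# burn_boot_section TARGET DIR: the three dd writes from above, without sudo/sleep.
burn_boot_section() {
    dd if="$2/fip.s32" of="$1" seek=$FIP_S32_OFF skip=$FIP_S32_OFF \
       iflag=skip_bytes oflag=seek_bytes conv=notrunc,fsync status=none &&
    dd if="$2/fip.bin" of="$1" seek=$FIP_BIN_OFF \
       oflag=seek_bytes conv=notrunc,fsync status=none &&
    dd if="$2/u-boot-flashenv-sd.bin" of="$1" bs=1 seek=$ENV_OFF \
       oflag=seek_bytes conv=notrunc,fsync status=none
}

# region FILE OFFSET LEN: print LEN bytes of FILE starting at byte OFFSET.
region() { tail -c +"$(( $2 + 1 ))" "$1" | head -c "$3"; }

# same FILE_A OFF_A FILE_B OFF_B LEN: true if the two byte ranges are identical.
same() {
    [ "$(region "$1" "$2" "$5" | sha256sum)" = "$(region "$3" "$4" "$5" | sha256sum)" ]
}

# verify_boot_section TARGET DIR: 0 if all writes read back, else 1/2/3 per file.
verify_boot_section() {
    s32_len=$(( $(wc -c < "$2/fip.s32") - FIP_S32_OFF ))
    # fip.bin is written after fip.s32; if it lands inside fip.s32's range the
    # later write wins, so fip.s32 is only compared up to FIP_BIN_OFF.
    max=$(( FIP_BIN_OFF - FIP_S32_OFF ))
    if [ "$s32_len" -gt "$max" ]; then s32_len=$max; fi
    same "$1" $FIP_S32_OFF "$2/fip.s32" $FIP_S32_OFF "$s32_len" || return 1
    same "$1" $FIP_BIN_OFF "$2/fip.bin" 0 "$(wc -c < "$2/fip.bin")" || return 2
    same "$1" $ENV_OFF "$2/u-boot-flashenv-sd.bin" 0 \
         "$(wc -c < "$2/u-boot-flashenv-sd.bin")" || return 3
}

# rehearse DIR IMG: burn into a blank scratch image and confirm that the first
# 512 bytes (skipped by skip=512/seek=512) and the image size (conv=notrunc) survive.
rehearse() {
    head -c 4194304 /dev/zero > "$2"                 # constructed 4 MiB "card"
    printf 'CONSTRUCTED-MBR' | dd of="$2" conv=notrunc status=none
    before=$(head -c 512 "$2" | sha256sum)
    burn_boot_section "$2" "$1" && verify_boot_section "$2" "$1" || return 1
    [ "$(head -c 512 "$2" | sha256sum)" = "$before" ] || return 4
    [ "$(wc -c < "$2")" -eq 4194304 ]
}

# Usage: . ./rehearse.sh && rehearse ota_fw /tmp/card.img
```

Dropping conv=notrunc from any of the writes truncates the scratch image, and dropping skip=512 or seek=512 changes the first 512 bytes; the rehearsal fails in both cases.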

3. Notes

Secure boot is a verification chain of ATF -> U-Boot -> Kernel, so a change to any one of them makes Linux fail to boot. Re-burn all images whenever you use the OTA.

Before the first boot, the SoC executes the U-Boot command hse_secboot_enable rsa2048_public.der, which provisions the public key and the secure images to the HSE firmware of the S32G SoC. The process is shown in the following figure:

After the command finishes, simply reset the board to boot in secure mode. To verify that the board has booted in secure mode, check the BOOT_SEQ bit in the IVT, at offset 0x28:
