-----------------------------------
1.1 MAC Address: It is stored in fuse bank 4, with the 32 lsbs in word 2 and the
- 16 msbs in word 3.
+ 16 msbs in word 3[15:0].
+ For i.MX6SX and i.MX6UL, they have two MAC addresses. The second MAC address
+ is stored in fuse bank 4, with the 16 lsb in word 3[31:16] and the 32 msbs in
+ word 4.
Example:
bank = 4
word = 2
-And the U-boot command would be:
+And the U-Boot command would be:
=> fuse read 4 2
Reading bank 4:
bank = 4
word = 3
-And the U-boot command would be:
+And the U-Boot command would be:
=> fuse read 4 3
Reading bank 4:
2. Using imx_usb_loader for first install with SPL
--------------------------------------------------
-imx_usb_loader is a very nice tool by BoundaryDevice that
+imx_usb_loader is a very nice tool by Boundary Devices that
allow to install U-Boot without a JTAG debugger, using
the USB boot mode as described in the manual. It is
a replacement for Freescale's MFGTOOLS.
The last "c" command tells kermit (from ckermit package in most distros)
to switch from command line mode to communication mode, and when the
script is finished, the U-Boot prompt is shown in the same shell.
+
+3. Using Secure Boot on i.MX6 machines with SPL support
+-------------------------------------------------------
+
+This version of U-Boot is able to build a signable version of the SPL
+as well as a signable version of the U-Boot image. The signature can
+be verified through High Assurance Boot (HAB).
+
+CONFIG_SECURE_BOOT is needed to build those two binaries.
+After building, you need to create a command sequence file and use
+Freescales Code Signing Tool to sign both binaries. After creation,
+the mkimage tool outputs the required information about the HAB Blocks
+parameter for the CSF. During the build, the information is preserved
+in log files named as the binaries. (SPL.log and u-boot-ivt.log).
+
+More information about the CSF and HAB can be found in the AN4581.
+https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
+
+We don't want to explain how to create a PKI tree or SRK table as
+this is well explained in the Application Note.
+
+Example Output of the SPL (imximage) creation:
+ Image Type: Freescale IMX Boot Image
+ Image Ver: 2 (i.MX53/6/7 compatible)
+ Mode: DCD
+ Data Size: 61440 Bytes = 60.00 kB = 0.06 MB
+ Load Address: 00907420
+ Entry Point: 00908000
+ HAB Blocks: 00907400 00000000 0000cc00
+
+Example Output of the u-boot-ivt.img (firmware_ivt) creation:
+ Image Name: U-Boot 2016.11-rc1-31589-g2a4411
+ Created: Sat Nov 5 21:53:28 2016
+ Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
+ Data Size: 352192 Bytes = 343.94 kB = 0.34 MB
+ Load Address: 17800000
+ Entry Point: 00000000
+ HAB Blocks: 0x177fffc0 0x0000 0x00054020
+
+The CST (Code Signing Tool) can be downloaded from NXP.
+# Compile CSF and create signature
+./cst --o csf-u-boot.bin < command_sequence_uboot.csf
+./cst --o csf-SPL.bin < command_sequence_spl.csf
+# Append compiled CSF to Binary
+cat SPL csf-SPL.bin > SPL-signed
+cat u-boot-ivt.img csf-u-boot.bin > u-boot-signed.img
+
+These two signed binaries can be used on an i.MX6 in closed
+configuration when the according SRK Table Hash has been flashed.
\ No newline at end of file