Professional Documents
Culture Documents
Signing Bootloaders
A proprietary tool called sectools is required to sign the SBL. Sectools can be
obtained through Arrow Electronics or Qualcomm. The tool computes the
signature and appends the signature along with the certificates to the SBL
image. The tool additionally generates a sec.dat file containing root public key
hash and other security configurations that is flashed onto the processor.
1. Create a root public / private key pair and certificate using openssl
As of writing this blog, the steps are only integrated into the Qualcomm
Android builds (LA) and additional steps need to be taken for
Qualcomm/Linaro Linux builds (LE). The high level process is to sign the
boot.img is:
6. Extract the public key out of the cert using openssl and place it in
platform/msm_shared/certificate.c of LK bootloader source
The Snapdragon processors have a OTP fuse bank region referred to as eFuses
(QFPROM) which can be used to store disk encryption keys. The Qualcomm
android build for Dragonboard 410c (APQ8016) comes with so!ware support
for full disk encryption by leveraging Qualcomm secure execution
environment (QSEE) so!ware running on ARM TrustZone to read the keys from
eFuses. As of writing this blog, so!ware support for full disk encryption does
not exist for the Qualcomm Linux builds. To further complicate things, Linux
does not execute at a security level that can directly access the region of
eFuses where the keys are stored leading to key management complexity.
As an alternative, since SBL executes at a security level that can access the
eFuses, the SBL can be modified to read the keys and pass it on to Linux kernel
via internal SRAM. The Linux kernel can then mount the encrypted RFS and
erase the keys from internal SRAM. Since only signed SBL can run on the
device, we need not worry about unauthorized firmware being able to access
the RFS encryption key stored in eFuses.
3. Review the permissions to the security related eFuses and lock further
modifications to this fuse bank
The above steps can be achieved by blowing appropriate fuse bits using
Sectools.
Conclusion
Qualcomm Snapdragon processors have excellent hardware support for
implementing security on embedded/IoT devices. While Qualcomm Android
so!ware leverages the hardware support, enabling similar hardware security
support in Linux is a bit more cumbersome at the moment. Once the missing
support is added, secure boot and chain of trust can be established and easily
verified on a development board such as Dragonboard 410c.
Timesys is a partner of Arrow Electronics and has access to SBL source code,
Sectools and Qualcomm Processor documentation available only under NDA.
We can build, customize SBL (including DDR timing/calibration, custom
security features etc.) for your custom product use. Timesys has expertise in
enabling secure boot and establishing chain of trust on products using
Qualcomm Snapdragon processors. Contact us to help accelerate securing
your Qualcomm Snapdragon based product.
About Timesys
Timesys has extensive experience with embedded system development and
lifecycle management. Timesys has been instrumental in working with global
leader semiconductor manufacturers with smart, quick and quality solutions for
highly complex systems with accelerated product innovation and multiple
product variants.
This site uses Akismet to reduce spam. Learn how your comment data is
processed.