iMX7D Plugin mode HAB (High Assurance Boot)

Document created by Qiang Li on Sep 22, 2016. Last modified by Karina Valencia Aguilar on Jun 27, 2017.
Version 6

This document describes the steps to enable HAB on the i.MX7D EVK board in plugin boot mode. The BSP version is L3.14.52_ga_1.1.0 or L4.1.15_ga_1.2.0, and the CST tool version is cst-2.3.2.
Since fast authentication is supported after HAB 4.1.2, and the HAB version of i.MX7D is 4.2, we use fast authentication here.
The PC used to run the CST tool runs Ubuntu 10.04, x86 version.

1. Generate HAB4 Keys and Certificates

1.1. Unpack the CST package. It contains seven folders: ca, code, crts, docs, keys, linux32 and linux64.
    In the "keys" folder, create a "serial" file. OpenSSL uses the contents of this file for the certificate serial numbers.
    In the "keys" folder, create a "key_pass.txt" file. This file contains the passphrase that protects the HAB code signing private keys.
    In this example, the content in "serial" file is
        $ cat serial


    The content in "key_pass.txt" file is
        $ cat key_pass.txt


1.2 Before running the key generation script (step 1.3), ensure that OpenSSL is included in your search path by running
        $ openssl version
        OpenSSL 0.9.8k 25 Mar 2009


1.3 Run the script to generate hab4 keys and certificates
        $ cd keys
        $ ./
        Do you want to use an existing CA key (y/n)?: n
        Do you want to use Elliptic Curve Cryptography (y/n)?: n
        Enter key length in bits for PKI tree: 2048
        Enter PKI tree duration (years): 10
        How many Super Root Keys should be generated? 4
        Do you want the SRK certificates to have the CA flag set? (y/n)?: n
    Since we are verifying fast authentication, answer 'n' here.


1.4 Generating HAB4 SRK tables and efuse Hash
        $ cd ../crts
        $ ../linux32/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c        SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3



    SRK_1_2_3_4_fuse.bin is SRK efuse binary file.
    SRK_1_2_3_4_table.bin is SRK table binary file.

2. Program SRK_HASH fuse
2.1 Dump SRK_1_2_3_4_fuse.bin.
        $ od -t x4  SRK_1_2_3_4_fuse.bin
        0000000 ac7ab98f 8febd6b4 b6e15ce3 3e870783
        0000020 6f06d6a9 e1107545 3e19d19c e79d1556


2.2 Boot the board with a Linux rootfs and, after logging in, program the SRK_HASH fuses.
        # echo 0xac7ab98f > /sys/fsl_otp/HW_OCOTP_SRK0
        # echo 0x8febd6b4 > /sys/fsl_otp/HW_OCOTP_SRK1
        # echo 0xb6e15ce3 > /sys/fsl_otp/HW_OCOTP_SRK2
        # echo 0x3e870783 > /sys/fsl_otp/HW_OCOTP_SRK3
        # echo 0x6f06d6a9 > /sys/fsl_otp/HW_OCOTP_SRK4
        # echo 0xe1107545 > /sys/fsl_otp/HW_OCOTP_SRK5
        # echo 0x3e19d19c > /sys/fsl_otp/HW_OCOTP_SRK6
        # echo 0xe79d1556 > /sys/fsl_otp/HW_OCOTP_SRK7

3 Sign u-boot
3.1 Apply the HAB patch and build the u-boot.
    Go to the u-boot source code folder and apply the patch:
    $ git apply 0001-iMX7D-SabreSD-enable-HAB-boot-for-plugin-mode.patch
    Build u-boot.

    $ make distclean
    $ make mx7dsabresd_defconfig
    $ make


    The following two defines should be enabled in "uboot-imx/include/configs/mx7dsabresd.h" for secure boot and plugin mode.
        #define CONFIG_SECURE_BOOT
        #define CONFIG_USE_PLUGIN


3.2 Create a u-boot folder in the cst-2.3.2 folder and copy u-boot.imx into it. Dump the u-boot.imx IVT structures.
    Dump plugin IVT header:
        $ cd u-boot
        $ od -x -N 48 u-boot.imx
        0000000 00d1 4020 042c 0091 0000 0000 0000 0000
        0000020 0420 0091 0400 0091 2400 0091 0000 0000
        0000040 0000 0091 8000 0000 0001 0000 401f e92d


    Plugin IVT header layout is:

        Offset  Name               Value
        0       ivt.header         0x402000d1
        4       ivt.entry          0x0091042c
        8       ivt.reserved1      0x00000000
        12      ivt.dcd_ptr        0x00000000
        16      ivt.boot_data_ptr  0x00910420
        20      ivt.self           0x00910400
        24      ivt.csf            0x00912400
        28      ivt.reserved2      0x00000000
        32      boot_data.start    0x00910000
        36      boot_data.size     0x00008000
        40      plugin             0x00000001

    IVT address:  ivt.self = 0x00910400
    Image length: ivt.csf - ivt.self = 0x00912400 - 0x00910400 = 0x2000
    So the [Authenticate Data] field of csf file "csf_u-boot_plugin_ivt1.txt" is
        Verification index = 0
        Blocks = 0x00910400 0x000 0x2000 "u-boot.imx"

    Dump u-boot IVT header:
        $ dd if=u-boot.imx of=u-boot-body.bin bs=1 skip=16384
        $ od -x -N 48 u-boot-body.bin
        0000000 00d1 4020 0000 8780 0000 0000 0000 0000
        0000020 fff4 877f ffd4 877f 8bd4 8785 0000 0000
        0000040 bbd4 877f f000 0005 0000 0000 00be ea00


    U-boot IVT header layout is:

        Offset  Name               Value
        0       ivt.header         0x402000d1
        4       ivt.entry          0x87800000
        8       ivt.reserved1      0x00000000
        12      ivt.dcd_ptr        0x00000000
        16      ivt.boot_data_ptr  0x877ffff4
        20      ivt.self           0x877fffd4
        24      ivt.csf            0x87858bd4
        28      ivt.reserved2      0x00000000
        32      boot_data.start    0x877fbbd4
        36      boot_data.size     0x0005F000


    IVT address:  ivt.self = 0x877fffd4
    Image length: ivt.csf - ivt.self = 0x87858bd4 - 0x877fffd4 = 0x58c00
    So the [Authenticate Data] field of csf file "csf_u-boot_plugin_ivt2.txt" is
        Verification index = 0
        Blocks = 0x877fffd4 0x0000 0x58c00 "u-boot-body-pad.bin"


    When CONFIG_SECURE_BOOT is enabled, boot_data consists of the u-boot image and the CSF data, so it is larger than the u-boot image length.
    The u-boot-body.bin file should be padded to 0x58c00.
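
The IVT decoding and length arithmetic from step 3.2, as an added Python example (not part of the original document or of the CST package): it rebuilds the header bytes from the two od dumps above, checks the header and the CSF placement, and prints the Blocks line for each CSF file. The function names and the CSF_PAD constant (0x2000, taken from the objcopy steps in 3.3) are choices of this example.

```python
import struct

CSF_PAD = 0x2000  # CSF pad size from the objcopy --pad-to steps on this page

# First 48 bytes of each image, copied from the od -x dumps on this page.
PLUGIN_DUMP = """\
0000000 00d1 4020 042c 0091 0000 0000 0000 0000
0000020 0420 0091 0400 0091 2400 0091 0000 0000
0000040 0000 0091 8000 0000 0001 0000 401f e92d"""
UBOOT_DUMP = """\
0000000 00d1 4020 0000 8780 0000 0000 0000 0000
0000020 fff4 877f ffd4 877f 8bd4 8785 0000 0000
0000040 bbd4 877f f000 0005 0000 0000 00be ea00"""

FIELDS = ("header", "entry", "reserved1", "dcd_ptr", "boot_data_ptr",
          "self", "csf", "reserved2", "boot_start", "boot_size")

def od_words_to_bytes(dump):
    """Rebuild raw bytes from od -x output (16-bit little-endian words)."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:]:  # drop the octal offset column
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)

def parse_ivt(raw):
    """Decode IVT + boot_data and reject layouts the CSF would not match."""
    ivt = dict(zip(FIELDS, struct.unpack_from("<10I", raw)))
    tag, length, version = struct.unpack_from(">BHB", raw)
    if tag != 0xD1 or length != 0x20 or version >> 4 != 0x4:
        raise ValueError("not a HAB4 IVT header")
    if ivt["csf"] <= ivt["self"]:
        raise ValueError("ivt.csf must lie above ivt.self")
    # The padded CSF must still fall inside the region described by boot_data.
    if ivt["csf"] + CSF_PAD > ivt["boot_start"] + ivt["boot_size"]:
        raise ValueError("padded CSF lies outside boot_data")
    return ivt

def blocks_line(ivt, filename):
    """Build the [Authenticate Data] Blocks entry: address, offset, length."""
    length = ivt["csf"] - ivt["self"]
    return 'Blocks = 0x%08x 0x000 0x%x "%s"' % (ivt["self"], length, filename)

if __name__ == "__main__":
    for dump, name in ((PLUGIN_DUMP, "u-boot.imx"),
                       (UBOOT_DUMP, "u-boot-body-pad.bin")):
        print(blocks_line(parse_ivt(od_words_to_bytes(dump)), name))
```

To run it against a freshly built image, replace the embedded dumps with the first 48 bytes read from u-boot.imx and u-boot-body.bin; a rebuild that changes the image size changes ivt.csf and therefore the Blocks length and the pad size used in 3.3.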


3.3 The command to sign u-boot
        $ ../linux32/cst -o csf_plugin.bin -i csf_u-boot_plugin_ivt1.txt
        $ objcopy -I binary -O binary --pad-to 0x58c00 --gap-fill=0x00 u-boot-body.bin u-boot-body-pad.bin
        $ ../linux32/cst -o csf_u-boot.bin -i csf_u-boot_plugin_ivt2.txt
        $ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 csf_plugin.bin csf_plugin-pad.bin
        $ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 csf_u-boot.bin csf_u-boot-pad.bin
        $ dd if=u-boot.imx of=plugin-body.bin bs=1 count=8192
        $ cat plugin-body.bin csf_plugin-pad.bin u-boot-body-pad.bin csf_u-boot-pad.bin > u-boot-signed.imx


3.4 Download u-boot-signed.imx to SD
        $ sudo dd if=u-boot-signed.imx of=/dev/sdx bs=1K seek=1


3.5 Boot from the SD card and check the HAB status with the u-boot command
        => hab_status
    If you see "No HAB Events Found", the signature was verified successfully.
