https://community.nxp.com/t5/i-MX-Processors/i-MX6Q-Problem-with-secure-boot/m-p/707810#M109978 <HTML><HEAD></HEAD><BODY><P>Hi Tasuku</P><P></P><P>&gt;What does the pattern 1 error indicate?</P><P></P><P>please look at description of events in sect.6.7 Audit Events document HAB4_API.pdf</P><P>included in CST Tool package</P><P><A class="link-titled" href="https://www.nxp.com/webapp/sps/download/view_license.jsp?colCode=IMX_CST_TOOL" title="https://www.nxp.com/webapp/sps/download/view_license.jsp?colCode=IMX_CST_TOOL">NXP® Code Signing Tool for the High Assurance Boot library. Provides software code signing support designed for use with…</A>&nbsp;</P><P>&gt;Why does not error occur in pattern 2?</P><P></P><P>as you correctly noted SRK authentication was skipped for open setting.</P><P></P><P>Best regards<BR />igor<BR />-----------------------------------------------------------------------------------------------------------------------<BR />Note: If this post answers your question, please click the Correct Answer button. Thank you!<BR />-----------------------------------------------------------------------------------------------------------------------</P></BODY></HTML> Wed, 20 Sep 2017 09:35:14 GMT igorpadykov 2017-09-20T09:35:14Z https://community.nxp.com/t5/i-MX-Processors/i-MX6Q-Problem-with-secure-boot/m-p/707809#M109977 <HTML><HEAD></HEAD><BODY><P>Dear NXP community,</P><P><BR />I am developing a custom board based on the imx6qsabresd board.</P><P></P><P>I tried to apply a secure boot, but a problem has occurred.</P><P></P><P>I referred to the following documents and URLs.</P><P>AN4581,IMX6HABUG<BR /><A href="https://boundarydevices.com/high-assurance-boot-hab-dummies/">https://boundarydevices.com/high-assurance-boot-hab-dummies/</A></P><P></P><P>The operations and results I did are as follows.</P><P></P><P>1. Generate PKI tree and SRK table</P><P style="padding-left: 30px;">...<BR /> Do you want to use an existing CA key (y/n)?: n<BR /> Do you want to use Elliptic Curve Cryptography (y/n)?: n<BR /> Enter key length in bits for PKI tree: 2048<BR /> Enter PKI tree duration (years): 10<BR /> How many Super Root Keys should be generated? 4<BR /> Do you want the SRK certificates to have the CA flag set? (y/n)?: y<BR /> ...</P><P style="padding-left: 30px;"><BR /> ~/cst-2.3.2/crts$ ../linux32/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./</P><P style="padding-left: 30px;"></P><P>2. Write SRK table to Fuse</P><P></P><P>3. Build secure boot supported u-boot</P><P></P><P>4. Sign a u-boot image</P><P style="padding-left: 30px;">&nbsp;objcopy -I binary -O binary --pad-to 0x51C00 --gap-fill=0x5A u-boot.imx u-boot-pad.imx<BR /> ../linux32/cst --o u-boot_csf.bin --i u-boot.csf<BR /> cat u-boot-pad.imx u-boot_csf.bin &gt; u-boot-signed.imx<BR /> objcopy -I binary -O binary --pad-to 0x53C00 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx</P><P style="padding-left: 30px;"></P><P>5. Create an image and start board</P><P></P><P>6. Display authentication status</P><P style="padding-left: 30px;">=&gt; hab_status</P><P style="padding-left: 30px;">Secure boot disabled</P><P style="padding-left: 30px;">HAB Configuration: 0xf0, HAB State: 0x66<BR /> No HAB Events Found!</P><P style="padding-left: 30px;"></P><P>I got the results as expected.<BR />Then, I tried it with an incorrect image.</P><P></P><P>Pattern1 Without signature<BR /> As a result, an error occurred as follows</P><P style="padding-left: 30px;">=&gt; hab_status<BR /> <BR /> Secure boot disabled<BR /> <BR /> HAB Configuration: 0xf0, HAB State: 0x66<BR /> <BR /> --------- HAB Event 1 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x08 0x41 0x33 0x11 0xcf 0x00<BR /> <BR /> --------- HAB Event 2 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00<BR /> 0x00 0x00 0x00 0x20<BR /> <BR /> --------- HAB Event 3 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c<BR /> 0x00 0x00 0x02 0xf8<BR /> <BR /> --------- HAB Event 4 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20<BR /> 0x00 0x00 0x00 0x01<BR /> <BR /> --------- HAB Event 5 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00<BR /> 0x00 0x00 0x00 0x04</P><P style="padding-left: 30px;"></P><P>Pattern2 Corrupted image</P><P style="padding-left: 30px;">Use the binary editor and edit parts that are not signatures</P><P style="padding-left: 30px;"></P><P>Pattern3 Different keys</P><P style="padding-left: 30px;">Generate key using different&nbsp;passphrase</P><P></P><P>Patterns 2 and 3 were the same result</P><P style="padding-left: 30px;">=&gt; hab_status</P><P style="padding-left: 30px;">Secure boot disabled</P><P style="padding-left: 30px;">HAB Configuration: 0xf0, HAB State: 0x66<BR /> No HAB Events Found!</P><P style="padding-left: 30px;"></P><P>The result was different from what I expected.</P><P></P><P>I found the following description.<BR /><A _jive_internal="true" data-containerid="2004" data-containertype="14" data-objectid="459077" data-objecttype="1" href="https://community.nxp.com/thread/459077">https://community.nxp.com/message/937925</A></P><P></P><P>From the description, I thought SRK authentication was skipped for open setting.</P><P></P><P>However, I do not know why Pattern 2 does not cause an error.</P><P></P><P>What does the pattern 1 error indicate?</P><P>Why does not error occur in pattern 2?</P><P></P><P>Is something wrong with my operation?</P><P>The board remains at the OPEN setting.</P><P></P><P><SPAN style="color: #51626f; background-color: #ffffff;">Best regard,</SPAN></P><P><SPAN style="color: #51626f; background-color: #ffffff;">Tasuku.</SPAN></P></BODY></HTML> Wed, 20 Sep 2017 01:53:39 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6Q-Problem-with-secure-boot/m-p/707809#M109977 tasukuwatanabe 2017-09-20T01:53:39Z https://community.nxp.com/t5/i-MX-Processors/i-MX6Q-Problem-with-secure-boot/m-p/707810#M109978 <HTML><HEAD></HEAD><BODY><P>Hi Tasuku</P><P></P><P>&gt;What does the pattern 1 error indicate?</P><P></P><P>please look at description of events in sect.6.7 Audit Events document HAB4_API.pdf</P><P>included in CST Tool package</P><P><A class="link-titled" href="https://www.nxp.com/webapp/sps/download/view_license.jsp?colCode=IMX_CST_TOOL" title="https://www.nxp.com/webapp/sps/download/view_license.jsp?colCode=IMX_CST_TOOL">NXP® Code Signing Tool for the High Assurance Boot library. Provides software code signing support designed for use with…</A>&nbsp;</P><P>&gt;Why does not error occur in pattern 2?</P><P></P><P>as you correctly noted SRK authentication was skipped for open setting.</P><P></P><P>Best regards<BR />igor<BR />-----------------------------------------------------------------------------------------------------------------------<BR />Note: If this post answers your question, please click the Correct Answer button. Thank you!<BR />-----------------------------------------------------------------------------------------------------------------------</P></BODY></HTML> Wed, 20 Sep 2017 09:35:14 GMT https://community.nxp.com/t5/i-MX-Processors/i-MX6Q-Problem-with-secure-boot/m-p/707810#M109978 igorpadykov 2017-09-20T09:35:14Z