Secure Boot on imx6ul

prabhunath_gupt — Tue, 07 Jan 2020 17:14:37 GMT

Hi NXP team,

I am currently working on enabling a secure boot in the imx6ul using HABv4. I have followed all the steps which are mentioned in https://www.nxp.com/docs/en/application-note/AN4581.pdf.

Please find the following detailed steps which I have performed to get a secure boot to enable.

1. I am using cst-2.3.2 for generating the PKI tree as below.

go into key directory and run below script

     ./hab4_pki_tree.sh
      Do you want to use an existing CA key (y/n)?: n
      Do you want to use Elliptic Curve Cryptography (y/n)?: n
      Enter key length in bits for PKI tree: 4096
      Enter PKI tree duration (years): 4
      How many Super Root Keys should be generated? 4
      Do you want the SRK certificates to have the CA flag set? (y/n)?: y

2. Go into the crts directory and followed the below step to generate the SRK table.

../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem

3. Fuse the hash value of the SRK table on-chip as below.

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

         0x9D60B98F
         0xAB246CEF
         0x7B02E64A
         0x7B5FA5DD
         0x885CAEEF
         0x7D09B391
         0x79B8B60D
         0xBBB2A18

fuse prog 3 0 0x9D60B98F

fuse prog 3 1 0xAB246CEF

fuse prog 3 2 0x7B02E64A

fuse prog 3 3 0x7B5FA5DD

fuse prog 3 4 0x885CAEEF

fuse prog 3 5 0x7D09B391

fuse prog 3 6 0x79B8B60D

fuse prog 3 7 0xBBB2A18

4. Added CONFIG_SECURE_BOOT=y in u-boot (imx_v2017.03_4.9.11_1.0.0_ga) defconfig file, Compiled the u-boot and got below details form compilation log.

         u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
         Image Ver: 2 (i.MX53/6/7 compatible)
         Mode: DCD
         Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
         Load Address: 877ff420
         Entry Point: 87800000
         HAB Blocks: 877ff400 00000000 0006dc00
         DCD Blocks: 00910000 0000002c 000001e8

5. Prepared the CSF file as below.

      [Header]
      Version = 4.1
      Security Configuration = Open
      Hash Algorithm = sha256
      Engine Configuration = 0
      Certificate Format = X509
      Signature Format = CMS
      Engine = CAAM

      [Install SRK]
      File = "../crts/SRK_1_2_3_4_table.bin"
      Source index = 0

      [Install CSFK]
      File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate CSF]

      [Install Key]
      # Key slot index used to authenticate the key to be installed
      Verification index = 0
      # Key to install
      Target index = 2
      File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate Data]
      Verification index = 2
      #_ivt_self offset _ad_size
      Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot-pad.imx", \
                     0x00910000 0x0000002c 0x000001e8 "./u-boot-pad.imx"

6. I have tried following different approaches for a secure boot but not able to get any success.

First approach

As my "u-boot.imx" file size is 449536 bytes (0x6DC00) so I have padded up to 450560 bytes (0x6E000) as

objcopy -I binary -O binary --pad-to=0x6E000 --gap-fill=0x00 u-boot.imx u-boot-pad.imx

Clear DCD address using "./mod_4_mfgtool.sh" availbale in "AN4581.pdf" file.

./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.imx

Genrating csf bin file as below

./cst -o u-boot-csf.bin -i u-boot.csf

Set DCD address

./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.imx

Padded csf binary upto 0x4000 as per "AN4581.pdf and imximage.cfg" files.

objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 u-boot-csf.bin u-boot-csf-pad.bin

Append CSF binary to u-boot image.

cat u-boot-pad.imx u-boot-csf-pad.bin > u-boot-sec.imx

Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

Got below HAB events using hab_status command.

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Second approach

Change the Authenticate data command in the CSF file.

         [Authenticate Data]
         Verification index = 2
         #_ivt_self offset _ad_size
         Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot.imx", \
                         0x00910000 0x0000002c 0x000001e8 "./u-boot.imx"

Clear DCD address using "./mod_4_mfgtool.sh" availbale in "AN4581.pdf" file.

./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx

Genrating csf bin file as below

./cst -o u-boot-csf.bin -i u-boot.csf

Set DCD address

./mod_4_mfgtool.sh set_dcd_addr u-boot.imx

Append CSF binary to u-boot image.
cat u-boot.imx u-boot-csf.bin > u-boot-intmed.imx
Padded final signed image upto

objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-intmed.imx u-boot-sec.imx

Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

Got the same HAB events as per approach #1

Actually, I have gone through the HAB and CST user guide to debugging the above issue but not able to fix it out. So please help me to fix this issue.

I am using the Mfg tool for flashing the u-boot binary in the eMMc please find the Mfg tool script is attached.

Do I need any changes in the MFG tool script for the secure boot?

Do I need to set any other fuse bit or register for the secure boot?

Can we update the new hash values of the SRK table on SRK fuses?

What I missed in the above two approaches?

After compilation of u-boot got below images

3449176 Jan 7 21:57 u-boot
445213 Jan 7 21:57 u-boot.bin
12462 Jan 7 21:57 u-boot.cfg
445213 Jan 7 21:57 u-boot-dtb.bin
449536 Jan 7 21:57 u-boot.imx
559946 Jan 7 21:57 u-boot.map
414768 Jan 7 21:57 u-boot-nodtb.bin
449536 Jan 7 21:57 u-boot-sd.imx

Re: Secure Boot on imx6ul

igorpadykov — Wed, 08 Jan 2020 00:13:30 GMT

Hi prabhunath

for additional reading and examples one can also look at

AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices

habv4\imx\doc - uboot-imx - i.MX U-Boot

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: Secure Boot on imx6ul

prabhunath_gupt — Wed, 08 Jan 2020 06:54:08 GMT

Hi Igor,

Thanks for the fast response.

I don't want an encrypted boot for my imx6ul chipset. I am trying to sign a u-boot image and try to get no HAb events for this.

I have below queries, so please resolve these queries.

1. Do I need a separate Mfg tool for the secure boot?

2. You can see the CSF file which I am using as above, I have prepared it based on the compilation log from the u-boot. So my question, is the Authenticate Data command is correct or not?

3. Do I pad both u-boot.imx and u-boot-csf.bin file in 4K alignment?

4. Do I need to set any other fuse bit or register for the secure boot?

5. Do I need to use the DCD block in the CSF file?

igorpadykov Please suggest me if I missing anything in my two approaches as above.

i.MX ProcessorsのトピックRe: Secure Boot on imx6ul

Secure Boot on imx6ul

Re: Secure Boot on imx6ul

Re: Secure Boot on imx6ul