https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1159312#M162547 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/99897">@prabhunath_gupt</a>&nbsp;<BR />Hello,</P> <P>&nbsp; Private keys are mandatory to sign the boot image.<BR />&nbsp; From section 2 (Overview) of AN4581 (i.MX Secure Boot on HABv4 Supported Devices,<BR />Rev. 4, June 2020):<BR />&nbsp; "High Assurance Boot (HAB) authentication is based on public key cryptography<BR />using the RSA or ECDSA algorithms in which image data is signed offline using <BR />a series of private keys. The resulting signed image data is then verified on <BR />the i.MX processor using the corresponding public keys."</P> <P>Regards,<BR />Yuri.</P> Fri, 25 Sep 2020 11:15:32 GMT Yuri 2020-09-25T11:15:32Z https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1158417#M162444 <P>Hello NXP team,</P><P>Hope you are doing well.</P><P>Based on your last inputs, I have tested the secure boot feature with legacy PKI tree certificates and it was working fine. Please find below the content for the u-boot CSF file.</P><P><FONT color="#993300"><SPAN>[Header]<BR />Version = 4.2<BR />Hash Algorithm = sha256<BR />Engine Configuration = 0<BR />Certificate Format = X509<BR />Signature Format = CMS<BR />Engine = SW<BR /><BR />[Install SRK]<BR />File = "../../crts/SRK_1_2_3_4_table.bin"<BR />Source index = 0<BR /><BR />[Install CSFK]<BR />File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /><BR />[Authenticate CSF]<BR /><BR />[Install Key]<BR />Verification index = 0<BR />Target index = 2<BR />File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"<BR /><BR />[Authenticate Data]<BR />Verification index = 2<BR />Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"</SPAN></FONT></P><P><STRONG>With the above CSF file, I am not getting any HAB events and secure boot is working fine.</STRONG></P><P>We want to reduce the boot time and validate the fast authentication feature, please find below the CSF file for the same.</P><P><FONT color="#993300"><SPAN>[Header]<BR />Version = 4.2<BR />Hash Algorithm = sha256<BR />Engine Configuration = 0<BR />Certificate Format = X509<BR />Signature Format = CMS<BR />Engine = SW<BR /><BR />[Install SRK]<BR />File = "../../crts/SRK_1_2_3_4_table.bin"<BR />Source index = 0<BR /><BR />[Install NOCAK]<BR />File = "../../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"<BR /><BR />[Authenticate CSF]<BR /><BR />[Authenticate Data]<BR />Verification index = 0<BR />Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"</SPAN></FONT></P><P>I am getting below hab events so I need your help to fix this issue.</P><P><FONT color="#003300">HAB Configuration: 0xf0, HAB State: 0x66</FONT></P><P><FONT color="#003300">--------- HAB Event 1 -----------------</FONT><BR /><FONT color="#003300">event data:</FONT><BR /><FONT color="#003300">0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x20</FONT></P><P><FONT color="#003300">STS = HAB_FAILURE (0x33)</FONT><BR /><FONT color="#003300">RSN = HAB_INV_ASSERTION (0x0C)</FONT><BR /><FONT color="#003300">CTX = HAB_CTX_ASSERT (0xA0)</FONT><BR /><FONT color="#003300">ENG = HAB_ENG_ANY (0x00)</FONT></P><P><BR /><FONT color="#003300">--------- HAB Event 2 -----------------</FONT><BR /><FONT color="#003300">event data:</FONT><BR /><FONT color="#003300">0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c</FONT><BR /><FONT color="#003300">0x00 0x00 0x01 0xe8</FONT></P><P><FONT color="#003300">STS = HAB_FAILURE (0x33)</FONT><BR /><FONT color="#003300">RSN = HAB_INV_ASSERTION (0x0C)</FONT><BR /><FONT color="#003300">CTX = HAB_CTX_ASSERT (0xA0)</FONT><BR /><FONT color="#003300">ENG = HAB_ENG_ANY (0x00)</FONT></P><P><BR /><FONT color="#003300">--------- HAB Event 3 -----------------</FONT><BR /><FONT color="#003300">event data:</FONT><BR /><FONT color="#003300">0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x01</FONT></P><P><FONT color="#003300">STS = HAB_FAILURE (0x33)</FONT><BR /><FONT color="#003300">RSN = HAB_INV_ASSERTION (0x0C)</FONT><BR /><FONT color="#003300">CTX = HAB_CTX_ASSERT (0xA0)</FONT><BR /><FONT color="#003300">ENG = HAB_ENG_ANY (0x00)</FONT></P><P><BR /><FONT color="#003300">--------- HAB Event 4 -----------------</FONT><BR /><FONT color="#003300">event data:</FONT><BR /><FONT color="#003300">0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x04</FONT></P><P><FONT color="#003300">STS = HAB_FAILURE (0x33)</FONT><BR /><FONT color="#003300">RSN = HAB_INV_ASSERTION (0x0C)</FONT><BR /><FONT color="#003300">CTX = HAB_CTX_ASSERT (0xA0)</FONT><BR /><FONT color="#003300">ENG = HAB_ENG_ANY (0x00)</FONT></P><P><BR /><FONT color="#003300">--------- HAB Event 5 -----------------</FONT><BR /><FONT color="#003300">event data:</FONT><BR /><FONT color="#003300">0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00</FONT><BR /><FONT color="#003300">0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00</FONT><BR /><FONT color="#003300">0x00 0x00 0x00 0x30</FONT></P><P><FONT color="#003300">STS = HAB_FAILURE (0x33)</FONT><BR /><FONT color="#003300">RSN = HAB_INV_CERTIFICATE (0x21)</FONT><BR /><FONT color="#003300">CTX = HAB_CTX_COMMAND (0xC0)</FONT><BR /><FONT color="#003300">ENG = HAB_ENG_ANY (0x00)</FONT></P><P><STRONG>Please find below setup details.</STRONG></P><P>CST tool version : 3.2.0</P><P>Custom board having i.MX6ull</P><P>Yocto build: Warrior</P><P>&nbsp;</P><P>Please answer the below queries.</P><OL><LI>If my security team will provide 4 SRK certificates only, is it possible to do a secure boot (fast authentication)with those SRK certificates and avoid "hab4_pki_tree.sh" steps for generating key and crts. Please note they will not give me the private key and my custom board having i.MX6ull processor.</LI><LI>Is Fast authentication on the i.MX6ull processor ?</LI></OL><P>&nbsp;</P><P>Best Regards,</P><P>Prabhunath Gupt</P> Thu, 24 Sep 2020 06:50:49 GMT https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1158417#M162444 prabhunath_gupt 2020-09-24T06:50:49Z https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1159312#M162547 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/99897">@prabhunath_gupt</a>&nbsp;<BR />Hello,</P> <P>&nbsp; Private keys are mandatory to sign the boot image.<BR />&nbsp; From section 2 (Overview) of AN4581 (i.MX Secure Boot on HABv4 Supported Devices,<BR />Rev. 4, June 2020):<BR />&nbsp; "High Assurance Boot (HAB) authentication is based on public key cryptography<BR />using the RSA or ECDSA algorithms in which image data is signed offline using <BR />a series of private keys. The resulting signed image data is then verified on <BR />the i.MX processor using the corresponding public keys."</P> <P>Regards,<BR />Yuri.</P> Fri, 25 Sep 2020 11:15:32 GMT https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1159312#M162547 Yuri 2020-09-25T11:15:32Z https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1159747#M162596 <P>Thanks&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/1941">@Yuri</a>&nbsp; for your response.</P> Sun, 27 Sep 2020 15:57:51 GMT https://community.nxp.com/t5/i-MX-Processors/Fast-authentication-secure-boot-for-i-MX6ull/m-p/1159747#M162596 prabhunath_gupt 2020-09-27T15:57:51Z