Kernel authentication issue with HAB

ganesh_k — Thu, 12 Aug 2021 12:15:31 GMT

Hi All,

I m trying to implement secure boot on imx6ulevk
https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt?h=imx_v2019.04_5.4.3_2.0.0

with help of above document, I can able to sign and authenticate uboot with fuse as open, below is the log for hab_status:

=> hab_status Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! =>

Now I tried to sign and authenticate Linux fitImage, fitImage is authenticating and loading properly.
Below is the boot log:

switch to partitions #0, OK mmc1(part 0) is current device switch to partitions #0, OK mmc1(part 0) is current device 10542944 bytes read in 267 ms (37.7 MiB/s) Booting from mmc ... 10542944 bytes read in 267 ms (37.7 MiB/s) hab fuse not enabled Authenticate image from DDR location 0x83000000... Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! ## Loading kernel from FIT Image at 83000000 ... Using 'conf-imx6ul-pds.dtb' configuration Verifying Hash Integrity ... OK Trying 'kernel-1' kernel subimage Description: Linux kernel Type: Kernel Image Compression: uncompressed Data Start: 0x830000e0 Data Size: 10504440 Bytes = 10 MiB Architecture: ARM OS: Linux Load Address: 0x80800000 Entry Point: 0x80800000 Hash algo: sha256 Hash value: 1b7abd41dffe4ae2dfb9e9a17c016c680539a791ef61010a4b70d3b481237fc8 Verifying Hash Integrity ... sha256+ OK ## Loading fdt from FIT Image at 83000000 ... Using 'conf-imx6ul-pds.dtb' configuration Verifying Hash Integrity ... OK Trying 'fdt-imx6ul-pds.dtb' fdt subimage Description: Flattened Device Tree blob Type: Flat Device Tree Compression: uncompressed Data Start: 0x83a04ae4 Data Size: 32036 Bytes = 31.3 KiB Architecture: ARM Hash algo: sha256 Hash value: 7fd68eccd6a191a0d69f70fb7c08d30b208cba93aa15186804697db4c84af7fe Verifying Hash Integrity ... sha256+ OK Booting using the fdt blob at 0x83a04ae4 Loading Kernel Image Using Device Tree in place at 83a04ae4, end 83a0f807 ft_system_setup for mx6 Starting kernel ...

Details:

fitImage loadaddress = "0x83000000"
fitImage size = "0xA0CB3C"
padded fitImage size = "0xA0D000"

genIVT file:

#! /usr/bin/perl -w use strict; open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!"; print $out pack("V", 0x412000D1); # IVT Header print $out pack("V", 0x83000000); # Jump Location print $out pack("V", 0x0); # Reserved print $out pack("V", 0x0); # DCD pointer print $out pack("V", 0x0); # Boot Data print $out pack("V", 0x83A0D000); # Self Pointer print $out pack("V", 0x83A0D020); # CSF Pointer print $out pack("V", 0x0); # Reserved close($out);

but when I try to authenticate fitImage from uboot with hab_auth_img, im getting the below error:

=> load mmc 1 0x83000000 fitImage-without-ramfs_signed.bin 10542944 bytes read in 267 ms (37.7 MiB/s) => hab_auth_img 0x83000000 0xA0D000 hab fuse not enabled Authenticate image from DDR location 0x83000000... Error: CSF lies outside the image bounds

Please suggest me if I m doing something wrong.

Thanks & Regards

Ganesh.K

Re: Kernel authentication issue with HAB

igorpadykov — Tue, 24 Aug 2021 06:04:00 GMT

Hi Ganesh

internal team notified me that this issue is already considered internally.

Best regards
igor

Re: Kernel authentication issue with HAB

_sanath_ — Thu, 21 Jul 2022 11:01:10 GMT

Hello,

I am facing the same issue with iMX8mm evk board.

Did you find any working solution for this?

Any inputs from @igorpadykov is much appreciated.

Thanks and regards

Sanath

i.MX ProcessorsのトピックRe: Kernel authentication issue with HAB

Kernel authentication issue with HAB

Re: Kernel authentication issue with HAB

Re: Kernel authentication issue with HAB