topic while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:rand in i.MX Processors

while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:rand

pawar_123_y — Mon, 22 Nov 2021 11:11:13 GMT

Hello,

I am trying to install Softhsm for ubuntu18.4 . when I generate tree structure for HAB4 by the hab4_pki_tree.sh script it gives error random number generator:RAND_load_file:Cannot open file.

here is full log.

sudo ./hab4_pki_tree.sh
[sudo] password for acclivis:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for Freescale's
High Assurance Boot. It generates a basic PKI tree. The PKI
tree consists of one or more Super Root Keys (SRK), with each
SRK having two subordinate keys:
+ a Command Sequence File (CSF) key
+ Image key.
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

+++++++++++++++++++++++++++++++++++++
+ Generating CA key and certificate +
+++++++++++++++++++++++++++++++++++++

Generating a RSA private key
.....................................................................................................................................................................................+++++
...........................+++++
writing new private key to 'temp_ca.pem'
-----

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................................................................+++++
........................................+++++
e is 65537 (0x010001)
Can't load /home/acclivis/.rnd into RNG
140080975962560:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/acclivis/.rnd
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'
Certificate is to be certified until Nov 20 11:08:48 2031 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................+++++
...........................................................+++++
e is 65537 (0x010001)
Can't load /home/acclivis/.rnd into RNG
140207436272064:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/acclivis/.rnd
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Nov 20 11:08:48 2031 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Please guide me on this.Thank you.

Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:

Zhiming_Liu — Tue, 23 Nov 2021 02:13:35 GMT

Try this ,and you will also need this https://community.nxp.com/t5/i-MX-Processors/Patch-for-u-boot-imx-Using-FIT-and-HAB-in-bootm-command/td-p/1164472

cd ~ && openssl rand -writerand .rnd

Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:

pawar_123_y — Wed, 24 Nov 2021 09:39:32 GMT

Thanks.

Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:

pawar_123_y — Wed, 24 Nov 2021 11:18:18 GMT

Can you please help me with error. I am trying to generate the CSF binary signature. using " cst -i imx-boot.csf -o imx-boot.csf.bin" command.

following is log of command

PKCS#11: Initializing the engine
Found 1 slot
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
139987367705472:error:80064064:pkcs11 engine:ctx_load_cert:invalid id:eng_back.c:425:
Public key certificate is invalid in file ./CSF1_1_sha256_2048_65537_v3_usr_crt.pem

imx_boot.csf file is as follows

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509

Signature Format = CMS

[Install SRK]
File = "./SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "./CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Unlock]
Engine = CAAM
Features = MFG
[Install Key]
Verification index = 0
Target index = 2
File = "./IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x7e0fc0 0x0 0x2bc00 "flash.bin"

Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:

Zhiming_Liu — Thu, 25 Nov 2021 02:38:57 GMT

Please follow https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=lf-5.10.52-2.1.0

There will be no error.

Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:

pawar_123_y — Thu, 25 Nov 2021 11:55:01 GMT

Thanks, I have checked link you share.

my updated u-boot.cfg file is as follows.

[Header]
Version = 4.1
#Security Configuration = Open
Hash Algorithm = SHA256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = Any

[Install SRK]
File ="../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
Hash Algorithm = SHA256

[Install CSFK]
File ="../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Certificate Format = X509

[Authenticate CSF]
Engine = DCP
Engine Configuration = 0
Signature Format = CMS

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
file ="../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
Certificate Format = X509

[Authenticate Data]
Verification index = 2
Engine = DCP
Blocks = 0x01000000 0x0 0x10000 “flash.bin”
#0xf8000000 0x0 0x10000 “flash.bin”
#0xf801000 0x0 0x1000 “xyz.bin”
Engine Configuration = 0
Signature Format = CMS

here i am getting error on "Blocks = 0x01000000 0x0 0x10000 “flash.bin" " line num 35.

1) I am using ubuntu machine for sign image.which offset i need to you here?

2)To generate out.bin from input hab4.csf and public key certificate to encrypt symmetric
key(s)
cst -o out.bin --cert dek_protection_crt.pem -i example.csf

what is dek_protection_crt.pem here.

Thanks.