topic IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE in i.MX Processors

IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

cristiansicilia — Tue, 23 Aug 2022 06:33:41 GMT

Hello,

I'm trying to configuring secure boot on IMX6.

I followed the guide (https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt?h=imx_v2018.03_4.14.78_1.0.0_ga )

=> hab_version 
HAB version: 4.2

I write the keys in the shadow (the hab_auth_img should work, correct?)

=> fuse override 3 0 0xFBA8C054
Overriding bank 3 word 0x00000000 with 0xfba8c054...
=> fuse override 3 1 0x0EBA35D4
Overriding bank 3 word 0x00000001 with 0x0eba35d4...
=> fuse override 3 2 0x71EB6B8A
Overriding bank 3 word 0x00000002 with 0x71eb6b8a...
=> fuse override 3 3 0xF916FB67
Overriding bank 3 word 0x00000003 with 0xf916fb67...
=> fuse override 3 4 0x70AC4FE5
Overriding bank 3 word 0x00000004 with 0x70ac4fe5...
=> fuse override 3 5 0x71840DDE
Overriding bank 3 word 0x00000005 with 0x71840dde...
=> fuse override 3 6 0x7068C921
Overriding bank 3 word 0x00000006 with 0x7068c921...
=> fuse override 3 7 0xAB611F8B
Overriding bank 3 word 0x00000007 with 0xab611f8b...

I read the kernel image from sdcard to loaddaddress 0x80800000, then I check that at the end of the image we found the IVT and then that the CSF that is all inside. Everything looks good here-

=> read mmc 1 $loadaddr 4000 5808
=> md 81300000 20
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423800d4 000c00be 00001703 38000000 ..8B...........8
81300030: 000c00ca 001dc501 cc070000 001400ca ................
81300040: 001dc500 cc090000 00008080 2000b000 ............... 
81300050: 1d0800b2 02000000 404004d7 210f01e1 ..........@@...!
81300060: 00000000 03000001 9d199b9f 10844e79 ............yN..
81300070: c8ba9df7 b5b4ae3a 4376c6c8 6aed44c7 ....:.....vC.D.j
=> md 81300bc0 16
81300bc0: b17dd47f 62ca77cc ed2d753b df955029 ..}..w.b;u-.)P..
81300bd0: 54d59846 8dd7c131 cd94da1d edda1953 F..T1.......S...
81300be0: 2b6384be f91d7c4c bc1bb014 00000000 ..c+L|..........
81300bf0: 00000000 00000000 00000000 00000000 ................
81300c00: 00000000 00000000 00000000 00000000 ................
81300c10: 00000000 00000000 ........

I check the current status, there are already two events, probably because the u-boot raise same issue, but at startup the fuse was not set.

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x87 0x7f 0xf4 0x00
0x00 0x08 0x2c 0x00

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Now I start the hab_auth_img and I get two events

=> hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled

Authenticate image from DDR location 0x80800000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66

[ ... omissis ... ]

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x80 0x80 0x00 0x00
0x00 0xb0 0x00 0x20

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

I'm getting this Hab Unsupported Engine error, I don't know if I get this because I'm using the fuse override , or if I produced a bad certificate.

Someone can help me with this?

The cfs file is:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "/secure-boot/crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"

The CFS with full key was this

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/board/emotiq/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "/secure-boot/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "/secure-boot/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

Harvey021 — Thu, 25 Aug 2022 10:14:28 GMT

Hi @cristiansicilia

> I write the keys in the shadow (the hab_auth_img should work, correct?)

In general, We do blow fuse and comparing SRK Hash. As you see the example in the guide.

> HAB_UNS_ENGINE

What chip of i.MX6 you're performing? It'll be SW if that is i.MX6ULL.

Best regards

Harvey

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

cristiansicilia — Fri, 26 Aug 2022 18:17:11 GMT

The CPU is IMX6ULL (MCIMX6Y2DVM09AB), what mean "is the SW", that it do not support the secure-boot?

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

Harvey021 — Mon, 29 Aug 2022 02:40:02 GMT

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

It still supports secure boot, just change the "Engine" to SW instead of CAAM.

Best regards

Harvey

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

cristiansicilia — Mon, 29 Aug 2022 11:48:19 GMT

Thanks @Harvey021 for reply,

I changed it to `Engine SW`, but there are something strange.

I tried at startup to load an image, and check it (without setup any fuse), and I obtain this:

Hit any key to stop autoboot: 0 => hab_status Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! => read mmc 1 $loadaddr 4000 5808 => md 81300000 20 81300000: 412000d1 80800000 00000000 00000000 .. A............ 81300010: 00000000 81300000 81300020 00000000 ......0. .0..... 81300020: 423000d4 000c00be 00001703 30000000 ..0B...........0 81300030: 000c00ca 00ffc501 c4070000 001400ca ................ 81300040: 00ffc500 c4090000 00008080 2000b000 ............... 81300050: 404004d7 210f01e1 00000000 03000001 ..@@...!........ 81300060: 9d199b9f 10844e79 c8ba9df7 b5b4ae3a ....yN......:... 81300070: 4376c6c8 6aed44c7 8ea56094 8d0d6981 ..vC.D.j.`...i.. => md 81300bc0 16 81300bc0: df650e07 ea875d19 bca01b57 d61a73e4 ..e..]..W....s.. 81300bd0: 63f848ec eb1405b0 2734f114 3dd2e483 .H.c......4'...= 81300be0: a74f0db9 00000000 00000000 00000000 ..O............. 81300bf0: 00000000 00000000 00000000 00000000 ................ 81300c00: 00000000 00000000 00000000 00000000 ................ 81300c10: 00000000 00000000 ........ hab_auth_img 80800000 00B00BF0 00B00000 hab fuse not enabled Authenticate image from DDR location 0x80800000... Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found!

But overriding the fuse, I get the same result

=> fuse override 3 0 0xFBA8C054 Overriding bank 3 word 0x00000000 with 0xfba8c054... => fuse override 3 1 0x0EBA35D4 Overriding bank 3 word 0x00000001 with 0x0eba35d4... => fuse override 3 2 0x71EB6B8A Overriding bank 3 word 0x00000002 with 0x71eb6b8a... => fuse override 3 3 0xF916FB67 Overriding bank 3 word 0x00000003 with 0xf916fb67... => fuse override 3 4 0x70AC4FE5 Overriding bank 3 word 0x00000004 with 0x70ac4fe5... => fuse override 3 5 0x71840DDE Overriding bank 3 word 0x00000005 with 0x71840dde... => fuse override 3 6 0x7068C921 Overriding bank 3 word 0x00000006 with 0x7068c921... => fuse override 3 7 0xAB611F8B Overriding bank 3 word 0x00000007 with 0xab611f8b... => read mmc 1 $loadaddr 4000 5808 => hab_auth_img 80800000 00B00BF0 00B00000 hab fuse not enabled Authenticate image from DDR location 0x80800000... Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found!

And also overriding the secure-boot enabled flag

=> fuse override 3 0 0 Overriding bank 3 word 0x00000000 with 0x00000000... => hab_auth_img_or_fail 80800000 00B00BF0 00B00000 Authenticate image from DDR location 0x80800000... Secure boot enabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found!

I reset every key, but looks the same

=> fuse override 3 1 0 Overriding bank 3 word 0x00000001 with 0x00000000... => fuse override 3 2 0 Overriding bank 3 word 0x00000002 with 0x00000000... => fuse override 3 3 0 Overriding bank 3 word 0x00000003 with 0x00000000... => fuse override 3 4 0 Overriding bank 3 word 0x00000004 with 0x00000000... => fuse override 3 5 0 Overriding bank 3 word 0x00000005 with 0x00000000... => fuse override 3 6 0 Overriding bank 3 word 0x00000006 with 0x00000000... => fuse override 3 7 0 Overriding bank 3 word 0x00000007 with 0x00000000... => hab_auth_img_or_fail 80800000 00B00BF0 00B00000 Authenticate image from DDR location 0x80800000... Secure boot enabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! =>

I was expected to se an event if I do not set any keys, but looks accept everything

Thanks

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

cristiansicilia — Thu, 01 Sep 2022 09:34:20 GMT

Anyone know why I don't see any events when I do not specify any key?

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

cristiansicilia — Tue, 06 Sep 2022 20:46:21 GMT

I try also ANY engine, but it doesn't work.

The Engine = SW looks like a never fail, anyone can help me with this?

Re: IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE

jelenas — Thu, 04 Apr 2024 15:42:57 GMT

Any update on this topic?