imx6q secure boot HAB error

rakesh3 — Fri, 10 Mar 2023 17:11:57 GMT

Hi team,

i am using the imx6q device where i am implementing the secure boot. I have signed the u-boot and followed below steps.But getting 6 errors ..

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0x90

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

Actually there are two kind of events (HAB_ENG_FAIL and HAB_INV_ADDRESS). I don't fully understand HAB event 1. if I use u-boot-2018.05 from u-boot official website, it will have HAB event 2 to 6, and HAB event 1 is gone. I really have a concern about HAB_INV_ADDRESS. I check CSF PTR by od command on u-boot.imx image, and it matches with the value on the target board eMMC area.

$ od -X -N 0x20 u-boot.imx
0000000 402000d1 17800000 00000000 177ff42c
0000020 177ff420 177ff400 178b4000 00000000
0000040

=> md 0x177ff400

177ff400: 402000d1 17800000 00000000 177ff42c .. @........,...
177ff410: 177ff420 177ff400 178b4000 00000000 ........@......
177ff420: 177ff000 000b500c 00000000 409002d2 .....P.........@
177ff430: 048c02cc 68400c02 3f3fc000 6c400c02 ......@h..??..@l
177ff440: 30fc3000 70400c02 00c0ff0f 74400c02 .0.0..@p......@t
177ff450: 0ff0f03f 78400c02 00f3ff00 7c400c02 ?.....@x......@|
177ff460: c300000f 80400c02 ff030000 60400c02 ......@.......@`
177ff470: fb000000 10000e02 cf0000f0 18000e02 ................

...

=> md 0x178b400

178b4000: 425000d4 000c00be 00001703 50000000 ..PB...........P
178b4010: 020c00be 01000009 90040000 000c00ca ................
178b4020: 001dc501 e4070000 000c00be 02000009 ................
178b4030: e8090000 001400ca 001dc502 3c0d0000 ...............<
178b4040: 00f47f17 004c0b00 1d0800b2 02000000 ......L.........
178b4050: 404004d7 210f01e1 80000000 03000001 ..@@...!........
178b4060: c9a7d4b7 bd2d20b5 31fbf7ac 747d2c6b ..... -....1k,}t
178b4070: 671958b5 783295ec c87a6b80 43432646 .X.g..2x.kz.F&CC

...

Also, you can see there is the valid data in CSF section on the target board. I set the size of CSF file in imximage.cfg as 0x2000. I'm enclosed csf file for your reference.

#Illustrative Command Sequence File Description

[Header]
2 Version = 4.2
3 Hash Algorithm = sha256
4 Engine Configuration = 0
5 Certificate Format = X509
6 Signature Format = CMS
7 Engine = CAAM
8
9 [Install SRK]
10 # Index of the key location in the SRK table to be installed
11 File = "../../crts/SRK_1_2_3_4_table.bin"
12 Source index = 0
13
14 [Install CSFK]
15 # Key used to authenticate the CSF data
16 File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
17
18 [Authenticate CSF]
19
20 [Install Key]
21 # Key slot index used to authenticate the key to be installed
22 Verification index = 0
23 # Target key slot in HAB key store where key will be installed
24 Target Index = 2
25 # Key to install
26 File= "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
27
28 [Authenticate Data]
29 # Key slot index used to authenticate the image data
30 Verification index = 2
31 # Authenticate Start Address, Offset, Length and file
32 #Blocks = 0x177ff400 0x00000000 0x00091c00 "u-boot-dtb.imx"
33 Blocks = 0x177ff400 0x00000000 0x00092c00 "u-boot-dtb.imx", \
34 0x00910000 0x0000002c 0x000002f8 "u-boot-dtb.imx"
35
36 [Unlock]
37 Engine = CAAM
38 Features = RNG

The following are the couple of commands to generate u-boot signed image file

$ ../linux64/bin/cst --o u-boot_csf.bin --i u-boot.csf
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 u-boot_csf.bin u-boot_csf_pad.bin
$ cat u-boot.imx u-boot_csf_pad.bin > u-boot-signed.imx

Please suggest on this issue.

Regards,

Rakesh

Re: imx6q secure boot HAB error

Bio_TICFSL — Mon, 13 Mar 2023 14:30:57 GMT

Hello,

Please read the HAB CST UG and the HAB V4 API RM.

Regards

Re: imx6q secure boot HAB error

rakesh3 — Tue, 14 Mar 2023 07:27:35 GMT

Thanks for reply,

Could you please give me any link of this doc.

Regards,

Re: imx6q secure boot HAB error

rakesh3 — Thu, 16 Mar 2023 09:58:06 GMT

Hi ,

I read the document, the failure its indicating is the INSERTION API, means some of component like IVT, data, DCD is not properly signed.

and other is the invalid digital signature of address.

I have doubt like , we have to use the same data from u-boot-dtb.imx.log file in the csf-u-boot.txt CSF file in authentication Block field.

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
Engine = DCP
# Authenticate Start Address, Offset, Length and file
#Blocks = 0x177ff400 0x00000000 0x00091c00 "u-boot-dtb.imx"
Blocks = 0x177ff400 0x00000000 0x00092c00 "u-boot-dtb.imx"

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 610400 Bytes = 596.09 KiB = 0.58 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00092c00
DCD Blocks: 0x00910000 0x0000002c 0x000002f8

Am i going in right direction, Any input on this would be appreciable.

Regards,

Rakesh

topic Re: imx6q secure boot HAB error in i.MX Processors

imx6q secure boot HAB error

Re: imx6q secure boot HAB error

Re: imx6q secure boot HAB error

Re: imx6q secure boot HAB error