imx8mm HAB Questions

maxvde — Mon, 07 Oct 2024 08:34:02 GMT

Hi,

I have a few questions about how to use the meta-secure-boot layer from the i.MX8M security reference design.

How do I prove that the U-Boot SPL is correctly checked by the HAB at boot when loading via uuu?
Is it enough that it starts and that I see the "U-Boot SPL 2024.04+g674440bc73e+p0 (Jun 06 2024 - 10:05:34 +0000)" banner?
There doesn't seem to be an early printing of the HAB status at that stage, so I have concerns about it having the correct signing information and I would not want to set the device to closed state before knowing for sure that the SPL is correctly signed. The board is currently open, so it starts the SPL regardless of whether the HAB signing data is correct.
Is it possible to load the `signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk` via uuu while developing or does uuu somehow alter the transmitted data, which then breaks HAB?
Is it possible to load the `signed-Image-imx8mm-ebp001.bin` U-Boot via uuu while developing?
Or, do I need to flash the full `core-image-minimal-secure-boot-imx8mm-ebp001.rootfs.wic.zst` file to eMMC and make sure that my development board is booting directly from eMMC when it powers on?
In other words, is the security reference design targeting a flash boot rather than a USB SDP boot?

I'm using the meta-secure-boot layer with no changes, and the CST and its keys seem to all be recognized and used correctly after I set up the `csf_hab4.cfg` to point to them. The bitbake command completes without error.

I seem to be getting HAB Events with our images when loading these signed objects with a uuu script containing roughly the following instructions and the default loading addresses:

# Use signed image even on open dev boards

SDP: boot -f "signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk"

SDPV: delay 1000

SDPV: write -f "signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk" -skipspl

SDPV: jump

# -----------------------------------------------

# Boot to eMMC

# -----------------------------------------------

# Kernel location, plain kernel, no initramfs

# loadaddr=0x40400000

FB: delay 1000

FB: ucmd setenv fastboot_buffer ${loadaddr}

FB: download -f signed-Image-imx8mm-ebp001.bin

# Device Tree location

# fdt_addr=0x43000000

FB: ucmd setenv fastboot_buffer ${fdt_addr}

FB: download -f imx8mm-ebp001.dtb

# Booting from eMMC:

# Set root= to correct mmcblk0 partition

FB: ucmd setenv bootargs console=ttymxc1,115200 root=/dev/mmcblk2p2 debug ignore_loglevel

FB: acmd booti ${loadaddr} - ${fdt_addr}

I see the following HAB Event:

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x43 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_IVT (0x05)

CTX = HAB_CTX_AUTHENTICATE (0x0A)

ENG = HAB_ENG_ANY (0x00)

Re: imx8mm HAB Questions

Harvey021 — Thu, 10 Oct 2024 03:20:23 GMT

Hi,

The main features supported by the HABv4 are:
• Authentication of software loaded from any boot device supported, including the Serial Download Protocol (SDP).
• Authenticated USB download fail-over on any security failure.

Regards

Harvey

i.MX ProcessorsのトピックRe: imx8mm HAB Questions

imx8mm HAB Questions

Re: imx8mm HAB Questions