Secure boot problem on i.MX6

frédéric — Thu, 30 Oct 2014 14:48:23 GMT

I am using u-boot 2014.04 on a i.MX6 board (based on a nitrogen6x), I read documentation and posts here on the forum, I took multiple guides

i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf, How-to enable HAB in i.MX6.pdf, AN4581.pdf, secure_boot_on_imx6.pdf, HAB4_API.pdf, HABCST_UG.pdf, etc

Then the BLN_CST_MAIN_02.01.01.tar.gz package, I was not able to find the secureboot_scripts.tar.gz package, according to the doc I need it because my uboot is bigger than 0x2F000 so I cannot statically allocate HAB data.

I found the secure script utilities in imx-linux-test.git in /test/mxc_secureboot/V2012, there is no 2014 version but after looking at the script they look ok and automatize the job instead of doing it by hand.

I followed the guide from i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf and installed the script according to the README from test/mxc_secureboot/V2012/README.

I generated the keys with hab4_pki_tree.sh then the SRK file with srktool utility, it created a SRK_1_2_3_4_fuse.bin (32 bytes) and SRK_1_2_3_4_table.bin file (1088 bytes).

I enabled CONFIG_SECURE_BOOT in u-boot and compiled it, it complained about a missing authenticate_image() but I ported a patch from

http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot/u-boot-imx.git;a=commit;h=36c1ca4d46ef11ac7b3c0afb5c42dadb4e8773f3

I then followed the README, copied u-boot.imx in BLN/u-boot, run ./mk_secure_uboot, it generated this u-boot.csf

[Header]

    Version = 4.0

    Security Configuration = Open

    Hash Algorithm = sha256

    Engine Configuration = 0

    Certificate Format = X509

    Signature Format = CMS

[Install SRK]

    File = "../crts/SRK_1_2_3_4_table.bin"

    Source index = 0

[Install CSFK]

    File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

    Verification index = 0

    Target index = 2

    File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# length = 0x5B000

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

#    Image block start address on i.MX, Offset from start of image file,

#    Length of block in bytes, image data file

[Authenticate Data]

    Verification index = 2

    Blocks = 0x177FF400 0x0 0x5B000 "u-boot-pad.imx"

The script generated a u-boot_csf.bin which is 3896 bytes long, doing a hexdump on it I can see it contain various strings like "OpenSSL Generated Certificate" or "SRK1_sha256_2048_65537_v3_ca"

It also generated the habimagegen script as follow:

#! /bin/bash

echo "extend u-boot to 0x5B000..."

objcopy -I binary -O binary --pad-to 0x5B000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx

echo "generate csf data..."

../linux/cst --o u-boot_csf.bin < u-boot.csf

echo "merge image and csf data..."

cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx

echo "extend final image to 0x5D000..."

objcopy -I binary -O binary --pad-to 0x5D000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx

echo "u-boot-signed-pad.imx is ready"

When I boot my u-boot, I have an event for invalid address

U-Boot > hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

If I understand the IVT, it seems the CSF/hab_data is populated

00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 |.. @........,...|

00000010 20 f4 7f 17 00 f4 7f 17 00 a0 85 17 00 00 00 00 | ...............|

00000020 00 f0 7f 17 00 d0 05 00 00 00 00 00 d2 03 18 40 |...............@|

00000030 cc 03 14 04 02 0e 05 a8 00 00 00 30 02 0e 05 b0 |...........0....|

Also mkimage shows the same as before, I thought it would show "HAB Blocks: XXXXXXX" at the end

./mkimage -l u-boot-signed-pad.imx

Image Type:   Freescale IMX Boot Image

Image Ver:    2 (i.MX53/6 compatible)

Data Size:    372736 Bytes = 364.00 kB = 0.36 MB

Load Address: 177ff420

Entry Point: 17800000

In a lot of doc there is change to be made to either flash_header.S or to u-boot.lds to insert the CSF or hab_data, I cannot find any info about __hab_data in my u-boot sources, nor changes in lds script.

I checked the u-boot sources from u-boot-fslc.git and u-boot-imx.git and there is no reference to hab_data anywhere.

EDIT : just saw that the CSF pointer is at 1785a000 but I think it should be at 1785b000

If I change the CSF pointer to 1785b000 however, the HAB event report 0x11 invalid CSF, so not sure if value is right or not...

Any help would be appreciated!

Re: Secure boot problem on i.MX6

frédéric — Fri, 31 Oct 2014 14:31:09 GMT

Answer to myself, I needed the tools/mkimage utility from the freescale git (I used the one from imx_v2013.04_3.10.17_1.0.0_ga), I had the one from boundary git...

Now it works, closed mode, secure boot enabled!

Re: Secure boot problem on i.MX6

supriyac — Mon, 21 Mar 2016 10:20:48 GMT

Hello,

Am trying secure boot on SabreSD (Uboot-2015.07). Even am getting the same issue as yours.

Could you please be more specific on how to use mkimage utility for getting "secure boot enabled"?

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

Thank you in advance

-Supriya

i.MX ProcessorsのトピックRe: Secure boot problem on i.MX6

Secure boot problem on i.MX6

Re: Secure boot problem on i.MX6

Re: Secure boot problem on i.MX6