secure boot on imx6q

brian_kim — Wed, 22 Jun 2016 09:02:21 GMT

I am trying to finalize setting up secure boot on our custom board with i.MX6.

Now, hab_status returned events (failure) but I don't know why it returned failure message.

This is sequnce and log about my work.

./hab4_pki_tree.sh

Do you want to use an existing CA key (y/n)?: n

Do you want to use Elliptic Curve Cryptography (y/n)?: n

Enter key length in bits for PKI tree: 2048

Enter PKI tree duration (years): 10

How many Super Root Keys should be generated? 4

Do you want the SRK certificates to have the CA flag set? (y/n)?: y

./srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \

./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,\

./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

get 8 keys

4) in uboot prompt

fuse prog 3 0 key00

fuse prog 3 7 key07

5) add CONFIG_SECURE_BOOT

imx6q_uboot/include/configs$ vi xxx_config.h

/* uncomment for SECURE mode support */

#define CONFIG_SECURE_BOOT

#ifdef CONFIG_SECURE_BOOT

#ifndef CONFIG_CSF_SIZE

#define CONFIG_CSF_SIZE 0x4000

#endif

6) make u-boot.imx

dd if=./u-boot.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'

0000: 402000D1

0004: 17800000

0008: 00000000

000c: 177FF42C

0010: 177FF420

0014: 177FF400

0018: 00000000

001c: 00000000

0020: 177FF000

0024: 00070000

0028: 00000000

002c: 401803D2

cat csf-uboot

=====================================================

#Illustrative Command Sequence File Description

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine = ANY

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]

# Key used to authenticate the CSF data

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

# Key slot index used to authenticate the key to be installed

Verification index = 0

# Target key slot in HAB key store where key will be installed

Target Index = 2

# Key to install

File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]

# Key slot index used to authenticate the image data

Verification index = 2

# Address Offset Length Data File Path

Blocks = 0x177FF400 0x000 0x6fc00 "./bin/u-boot.imx"

======================================================

0x6fc00 is size of u-boot.imx

./cst -o csf-uboot.bin -i csf-uboot

cat ./bin/u-boot.imx csf-uboot.bin > u-boot-signed.imx

10)

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c

0x00 0x00 0x03 0x18

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00

0x00 0x00 0x00 0x04

What is the reason of issue ?

Re: secure boot on imx6q

brian_kim — Fri, 24 Jun 2016 00:15:58 GMT

I was solved problem with below URL.

Encrypted boot loader on SabreSD i.MX6q board

Re: secure boot on imx6q

kinezo — Fri, 11 Aug 2017 13:52:09 GMT

Hey brian.kim‌, what part of the solution in that URL helped you fix your problem? I'm having the exact same HAB Events as you showed above, and I can't find a definitive answer as to how to fix this "HAB_INV_ADDRESS" (0x22) error.

topic Re: secure boot on imx6q in i.MX Processors

secure boot on imx6q

Re: secure boot on imx6q

Re: secure boot on imx6q