topic Re: iMX6SoloX - fast authentication - uImage signing. in i.MX Processors

iMX6SoloX - fast authentication - uImage signing.

arkadiuszkaras — Wed, 29 Mar 2017 06:40:12 GMT

Hello all,

O have a question regarding secure boot on iMX6SoloX processor, in fast authentication mode.

I have manage to boot successfully signed u-boot image in fast authentication mode.

I have generated 4 SRK keys for HAB, as described in MX6UL HAB (High Assurance Boot) https://community.nxp.com/docs/DOC-275249.

For signing u-boot I use following file:

#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index 0 used to authenticate the image data
Verification index = 0
Blocks = 0x8bfff7d0 0x00000000 0x00058000 "u-boot-pad.imx"‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Now, I want also to check signature for uImage, but I want to use different key for that.

I tried with following configuration first:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
Verification index = 0
Blocks = 0x80810000 0x0 0x385020 "uImage.pad.ivt"
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

It works properly with "SRK1_sha256_2048_65537_v3_usr_crt.pem" key, but if I try to use different certificate (i.e. SRK2_sha256_2048_65537_v3_usr_crt.pem) I always got signature check failure.

So my question is - is it possible to sign uImage with different key than u-boot in case of fast authentication mode ?

Regards

Arek Karaś

Re: iMX6SoloX - fast authentication - uImage signing.

satyadamarla — Wed, 29 Mar 2017 08:17:29 GMT

Hello Arek,

Have you tried with Source Index = 1 (for SRK2)? I think this is the reason.

Greets,

Satya

Re: iMX6SoloX - fast authentication - uImage signing.

arkadiuszkaras — Wed, 29 Mar 2017 08:39:38 GMT

Hello Satya,

I have tried it already, it does not work, here are logs from u-boot:

Authenticate image from DDR location 0x80810000...

ivt_offset = 0x385000, ivt addr = 0x80b95000
Dumping IVT
80b95000: 412000d1 80810000 00000000 00000000    .. A............
80b95010: 00000000 80b95000 80b95020 00000000    .....P.. P......
Dumping CSF Header
80b95020: 413800d4 000c00be 00011703 38000000    ..8A...........8
80b95030: 000c00ca 0000c501 c8070000 1d0800b2    ................
80b95040: 02000000 001400ca 0000c500 c8090000    ................
80b95050: 00008180 20503800 404004d7 210f01e1    .....8P ..@@...!

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!


Calling authenticate_image in ROM
        ivt_offset = 0x385000
        start = 0x80810000
        bytes = 0x387020

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0f 0xc0 0x00
        0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
        0x00 0x00 0x00 0x38
Authenticate uImage Fail, Please check

‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: iMX6SoloX - fast authentication - uImage signing.

satyadamarla — Wed, 29 Mar 2017 12:08:23 GMT

I tried to analyse the error: SRCE - Status Reason Context Engine

0x33 - HAB_FAILURE

0x0F - Invalid Index

0xC0 - CSF or DCD problem. I think it is CSF here

0x00 - Any Engine

So, I can only imagine a Index Error.

"src is the source key index within the Super-Root Key Table (with 0 denoting the first key in the table)," (Pg 31, HAB4_API.pdf). This should indicate which SRK has to be used.

Unfortunately, I dont have time to check fast authentication.

Anyway Good Luck,

Satya

Re: iMX6SoloX - fast authentication - uImage signing.

arkadiuszkaras — Wed, 29 Mar 2017 12:20:13 GMT

Hello Satya,

should I report this through support request ?

Regards

Arek

Re: iMX6SoloX - fast authentication - uImage signing.

satyadamarla — Wed, 29 Mar 2017 12:44:49 GMT

Arek,

I wouls suggest you to wait for a day or two and then perhaps do that. There are people like Yuri and Igor who usually reply. They are the experts.

Cheers,

Satya

PS: I hope your Verfication Index is always 0 (zero) for Fast Authentication in spite of your Source index which should be the SRK key you want to use. 0 indicates SRK based authentication, 1 for CSF and 2 for Image key.

Re: iMX6SoloX - fast authentication - uImage signing.

arkadiuszkaras — Wed, 29 Mar 2017 12:55:27 GMT

Hello Satya,

thanks for answer.

Yes, verification index is 0.

Regards

Arek

Re: iMX6SoloX - fast authentication - uImage signing.

b36401 — Mon, 03 Apr 2017 05:33:53 GMT

Please create a technical case regarding to HAB issues.
Please refer this document regarding to case creation:
https://community.nxp.com/thread/381898

Re: iMX6SoloX - fast authentication - uImage signing.

linderpi — Fri, 27 Jan 2023 13:51:17 GMT

Do you have a solution to this? I have the same problem with an i.MX8MM and HAB fast authentication enabled.