1.We release the UUU tool instead of MFG tool for the newer BSP release. In this blog, the UUU version is 1.2.39.
2.We clear the DCD address , then sign the u-boot image, then set the DCD address again for the MFG tool before.
3.This method does not work for UUU tool with i.MX6UL. We will get HAB error events when we try to boot signed image which has no issue with MFG tool by UUU tool.
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0a 0x1c 0x87 0x7f 0xf4 0x00
0x00 0x09 0x6c 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
=>
UUU doesn’t clear the DCD which MFG tool did before for 6UL, so we don’t need to clear the DCD before signing the image by CST tool.
Below is the code signing steps I used, and I have verified it with HAB closed i,MX6UL device.
1)../linux64/bin/cst -o csf.bin -i uboot_4.14.78_sdp.csf
The content of uboot_4.14.78_sdp.csf can be
----------------------------------------------
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = ANY
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x877ff400 0x00000000 0x00096c00 "u-boot-dtb.imx"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x00910000 0x0000002c 0x000001e8 "u-boot-dtb.imx"
--------------------------------------
2)cat u-boot-dtb.imx csf.bin > u-boot-signed.bin
method 1: SDP command line mode
uuu.exe -s
U>SDP: dcd -f u-boot-signed.bin
1:1>Start Cmd:SDP: dcd -f u-boot-signed.bin
New USB Device Attached at 1:1
209%1:1>Okay
Okay
U>SDP: write -f u-boot-signed.bin -ivt 0
1:1>Start Cmd:SDP: write -f u-boot-signed.bin -ivt 0
New USB Device Attached at 1:1
100%1:1>Okay
Okay
U>SDP: jump -f u-boot-signed.bin
1:1>Start Cmd:SDP: jump -f u-boot-signed.bin
New USB Device Attached at 1:1
6400%1:1>Okay
Okay
method 2: simple method
uuu.exe u-boot-signed.bin
U-Boot 2018.03-dirty (Feb 25 2019 - 18:15:01 -0800)
CPU: Freescale i.MX6UL rev1.1 528 MHz (running at 396 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 33C
Reset cause: POR
Model: Freescale i.MX6 UltraLite 14x14 EVK Board
Board: MX6UL 14x14 EVK
DRAM: 512 MiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from MMC... Card did not respond to voltage select!
*** Warning - No block device, using default environment
Failed (-5)
Display: TFT43AB (480x272)
Video: 480x272x24
In: serial
Out: serial
Err: serial
Card did not respond to voltage select!
flash target is MMC:1
Card did not respond to voltage select!
MMC card init failed!
Card did not respond to voltage select!
** Block device MMC 1 not supported
Net:
Warning: ethernet@020b4000 using MAC address from ROM
eth1: ethernet@020b4000 [PRIME]
Warning: ethernet@02188000 using MAC address from ROM
, eth0: ethernet@02188000
Fastboot: Normal
Boot from USB for mfgtools
Use default environment for mfgtools
Run bootcmd_mfg: run mfgtool_args;if iminfo ${initrd_addr}; then if test ${tee} = yes; then bootm ${tee_addr} ${initrd_addr} ${fdt_addr}; else bootz ${loadaddr} ${initrd_addr} ${fdt_addr}; fi; else echo "Run fastboot ..."; fastboot 0; fi;
Hit any key to stop autoboot: 0
=> hab_status
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!