i.MX6UL bootloader code signing method for UUU tool

[Background]
[Reason]
[code signing steps]
Commands in CST3.1 terminal
Commands in UUU window
Commands in 6UL console

[Background]

1.We release the UUU tool instead of MFG tool for the newer BSP release. In this blog, the UUU version is 1.2.39.

2.We clear the DCD address , then sign the u-boot image, then set the DCD address again for the MFG tool before.

3.This method does not work for UUU tool with i.MX6UL. We will get HAB error events when we try to boot signed image which has no issue with MFG tool by UUU tool.

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0a 0x1c 0x87 0x7f 0xf4 0x00
0x00 0x09 0x6c 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

=>

[Reason]

UUU doesn’t clear the DCD which MFG tool did before for 6UL, so we don’t need to clear the DCD before signing the image by CST tool.

[code signing steps]

Below is the code signing steps I used, and I have verified it with HAB closed i,MX6UL device.

Commands in CST3.1 terminal

1）../linux64/bin/cst -o csf.bin -i uboot_4.14.78_sdp.csf

The content of uboot_4.14.78_sdp.csf can be

----------------------------------------------

[Header]

Version = 4.2

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

Engine = ANY

[Install SRK]

# Index of the key location in the SRK table to be installed

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

# Key used to authenticate the CSF data

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

# Key slot index used to authenticate the key to be installed

Verification index = 0

# Target key slot in HAB key store where key will be installed

Target Index = 2

# Key to install

File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]

# Key slot index used to authenticate the image data

Verification index = 2

# Authenticate Start Address, Offset, Length and file

Blocks = 0x877ff400 0x00000000 0x00096c00 "u-boot-dtb.imx"

[Authenticate Data]

# Key slot index used to authenticate the image data

Verification index = 2

# Authenticate Start Address, Offset, Length and file

Blocks = 0x00910000 0x0000002c 0x000001e8 "u-boot-dtb.imx"

--------------------------------------

2）cat u-boot-dtb.imx csf.bin > u-boot-signed.bin

Commands in UUU window

method 1: SDP command line mode

uuu.exe -s

U>SDP: dcd -f u-boot-signed.bin

1:1>Start Cmd:SDP: dcd -f u-boot-signed.bin

New USB Device Attached at 1:1

209%1:1>Okay

Okay

U>SDP: write -f u-boot-signed.bin -ivt 0

1:1>Start Cmd:SDP: write -f u-boot-signed.bin -ivt 0

New USB Device Attached at 1:1

100%1:1>Okay

Okay

U>SDP: jump -f u-boot-signed.bin

1:1>Start Cmd:SDP: jump -f u-boot-signed.bin

New USB Device Attached at 1:1

6400%1:1>Okay

Okay

method 2: simple method

uuu.exe u-boot-signed.bin

Commands in 6UL console

U-Boot 2018.03-dirty (Feb 25 2019 - 18:15:01 -0800)

CPU: Freescale i.MX6UL rev1.1 528 MHz (running at 396 MHz)

CPU: Industrial temperature grade (-40C to 105C) at 33C

Reset cause: POR

Model: Freescale i.MX6 UltraLite 14x14 EVK Board

Board: MX6UL 14x14 EVK

DRAM: 512 MiB

MMC: FSL_SDHC: 0, FSL_SDHC: 1

Loading Environment from MMC... Card did not respond to voltage select!

*** Warning - No block device, using default environment

Failed (-5)

Display: TFT43AB (480x272)

Video: 480x272x24

In: serial

Out: serial

Err: serial

Card did not respond to voltage select!

flash target is MMC:1

Card did not respond to voltage select!

MMC card init failed!

Card did not respond to voltage select!

** Block device MMC 1 not supported

Net:

Warning: ethernet@020b4000 using MAC address from ROM

eth1: ethernet@020b4000 [PRIME]

Warning: ethernet@02188000 using MAC address from ROM

, eth0: ethernet@02188000

Fastboot: Normal

Boot from USB for mfgtools

Use default environment for mfgtools

Run bootcmd_mfg: run mfgtool_args;if iminfo ${initrd_addr}; then if test ${tee} = yes; then bootm ${tee_addr} ${initrd_addr} ${fdt_addr}; else bootz ${loadaddr} ${initrd_addr} ${fdt_addr}; fi; else echo "Run fastboot ..."; fastboot 0; fi;

Hit any key to stop autoboot: 0

=> hab_status

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

No HAB Events Found!