Secure Boot on i.MX8M Plus 4Gb board failed to get correct HAB Status

I have followed the exact steps of the PDF "Steps for Single Secure Boot for Android BSP" and Android Security Guide for Keys generation, but after flashing I'm unable to achieve secure boot as the HAB status is not correct. What needs to be done to enable the secure boot process?

These are all the steps that I followed precisely to do the secure boot and attached the screenshots as well:

1. Build image with IMX_HAB enabled

Prepared the build environment and ran the following commands in the /android_build directory

export AARCH32_GCC_CROSS_COMPILE=/opt/arm-gnu-toolchain-12.3.rel1-x86_64-arm-none-eabi/bin/arm-none-eabi-

export AARCH64_GCC_CROSS_COMPILE=/opt/arm-gnu-toolchain-12.3.rel1-x86_64-aarch64-none-linux-gnu/bin/aarch64-none-linux-gnu-

export CLANG_PATH=/opt/prebuilt-android-clang

export LIBCLANG_PATH=/opt/prebuilt-android-clang/clang-r510928/lib

export PATH=/opt/prebuilt-android-kernel-build-tools/linux-x86/bin:$PATH

export PATH=/opt/prebuilt-android-rust/linux-x86/1.73.0b/bin:$PATH

export PATH=/opt/prebuilt-android-clang-tools/linux-x86/bin:$PATH

2. Built the images to be signed

I have enabled the configuration of CONFIG_IMX_HAB=y in the following files of imx8mp under the directory ./vendor/nxp-opensource/uboot-imx/configs/

imx8mp_iwg40m_4gb_android_defconfig

imx8mp_iwg40m_4gb_android_dual_defconfig

imx8mp_iwg40m_4gb_android_uuu_defconfig

imx8mp_iwg40m_osm_4gb_android_defconfig

imx8mp_iwg40m_osm_4gb_android_uuu_defconfig

imx8mp_iwg40m_0sm_4gb_usbotg_android_defconfig

Then again built the image

source build/envsetup.sh

lunch iwg40m_8mp-trunk_staging-userdebug

./imx-make.sh -j4 2>&1 | tee build-log.txt

3. Generation of Keys and Certificates

  1. Download Code Signing Tool (CST) from NXP official website. Decompress the package with the following command: tar zxvf cst-3.1.0.tgz
  2. Generate the HABv4 PKI tree. After the tool package is decompressed, enter the directory of ${CST}/keys/, and execute the following command: ./hab4_pki_tree.sh
  3.   Then entered some parameters based on the output.
    Do you want to use an existing CA key (y/n)?: n
    Do you want to use Elliptic Curve Cryptography (y/n)?: n
    Enter key length in bits for PKI tree: 2048
    Enter PKI tree duration (years): 5
    How many Super Root Keys should be generated? 4
    Do you want the SRK certificates to have the CA flag set? (y/n)?: y
  4. Generate AHAB SRK tables and eFuse hash. Enter the directory of ${CST}/crts/, and execute the following command:
    ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem
    After the preceding commands are executed successfully, the SRK table and its SHA256 value are generated and saved respectively in two files under ${CST}/crts/.
    f. Dump the SRK hash value. Change directory to crts/ in Code Signing Tool (CST). Execute the following command to dump the SRK hash value:
    hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

Suraj_Roy_0-1773379043231.jpeg



4. Configure csf files with UUU defconfig and signing

Copy a template of csf files from the directory android_build/vendor/nxp-opensource/uboot-imx/doc/imx/habv4/csf_examples/mx8m/ to the directory /cst/linux64/bin/
cp ~/android_build/vendor/nxp-opensource/uboot-imx/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt /cst-3.4.1/linux64/bin
cp ~/android_build/vendor/nxp-opensource/uboot-imx/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt /cst-3.4.1/linux64/bin
cp ~/android_build/vendor/nxp-opensource/uboot-imx/doc/imx/habv4/csf_examples/mx8m/csf_fit_fdt.txt /cst-3.4.1/linux64/bin

Copy the image files to be signed for single boot:
cp ~/android_build/out/target/product/imx8mp_iwg40m/u-boot-imx8mp-iwg40m-4gb.imx /cst-3.4.1/linux64/bin
cp ~/android_build/out/target/product/imx8mp_iwg40m/u-boot-imx8mp-iwg40m-4gb-uuu.imx /cst-3.4.1/linux64/bin

To configure each CSFs file for its offset and Blocks: They can be obtained from the build log - make_android.txt and configure each of the csf text files from the Block addresses obtained from the build_log.txt

Suraj_Roy_1-1773379043345.jpeg



Suraj_Roy_2-1773379043455.jpeg



  1. Csf_spl_uuu.txt
    Suraj_Roy_3-1773379043532.jpeg
  2. Csf_fit_uuu.txt
    Suraj_Roy_4-1773379043617.jpeg
  3. Csf_fit_fdt.txt
    Suraj_Roy_5-1773379043692.jpeg

signing spl and fit:

./bin/cst -i csf_spl_uuu.txt -o csf_spl_uuu.bin
./bin/cst -i csf_fit_uuu.txt -o csf_fit_uuu.bin
dd if=csf_spl_uuu.bin of=u-boot-imx8mp-iwg40m-4gb.imx seek=$((0x2de00)) bs=1 conv=notrunc
dd if=csf_fit_uuu.bin of=u-boot-imx8mp-iwg40m-4gb-uuu.imx seek=$((0x58c20)) bs=1 conv=notrunc

signing fit_fdt
./bin/cst -i csf_fit_fdt_uuu.txt -o csf_fit_fdt_uuu.bin
dd if=csf_fit_fdt_uuu.bin of=u-boot-imx8mp-iwg40m-4gb-uuu.imx seek=$((0x5ac20)) bs=1 conv=notrunc

Copying the image:
After the image is signed with the keys in /cst/release/linux64/bin then again copy the image back to the flashing directory of /android_build.

Flashing the device:

Suraj_Roy_6-1773379043805.jpeg

5. HAB events test and close device

After flashing the board, the HAB event is displayed as:

iWave-G40 >hab_status
Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

        0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0

        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------

event data:

  0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x0

   0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0

        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------

event data:

        0xdb 0x00 0x2c 0x45 0x33 0x18 0xc0 0x00

        0xca 0x00 0x24 0x00 0x02 0xc5 0x1d 0x00

        0x00 0x00 0x0d 0x4c 0x40 0x20 0x00 0x00

        0x00 0x13 0xe0 0x10 0x40 0x33 0xe0 0x10

        0x00 0x01 0x01 0x30 0x00 0x97 0x00 0x00

        0x00 0x00 0xaa 0x70

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_SIGNATURE (0x18)

CTX = HAB_CTX_COMMAND (0xC0)

ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------

event data:

        0xdb 0x00 0x2c 0x45 0x33 0x18 0xc0 0x00

        0xca 0x00 0x24 0x00 0x02 0xc5 0x1d 0x00

        0x00 0x00 0x0d 0x4c 0x40 0x20 0x00 0x00

        0x00 0x13 0xe0 0x10 0x40 0x33 0xe0 0x10

        0x00 0x01 0x01 0x30 0x00 0x97 0x00 0x00

        0x00 0x00 0xaa 0x70

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_SIGNATURE (0x18)

CTX = HAB_CTX_COMMAND (0xC0)

ENG = HAB_ENG_ANY (0x00)

Re: Secure Boot on i.MX8M Plus 4Gb board failed to get correct HAB Status

Hello,

The detailed description of the event data is located in HAB4_API.pdf, please check in the link below:

https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/MCX/481/1/HAB4_API.pdf
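
The event records in the question can be decoded mechanically. The following is an added example, not part of the thread or of NXP's code, that parses two of the events exactly as `hab_status` printed them. The payload layouts used here (an assertion record as type/address/length, and a 0xCA Authenticate Data command carrying a key index, a signature offset and a block list) and the dictionary field names are assumptions to be checked against HAB4_API.pdf.

```python
import re
import struct

# Code names exactly as hab_status printed them in the post.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x18: "HAB_INV_SIGNATURE"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}

# Events 1 and 3 from the post, pasted as printed.
EVENT_1 = """0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0
0x00 0x00 0x00 0x20"""
EVENT_3 = """0xdb 0x00 0x2c 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x24 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x0d 0x4c 0x40 0x20 0x00 0x00
0x00 0x13 0xe0 0x10 0x40 0x33 0xe0 0x10
0x00 0x01 0x01 0x30 0x00 0x97 0x00 0x00
0x00 0x00 0xaa 0x70"""


def decode_event(text):
    """Decode one 'event data' dump into its header fields and payload."""
    raw = bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{1,2})\b", text))
    if len(raw) < 8:
        raise ValueError("event shorter than its 8-byte header")
    # Header: tag 0xDB, big-endian length, version, STS, RSN, CTX, ENG.
    tag, length, _ver, sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    ev = {"status": STATUS.get(sts, hex(sts)),
          "reason": REASON.get(rsn, hex(rsn)),
          "context": CONTEXT.get(ctx, hex(ctx))}
    body = raw[8:]
    if ctx == 0xA0 and len(body) == 12:
        # Assumed layout: assertion type, block address, block length.
        _kind, addr, size = struct.unpack(">III", body)
        ev["assert_block"] = (addr, size)
    elif ctx == 0xC0 and body[:1] == b"\xca" and len(body) >= 12:
        # Assumed layout: the failing Authenticate Data command, verbatim.
        cmd_len = struct.unpack(">H", body[1:3])[0]
        ev["key_index"] = body[4]
        ev["sig_offset"] = struct.unpack(">I", body[8:12])[0]
        ev["blocks"] = [struct.unpack(">II", body[i:i + 8])
                        for i in range(12, min(cmd_len, len(body)) - 7, 8)]
    return ev


if __name__ == "__main__":
    for dump in (EVENT_1, EVENT_3):
        print(decode_event(dump))
```

Both failing events name the memory blocks HAB was checking, so the block list from event 3 can be compared directly with the Blocks entries in the csf files and the offsets in the build log.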


Re: Secure Boot on i.MX8M Plus 4Gb board failed to get correct HAB Status

I am using i.MX 8M Plus SMARC board from iWave. I have question that there some different steps or some modification

Re: Secure Boot on i.MX8M Plus 4Gb board failed to get correct HAB Status

It seems that you haven't signed the part of "u-boot-imx8mp-iwg40m-4gb.imx"

@Suraj_Roy 


Re: Secure Boot on i.MX8M Plus 4Gb board failed to get correct HAB Status

I have the signed using Steps for Single Secure Boot for Android BSP and Android Security Guide for Keys generation document
Last updated: 03-26-2026 02:28 AM