Vybrid and HAB authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Vybrid and HAB authentication

1,865 Views
twong
Contributor II

Hello,

 

I am having trouble getting HAB authentication to work on the TWR-VF65GS10 and am wondering what I am missing or what I can try to do to get it to work. The compiler I am using is IAR Embedded Workbench.

 

In my situation, I have 2 tower boards: one in open state that I am using for reference and the other in closed state with the SRK values generated by the cst 2.3.1 package written to the OCOTP_SRK fuses. I can still debug using JTAG on the closed board.

 

I created a program blink.bin (attached along with linker file sram_iar_a5.icf) that will boot from the SD card and then continuously blink the LEDs on the tower board based on the example in \Freescale\Freescale_MQX_4_2\mqx\examples\bootloader_vybrid. I booted blink.bin from the SD card on the open board and confirmed that it worked but after following the signing steps on blink.bin I cannot get the signed image to boot from the SD card on the closed board.

 

So far, I have been using AN4581 as a guide.

 

From there I generated the PKI tree and SRK table.

 

I programmed the fuses and verified with the debugger (OCOTP_SRK#) that they were actually programmed.

(Do I have the order and endianess correct in the example below?)

 

eg.

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

0x00112233

0x44556677

0x8899AABB

0xCCDDEEFF

0x00112233

0x44556677

0x8899AABB

0xCCDDEEFF

 

166388_166388.pngpastedImage_3.png

 

Next, I closed the board by programming Bank 0, Word 6, Byte 0 to 0x02 (verified with OCOTP_CFG5).

 

Next, I took blink.bin and padded with zeros at the end to align it with 0x1000 size to make blink_padded.bin (attached)

(Am I padding the wrong area?).

 

Then I ran the following to generate blink_csf.bin (attached) using blink.csf file (attached) and concatenated blink_padded.bin + blink_csf.bin = blink_signed.bin (attached) :

 

thomas@thomas-VirtualBox:~/cst/cst-2.3.1/blink$ ../linux64/cst --o blink_csf.bin < blink.csf
CSF Processed successfully and signed data available in blink_csf.bin
thomas@thomas-VirtualBox:~/cst/cst-2.3.1/blink$ cat blink_padded.bin blink_csf.bin > blink_signed.bin

 

Next on Windows I copied the blink_signed.bin image onto the SD card:

C:\Freescale\Freescale_MQX_4_2\tools\ddcopy>ddcopy.exe infile=blink_signed.bin outdevice=u: seek=0x400 obs=512
start copying
done

 

Then I tried to boot using the SD card on the closed board with the jumpers as shown but blink does not seem to be able to run.

(Do I have some jumper(s) in the wrong place?)

 

166389_166389.pngpastedImage_4.png

 

I took the same SD card and booted it on the open board and it was able to run so I think it must have something to do with the HAB.

 

From AN4581, I understand that iMX6 has a hab_status command that can be enabled in U-Boot to look at the events that were generated. I was able to compile and run U-Boot on the Vybrid tower with the instructions here u-boot on the Vybrid tower board in a few commands and added #define CONFIG_SECURE_BOOT to vf610twr.h but I don't think there is support for the hab_status command for Vybrid on U-Boot? Is there another way to examine the events that are generated to try to figure out what exactly the HAB is dissatisfied with?

 

Any advice would be appreciated.

 

Thanks,

Thomas

Original Attachment has been moved to: blink_csf.bin.zip

Original Attachment has been moved to: blink.csf.zip

Original Attachment has been moved to: blink_padded.bin.zip

Original Attachment has been moved to: sram_iar_a5.icf.zip

Original Attachment has been moved to: blink_signed.bin.zip

Original Attachment has been moved to: blink.bin.zip

Labels (2)
Tags (2)
0 Kudos
Reply
4 Replies

1,407 Views
Yuri
NXP Employee
NXP Employee

Hello,

 

  Please create request in order to get detailed example for i.MX6, which hope - helps. 

https://community.nxp.com/docs/DOC-329745 

Have a great day,

Yuri

 

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

------------------------------------------------------------------------------

0 Kudos
Reply

1,407 Views
twong
Contributor II

Tried adjusting values so address of CSF is aligned with 0x1000 but closed board still won't boot though.

Padded blink.bin to create blink_padded.bin with file size of 0x20C00 = 0x21000 - 0x400 (ivt starts right at the beginning of file in blink.bin, not at byte 0x400 of file in blink.bin)

Adjusted blink.csf blocks line to:

Blocks = 0x3f040400 0x000 0x20C00 "/home/thomas/cst/cst-2.3.1/blink/blink_padded.bin"

From CST User guide:

List of one or more data blocks. Each
block is specified by four parameters:
source file (must be binary),
starting load address in memory
starting offset within the source file
length (in bytes)

The layout of SD card should be:

-- 0x0

blank

-- 0x400 -- (blink_padded.bin)

ivt, dcd, boot_data

program

padding

-- 0x21000 -- (blink_csf.bin)

csf data

padding

-- 0x22000

The SRAM layout should then be:

-- 0x3f040400

ivt, dcd, boot_data

program

padding

-- 0x3f061000

csf data

padding

-- 0x3f062000

0 Kudos
Reply

1,407 Views
twong
Contributor II

It appears my locked board is preproduction as referenced here https://community.nxp.com/thread/314356. All the OTPMK values were 0 so I burned in random values to the OTPMK fuses.

The closed board still won't boot though.

0 Kudos
Reply

1,407 Views
twong
Contributor II

In vybrid reference manual, it states that there is a csf value inside the ivt which points to the csf. In my binaries, the values are 0. I used a hex editor to modify the ivt (7th uint32_t) in the binary to 0x3f060400 (start of ivt 0x3f040400 + padded binary size 0x20000), the address csf should be at in memory.

Also tried padding the end of the signed file to 0x1000 size.

Changed version value in csf header value from 4.1 to 4.0.

None of the above got it to work though.

0 Kudos
Reply