AHAB implementation in iMX8QXP-MEK (B0)


597 Views
Syed_Ahmed
Contributor I

Hi,

We were planning to do AHAB implementation in iMX8QXP-MEK. We downloaded Yocto 5.10.35 from NXP and enabled AHAB_BOOT in the bootloader. We were able to get binaries signed using the CST tool. We were getting only AHAB_BAD_KEY_HASH_IND, which is expected when e-fuse is not done. Now we need to build a kernel image that will have AHAB security. We created and copied a signed os_cntr.bin file to SD. When we run auth_cntr, we get the below error.

Is it expected? If expected, is there a way to check that a secure boot is available in the kernel before e-fuse and close?

 

=> auth_cntr 0x98000000
Authenticate OS container at 0x98000000
sc_seco_authenticate: res:3
Authenticate container hdr failed, return -22
=> ahab_status
Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

SECO Event[1] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

SECO Event[2] = 0x0087F729
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = Unknown Indicator (0xF7)

sc_seco_get_event: idx: 3, res:3

 

0 Kudos
3 Replies
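
Added example (not part of the original posts and not NXP code): a Python script that triages the ahab_status output quoted in the question, separating the AHAB_BAD_KEY_HASH_IND events the poster expects on an unfused board from any other indicator that should be understood before fusing. The field layout (CMD in bits 23:16, IND in bits 15:8) is inferred from the log itself, and the function names are hypothetical.

```python
import re

# Sample input: the ahab_status output copied from the post above.
SAMPLE_LOG = """\
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)
SECO Event[1] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)
SECO Event[2] = 0x0087F729
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = Unknown Indicator (0xF7)
"""

EVENT_RE = re.compile(r"SECO Event\[(\d+)\] = 0x([0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^\s*(CMD|IND) = (.+?) \(0x([0-9A-Fa-f]{2})\)\s*$")
BAD_KEY_HASH = 0xFA  # AHAB_BAD_KEY_HASH_IND, value as printed in the log

def parse_events(log):
    """Decode each SECO event word and cross-check the printed CMD/IND bytes."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            word = int(m.group(2), 16)
            # Assumed layout, inferred from the log: CMD = bits 23:16, IND = bits 15:8.
            events.append({"idx": int(m.group(1)), "word": word,
                           "cmd": (word >> 16) & 0xFF, "ind": (word >> 8) & 0xFF,
                           "low": word & 0xFF,  # low byte: meaning not given on the page
                           "names": {}})
            continue
        f = FIELD_RE.match(line)
        if f and events:
            ev, key = events[-1], f.group(1).lower()
            if int(f.group(3), 16) != ev[key]:
                raise ValueError(f"event {ev['idx']}: printed {f.group(1)} disagrees with word")
            ev["names"][key] = f.group(2)
    return events

def triage(log):
    """Return (expected, investigate): key-hash mismatches vs. every other indicator."""
    expected, investigate = [], []
    for ev in parse_events(log):
        (expected if ev["ind"] == BAD_KEY_HASH else investigate).append(ev)
    return expected, investigate

if __name__ == "__main__":
    ok, todo = triage(SAMPLE_LOG)
    print(f"{len(ok)} key-hash event(s) expected before fusing")
    for ev in todo:
        print(f"Event[{ev['idx']}] 0x{ev['word']:08X}: IND 0x{ev['ind']:02X} needs investigation")
```

On the quoted log this reports Event[2] (IND 0xF7) as the one entry that is not explained by unprogrammed fuses.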

558 Views
Harvey021
NXP TechSupport

Hi 

Generate a hash value based on the container.

> openssl dgst -sha384 -binary -out hash384 <your container>

Verification operation:

> openssl pkeyutl -verify -in hash384 -sigfile <your container> -certin -inkey <your cert> -pkeyopt digest:sha384

As OpenSSL is open source, you can obtain assistance using openssl help.

 

Best regards

Harvey

 

0 Kudos

568 Views
Harvey021
NXP TechSupport

Hi @Syed_Ahmed 

1. Have you programmed the fuse?

2. You can refer to our cmd in U-Boot: try to load the container and then verify the container to check. It looks like there is an error in the container header part of the verification.

3. OpenSSL is an option to verify the container before fusing.

 

Best regards

Harvey

0 Kudos

567 Views
Syed_Ahmed
Contributor I

Hi @Harvey021 

We have to ensure the binaries are secure before fusing the board. Can you give some steps to verify the container through OpenSSL?

 

0 Kudos