Hi there,
I've managed successfully to create signed container files that will boot (mostly following https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t... and https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_spl_secure_bo...) without any SECO events after programming the fuses.
However, when I boot the signed Linux container, it will boot even if I have signed it with the wrong keys. I haven't yet closed the device, but I would have expected some sort of warning or the like anyway. Is there any way to check whether the authentication of the kernel container was successful or not without closing the device?
Hi Oliver
Answer from team:
---------------------
If your test chip is not closed, then even if the OS container authentication failed, it won't affect the kernel boot.
For the OS container, you can authenticate it with the "auth_cntr addr" command in U-Boot.
Then, after running the command, you can use ahab_status to see whether the AHAB events have increased as a result of authenticating the OS container; from that you can tell whether the OS container is signed correctly or not.
---------------------
Best regards
igor
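
The before/after comparison described in the answer above, as an added example that is not part of the original thread: a host-side Python check that takes two captured `ahab_status` outputs (one before and one after `auth_cntr`) and reports any SECO events that appeared in between. The `SECO Event[n] = 0x...` line format and the sample captures are assumptions constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed ahab_status line format: "SECO Event[<n>] = 0x<8 hex digits>"
EVENT_RE = re.compile(r"SECO Event\[\d+\]\s*=\s*0x([0-9A-Fa-f]{8})")


def seco_events(console_text):
    """Return the event words printed by one ahab_status run, in order."""
    return [int(m.group(1), 16) for m in EVENT_RE.finditer(console_text)]


def new_events(before_text, after_text):
    """Events present in the second capture that the first did not contain."""
    already_seen = Counter(seco_events(before_text))
    fresh = []
    for event in seco_events(after_text):
        if already_seen[event] > 0:
            already_seen[event] -= 1  # logged before auth_cntr was run
        else:
            fresh.append(event)
    return fresh


def signed_correctly(before_text, after_text):
    """True when auth_cntr added no SECO events between the two captures."""
    return not new_events(before_text, after_text)


# Constructed sample captures (not taken from a real board).
BEFORE = """=> ahab_status
No SECO Events Found!
"""
AFTER_BAD = """=> ahab_status
SECO Event[0] = 0x0087EE00
"""

if __name__ == "__main__":
    for label, after in (("unchanged", BEFORE), ("new event", AFTER_BAD)):
        fresh = ["0x%08X" % e for e in new_events(BEFORE, after)]
        verdict = "OK" if signed_correctly(BEFORE, after) else "FAILED"
        print(label, verdict, fresh)
```

Comparing against the earlier capture matters because events already logged during boot would otherwise be mistaken for an OS container failure.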