Hello Community.
I try to secure u-boot for iMX6UL board and I have a question about High Assurance Boot (HABv4).
I obtained .csf file after sign the u-boot, kernel and SPL. When I examine into this csf files, I saw the address values. For example:
u-boot-ivt.img.csf
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177fffc0 0x0000 0x00058020 "u-boot-ivt.img"
and SPL.csf:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00907400 0x00000000 0x0000bc00 "SPL"
[Unlock]
Engine = CAAM
Features = RNG
and zImage-ivt.csf:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x82000000 0x0000 0x6ad020 "zImage-ivt"
My question is this :
Where do the address values in these blocks come from? I want to know about them. I'd appreciate any help.
Hello,
Look at Appendix E (Extracting U-boot data for CSF) of app note Secure Boot on i.MX 50, i.MX 53,
i.MX 6 and i.MX 7 Series using HABv4, Rev. 2, 05/2018
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Have a great day,
Yuri
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
Hello again.
I solved the problem . Since my development card is DART-6UL, so I was signing with mx6ul. But I found out my chip is mx6ull. Therefore, when I sign with mx6ull, HAB events do not appear.
I followed this document : http://variwiki.com/index.php?title=High_Assurance_Boot&release=RELEASE_SUMO_V1.1_DART-6UL for Secure Boot.
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
After this message, I noticed something and I have question marks in my head. I tested all the conditions and saw the result:
If I have the SPL signed (SPL_signed) file on the SD card, it doesn't matter if u-boot and zImage are signed or not. If the SPL is signed again, I do not receive HAB events. However, if the SPL is unsigned, then I display HAB events even if u-boot and zImage are signed. I tried all the combinations of this trio and I got this result.
SPL u-boot zImage HAB Events
1) signed signed signed No HAB Events Found
2) signed X X No HAB Events Found
3) unsigned X X HAB Events occurs
X : doesn't care (signed or unsigned)
My question is: Why is only SPL's signature checked?
Does this mean that the device is ready to "closed" when HAB events do not occur (No HAB Events Found!) ?
Thanks.
Hello,
i.MX boot ROM really checks only the primary bootloader; further activities
regarding trust extension are performed by secondary booloader and are application
dependent. Look at app note "HABv4 RVT Guidelines and Recommendations"
for more details.
https://www.nxp.com/docs/en/application-note/AN12263.pdf
Regards,
Yuri.