Address Values in Blocks

memrekaraaslan
Contributor II

Hello Community.

I am trying to secure u-boot for an iMX6UL board and I have a question about High Assurance Boot (HABv4).

I obtained .csf files after signing the u-boot, kernel and SPL. When I examined these csf files, I saw the address values. For example:

u-boot-ivt.img.csf:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177fffc0 0x0000 0x00058020 "u-boot-ivt.img"

and SPL.csf:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00907400 0x00000000 0x0000bc00 "SPL"

[Unlock]

Engine = CAAM
Features = RNG

and zImage-ivt.csf:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x82000000 0x0000 0x6ad020 "zImage-ivt"

My question is this:

Where do the address values in these blocks come from? I want to know about them. I'd appreciate any help.

Yuri
NXP Employee

Hello,

Look at Appendix E (Extracting U-boot data for CSF) of app note "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using HABv4", Rev. 2, 05/2018:

https://www.nxp.com/docs/en/application-note/AN4581.pdf

Have a great day,

Yuri
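
An added example, not part of the original posts and not taken from the NXP app note: a Python sketch that derives the Address, Offset and Length of a "Blocks" line from the IVT inside an image. It assumes the usual HABv4 IVT layout (a 4-byte header followed by seven little-endian words: entry, reserved1, dcd, boot_data, self, csf, reserved2), that the signed region starts at file offset 0 and ends where the IVT's csf pointer points, and that the caller knows the IVT's file offset. The function names are hypothetical and the sample images are constructed to match the Blocks lines quoted in the question.

```python
import struct

IVT_TAG, IVT_LEN = 0xD1, 0x20   # HABv4 IVT tag byte and fixed size
FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(image, ivt_off):
    """Decode the 32-byte IVT at file offset ivt_off."""
    if ivt_off < 0 or ivt_off + IVT_LEN > len(image):
        raise ValueError("IVT offset outside image")
    # Header: tag, big-endian length, version (0x4x for HABv4)
    tag, length, version = struct.unpack_from(">BHB", image, ivt_off)
    if tag != IVT_TAG or length != IVT_LEN or version & 0xF0 != 0x40:
        raise ValueError("no HABv4 IVT header at 0x%x" % ivt_off)
    # Seven little-endian 32-bit words follow the header
    return dict(zip(FIELDS, struct.unpack_from("<7I", image, ivt_off + 4)))

def csf_block(image, ivt_off):
    """Return (address, offset, length) for the CSF 'Blocks' line."""
    ivt = parse_ivt(image, ivt_off)
    if ivt["csf"] == 0:
        raise ValueError("IVT has no CSF pointer")
    address = ivt["self"] - ivt_off   # RAM address of file offset 0
    length = ivt["csf"] - address     # signed region ends where the CSF starts
    if address < 0 or not ivt_off + IVT_LEN <= length <= len(image):
        raise ValueError("IVT self/csf pointers do not match this file")
    return address, 0, length

def blocks_line(image, ivt_off, name):
    return 'Blocks = 0x%08x 0x%08x 0x%08x "%s"' % (*csf_block(image, ivt_off), name)

def make_sample(address, ivt_off, size):
    """Constructed test image: zero padding plus an IVT (not a real binary)."""
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40) + struct.pack(
        "<7I", address, 0, 0, 0, address + ivt_off, address + size, 0)
    body = bytearray(size)
    body[ivt_off:ivt_off + IVT_LEN] = ivt
    return bytes(body)

if __name__ == "__main__":
    # Layouts chosen to reproduce the Blocks lines quoted in the question
    uboot = make_sample(0x177FFFC0, 0x58000, 0x58020)   # IVT appended at the end
    spl = make_sample(0x00907400, 0x0, 0xBC00)          # IVT at the start
    print(blocks_line(uboot, 0x58000, "u-boot-ivt.img"))
    print(blocks_line(spl, 0x0, "SPL"))
```

The range check matters for review: a Length that stops short of the IVT, or pointers that do not match the file, means the CSF would not cover the bytes that are actually loaded.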

 

 

memrekaraaslan
Contributor II

Hello again.

I solved the problem. Since my development card is DART-6UL, I was signing with mx6ul. But I found out my chip is mx6ull. Therefore, when I sign with mx6ull, HAB events do not appear.

I followed this document: http://variwiki.com/index.php?title=High_Assurance_Boot&release=RELEASE_SUMO_V1.1_DART-6UL for Secure Boot.

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

After this message, I noticed something and I have question marks in my head. I tested all the conditions and saw the result:

If I have the SPL signed (SPL_signed) file on the SD card, it doesn't matter if u-boot and zImage are signed or not. If the SPL is signed again, I do not receive HAB events. However, if the SPL is unsigned, then I display HAB events even if u-boot and zImage are signed. I tried all the combinations of this trio and I got this result.

      SPL        u-boot   zImage   HAB Events
  1)  signed     signed   signed   No HAB Events Found
  2)  signed     X        X        No HAB Events Found
  3)  unsigned   X        X        HAB Events occur

X: don't care (signed or unsigned)

My question is: Why is only SPL's signature checked?

Does this mean that the device is ready to be "closed" when HAB events do not occur (No HAB Events Found!)?

Thanks.

Yuri
NXP Employee

Hello,

i.MX boot ROM really checks only the primary bootloader; further activities regarding trust extension are performed by secondary bootloader and are application dependent. Look at app note "HABv4 RVT Guidelines and Recommendations" for more details.

https://www.nxp.com/docs/en/application-note/AN12263.pdf

Regards,

Yuri.
