We are trying to implement the chain of trust using the HAB support for IMX6Q.
So far we followed the same instructions provided on this site https://boundarydevices.com/high-assurance-boot-hab-dummies/
The generation of fuses, the keys, signing, etc. works just fine; there is no error reported.
We are also considering that the following command:
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
works for IMX6Q.
The problem: U-Boot signatures are OK; HAB reports no errors upon U-Boot entry.
U-Boot then loads the signed boot script from flash. Signature validation fails. These errors are displayed (copied from a previous comment):
db 00 14 41
33 28 33 00 FAILURE, INV_CALL, CTX_TARGET
00 01 00 00
00 30 80 17
f0 00 00 00
db 00 24 41
33 30 ee 1d FAILURE, ENG_FAIL, CTX_EXIT, ENG_CAAM
00 04 00 02
00 00 00 00
55 55 00 03
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 06
Why? What are we doing wrong? We are using a board called Trizeps VII from K&K with IMX6Q (https://www.keith-koep.com/en/products/som-system-on-module/trizeps-product-family/trizeps-vii)
Hi @Yuri
More technical details about the problem (these could be sent to external parties to ask for help):
The CSF example is attached (engine = SW, blocks = IVT (0x20) + image (0x4)).
High-level system overview:
Plugin enabled. Plugin load addr = 0x907000. Plugin size (padded, with CSF) = 0x3000.
U-boot body load addr = 0x17800000.
The problem: U-Boot signatures are OK; HAB reports no errors upon U-Boot entry.
U-Boot then loads the signed boot script from flash. Signature validation fails. These errors are displayed (copied from a previous comment):
db 00 14 41
33 28 33 00 FAILURE, INV_CALL, CTX_TARGET
00 01 00 00
00 30 80 17
f0 00 00 00
db 00 24 41
33 30 ee 1d FAILURE, ENG_FAIL, CTX_EXIT, ENG_CAAM
00 04 00 02
00 00 00 00
55 55 00 03
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 06
The following experiments do not affect the secure boot substantially: they do NOT break the Plugin + U-Boot body signature validation (it’s OK in all cases), but they do NOT fix the boot script signature validation either.
When I choose CSF engine = SW, the 1st error is shorter, and it’s longer for engine = CAAM:
- SW engine:
db 00 14 41
33 28 33 00 FAILURE, INV_CALL, CTX_TARGET
00 01 00 00
00 30 80 17
f0 00 00 00
- CAAM engine:
db 00 24 41
33 28 c0 00 FAILURE, INV_CALL, CTX_COMMAND
ca 00 1c 00 // these bytes match the U-Boot body’s CSF binary file (the last binary validated by HAB).
02 c5 1d 00
00 00 16 44
17 80 04 00
00 00 00 60
17 80 2c a0
00 07 c5 d4
When I add another hab_rvt_exit() call just before the hab_rvt_entry() in the authenticate_image(), I get a new error before the 2 errors I got previously:
db 00 08 41
33 28 ee 00 FAILURE, INV_CALL, CTX_EXIT
When I change the U-Boot Body’s CSF file (adjust Blocks section to only validate 4 bytes), the error matches the change:
db 00 24 41
33 28 c0 00 FAILURE, INV_CALL, CTX_COMMAND
ca 00 1c 00
02 c5 1d 00
00 00 16 44
17 80 04 00
00 00 00 60
17 80 2c a0
00 00 00 04
When I unlock RNG / MID in the CSF file, the errors do not change.
When I put a “return” in the authenticate_image() just after the hab_rvt_entry(), the 2nd error disappears (as expected), meaning that the 1st error is logged in hab_rvt_entry(), and the 2nd is in hab_rvt_authenticate_image().
I’ve disabled CONFIG_FSL_CAAM in U-Boot; the errors are still there.
From the above observations, it looks like the HAB library didn’t finish validating the previous image. But it returned successfully. Thus, it’s not possible to validate any subsequent image using HAB.
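The hex dumps in both posts above are raw HAB4 audit-event records: a tag byte 0xdb, a big-endian length of the whole record, a version byte (0x41 = HAB 4.1), then the status, reason, context and engine codes and a context-specific payload. The following Python decoder is an added example, not code from this thread, from NXP or from U-Boot; it splits such a dump into records using each record's length field and names the four code bytes. The record layout and symbolic names follow the tables in U-Boot's arch/arm/mach-imx/hab.c (only a subset of those tables is reproduced), and the sample dump is the two-record output quoted in the posts.

```python
"""Decoder for the HAB4 audit-event records quoted in this thread.

Added example, not code from the thread, from NXP or from U-Boot. Record
layout (tag 0xdb, big-endian length of the whole record, version, then
STS/RSN/CTX/ENG and a payload) and the symbolic names follow U-Boot's
arch/arm/mach-imx/hab.c; only a subset of its code tables is reproduced.
"""
import struct
from dataclasses import dataclass
from typing import List

HAB_TAG_EVT = 0xDB

# Subset of the HAB4 code tables (values as in U-Boot's hab.c).
STATUS = {0x00: "STS_ANY", 0x33: "FAILURE", 0x69: "WARNING", 0xF0: "SUCCESS"}
REASON = {0x00: "RSN_ANY", 0x28: "INV_CALL", 0x30: "ENG_FAIL", 0x22: "INV_ADDRESS",
          0x11: "INV_CSF", 0x17: "INV_SIZE", 0x18: "INV_SIGNATURE"}
CONTEXT = {0x00: "CTX_ANY", 0xE1: "CTX_ENTRY", 0x33: "CTX_TARGET",
           0x0A: "CTX_AUTHENTICATE", 0xDD: "CTX_DCD", 0xCF: "CTX_CSF",
           0xC0: "CTX_COMMAND", 0xEE: "CTX_EXIT"}
ENGINE = {0x00: "ENG_ANY", 0x1D: "ENG_CAAM", 0x36: "ENG_ROM", 0xFF: "ENG_SW"}


@dataclass
class HabEvent:
    version: int      # 0x41 means HAB 4.1
    status: int
    reason: int
    context: int
    engine: int
    data: bytes       # context-specific payload after the four code bytes

    def describe(self) -> str:
        """Symbolic summary in the style of the console lines in the thread;
        unknown codes fall back to their raw hex value."""
        parts = [STATUS.get(self.status, f"STS_0x{self.status:02x}"),
                 REASON.get(self.reason, f"RSN_0x{self.reason:02x}"),
                 CONTEXT.get(self.context, f"CTX_0x{self.context:02x}")]
        if self.engine != 0x00:   # the console output omits ENG_ANY
            parts.append(ENGINE.get(self.engine, f"ENG_0x{self.engine:02x}"))
        return ", ".join(parts)


def parse_hex_dump(text: str) -> bytes:
    """Collect the hex bytes of a console dump, ignoring the symbolic
    annotation that follows the code bytes on some lines."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split():
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break  # rest of the line is annotation, not data
    return bytes(out)


def parse_events(buf: bytes) -> List[HabEvent]:
    """Walk a buffer of back-to-back event records, using each record's own
    length field to find the next one, and reject truncated or malformed input."""
    events: List[HabEvent] = []
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError(f"truncated record header at offset {pos}")
        if buf[pos] != HAB_TAG_EVT:
            raise ValueError(f"expected tag 0xdb at offset {pos}, got 0x{buf[pos]:02x}")
        (length,) = struct.unpack_from(">H", buf, pos + 1)
        if length < 8 or pos + length > len(buf):
            raise ValueError(f"bad record length {length} at offset {pos}")
        version = buf[pos + 3]
        sts, rsn, ctx, eng = buf[pos + 4:pos + 8]
        events.append(HabEvent(version, sts, rsn, ctx, eng, bytes(buf[pos + 8:pos + length])))
        pos += length
    return events


def decode_dump(text: str) -> List[str]:
    """One human-readable line per record."""
    return [f"HAB {ev.version >> 4}.{ev.version & 0xF}: {ev.describe()} "
            f"(payload {len(ev.data)} bytes: {ev.data.hex()})"
            for ev in parse_events(parse_hex_dump(text))]


# Sample input: the two-record dump quoted in the thread.
SAMPLE_DUMP = """\
db 00 14 41
33 28 33 00 FAILURE, INV_CALL, CTX_TARGET
00 01 00 00
00 30 80 17
f0 00 00 00
db 00 24 41
33 30 ee 1d FAILURE, ENG_FAIL, CTX_EXIT, ENG_CAAM
00 04 00 02
00 00 00 00
55 55 00 03
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 06
"""

if __name__ == "__main__":
    for line in decode_dump(SAMPLE_DUMP):
        print(line)
```

Run on the thread's dump, this yields two records: a 20-byte (0x14) one with FAILURE, INV_CALL, CTX_TARGET and a 36-byte (0x24) one with FAILURE, ENG_FAIL, CTX_EXIT, ENG_CAAM, which matches the split the second post established by returning right after hab_rvt_entry() (first event from hab_rvt_entry(), second from hab_rvt_authenticate_image()). The length field is what delimits records, so a dump whose tail is cut off is reported as an error rather than silently decoded as a shorter event.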