We want to use HAB (High Assurance Boot) on i.MX6.
BSP: L4.1.15_1.0.0-ga_images_MX6QDLSOLO.tar.gz Yocto
We have three files u-boot.imx, zImage and imx6dl-sabresd.dtb which are produced by the BSP.
According to the document AN4581.pdf and the URL High Assurance Boot (HAB) for dummies - Boundary Devices:
1. Execute "~/cst-2.3.2/keys$ ./hab4_pki_tree.sh" to generate key files.
2. Execute 8 "fuse prog -y 3 0 ...." commands to fuse the key into the CPU.
3. Execute "./cst --o u-boot_csf.bin --i u-boot.csf", "cat u-boot.imx u-boot_csf.bin > u-boot_signed.imx", and I am sure u-boot_signed.imx is correct, as proven by the command "hab_status".
4. Execute "fuse prog 0 6 0x2" to close the device.
5. Use var-genIVT to generate ivt.bin.
6. "objcopy -I binary -O binary --pad-to=0x469000 --gap-fill=0x00 zImage zImage-pad.bin"
7. "cat zImage-pad.bin ivt.bin > zImage-pad-ivt.bin"
8. "./cst --o zImage_csf.bin --i zImage.csf"
9. "cat zImage-pad-ivt.bin zImage_csf.bin > zImage_signed"
I am sure zImage_signed is correct, because "hab_auth_img" answers "No HAB Events Found!"
I don't treat the dtb file, because it doesn't matter.
But it is stuck at the log messages below:
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
usb 1-1.2: new high-speed USB device number 3 using ci_hdrc
Normally, it should continue with the messages below.
caam 2100000.caam: Entropy delay = 3200
caam 2100000.caam: Instantiated RNG4 SH0
caam 2100000.caam: Instantiated RNG4 SH1
caam 2100000.caam: device ID = 0x0a16010000000100 (Era -524)
caam 2100000.caam: job rings = 2, qi = 0
caam algorithms registered in /proc/crypto
caam_jr 2101000.jr0: registering rng-caam
platform caam_sm: blkkey_ex: 4 keystore units available
platform caam_sm: 64-bit clear key:
I tried "fuse prog 1 0 0x00100000" on the other board, but it is still the same.
What should I do to make it work?
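Added example, not part of the original post: a layout check for steps 5 to 9 that builds the standard 32-byte HAB4 IVT for the padded zImage and verifies that the `self` and `csf` pointers match the `--pad-to` value. The load address `0x12000000`, the version byte `0x41` and the function names are assumptions; only the pad size `0x469000` comes from the post.

```python
import struct

IVT_SIZE = 0x20          # a HAB4 IVT is 32 bytes
PAD_TO = 0x469000        # from step 6 (objcopy --pad-to)
LOAD_ADDR = 0x12000000   # ASSUMPTION: address U-Boot loads zImage to; not stated in the post

def build_ivt(load_addr, pad_to):
    """Pack the IVT: header, entry, rsvd, dcd, boot_data, self, csf, rsvd."""
    header = bytes([0xD1, 0x00, 0x20, 0x41])   # tag, length 0x0020 (big-endian), version (assumed)
    self_ptr = load_addr + pad_to              # IVT sits right after the padded image
    csf_ptr = self_ptr + IVT_SIZE              # CSF binary is appended right after the IVT
    return header + struct.pack("<7I", load_addr, 0, 0, 0, self_ptr, csf_ptr, 0)

def csf_block(load_addr, pad_to):
    """(address, offset, length) the CSF has to authenticate: padded image plus IVT."""
    return (load_addr, 0, pad_to + IVT_SIZE)

def check_layout(image, load_addr, pad_to):
    """Return a list of layout problems in a padded+IVT image (empty list = consistent)."""
    if len(image) < pad_to + IVT_SIZE:
        return ["image is shorter than pad size + IVT"]
    tag, length, _version = struct.unpack_from(">BHB", image, pad_to)
    entry, _, _dcd, _boot, self_ptr, csf_ptr, _ = struct.unpack_from("<7I", image, pad_to + 4)
    problems = []
    if tag != 0xD1 or length != IVT_SIZE:
        problems.append("no IVT header at pad offset 0x%x" % pad_to)
    if entry != load_addr:
        problems.append("entry 0x%08x != load address" % entry)
    if self_ptr != load_addr + pad_to:
        problems.append("self 0x%08x != load address + pad size" % self_ptr)
    if csf_ptr != self_ptr + IVT_SIZE:
        problems.append("csf 0x%08x does not follow the IVT" % csf_ptr)
    return problems

if __name__ == "__main__":
    # Constructed stand-in for zImage-pad.bin (all zeros), not a real kernel.
    image = bytes(PAD_TO) + build_ivt(LOAD_ADDR, PAD_TO)
    print(check_layout(image, LOAD_ADDR, PAD_TO) or "layout consistent")
    print("CSF Blocks = 0x%08x 0x%08x 0x%08x" % csf_block(LOAD_ADDR, PAD_TO))
```

To check a real build, read zImage-pad-ivt.bin from disk and pass its bytes to `check_layout` with the load address used on the board.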
I have seen a similar issue in the past; this issue was fixed in the commit below:
linux-imx.git - i.MX Linux Kernel
Applying this modification or upgrading Kernel to imx_4.1.15_2.0.0_GA may help.
Thanks,
Breno Lima
Hello,
As I see, U-boot and kernel can run - this means both pass HAB checking, and kernel hangs in CAAM initialization. Please verify your system regarding RNG, as described in section 3.3.2 (RNG Trim fuses) of app note AN4581, Rev. 1, 10/2015.
Have a great day,
Yuri
Hi Yuri
I tried "fuse override 1 0 0x00100000" and "run boot cmd", but it doesn't work.
I also ran "fuse prog 1 01 0x00100000" on another board, but it doesn't work either.
I also tried adding the section below to u-boot.csf and zImage.csf, then ran "cst" to produce the signing files and appended them to the corresponding files. It doesn't work either.
[Unlock]
Engine = CAAM
Features = RNG
Do you have any idea?
Wich
Hello,
Let me look at the CSF and full boot console log.
Regards,
Yuri.
Hi Yuri
Do you have any idea?
I got the same result on MCIMX6Q-SDP board with the original u-boot and zImage.
Wich
Hello,
Looks like the Unlock section is commented out (#) in your files.
#[Unlock]
#Engine = CAAM
#Features = RNG
Regards,
Yuri.
Hi Yuri
I enabled only the Unlock section, but it doesn't work.
I used only "fuse override 1 0 0x00100000", but it doesn't work.
I both enabled the Unlock section and used "fuse override 1 0 0x00100000", but it still doesn't work.
Wich
Hi Yuri
I commented out the [Unlock] part in both CSF files.
I ran "fuse override 1 0 0x00100000", but it doesn't work.
I added some logging in drivers/crypto/caam/ctrl.c.
I think it is stuck around "comp_params = rd_reg32(&ctrl->perfmon.comp_parms_ms);" in the function caam_probe().