Cannot boot with closed device of HAB on i.mx6.

wichlin
Contributor II

We want to use HAB (High Assurance Boot) on i.mx6.
BSP: L4.1.15_1.0.0-ga_images_MX6QDLSOLO.tar.gz Yocto
We have three files, u-boot.imx, zImage and imx6dl-sabresd.dtb, which are produced by the BSP.
According to the document AN4581.pdf and the URL "High Assurance Boot (HAB) for dummies - Boundary Devices":
1. Execute "~/cst-2.3.2/keys$ ./hab4_pki_tree.sh" to generate key files.
2. Execute 8 "fuse prog -y 3 0 ...." to fuse the key into the CPU.
3. Execute "./cst --o u-boot_csf.bin --i u-boot.csf", "cat u-boot.imx u-boot_csf.bin > u-boot_signed.imx", and I am sure the u-boot_signed.imx is correct, as proven by the command "hab_status".
4. Execute "fuse prog 0 6 0x2" to close the device.
5. Use var-genIVT to generate ivt.bin.
6. "objcopy -I binary -O binary --pad-to=0x469000 --gap-fill=0x00 zImage zImage-pad.bin"
7. "cat zImage-pad.bin ivt.bin > zImage-pad-ivt.bin"
8. "./cst --o zImage_csf.bin --i zImage.csf"
9. "cat zImage-pad-ivt.bin zImage_csf.bin > zImage_signed"
I am sure the zImage_signed is correct, because "hab_auth_img" answers "No HAB Events Found!".

I don't treat the dtb file, because it doesn't matter.

But it is stuck at the messages dumped below:
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
usb 1-1.2: new high-speed USB device number 3 using ci_hdrc

In the normal situation it should go on with the messages below.
caam 2100000.caam: Entropy delay = 3200
caam 2100000.caam: Instantiated RNG4 SH0
caam 2100000.caam: Instantiated RNG4 SH1
caam 2100000.caam: device ID = 0x0a16010000000100 (Era -524)
caam 2100000.caam: job rings = 2, qi = 0
caam algorithms registered in /proc/crypto
caam_jr 2101000.jr0: registering rng-caam
platform caam_sm: blkkey_ex: 4 keystore units available
platform caam_sm: 64-bit clear key:


I tried "fuse prog 1 0 0x00100000" on the other board, but it is still the same.

What should I do to make it work?
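
The layout that steps 5 to 9 of the question assemble (padded image, then IVT, then CSF) can be checked offline before a board is closed. The following is an added example, not part of the original post or of NXP's tools; the load address 0x12000000 and all function names are assumptions, and the sample image is constructed.

```python
import struct

IVT_SIZE = 0x20
PAD_SIZE = 0x469000      # --pad-to value from step 6
LOAD_ADDR = 0x12000000   # ASSUMPTION: RAM address the image is loaded to (not in the post)


def build_ivt(load_addr, pad_size):
    """32-byte HAB4 IVT for an image padded to pad_size and loaded at load_addr."""
    self_ptr = load_addr + pad_size          # IVT sits directly after the padded image
    csf_ptr = self_ptr + IVT_SIZE            # CSF is appended directly after the IVT
    # Header bytes D1 00 20 41 = tag, 16-bit big-endian length 0x20, version 0x41.
    # Remaining words: entry, reserved, DCD, boot data, self, CSF, reserved.
    return struct.pack("<4s7I", b"\xd1\x00\x20\x41",
                       load_addr, 0, 0, 0, self_ptr, csf_ptr, 0)


def check_layout(image, load_addr, pad_size):
    """Return a list of layout problems in a signed image; empty means consistent."""
    if len(image) < pad_size + IVT_SIZE:
        return ["image is shorter than padded size + IVT"]
    tag, length, version = struct.unpack_from(">BHB", image, pad_size)
    entry, _, _, _, self_ptr, csf_ptr, _ = struct.unpack_from("<7I", image, pad_size + 4)
    problems = []
    if tag != 0xD1 or length != IVT_SIZE or version >> 4 != 4:
        problems.append("no HAB4 IVT header at offset 0x%x" % pad_size)
    if entry != load_addr:                   # a zImage is entered at its first byte
        problems.append("entry 0x%x != load address" % entry)
    if self_ptr != load_addr + pad_size:
        problems.append("self pointer 0x%x != load address + pad size" % self_ptr)
    csf_off = csf_ptr - load_addr            # file offset the CSF pointer refers to
    if not 0 <= csf_off < len(image) or image[csf_off] != 0xD4:
        problems.append("CSF pointer does not land on a CSF header (tag 0xD4)")
    return problems


def sample_signed_image(load_addr=LOAD_ADDR, pad_size=PAD_SIZE):
    """Constructed stand-in for steps 6-9: dummy kernel, zero padding, IVT, stub CSF."""
    kernel = b"\x01" * 64                    # constructed bytes, not a real zImage
    csf_stub = b"\xd4\x00\x04\x41"           # constructed: CSF header only, no signatures
    return kernel.ljust(pad_size, b"\x00") + build_ivt(load_addr, pad_size) + csf_stub


if __name__ == "__main__":
    print(check_layout(sample_signed_image(), LOAD_ADDR, PAD_SIZE) or "layout consistent")
```

This only checks that the pointers agree with the address the image is loaded to; signature validity is still what "hab_auth_img" and "hab_status" report on the board.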

1 Solution
brenolima
NXP Employee

Hi wichlin and Yuri

I have seen a similar issue in the past; this issue was fixed in the commit below:

linux-imx.git - i.MX Linux Kernel 

Applying this modification or upgrading Kernel to imx_4.1.15_2.0.0_GA may help.

Thanks,

Breno Lima

Yuri
NXP TechSupport

Hello,


As I see, U-boot and kernel can run - this means both pass HAB checking, and kernel hangs in CAAM initialization. Please verify your system regarding RNG, as described in section 3.3.2 (RNG Trim fuses) of app note AN4581, Rev. 1, 10/2015.

Have a great day,
Yuri

wichlin
Contributor II

Hi Yuri

I tried "fuse override 1 0 0x00100000" and "run boot cmd", but it doesn't work.

I also ran "fuse prog 1 01 0x00100000" on another board, but it doesn't work either.

I also tried adding the section below to u-boot.csf and zImage.csf, then ran "cst" on them to produce the signing files and appended these to the corresponding files. It doesn't work either.

[Unlock]
Engine = CAAM
Features = RNG

Do you have any idea?

Wich

Yuri
NXP TechSupport

Hello,

Let me look at the CSF and full boot console log.

Regards,

Yuri.

wichlin
Contributor II

Hi Yuri

Do you have any idea?

I got the same result on MCIMX6Q-SDP board with the original u-boot and zImage.

Wich

Yuri
NXP TechSupport

Hello,

Looks like the Unlock section is commented out (#) in your files.

#[Unlock]
#Engine = CAAM
#Features = RNG

Regards,

Yuri.

wichlin
Contributor II

Hi Yuri

I enabled only the Unlock section, but it doesn't work.

I used only "fuse override 1 0 0x00100000", but it doesn't work.

I both enabled the Unlock section and used "fuse override 1 0 0x00100000", but it still doesn't work.

Wich

wichlin
Contributor II

Hi Yuri

I commented out the [Unlock] part in both csf files.

I did "fuse override 1 0 0x00100000", but it doesn't work.

I added some logging in drivers/crypto/caam/ctrl.c.

I think it is stuck around "comp_params = rd_reg32(&ctrl->perfmon.comp_parms_ms);" in the function caam_probe().
