Difference between signed u-boot.imx files for UUU and flash


2,384 Views
jiang_zhang
Contributor II

I noticed that while signing a u-boot.imx image for the UUU tool to load into memory, we need to clear the DCD pointer for some types of chips (e.g., i.MX6Dual/Quad and i.MX6Sololite). However, when the signed image is stored on flash and booted from flash, the DCD pointer should not be cleared while generating the CSF binary.

Currently my signed u-boot.imx works if I use the UUU tool to load it into memory to boot. However, if I store it on flash, I always get a signature verification failure, no matter whether the DCD pointer is cleared or not while generating the signature. Is there anything else I need to do while generating the signed image for flash besides not clearing the DCD pointer? Here are some logs:

  1. Loading signed image to memory (i.e. “sudo uuu -v ./u-boot.imx”):

U-Boot 2018.03-00015-g8831283426-dirty (Jan 27 2020 - 14:36:33 -0800)

CPU:   Freescale i.MX6QP rev1.0 at 792MHz
CPU:   Industrial temperature grade (-40C to 105C) at 38C
Reset cause: POR
Model: ChargePoint i.MX6QP CPNK Board
I2C:   ready
DRAM:  3.8 GiB
board_init >>>>>>>>
set_gpios_input >>>>>>>>
set_gpios >>>>>>>>
set_gpios >>>>>>>>
power_init_board >>>>>>>>
PMIC:  PFUZE100 ID=0x10
MMC:   
Loading Environment from MMC... MMC Device 1 not found
*** Warning - No MMC card found, using default environment

Failed (-5)
auto-detected panel HDMI
Display: HDMI (1024x768)
In:    serial
Out:   serial
Err:   serial
Boot from USB for mfgtools
Use default environment for                              mfgtools
Run bootcmd_mfg: run mfgtool_args; echo "Run fastboot ..."; fastboot 0; 
Hit any key to stop autoboot:  0 
Run fastboot ...
Unknown command 'fastboot' - try 'help'
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

  2. Store it on flash and boot from flash (“dd if=/home/root/u-boot.imx of=/dev/mmcblk0boot0 bs=512 seek=2”):

Loading Environment from MMC... MMC Device 1 not found
*** Warning - No MMC card found, using default environment

Failed (-5)
auto-detected panel HDMI
Display: HDMI (1024x768)
In:    serial
Out:   serial
Err:   serial
Normal Boot
Hit any key to stop autoboot:  0
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x41 0x33 0x18 0xc0 0x00
        0xca 0x00 0x1c 0x00 0x02 0xc5 0x1d 0x00
        0x00 0x00 0x18 0x04 0x17 0x7f 0xf4 0x00
        0x00 0x08 0x3c 0x00 0x00 0x91 0x00 0x00
        0x00 0x00 0x03 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
        0x00 0x00 0x03 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
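
Added example (not part of the original post or of NXP's tooling): a small decoder for the event records in the flash-boot log above, showing which address ranges the failing command and the assertion events name. The record layout used here (0xDB tag, big-endian length, then status/reason/context/engine and the data words) and the Authenticate Data command layout are assumptions about the HAB4 record format; the event bytes themselves are copied from the log.

```python
import struct

# Code names as printed by hab_status in the log above.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x18: "HAB_INV_SIGNATURE", 0x0C: "HAB_INV_ASSERTION"}
CTX = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}

# Event bytes copied from the flash-boot log above (HAB Event 1 and Event 3).
EVENT_1 = bytes.fromhex(
    "db002441 3318c000 ca001c00 02c51d00 00001804 "
    "177ff400 00083c00 00910000 00000300")
EVENT_3 = bytes.fromhex("db001441 330ca000 00000000 177ff42c 00000300")

def decode_event(ev):
    """Decode one HAB event record into names plus (start, length) ranges."""
    if len(ev) < 8:
        raise ValueError("record shorter than its 8-byte header")
    tag, length, _ver, sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", ev[:8])
    if tag != 0xDB or length != len(ev):
        raise ValueError("not a complete HAB event record")
    data = ev[8:]
    if ctx == 0xC0 and data[:1] == b"\xca":
        # Assumed Authenticate Data layout: 4-byte command header, 4 bytes of
        # key/format/engine, 4-byte signature offset, then (start, length) pairs.
        cmd_len = struct.unpack(">H", data[1:3])[0]
        body = data[12:cmd_len]
    elif ctx == 0xA0:
        body = data[4:]          # assumed: one type word, then (start, length)
    else:
        body = b""
    ranges = [struct.unpack(">II", body[i:i + 8])
              for i in range(0, len(body) - 7, 8)]
    return {"sts": STS.get(sts, hex(sts)), "rsn": RSN.get(rsn, hex(rsn)),
            "ctx": CTX.get(ctx, hex(ctx)), "ranges": ranges}

def image_offset(cmd_event, assert_event):
    """Offset of the asserted range from the first block the command names."""
    return assert_event["ranges"][0][0] - cmd_event["ranges"][0][0]

if __name__ == "__main__":
    e1, e3 = decode_event(EVENT_1), decode_event(EVENT_3)
    for e in (e1, e3):
        print(e["rsn"], e["ctx"], [(hex(a), hex(n)) for a, n in e["ranges"]])
    print("asserted range sits at image offset", hex(image_offset(e1, e3)))
```

Under these assumptions the failing command names two blocks, one starting at 0x177ff400 and one of length 0x300 at 0x00910000, while Event 3 reports a range of the same length at image offset 0x2c.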

8 Replies

2,059 Views
Yuri
NXP Employee

  The solution was to remove the command to sign the DCD table (in csf file, 0x00910000 0x2C 0x1C4 “u-boot-dtb.imx”). Because the DCD pointer is not cleared by ROM, removing the command to sign the DCD table avoids re-signing the DCD when booting from flash.

2,059 Views
jiang_zhang
Contributor II

Summary: 

1. When signing image for UUU loading, the DCD pointer in u-boot-dtb.imx needs to be cleared to generate the CSF binary data, but when appending the CSF binary, it needs to append to the original u-boot-dtb.imx WITHOUT clearing the DCD pointer. 

2. When signing image for flash booting, no need to clear the DCD pointer in the u-boot-dtb.imx, but in the CSF text file, DO NOT sign the block of DCD data. 
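
Added example (not code from this thread or from the CST package): a sketch of the two cases in the summary above, producing the CSF `Blocks` line and the bytes to hash for each target. The IVT field layout, the choice of "IVT start up to the CSF pointer" as the first block, and keeping the DCD block for the UUU case are assumptions; the address 0x00910000, offset 0x2C and length 0x1C4 come from the CSF line quoted in the reply above, and the sample image is constructed.

```python
import struct

DCD_OCRAM = 0x00910000   # DCD address used in the CSF line quoted in the thread
IVT_LEN = 0x20           # assumed IVT layout: 4-byte header + seven 32-bit words

def parse_ivt(img):
    tag, length, _ver = struct.unpack(">BHB", img[:4])
    if tag != 0xD1 or length != IVT_LEN:
        raise ValueError("no IVT header at offset 0")
    _entry, _r1, dcd, _boot, self_addr, csf, _r2 = struct.unpack("<7I", img[4:32])
    return {"dcd": dcd, "self": self_addr, "csf": csf}

def dcd_extent(img, ivt):
    """Return (file offset, length) of the DCD table from its own header."""
    off = ivt["dcd"] - ivt["self"]
    tag, length = struct.unpack(">BH", img[off:off + 3])
    if tag != 0xD2:
        raise ValueError("IVT DCD pointer does not point at a DCD header")
    return off, length

def csf_inputs(img, name, target):
    """Return (CSF 'Blocks' line, bytes to hash) for target 'flash' or 'uuu'."""
    if target not in ("flash", "uuu"):
        raise ValueError("target must be 'flash' or 'uuu'")
    ivt = parse_ivt(img)
    blocks = [(ivt["self"], 0, ivt["csf"] - ivt["self"])]
    to_sign = bytes(img)
    if target == "uuu" and ivt["dcd"]:
        off, length = dcd_extent(img, ivt)
        blocks.append((DCD_OCRAM, off, length))      # DCD signed at its OCRAM copy
        # Zero the DCD pointer (IVT bytes 12..15) only in the copy that is hashed;
        # the CSF is later appended to the unmodified image.
        to_sign = to_sign[:12] + b"\0" * 4 + to_sign[16:]
    line = ", ".join('0x%08x 0x%08x 0x%08x "%s"' % (a, o, n, name) for a, o, n in blocks)
    return "Blocks = " + line, to_sign

def sample_image():
    """Constructed 4 KiB image: IVT, boot data, DCD header at offset 0x2C."""
    load, dcd_len, csf_off = 0x177FF400, 0x1C4, 0x1000
    ivt = struct.pack(">BHB", 0xD1, IVT_LEN, 0x40) + struct.pack(
        "<7I", load + 0xC00, 0, load + 0x2C, load + 0x20, load, load + csf_off, 0)
    boot = struct.pack("<3I", load, csf_off + 0x2000, 0)
    dcd = struct.pack(">BHB", 0xD2, dcd_len, 0x40).ljust(dcd_len, b"\0")
    return (ivt + boot + dcd).ljust(csf_off, b"\0")

if __name__ == "__main__":
    for target in ("uuu", "flash"):
        print(target, csf_inputs(sample_image(), "u-boot-dtb.imx", target)[0])
```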

2,059 Views
Yuri
NXP Employee

 

Hello,

 

  I've sent You directly some comments. 

Have a great day,

Yuri

 

 


0 Kudos

2,059 Views
jiang_zhang
Contributor II

Hi Yuri,

Thanks for the information. I read through the file "Mx6 HAB (High Assurance Boot)_NXP Community.pdf" and I am following the instructions from step 1 to step 6.4 except:

  • Step 1: Using CST 3.2.0 instead of 2.0.0;

  • Step 3: Using modified U-Boot source code based on IMX u-boot 4.14.78.1.0.0.GA release, so I am not able to patch 0001-enable-hab-on-uboot-2009.08.patch, and the size of u-boot.bin is different.

  • Step 6.1: I cannot find the section 6.2 in AN4581 (Rev. 1 10/2015, Rev. 2 05/2018 and Rev. 3 10/2019). Which version of AN4581 does it refer to?

In step 6.4, the signed imx image can be loaded into memory successfully and hab_status shows no HAB_Event.

However, in step 6.5, an error happens:

$ ./cst_sign u-boot.bin
ivt_self: e30043ff
ivt_csf: e01441a1
dcd_len: b58a
uboot ivt is not correct

Not sure why this error is caused. However, I looked into the cst_sign scripts and it seems it’s the same as what is described in step 6.3 but makes the length handling generic for any length.

However, this document didn’t mention anything different between signing a u-boot.imx to be stored on flash and signing a u-boot.imx to be loaded into memory via the UUU tool. So my questions are:

  • Is there any difference between signing a u-boot.imx for flash and for UUU download?

  • If yes, what’s the difference? If not, why does the same signed u-boot.imx image work when downloaded via the UUU tool but not when stored on flash and booted from flash?

Let me know if there is anything I didn’t state clearly. Thanks!

Jiang

0 Kudos

2,059 Views
Yuri
NXP Employee

Hello,

  generally there are several U-boot configurations, depending on boot device. 

For example, look at Table 3 (U-Boot configuration) of "i.MX_Yocto_Project_User's_Guide.pdf".

https://www.nxp.com/webapp/Download?colCode=L4.19.35_1.1.0_LINUX_DOCS  

Regards,

Yuri.

0 Kudos

2,060 Views
jiang_zhang
Contributor II

Hi Yuri,

I took a look at Table 3 but I am not sure if this applies to the u-boot code I am using (imx_v2018.03_ 4.14.98_2.0.0_ga). I did a search and couldn’t find the file local.conf. Also I didn’t find UBOOT_CONFIG. I only found CONFIG_ENV_VARS_UBOOT_CONFIG, which does not seem to be the same. However, could you please tell me why the UBOOT_CONFIG matters and how it impacts the HAB verification? Maybe I can try to find where I should change my code.

Thanks!

Jiang

0 Kudos

2,060 Views
Yuri
NXP Employee

Hello,

  it is needed to build U-boot just for the assumed boot device.

https://www.nxp.com/webapp/Download?colCode=imx-yocto-L4.14.98_2.0.0_ga 

Regards,

Yuri.

0 Kudos

2,060 Views
jiang_zhang
Contributor II

Hello Yuri,

I can’t find the configuration you mentioned. Also, the same u-boot build can boot up to the u-boot prompt whether it is loaded via the UUU tool or booted from flash, except that the hab_status command reports that the signature verification failed while booting from flash. However, booting from the UUU tool seems OK. BTW, the board is fused with the SRK value but HAB is not enforced yet.

0 Kudos