Hello,
I have some problems for encrypting u-boot with SPL, on iMX6UL.
SIGNING :
I have signed u-boot with SPL for iMX6UL, and it works ("No HAB events found" message). I used those 4 files :
//============================
// 1) SPL.log
//============================
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 53248 Bytes = 52.00 KiB = 0.05 MiB
Load Address: 00908420
Entry Point: 00909000
HAB Blocks: 00908400 00000000 0000ac00
DCD Blocks: 00910000 0000002c 00000004
//============================
// 2) SPL.csf
//============================
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00908400 0x00000000 0x0000ac00 "SPL"
[Unlock]
Engine = CAAM
Features = RNG
//============================
// 3) u-boot-ivt.img.log
//============================
Image Name: U-Boot 2017.03-27251-g01c382a fo
Created: Fri Jul 27 16:12:28 2018
Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size: 364480 Bytes = 355.94 KiB = 0.35 MiB
Load Address: 86000000
Entry Point: 00000000
HAB Blocks: 0x85ffffc0 0x0000 0x00057020
//============================
// 4) u-boot-ivt.img.csf
//============================
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x85ffffc0 0x0000 0x00057020 "u-boot-ivt.img"
ENCRYPTION :
Then, I tried to modify u-boot CSF file because I also want to encrypt u-boot. Based on the questions already asked on NXP forum and on others websites, I have tried many things for 2 days but it does NOT work. Here is what I did (in bold : added/modified parts - in red : address/length that are probably wrong) :
//============================
// 4) u-boot-ivt.img.csf
//============================
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x85ffffc0 0x0000 0x00000030 "u-boot-ivt.img"
Explanation : 0x30 = 0x2c + 0x4 (see "SPL.log" file)
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "dek.bin"
Key Length = 128
Blob Address = 0x86058f98
Explanation :
0x86058f98 = 0x86000000 [load address] - 0x40 [header size] + 0x57020 [uboot size] + 0x2000 [csf size] - 0x48 [blob size]
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x86000000 0x00000040 0x00056fe0 "u-boot-ivt.img"
Explanation :
0x86000000 is load address (see "u-boot-ivt.img.log" file)...which is not the same as entry point address (problem ?)
0x40 = 0x86000000 - 0x85ffffc0
0x56fe0 = 0x57020 - 0x40
This was followed by the following u-boot commands...
=> load mmc 0 0x80800000 dek.bin
=> dcache off
=> icache off
=> dek_blob 0x80800000 0x86058f98 128
=> fatwrite mmc 0 0x86058f98 dek_blob.bin 0x48
...and by the following host commands :
$ objcopy -I binary -O binary --pad-to=0x1fb8 --gap-fill=0x00 u-boot-ivt.img_csf.bin u-boot-ivt.img_csf.bin
$ cat u-boot-ivt.img u-boot-ivt.img_csf.bin dek_blob.bin > u-boot-ivt.img_signed_encrypted
Explanation : 0x1fb8 [padding] + 0x48 [blob size] = 0x2000 because DEK blob is supposed to be included in CSF region (which size is 0x2000)
REFERENCES :
High Assurance Boot (HAB) for dummies - Boundary Devices
Encrypted boot loader on SabreSD i.MX6q board | NXP Community
Encrypted boot loader on SabreSD i.MX6q board
u-boot/README.mxc_hab at master · theopolis/u-boot · GitHub
https://community.nxp.com/message/845992?commentID=845992#comment-845992
Signed and encrypted boot in i.MX6UL
Multi-stage Secure Boot in iMX6 through SPL & u-boot.img
QUESTIONS (to make u-boot encryption work) :
1) What value should I use for :
- authenticated data length (instead of 0x30, if it is wrong) ?
- decrypted data start address (instead of 0x86000000, if it is wrong) ?
- offset for decryption (instead of 0x40, if it is wrong) ?
- decrypted data length (instead of 0x56fe0, if it is wrong) ?
2) Is there anything else to modify in u-boot CSF file ?
3) Is there anything to modify in SPL CSF file ?
4) Is there anything else that I am missing ?
Any help will be appreciated... :-)
Julien
Here is the last version of what I did (which still does NOT work)...
Please find the memory layout picture to make things clear...
If somebody has any idea to help me... :smileyhappy:
//============================
// 1) SPL.csf
//============================
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
# Key slot index used to authenticate the header
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00908400 0x00000000 0x00000c00 "SPL"
#Encrypt the SPL image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "dek.bin"
Key Length = 128
Blob Address = 0x00914fb8
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x00909000 0x00000c00 0x0000a000 "SPL"
//============================
// 2) u-boot-ivt.csf
//============================
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
# Key slot index used to authenticate the IVT
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x86056fc0 0x00057000 0x00000020 "u-boot-ivt.img"
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "dek.bin"
Key Length = 128
Blob Address = 0x86058f98
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x86000000 0x00000040 0x00056fc0 "u-boot-ivt.img"
STEPS :
1-2) ... [cst tool used to generate files, included a signed zImage]
3) Copy DEK onto SD card :
sudo cp dek_SPL.bin /media/julien/BOOT-VARSOM/dek_SPL.bin
sudo cp dek_u-boot-ivt.img.bin /media/julien/BOOT-VARSOM/dek_u-boot-ivt.img.bin
4) Power on the board from eMMC, and press any key to enter into u-boot prompt :
4.1) Load DEK binary from SD card
=> load mmc 0 0x909000 dek_SPL.bin
=> load mmc 0 0x86000000 dek_u-boot-ivt.img.bin
4.2) Disable cache memory
=> icache off
=> dcache off
4.3) Create DEK blob
=> dek_blob 0x909000 0x914fb8 128
=> dek_blob 0x86000000 0x86058f98 128
4.4) Copy DEK blob binary onto SD card
=> fatwrite mmc 0 0x914fb8 dek_blob_SPL.bin 0x48
=> fatwrite mmc 0 0x86058f98 dek_blob_u-boot-ivt.img.bin 0x48
5) Back on host, copy DEK blob from SD card :
sudo cp /media/julien/BOOT-VARSOM/dek_blob_SPL.bin ./dek_blob_SPL.bin
sudo cp /media/julien/BOOT-VARSOM/dek_blob_u-boot-ivt.img.bin ./dek_blob_u-boot-ivt.img.bin
6) Pad CSF :
objcopy -I binary -O binary --pad-to=0x1fb8 --gap-fill=0x00 SPL_csf.bin SPL_csf.bin
objcopy -I binary -O binary --pad-to=0x1fb8 --gap-fill=0x00 u-boot-ivt.img_csf.bin u-boot-ivt.img_csf.bin
7) Concatenate [Image + CSF + DEK blob] to generate [Image_signed_encrypted] :
cat SPL SPL_csf.bin dek_blob_SPL.bin > SPL_signed_encrypted
cat u-boot-ivt.img u-boot-ivt.img_csf.bin dek_blob_u-boot-ivt.img.bin > u-boot-ivt.img_signed_encrypted
8) Copy images onto SD card :
sudo cp zImage-ivt_signed /media/julien/rootfs/opt/images/Debian/zImage
sudo cp SPL_signed_encrypted /media/julien/rootfs/opt/images/Debian/SPL.mmc
sudo cp u-boot-ivt.img_signed_encrypted /media/julien/rootfs/opt/images/Debian/u-boot.img.mmc
9) Power on the board from SD card, and flash images onto eMMC
Thank you.
Julien
Hello,
If You use the CST 3.0 - please try the previous release CST 2.3
Have a great day,
Yuri
------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer
button. Thank you!