Even if the SuperRootKey differs, in Open-Mode, we see no HAB Event.

george
Senior Contributor II

Dear All,

We certified Code using cst-2.3.1.

It is working correctly in Open-Mode and Closed-Mode.

However, we have one question.

The device on which a different SuperRootKey was burned does not boot in Closed-Mode-Configuration.

However, on the device on which a different SuperRootKey was burned, in Open-Mode-Configuration, we also see no HAB Event.

I can understand that the device with a different SuperRootKey burned also boots in Open-Mode-Configuration, and I think that it has some HAB Event.

However, it does not have HAB Event.

Is this the correct behavior?

Best Regards,

George

Yuri
NXP Employee

George, hello!

As is known (app note AN4581), the first step performed by HAB during secure boot is to install the SRK. The boot ROM calculates the SHA-256 hash of the SRK table attached to the binary CSF data and checks it using the reference value from the OTP fuses. So, modifying the SRK will cause HAB issues.

Please carefully check all stages of HAB usage in your case. Please refer to the following:

“Mx6 HAB (High Assurance Boot)”

https://community.freescale.com/docs/DOC-96451


Have a great day,
Yuri

george
Senior Contributor II

Dear Yuri,

I found the following description in AN4581, which you showed.

Doesn't this mean that our experience was the correct behavior?

---------

7 Troubleshooting

7.1 SRK Authentication for i.MX 6 Series in Open Configuration

There is a known limitation about the verification of the SRK table in the ROM of i.MX 6 Series devices. In these devices, the intent was to only verify the SRK table hash, when the SRK fuse field was non-zero for Open configuration. However, for i.MX 6 Series in Open configuration, the HAB always skips the verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.

This means that it is necessary to ensure that the SRK field is correctly programmed, prior to moving the i.MX 6 Series security configuration to Closed. It is highly recommended to use the srktool included as part of the CST release. The byte ordering of the SRK table hash value should be correct to ensure proper operation.

NOTE

Failing to follow the steps in provisioning the SRK hash eFuses correctly results in a device that will not boot in Closed configuration.

---------

Best Regards,

George
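
A pre-closing check that follows from the AN4581 limitation quoted above, as an added example that is not part of the original thread or of NXP's CST: because HAB reports no event for a wrong SRK in Open configuration, the fuse words read back from the device have to be compared with the srktool hash by hand. It assumes the hash is the 32-byte SHA-256 value and that each fuse word is four consecutive hash bytes read little-endian; the function names and all sample values are constructed.

```python
import hashlib
import struct
from typing import List

def fuse_words_from_hash(srk_hash: bytes) -> List[int]:
    """Split a 32-byte SRK table hash into eight 32-bit fuse words.

    Assumption: each word is four consecutive hash bytes, little-endian.
    """
    if len(srk_hash) != 32:
        raise ValueError("SRK hash must be exactly 32 bytes (SHA-256)")
    return list(struct.unpack("<8I", srk_hash))

def check_fuses(srk_hash: bytes, readback: List[int]) -> str:
    """Classify fuse words read from the device against the expected hash."""
    if len(readback) != 8:
        raise ValueError("expected eight SRK fuse words")
    expected = fuse_words_from_hash(srk_hash)
    if readback == expected:
        return "match"
    if all(word == 0 for word in readback):
        return "unprogrammed"
    # Same bytes, wrong order inside each word: the byte-ordering mistake
    # the application note warns about.
    if readback == list(struct.unpack(">8I", srk_hash)):
        return "byte-swapped"
    return "mismatch"

# Constructed sample data: stand-ins for the srktool output of the signing
# key set and of an unrelated key set. These are not real SRK hashes.
SIGNING_HASH = hashlib.sha256(b"constructed SRK table A").digest()
OTHER_HASH = hashlib.sha256(b"constructed SRK table B").digest()

def report(readback: List[int]) -> str:
    """One-line verdict to record before the security configuration is closed."""
    verdict = check_fuses(SIGNING_HASH, readback)
    words = " ".join("0x%08X" % w for w in readback)
    safe = "safe to close" if verdict == "match" else "do NOT close"
    return "%s: %s (%s)" % (verdict, safe, words)

if __name__ == "__main__":
    print(report(fuse_words_from_hash(SIGNING_HASH)))  # correctly provisioned
    print(report(fuse_words_from_hash(OTHER_HASH)))    # the case in this thread
    print(report([0] * 8))                             # fuses never burned
```

Only a "match" verdict is consistent with a device that will still boot after moving to Closed configuration; the other three verdicts all boot without a HAB event in Open configuration on i.MX 6, which is why the comparison cannot be left to the ROM.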

Yuri
NXP Employee

Correct.

george
Senior Contributor II

Hi Yuri,

Thank you for the reply.

BR,

George

george
Senior Contributor II

Dear Yuri,

Sorry for the late reply.

We check the settings for HAB again.

Thanks,

George
