Hello NXP team,
Hope you are doing well.
Based on your last inputs, I have tested the secure boot feature with legacy PKI tree certificates and it was working fine. Please find below the content for the u-boot CSF file.
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"
With the above CSF file, I am not getting any HAB events and secure boot is working fine.
We want to reduce the boot time and validate the fast authentication feature. Please find below the CSF file for the same.
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "../../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"
[Authenticate CSF]
[Authenticate Data]
Verification index = 0
Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"
I am getting the HAB events below, so I need your help to fix this issue.
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x30
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Please find below setup details.
CST tool version : 3.2.0
Custom board having i.MX6ull
Yocto build: Warrior
Please answer the below queries.
Best Regards,
Prabhunath Gupt
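As an added example (not part of the original post or of NXP's tooling), this Python script decodes the five event records above and checks whether each asserted region lies inside the range given on the CSF "Blocks" line. The header fields follow the decode printed in the post; the 12-byte assertion payload layout (type word, address, length) is an assumption.

```python
import struct

# Constructed input: event bytes copied from the HAB events in the post above.
EVENTS = [
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 2c 00 00 01 e8",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 80 00 00 00 00 00 04",
    "db 00 14 42 33 21 c0 00 be 00 0c 00 03 17 00 00 00 00 00 30",
]
# Load address and length from the "Blocks" line of the CSF in the post.
BLOCK_START, BLOCK_LEN = 0x877FF400, 666624

# Names as printed in the post's event decode.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CTX = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}

def parse_event(hex_bytes):
    """Split one event record into header fields and payload."""
    raw = bytes.fromhex(hex_bytes)
    tag, length, ver, sts, rsn, ctx, eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    ev = {"sts": STS.get(sts, hex(sts)), "rsn": RSN.get(rsn, hex(rsn)),
          "ctx": CTX.get(ctx, hex(ctx)), "eng": eng, "data": raw[8:]}
    if ctx == 0xA0 and len(ev["data"]) == 12:
        # Assumed layout: assertion type, address, length (big-endian words).
        _, addr, size = struct.unpack(">III", ev["data"])
        ev["region"] = (addr, size)
        ev["in_block"] = (BLOCK_START <= addr and
                          addr + size <= BLOCK_START + BLOCK_LEN)
    return ev

def summarize(events=EVENTS):
    return [parse_event(e) for e in events]

if __name__ == "__main__":
    for n, ev in enumerate(summarize(), 1):
        region = ev.get("region")
        where = (f"region 0x{region[0]:08x}+0x{region[1]:x} "
                 f"inside signed block: {ev['in_block']}") if region else \
                f"command bytes: {ev['data'].hex(' ')}"
        print(f"Event {n}: {ev['rsn']} ({ev['ctx']}) {where}")
```

For the posted events, all four asserted regions lie inside the "Blocks" range, which points at the certificate failure in event 5 rather than at block coverage.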
@prabhunath_gupt
Hello,
Private keys are mandatory to sign the boot image.
From section 2 (Overview) of AN4581 (i.MX Secure Boot on HABv4 Supported Devices,
Rev. 4, June 2020):
"High Assurance Boot (HAB) authentication is based on public key cryptography
using the RSA or ECDSA algorithms in which image data is signed offline using
a series of private keys. The resulting signed image data is then verified on
the i.MX processor using the corresponding public keys."
Regards,
Yuri.
Thanks @Yuri for your response.