Fast authentication - secure boot for i.MX6ull

Solved

prabhunath_gupt
Contributor II

Hello NXP team,

Hope you are doing well.

Based on your last inputs, I have tested the secure boot feature with legacy PKI tree certificates and it was working fine. Please find below the content for the u-boot CSF file.

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"

With the above CSF file, I am not getting any HAB events and secure boot is working fine.

We want to reduce the boot time and validate the fast authentication feature. Please find below the CSF file for the same.

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "../../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"

[Authenticate CSF]

[Authenticate Data]
Verification index = 0
Blocks = 0X877FF400 0x0 666624 "u-boot-pad.bin"

I am getting the HAB events below, so I need your help to fix this issue.

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x30

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Please find below setup details.

CST tool version : 3.2.0

Custom board having i.MX6ull

Yocto build: Warrior

Please answer the below queries.

  1. If my security team provides only 4 SRK certificates, is it possible to do a secure boot (fast authentication) with those SRK certificates and avoid the "hab4_pki_tree.sh" steps for generating keys and crts? Please note they will not give me the private key, and my custom board has an i.MX6ull processor.
  2. Is Fast authentication on the i.MX6ull processor?

Best Regards,

Prabhunath Gupt
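Added example (not part of the original post and not NXP tooling): a small Python parser for the `event data:` bytes pasted above, which recovers the STS/RSN/CTX/ENG fields and, for assertion events, the address and size that failed the check. Reading the last 12 bytes of an assertion event as type, address and size is an assumption, and `decode`, `parse_events` and the lookup tables are names chosen here.

```python
import re
# Names limited to the codes that appear in the events posted above.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}
BYTE_LINE = re.compile(r"^\s*(?:0x[0-9a-fA-F]{2}\s*)+$")

# Sample input: events 1 and 5 copied from the post above.
SAMPLE = """
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x30
"""

def decode(raw):
    """Decode one event record: 4-byte header, then STS, RSN, CTX, ENG, data."""
    if len(raw) < 8 or raw[0] != 0xDB or int.from_bytes(raw[1:3], "big") != len(raw):
        raise ValueError("not a complete HAB event record")
    ev = {"status": STATUS.get(raw[4], hex(raw[4])),
          "reason": REASON.get(raw[5], hex(raw[5])),
          "context": CONTEXT.get(raw[6], hex(raw[6])),
          "engine": raw[7], "data": raw[8:]}
    # Assumption: in an assertion event the data is type, address, size (4 bytes each).
    if raw[6] == 0xA0 and len(raw) == 20:
        ev["address"] = int.from_bytes(raw[12:16], "big")
        ev["size"] = int.from_bytes(raw[16:20], "big")
    return ev

def parse_events(text):
    """Return one decoded dict per 'event data:' record in console text."""
    events = []
    for chunk in text.split("event data:")[1:]:
        raw = bytearray()
        for line in chunk.splitlines():
            if BYTE_LINE.match(line):
                raw += bytes(int(b, 16) for b in line.split())
            elif raw:
                break  # first non-byte line after the bytes ends the record
        events.append(decode(bytes(raw)))
    return events

if __name__ == "__main__":
    print(*parse_events(SAMPLE), sep="\n")
```

Decoded this way, event 1 reports address 0x877FF400, the same start address as the `Blocks` line in the CSF, while event 5 is the only one raised in command context.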

1 Solution
Yuri
NXP Employee

@prabhunath_gupt 
Hello,

  Private keys are mandatory to sign the boot image.
  From section 2 (Overview) of AN4581 (i.MX Secure Boot on HABv4 Supported Devices,
Rev. 4, June 2020):
  "High Assurance Boot (HAB) authentication is based on public key cryptography
using the RSA or ECDSA algorithms in which image data is signed offline using
a series of private keys. The resulting signed image data is then verified on
the i.MX processor using the corresponding public keys."

Regards,
Yuri.

prabhunath_gupt
Contributor II

Thanks @Yuri for your response.
