HAB Integration Difficulties

michaelrobbelot · ‎06-10-2015

Everyone,

I was wondering if someone could help me out with getting the secure bootloader working. Once everything gets placed and placed onto the device using the Windows manufacturing tool, I get the following from the console window at boot:

U-Boot 2009.08-00030-g9752205-dirty (Jun 09 2015 - 10:33:32)

U-Boot code: 278006E0 -> 27835200 BSS: -> 2786FE68

CPU: Freescale i.MX6 family TO1.2 at 792 MHz

Thermal sensor with ratio = 178

Temperature: 30 C, calibration data 0x5694d869

mx6q pll1: 792MHz

mx6q pll2: 528MHz

mx6q pll3: 480MHz

mx6q pll8: 50MHz

ipg clock : 66000000Hz

ipg per clock : 66000000Hz

uart clock : 80000000Hz

cspi clock : 60000000Hz

ahb clock : 132000000Hz

axi clock : 264000000Hz

emi_slow clock: 132000000Hz

ddr clock : 528000000Hz

usdhc1 clock : 198000000Hz

usdhc2 clock : 198000000Hz

usdhc3 clock : 198000000Hz

usdhc4 clock : 198000000Hz

nfc clock : 24000000Hz

Board: i.MX6Q-SABREAUTO: unknown-board Board: 0x63012 [POR ]

Boot Device: MMC

RAM Configuration:

Bank #0: 10000000 1 GB

MMC: FSL_USDHC: 0,FSL_USDHC: 1

*** Warning - bad CRC or MMC, using default environment

In: serial

Out: serial

Err: serial

HAB Configuration: 0xf0, HAB State: 0x66

No HAB Events Found!

Net: got MAC address from IIM:

FEC0 [PRIME]

### main_loop entered: bootdelay=3

### main_loop: bootcmd="booti mmc1"

Hit any key to stop autoboot: 0

kernel @ 10808000 (4435532)

ramdisk @ 11800000 (235409)

Authenticate uImage from DDR location 0x10808000...

ivt_offset = 0x1030000, ivt addr = 0x11838000

Dumping IVT

0xb4253805 0x6845bc02 0xb42eb805 0xa10cfc02

0x0be7e015 0x54bf00ad 0x35f80568 0x6fc02b42

Dumping CSF Header

0xb9811e16 0x1b5cd89b 0x15a11efc 0xad0a8fe0

0x884e7f00 0x42abf804 0x11dfc024 0x99fe0122

0xeff00910 0xff804884 0x1c02442a 0xde012213

0xe6039843 0x0ee6c59e 0x216f7822 0x0a47e012

HAB Configuration: 0xf0, HAB State: 0x66

No HAB Events Found!

Calling authenticate_image in ROM

ivt_offset = 0x1030000

start = 0x10808000

bytes = 0x1032020

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x05 0x0a 0x00

Authentication Failed

So, I get a HAB_INV_INT error, which I guess means something in the IVT isn't configured correctly. From the csf_u-boot.txt file I have

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

I use a shell script with sed to update the Blocks line based on how the bootloader build changes.

I am open to any suggestions on how to troubleshoot and correct the HAB event.

Michael Robbeloth

utkarsh_gupta · ‎09-04-2015

Hello Michael,

I will be following up with your query.

After going through the previous messages I feel that you are still having trouble with authenticating bootloader image. I will do my best to resolve this issue.

Please provide me the latest IVT of bootloader and the CSF file being used to analyze this issue. Also I believe you are using mx6q-sabreauto TO1.2 chip?

Thanks,

Utkarsh

michaelrobbelot · ‎09-09-2015

Utkarsh,

Thank you for your assistance. The board being used is a customized BCM Advanced Research AR6MXQ ,which is based on the mx6q-sabreauto platform (Our BSP contact at BCM Advanced Research may have also contacted their Freescale FAE as I'm the first customer to inquire about this). The final CSF file is as follows (I work from the original template and then use a bash script to modify a copy of it during the build process):

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# length = 0x71000 (padded u-boot length) - 0x400 (IVT offset) = 0x70C00

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin",\

0x00910000 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

The IVT is:

00000400 d1 00 20 40 e0 06 80 27 00 00 00 00 2c 04 80 27 |.. @...'....,..'|

00000410 20 04 80 27 00 04 80 27 00 30 83 27 00 00 00 00 | ..'...'.0.'....|

Michael Robbeloth

utkarsh_gupta · ‎09-11-2015

Hello Michael,

The CSF looks alright, presuming that the whole DCD is covered in the blocks statement. Please make sure you have SRKs fused and its an open device.

May I know the HAB events you get while authenticating u-boot? And I believe it is u-boot 2009?

Thanks,

Utkarsh

michaelrobbelot · ‎09-16-2015

Utkarsh,

These are the HAB events: (Yes it's u-boot 2009)

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Authenticate uImage from DDR location 0x10808000...

ivt_offset = 0x1030000, ivt addr = 0x11838000

Dumping IVT

0xb4253805 0x6845bc02 0xb42eb805 0xa10cfc02

0x0be7e015 0x54bf00ad 0x35f80568 0x6fc02b42

Dumping CSF Header

0xb9811e16 0x1b5cd89b 0x15a11efc 0xad0a8fe0

0x884e7f00 0x42abf804 0x11dfc024 0x99fe0122

0xeff00910 0xff804884 0x1c02442a 0xde012213

0xe6039843 0x0ee6c59e 0x216f7822 0x0a47e012

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Calling authenticate_image in ROM

ivt_offset = 0x1030000

start = 0x10808000

bytes = 0x1032020

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x05 0x0a 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 6 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Authentication Failed

Michael

utkarsh_gupta · ‎09-16-2015

Hello Michael,

from the initial set of hab events which are generated due to u-boot authentication, it seems like either the image's signature has not been found at the right location or the signature itself is not correct. Can you dump the memory that is located at CSF address and match with the signature generated. Also make sure the signature is generated without DCD address in the image (IVT) (As mentioned in Section 6.2 of AN4581)

Thanks,

Utkarsh

michaelrobbelot · ‎09-23-2015

Utkarsh,

I went back and confirmed that the IVT has correctly written to /dev/mmcblk0boot0 after using the manufacturing tool by dumping its contents with busybox hexdump. I then took the CSF address as stored on the device and dumped the memory using a DS-5 debugger to a file to compare with the csf binary generated during the build. They match. I believe I have followed the guidelines in section 6.2 of AN4581. So how do I verify the signature was generated in a way the boot ROM can handle it.

Michael Robbeloth

utkarsh_gupta · ‎09-24-2015

Hi Michael,

You can definitely parse the signature and figure out if all the format is followed properly which could be interpreted by the ROM. I am sure the signature would be generated properly as per the commands given by the user.

It seems like you have followed all the required steps to create an authentic image but still facing issues. I would suggest you to send me the test images for u-boot and kernel and the let me know the board you are using to accomplish this. I will try to replicate the issue and figure out what could be going wrong.

Thanks,

Utkarsh

michaelrobbelot · ‎06-11-2015

Ulises,

Thank you for getting back to me. I'll go ahead and figure out how to integrate this into the overall Android build. I was surprised that this information is not included in DOC-96451 or AN4581 unless I just completely overlooked it.

I'll reply to this thread once I get this done. If it all works I'll just mark you reply as the answer.

Michael Robbeloth

raulcardenas-b4 · ‎06-10-2015

Hi Micheal,

It looks to me that your image is missing an IVT. You should have 2 different IVTs, one for the U-boot and one for the linux image. The IVT for U-boot is generated by U-boot. However, you will need to build the second one, you can modify the following script to meet your image requirements:

------------- file content begin -------------

#! /usr/bin/perl -w

use strict;

open(my $out, '>:raw', 'ivt.bin') or die "Unable to open:"

print $out pack("V", 0x402000D1); # Signature

print $out pack("V", 0x10801000); # Jump Location

print $out pack("V", 0x0); # Reserved

print $out pack("V", 0x0); # DCD pointer

print $out pack("V", 0x0); # Boot Data

print $out pack("V", 0x10BFDFE0); # Self Pointer

print $out pack("V", 0x10BFE000); # CSF Pointer

print $out pack("V", 0x0); # Reserved

close($out);

------------- file content end -------------

0x10BFDFE0 is the IVT self address after zImage is copied to DDR. 0x10BFE000 is where the CSF data begins.

0x10801000 is jump location. However, U-boot has its own mechanism to jump into the kernel so this jump location is

not actually being used. The HAB ROM code requires

Then you will need to follow the same procedure as you did for u-boot, but this time for the zImage. Probably something like this:

echo "attach IVT..."

cat ivt.bin zImage.bin > ivt-zImage.bin

echo "generate csf data..."

../linux/cst --o zImage_csf.bin < zImage.csf

echo "merge image and csf data..."

cat ivt-zImage.bin zImage_csf.bin > zImage-signed.bin

Then finally, burn the "u-boot-signed-pad.bin" and "zImage-signed.bin" to the SD card.

Hope this helps.

Ulises Cardenas

michaelrobbelot · ‎07-23-2015

Ulises,

I was able to finally revisit this issue and provide the signed kernel, which was reintegrated back into boot.img (this required modification to the AOSP build scripts to get the information in a dynamic manner). However, I am still experiencing the same error state. Do you have anything else that I could try at this point or a contact that I can speak to about this issue (you can send me a private message if needed). This is really needed for us to support a customer needing Widevine on our device. Thank you.

Michael Robbeloth

michaelrobbelot · ‎07-27-2015

Ulises,

Okay, I forgot to account for the information in downloading and executing a signed image with the manufacturing tool in DOC-96451/AN4581. Now, instead of getting No HAB events followed by HAB event 1 after "Calling uImage from DDR location 0x10808000" I now get the following before and then after the authenticate_image call:

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Authenticate uImage from DDR location 0x10808000...

ivt_offset = 0x1030000, ivt addr = 0x11838000

Dumping IVT

0xb4253805 0x6845bc02 0xb42eb805 0xa10cfc02

0x0be7e015 0x54bf00ad 0x35f80568 0x6fc02b42

Dumping CSF Header

0xb9811e16 0x1b5cd89b 0x15a11efc 0xad0a8fe0

0x884e7f00 0x42abf804 0x11dfc024 0x99fe0122

0xeff00910 0xff804884 0x1c02442a 0xde012213

0xe6039843 0x0ee6c59e 0x216f7822 0x0a47e012

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Calling authenticate_image in ROM

ivt_offset = 0x1030000

start = 0x10808000

bytes = 0x1032020

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x05 0x0a 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x16 0x50 0x27 0x80 0x04 0x00

0x00 0x03 0x2c 0x00

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x2c

0x00 0x00 0x02 0xa0

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 6 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x27 0x80 0x06 0xe0

0x00 0x00 0x00 0x04

Authentication Failed

The authenticate data sections from my csf_u-boot file are:

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

# This one is for the DCD

[Authenticate Data]

Verification index = 2

Blocks = 0x2780040c 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

So the first two sets of HAB events come from signing of the bootloader, the last set from the signing of the kernel. I'm pretty much at a loss for how to proceed at this point and would appreciate any response you or someone else in the community could offer, thank you.

Michael Robbeloth

raulcardenas-b4 · ‎07-29-2015

ok, since there are multiple points of failure, lets try to narrow your issue.

The first series of events are parsed to:

------------+----+------+----+-------------------------------------------------

Persistent | T | L | P | Contents

Memory | a | e | a |

Record | g | n | r |

Type | | g | |

| | t | |

| | h | |

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x001c|0x41| SRCE Field: 33 18 c0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_SIGNATURE (0x18)

| | | | CTX = HAB_CTX_COMMAND (0xC0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Cmd Field: 0xca001400

| | | | CMD: HAB_CMD_AUT_DAT (0xca)

| | | | LEN: 0x0014

| | | | FLG: 0x00

| | | | FLAGS: AUT_DAT_CLR (0x00)

| | | | KPEC Field: 0x02c50000

| | | | KEY: 0x02

| | | | PCL: HAB_PCL_CMS (0xC5)

| | | | Sig. Start: 0x00001650

| | | | Blk start/bytes:

| | | | 27 80 04 00 00 03 2c 00

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 27 80 04 00 00 00 00 20

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 27 80 04 2c 00 00 02 a0

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 27 80 04 20 00 00 00 01

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 27 80 06 e0 00 00 00 04

------------+----+------+----+-------------------------------------------------

This tells me that you signature is invalid. I would like to see your CSF and are you making sure that the CSF binary is appended to your uboot at the location that is pointed by your IVT?

First step is to boot uboot without any HAB events, then you can proceed in loading and booting your android image.

-Ulises

michaelrobbelot · ‎07-29-2015

Ulises,

Thank you for getting back to me. My csf is as follows:

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# length = 0x71000 (padded u-boot length) - 0x400 (IVT offset) = 0x70C00

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

# This one is for the DCD

[Authenticate Data]

Verification index = 2

Blocks = 0x00910000 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

mrobbeloth@scorpion:~/projects/quad_src_main_4.3/myandroid/bootable/bootloader/uboot-imx$ cat csf_u-boot.txt

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/vendor/freescale/cst-2.2/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# length = 0x71000 (padded u-boot length) - 0x400 (IVT offset) = 0x70C00

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

# This one is for the DCD

[Authenticate Data]

Verification index = 2

Blocks = 0x00910000 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

Yes, I was able to confirm that I am appending the CSF to the end of the bootloader by hex dumping the tail end of the bootloader and comparing to the binary generated by the cst tool (the booloader does get padded one last time to the next 4k boundary after this step).

Michael Robbeloth

raulcardenas-b4 · ‎07-29-2015

Your csf looks ok, and it sounds that you dont have any HAB event by just booting the bootloader right? (before any image authentication takes place)

Yes, I was able to confirm that I am appending the CSF to the end of the bootloader by hex dumping the tail end of the bootloader and comparing to the binary generated by the cst tool (the booloader does get padded one last time to the next 4k boundary after this step).

Ok, great.

[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"
# This one is for the DCD
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

Here, I would collapse the two together.

[Authenticate Data]

Verification index = 2

Blocks = 0x27800400 0x400 0x32c00 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin" \

0x00910000 0x42c 0x2a0 "/home/mrobbeloth/projects/quad_src_main_4.3/myandroid/out/target/product/ar6mx/u-boot-6q-pad.bin"

Can you provide me the hexdump of the image from 0x0000 to 0x430? Also, did you zeroed out the dcd address on your ivt before running cst?

Ulises

michaelrobbelot · ‎07-29-2015

Ulises,

You commented that I should restructure part of the csf file to just have one authenticate data command section, but I came across this thread Re: HAB secure serial boot on mx6 showing two separate sections: one for the IVT, one for the DCD. Can you clarify this discrepancy?

Michael Robbeloth

raulcardenas-b4 · ‎07-29-2015

Yes, their problem is that they used "blocks = " again. it should be only one with a series of blocks concatenated by a comma

michaelrobbelot · ‎07-29-2015

Here you go:

00000000 b6 01 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 |................|

00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

*

00000400 d1 00 20 40 e0 06 80 27 00 00 00 00 2c 04 80 27 |.. @...'....,..'|

00000410 20 04 80 27 00 04 80 27 00 30 83 27 00 00 00 00 | ..'...'.0.'....|

00000420 00 00 80 27 00 56 03 00 00 00 00 00 d2 02 a0 40 |...'.V.........@|

00000430

Yes, I followed the instructions to clear the dcd address before running cst and reset it after running cst. My dcd_addr.bin extracted the correct address from 0x40c (skip 1036)

$ hexdump -C dcd_addr.bin

00000000 2c 04 80 27 |,..'|

00000004

Michael Robbeloth

raulcardenas-b4 · ‎07-29-2015

Everything looks correct.

Make sure your size in boot data, covers the size of the bootloader + csf.bin.

Did you append and ivt and csf.bin to your android image?

michaelrobbelot · ‎07-30-2015

Ulises,

Okay, so boot_data length is 0x35600, but I noticed in flash_header.S tthat image_len, which includes __hab_data_end, is 0x32600 once I plugged in all the numbers. Is this an issue or do I need to do something else to determine if boot_data length has the correct value.

I have attached the ivt and csf to the bootloader as described in the documentation and to the kernel binary as you described. Of course, modifying the kernel binary in /out (which is also the zImage) required repackaging the boot.img binary with mkbootimg tool. Do I need to do something else or differently?

Michael Robbeloth

michaelrobbelot · ‎07-31-2015

Ulises,

Yes, I remember applying a patch set back when I started working on this (I've been revisiting this from time to time, but would like to get it resolved). The patch set I originally applied is at: Modifications needed to enable secure bootloader · PDi-Communication-Systems-Inc/u-boot_v2009.08@975...

In particular, there is a u-boot.lds. Can you verify if the changes to this file look okay or if I need to change something here. I"ll try a few things in the mean time.

For the time being, my company will only migrate to a new u-boot version when switching to a new BSP version to stay aligned with our BSP vendor. If you don't think this will work under u-boot v2009, that would be go to know so I'm not wasting time on it.

Michael Robbeloth

HAB Integration Difficulties

HAB Integration Difficulties

Android

i.MX6_All

Linux