HAB Secure Boot blocking

Hi,

according to 

i.MX8MP Secure boot.pdf

that you linked in your previous post, the Fit CSF needs to be in the middle of flash.bin file. According to the authentication instructions, the artefacts that are authenticated are in consecutive memory.

Regarding your suggestions:

1. Try to secure boot an imx8mm in open device

I have 2 devices with the same fuses set except one is in secure mode and the other one is in open mode. uboot is installed on an SD card so I can exchange the content very easy.

Sign SPL part in flash.bin first, then check hab_status at u-boot prompt.

Simply signing the SPL part and running hab_status does not give any events. However, the device does not boot on the secure mode device.

Sign FIT part in flash.bin, check hab_status at u-boot prompt.

When I sign the FIT part, reboot and run hab_status, there are no events, however, when I force the check with 

hab_auth_img 0x401fcdc0 0x3020 0x1000

Then I get the events as described above.

When I try to boot this uboot on a closed secure mode device it gets stuck after SPL. Indicating that authentication failed.

My SPL and FIT CSF files are identical to yours. It does not boot up.

I am pretty lost here and require further assistance. Is there a possibility to get a paid remote session with assistance?

Hi,

1.  It seems there is no hab event for authenticate SPL/FIT image in open device, right?
2. "hab_auth_img" can't be used to authenticate FIT image if there are multi-line blocks in FIT csf file.
3.  Double check fuse hash programmed in closed device
     Usage:
   • fuse read 6 4
   • fuse read 7 4
4. Can you share how you close the device?
5. Can you provide boot log in closed device?

Best regards

Harvey

Let me answer your questions:

1. It seems there is no hab event for authenticate SPL/FIT image in open device, right?

Correct. If I boot up the open device and issue hab_status, there are no events

u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0,
HAB State: 0x66
No HAB Events Found!

I cannot do this on the closed device as it does not boot far enough for me to enter uboot cli.

2. "hab_auth_img" can't be used to authenticate FIT image if there are multi-line blocks in FIT csf file.

OK, thanks for the info.

3. Double check fuse hash programmed in closed device

On the closed device I cannot boot into uboot cli. I am very certain, that the fuses are set the same way they are on the open device:

u-boot=> fuse read 6 0
Reading bank 6: Word 0x00000000: adda8b8a
u-boot=> fuse read 6 1
Reading bank 6: Word 0x00000001: 3bbf6cfe
u-boot=> fuse read 6 2
Reading bank 6: Word 0x00000002: 69d96f10
u-boot=> fuse read 6 3
Reading bank 6: Word 0x00000003: 90dd2a87
u-boot=> fuse read 7 0
Reading bank 7: Word 0x00000000: eb00cc86
u-boot=> fuse read 7 1
Reading bank 7: Word 0x00000001: 3053b038
u-boot=> fuse read 7 2
Reading bank 7: Word 0x00000002: 7d669ee3
u-boot=> fuse read 7 3
Reading bank 7: Word 0x00000003: d140b92a

4. Can you share how you close the device?

I followed the documentation in mx8m_secure_boot.txt and did:

fuse prog 1 3 0x2000000

I wanted to do the remainder of the recommended fuses once I can verify that secure mode works.

5. Can you provide boot log in closed device?

The closed device gets stuck at the shown point.

U-Boot SPL 2019.04-kuk_imx_v2019.04_5.4.3_2.0.0+gb770149574 (Sep 20 2021 - 08:39:56 +0000)
Choose dram_timing_v1r2_2GB_K4F6E3S4HM
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0...

I am really looking for consultation here. Any help is appreciated. Can we arrange a call?

Two more aspects as below might be helpful for you. 

• To dump the SRK hash fuse values in host machine: 

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

        and then compare it with the fused hash in SoC.

• To your close device, check ROM log and HAB event by reference to these two documents, which can help for further troubleshooting.(HAB Persistent memory in various MPU and MCU chips... - NXP Community) (https://www.nxp.com/webapp/Download?colCode=AN12853)
• For professional engineering services, you can request a quote at (Professional Engineering Services | NXP Semiconductors)

Best regards

Harvey

Is there any more that I can do to help you helping me?

Hi,

thanks for answering. I can gladly provide all necessary files. These are dev builds and all key material is ephemeral.

We use Yocto dunfell. For u-boot we use v2019.04 with patches from our vendor.

I attached
- unsigned flash.bin

- signed flash.bin

- ivt of spl

- ivt of fit

- csf of spl

- csf of fit

Please let me know if I can assist more.

Thanks in advance for your help!

Hi 

Here is a secure boot reference document on i.mx8mp(be similar with i.mx8mm), it lists key points about sign SPL & FIT. You can check these points compared with your previous steps.

One suggestion is, you can just sign SPL first, if SPL verify successful, then sign FIT.

And can you share the full log of mkimake 'flash.bin' (including full log of mkimake print_fit_hab, note there are part of information missed on your post), and its corresponding spl/fit csf files(plain text)?

Then We can be more clear about your sign process.

Best regards

Harvey

Hey, thanks for taking your time to reply.

Despite not knowing about the document before, I did exactly as described in the document based on the information that is available in the u-boot documentation.

As I described in my initial post, signing and verifying SPL works. Signing FIT is what seems to be the culprit.

For clarification kuk-trizeps8.dtb and kuk-trizeps8mini.dtb are the same file in my setup.

The output of print_fit_hab.sh is:

> $ TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 kuk-trizeps8mini.dtb
0x40200000 0x5AC00 0xC4E08
0x402C4E08 0x11FA08 0x82FB
0x920000 0x127D04 0xB160
0xBE000000 0x132E64 0x3E228

The run of mkimage flash.bin produces the following output:

NOTE: building iMX8MM -  flash_trizeps8
./../scripts/pad_image.sh bl31.bin
bl31.bin is padded to 45408
DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 ./mkimage_fit_atf.sh kuk-trizeps8.dtb > u-boot-trizeps8.its
bl31.bin size:
45408
Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin
tee.bin size:
254504
Building with encrypted boot support, make sure to replace DEK Blob in final image.
u-boot-nodtb.bin size:
806408
kuk-trizeps8.dtb size:
33531
./mkimage_uboot -E -p 0x3000 -f u-boot-trizeps8.its u-boot-trizeps8.itb
u-boot-trizeps8.its:7.11-14.5: Warning (unit_address_vs_reg): /images/uboot@1: node has a unit name, but no reg property
u-boot-trizeps8.its:15.9-20.5: Warning (unit_address_vs_reg): /images/fdt@1: node has a unit name, but no reg property
u-boot-trizeps8.its:21.9-29.5: Warning (unit_address_vs_reg): /images/atf@1: node has a unit name, but no reg property
u-boot-trizeps8.its:30.9-38.5: Warning (unit_address_vs_reg): /images/tee@1: node has a unit name, but no reg property
u-boot-trizeps8.its:39.14-45.5: Warning (unit_address_vs_reg): /images/dek_blob@1: node has a unit name, but no reg property
u-boot-trizeps8.its:50.12-55.5: Warning (unit_address_vs_reg): /configurations/config@1: node has a unit name, but no reg property
FIT description: Configuration to load ATF before U-Boot
Created:         Sun Sep  4 17:51:40 2022
 Image 0 (uboot@1)
  Description:  U-Boot (64-bit)
  Created:      Sun Sep  4 17:51:40 2022
  Type:         Standalone Program
  Compression:  uncompressed
  Data Size:    806408 Bytes = 787.51 KiB = 0.77 MiB
  Architecture: AArch64
  Load Address: 0x40200000
  Entry Point:  unavailable
 Image 1 (fdt@1)
  Description:  kuk-trizeps8
  Created:      Sun Sep  4 17:51:40 2022
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    33531 Bytes = 32.75 KiB = 0.03 MiB
  Architecture: Unknown Architecture
 Image 2 (atf@1)
  Description:  ARM Trusted Firmware
  Created:      Sun Sep  4 17:51:40 2022
  Type:         Firmware
  Compression:  uncompressed
  Data Size:    45408 Bytes = 44.34 KiB = 0.04 MiB
  Architecture: AArch64
  OS:           Unknown OS
  Load Address: 0x00920000
 Image 3 (tee@1)
  Description:  TEE firmware
  Created:      Sun Sep  4 17:51:40 2022
  Type:         Firmware
  Compression:  uncompressed
  Data Size:    254504 Bytes = 248.54 KiB = 0.24 MiB
  Architecture: AArch64
  OS:           Unknown OS
  Load Address: 0xbe000000
 Image 4 (dek_blob@1)
  Description:  dek_blob
  Created:      Sun Sep  4 17:51:40 2022
  Type:         Script
  Compression:  uncompressed
  Data Size:    96 Bytes = 0.09 KiB = 0.00 MiB
 Default Configuration: 'config@1'
 Configuration 0 (config@1)
  Description:  kuk-trizeps8
  Kernel:       unavailable
  Firmware:     uboot@1
  FDT:          fdt@1
  Loadables:    dek_blob@1
                atf@1
                tee@1
./mkimage_imx8 -fit -loader u-boot-spl-ddr.bin 0x7E1000 -second_loader u-boot-trizeps8.itb 0x40200000 0x60000 -out flash.bin
Platform:       i.MX8M (mScale)
Using FIT image
LOADER IMAGE:   u-boot-spl-ddr.bin start addr: 0x007e1000
SECOND LOADER IMAGE:    u-boot-trizeps8.itb start addr: 0x40200000 offset: 0x00060000
Output:         flash.bin
========= IVT HEADER [HDMI FW] =========
header.tag:             0x0
header.length:          0x0
header.version:         0x0
entry:                  0x0
reserved1:              0x0
dcd_ptr:                0x0
boot_data_ptr:          0x0
self:                   0x0
csf:                    0x0
reserved2:              0x0
boot_data.start:        0x0
boot_data.size:         0x0
boot_data.plugin:       0x0
========= IVT HEADER [PLUGIN] =========
header.tag:             0x0
header.length:          0x0
header.version:         0x0
entry:                  0x0
reserved1:              0x0
dcd_ptr:                0x0
boot_data_ptr:          0x0
self:                   0x0
csf:                    0x0
reserved2:              0x0
boot_data.start:        0x0
boot_data.size:         0x0
boot_data.plugin:       0x0
========= IVT HEADER [LOADER IMAGE] =========
header.tag:             0xd1
header.length:          0x2000
header.version:         0x41
entry:                  0x7e1000
reserved1:              0x57c00
dcd_ptr:                0x0
boot_data_ptr:          0x7e0fe0
self:                   0x7e0fc0
csf:                    0x8187c0
reserved2:              0x0
boot_data.start:        0x7e0bc0
boot_data.size:         0x39c60
boot_data.plugin:       0x0
========= OFFSET dump =========
Loader IMAGE:
 header_image_off       0x0
 dcd_off                0x0
 image_off              0x40
 csf_off                0x37800
 spl hab block:         0x7e0fc0 0x0 0x37800

Second Loader IMAGE:
 sld_header_off         0x57c00
 sld_csf_off            0x58c20
 sld hab block:         0x401fcdc0 0x57c00 0x1020

For completion, here is my SPL CSF

[Header]
    Version = 4.2
    Hash Algorithm = sha256
    Engine = CAAM
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    File = "${PREFIX}/usr/share/cst/crts/SRK_1_2_3_4_table.bin"
    Source index = 2

[Install NOCAK]
    File = "${PREFIX}/usr/share/cst/crts/SRK3_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Authenticate Data]
    Verification index = 0
    Blocks = 0x7e0fc0 0x0 0x37800 "${PREFIX}/flash.bin"

And here is the full FIT CSF:

[Header]
    Version = 4.2
    Hash Algorithm = sha256
    Engine = CAAM
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    File = "${PREFIX}/usr/share/cst/crts/SRK_1_2_3_4_table.bin"
    Source index = 2

[Install NOCAK]
    File = "${PREFIX}/usr/share/cst/crts/SRK3_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]
[Authenticate Data]
    Verification index = 0
    Blocks = 0x401fcdc0 0x57c00 0x1020 "${PREFIX}/flash.bin", \
0x40200000 0x5AC00 0xC4E08 "${PREFIX}/flash.bin", \
0x402C4E08 0x11FA08 0x82FB "${PREFIX}/flash.bin", \
0x920000 0x127D04 0xB160 "${PREFIX}/flash.bin", \
0xBE000000 0x132E64 0x3E228 "${PREFIX}/flash.bin"

As described in the initial post, this does produce invalid signature events. If I remove the last 4 lines (uboot, uboot-fdt, atf and optee), then there are no HAB events in the output, but the image fails to verify on a secure boot enabled device.