HAB events on i.mx6

zbigniewbauer
Contributor II

I'm trying to enable high assurance boot on i.MX6Q rev1.6.
I'm using U-Boot 2017.03
The following settings are enabled in u-boot:
CONFIG_SECURE_BOOT=y
CONFIG_SYS_FSL_SEC_LE
CONFIG_SYS_FSL_SEC_COMPAT 4
CONFIG_FSL_CAAM
CONFIG_CMD_RNG_SELF_TEST=y

The u-boot build output:
...
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 618496 Bytes = 604.00 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00092c00
DCD Blocks: 00910000 0000002c 000002f8


I generated keys with cst-3.3.1, using the following settings:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 30
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

I flashed the fuses. The values read from fuses match the output of
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
command.

u-boot.csf used for signing:


[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x00092c00 "u-boot-dtb.imx"


To sign the u-boot I used the following commands:
../cst-3.3.1/linux64/bin/cst --o u-boot_csf.bin --i u-boot.csf
Output:
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in u-boot_csf.bin

cat u-boot-dtb.imx u-boot_csf.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to 0x0094c00 --gap-fill=0x00 u-boot-signed.imx u-boot-signed-pad.imx

The signed u-boot image was flashed to e-MMC.
After reboot I used hab_status to verify signed u-boot

hab_status

Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66

The hab_status output doesn't show the "No HAB Events Found!" message. No other errors/events are displayed.


The same keys and signing procedure works fine on board with iMX6QP rev1.0.
The "No HAB Events Found!" message is present when running hab_status command.

Any ideas why No HAB Events Found! is missing when running hab_status on iMX6Q rev1.6?

Can anyone provide more information about how to fix this?

kobusg
Contributor I

Have there been any updates to this issue? We are experiencing the same HAB errors with the latest batch of i.mx6 devices. 

zbigniewbauer
Contributor II

More info.

Looks like this is a known issue for iMX6Q Rev. 1.6:
https://community.nxp.com/t5/i-MX-Processors/U-boot-hab-status-indicate-warnings-but-no-events-are-d...
I applied the patch: https://mirrors.edge.kernel.org/caf_patches/external/imxsupport/uboot-imx/imx_v2016.03_4.1.15_2.0.0_...

The output of rng_self_test command is:

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

I tried to run RNG initialization, but I still get the same HAB_WARNING.

How to fix this? Is it safe to lock the device?

igorpadykov
NXP Employee

Hi zbigniewbauer


U-Boot 2017.03 is an old version; please try the latest and follow the guidelines below.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4?h=imx_v2020.04_5.4.24_2.1.0

Best regards
igor

zbigniewbauer
Contributor II

Hi Igor,

I tried u-boot imx_v2020.04_5.4.24_2.1.0. The mkimage output is:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 622688 Bytes = 608.09 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00095c00
DCD Blocks: 0x0000002c 0x00910000 0x000002f8

I modified root/doc/imx/habv4/csf_examples/mx6_mx7/csf_uboot.txt:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00000000 0x00095c00 "u-boot-dtb.imx"

I used https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t... instructions for u-boot signing:

../cst-3.3.1/linux64/bin/cst -i u-boot.csf -o csf_uboot.bin
cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx

After flashing eMMC with signed u-boot and running hab_status I got:

hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

Any ideas? Can I ignore this warning and close the device?

Regards,
Z

Yu-Shu_Huang
Contributor I

Hi all,

I have the same issue with U-Boot 2020.04, but on imx6 solo-x rev1.4.
We checked the eFUSE value and the SRK fuse; they match.

No idea why it doesn't show "No HAB Events Found"...
How do I read the meaning of the HAB event data in HAB Event 1?
Is there a document for the HAB event data?

If anyone has an idea, please help.
Thank you

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x08 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

=>

YairBA
Contributor II

Hi Yu-Shu_Huang,

HAB event data meaning can be found here:

./arch/arm/mach-imx/hab.c
./arch/arm/include/asm/mach-imx/hab.h

Both inside U-Boot source code.

I have the same warning on i.MX6DL silicon version 1.4 while for the exact same images on i.MX6DL silicon version 1.3 there is no warning and I get the "No HAB Events Found!".

I closed (program SEC_CONFIG[1]) the device (i.MX6DL silicon version 1.4) and I can boot signed images without any problem (but the warning message is still there).

Yair

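Added example (not part of the thread and not U-Boot code): a host-side Python decoder for the event dumps posted above, following the record layout that hab_status prints from arch/arm/mach-imx/hab.c: a 0xdb tag, a two-byte big-endian length, a version byte, then the status, reason, context and engine bytes. The function name and the trimmed lookup tables are assumptions for illustration; the sample is Event 1 as posted for the i.MX6Q rev 1.6 board.

```python
import re

HAB_TAG_EVT = 0xDB  # tag byte that opens every HAB event record
# Only codes seen on this page plus the other status values; the full
# tables live in arch/arm/include/asm/mach-imx/hab.h.
STATUS = {0x00: "HAB_STS_ANY", 0x33: "HAB_FAILURE",
          0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x30: "HAB_ENG_FAIL"}
CONTEXT = {0xE1: "HAB_CTX_ENTRY"}
ENGINE = {0x1D: "HAB_ENG_CAAM"}

def _name(table, code):
    return f"{table.get(code, 'UNKNOWN')} (0x{code:02X})"

def parse_hab_status(log):
    """Decode every 'HAB Event N' hex dump in captured hab_status output."""
    events = []
    # chunk 0 is the text before the first event banner, so skip it
    for chunk in re.split(r"-+ HAB Event \d+ -+", log)[1:]:
        dump = chunk.split("STS", 1)[0]  # stop before U-Boot's own decode
        rec = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", dump))
        if len(rec) < 8 or rec[0] != HAB_TAG_EVT:
            raise ValueError("not a HAB event record")
        length = int.from_bytes(rec[1:3], "big")  # covers header + payload
        if length != len(rec):
            raise ValueError(f"record says {length} bytes, dump has {len(rec)}")
        events.append({
            "hab_version": f"{rec[3] >> 4}.{rec[3] & 0xF}",  # 0x42 reads as 4.2
            "sts": _name(STATUS, rec[4]), "rsn": _name(REASON, rec[5]),
            "ctx": _name(CONTEXT, rec[6]), "eng": _name(ENGINE, rec[7]),
            "payload": rec[8:],  # remaining bytes, left undecoded here
            "is_failure": rec[4] == 0x33,
        })
    return events

# Event 1 as posted in this thread for the i.MX6Q rev 1.6 board
SAMPLE = """\
HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
"""
```

Calling parse_hab_status(SAMPLE) returns one event whose sts, rsn, ctx and eng strings match the four decoded lines U-Boot printed, and a truncated dump raises ValueError because the length field no longer matches the byte count.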

Yu-Shu_Huang
Contributor I

Hello @YairBA

Thank you for sharing your experience.
That lets me feel confident to close the device.

Yuri
NXP Employee

Yu-Shu_Huang
Contributor I

Hello @Yuri 

Thank you !
Let me give it a try and get back to you.

shunnianzhai
Contributor III

Hi All,

I encountered the same issue with imx6q rev 1.6.

I am also using u-boot 2020.04.

Has anyone found the solution to fix the issue?

Thanks and regards,

Shunnian

YairBA
Contributor II

Hi,

Were you able to overcome this problem? If yes, how?
 
Thanks in advance,
Yair