HAB events on i.mx6

zbigniewbauer · ‎09-24-2020

I'm trying to enable high assurance boot on i.MX6Q rev1.6.
I'm using U-Boot 2017.03
The following settings are enabled in u-boot:
CONFIG_SECURE_BOOT=y
CONFIG_SYS_FSL_SEC_LE
CONFIG_SYS_FSL_SEC_COMPAT 4
CONFIG_FSL_CAAM
CONFIG_CMD_RNG_SELF_TEST=y

The u-boot build output:
...
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 618496 Bytes = 604.00 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00092c00
DCD Blocks: 00910000 0000002c 000002f8

I generated keys with cts-3.3-1, using the following setting:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 30
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

I flashed the fuses. The values read from fuses match the output of
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
command.

u-boot.csf used for signing:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x00092c00 "u-boot-dtb.imx"

To sign the u-boot I used the following commands:
../cst-3.3.1/linux64/bin/cst --o u-boot_csf.bin --i u-boot.csf
Output:
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in u-boot_csf.bin

cat u-boot-dtb.imx u-boot_csf.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to 0x0094c00 --gap-fill=0x00 u-boot-signed.imx u-boot-signed-pad.imx

The signed u-boot image was flashed to e-MMC.
After reboot I used hab_status to verify signed u-boot

hab_status

Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66

The hab_status output doesn't show "No HAB Events Found!" message. No any other errors/events are displayed.

The same keys and signing procedure works fine on board with iMX6QP rev1.0.
The "No HAB Events Found!" message is present when running hab_status command.

Any ideas why No HAB Events Found! is missing when running hab_status on iMX6Q rev1.6?

Can anyone provide more information about how to fix this?

kobusg · ‎10-14-2020

Have there been any updates to this issue? We are experiencing the same HAB errors with the latest batch of i.mx6 devices.

zbigniewbauer · ‎09-28-2020

More info.

Looks like this is know issue for iMX6Q Rev. 1.6:
https://community.nxp.com/t5/i-MX-Processors/U-boot-hab-status-indicate-warnings-but-no-events-are-d...
I applied the patch: https://mirrors.edge.kernel.org/caf_patches/external/imxsupport/uboot-imx/imx_v2016.03_4.1.15_2.0.0_...

The output of rng_self_test command is:

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

I tried to run RNG initialization, but I still get the same HAB_WARNING.

How to fix this? Is it safe to lock the device?

igorpadykov · ‎09-28-2020

Hi zbigniewbauer

U-Boot 2017.03 is old version, please try latest and follow guidelines below

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4?h=imx_v2020.04_5.4.24_2.1.0

Best regards
igor

zbigniewbauer · ‎09-29-2020

Hi Igor,

I tried u-boot imx_v2020.04_5.4.24_2.1.0. The mkimage output is:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 622688 Bytes = 608.09 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00095c00
DCD Blocks: 0x0000002c 0x00910000 0x000002f8

I modified root/doc/imx/habv4/csf_examples/mx6_mx7/csf_uboot.txt:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00000000 0x00095c00 "u-boot-dtb.imx"

I used https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t... instructions for u-boot signing:

../cst-3.3.1/linux64/bin/cst -i u-boot.csf -o csf_uboot.bin
cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx

After flashing eMMC with signed u-boot and running hab_status I got:

hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

Any ideas? Can I ignore this warning and close the device?

Regards,
Z

Yu-Shu_Huang · ‎02-17-2022

Hi all,

I have the same issue with U-Boot 2020.04 but on imx6 solo-x rev1.4
We had checked eFUSE value and SRK Fuse, they are matched

No idea why it doesn't show up "No HAB Events Found"...
How to read HAB event data meaning in HAB Event 1 ?
Does HAB event data have document ?

If anyone have idea please help
Thank you

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x08 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

=>

YairBA · ‎02-22-2022

Hi Yu-Shu_Huang,

HAB event data meaning can be found here:

./arch/arm/mach-imx/hab.c
./arch/arm/include/asm/mach-imx/hab.h

Both inside U-Boot source code.

I have the same warning on i.MX6DL silicon version 1.4 while for the exact same images on i.MX6DL silicon version 1.3 there is no warning and I get the "No HAB Events Found!".

I closed (program SEC_CONFIG[1]) the device (i.MX6DL silicon version 1.4) and I can boot a signed images without any problem (but the warning message is still there).

Yair

Yu-Shu_Huang · ‎02-23-2022

Hello @YairBA

Thank you for sharing your experience.
Let me feel confident to close the the device

Yuri · ‎02-18-2022

@Yu-Shu_Huang
Hello,

look at the following:

https://community.nxp.com/t5/i-MX-Processors/HAB-status-reports-warning-event/m-p/1047502

Regards,
Yuri.

Yu-Shu_Huang · ‎02-21-2022

Hello @Yuri

Thank you !
Let me give a try and get back to you

shunnianzhai · ‎11-07-2021

Hi All,

I encountered the same issue with imx6q rev 1.6.

I am also using u-boot 2020.04.

Has anyone found the solution to fix the issue?

Thanks and regards,

Shunnian

YairBA · ‎05-19-2021

Hi,

Were you able to overcome this problem? If yes, how?

Thanks in advance,

Yair

HAB events on i.mx6

HAB events on i.mx6

i.MX6Quad

Security