HAB events on i.mx6


Contributor II

I'm trying to enable high assurance boot on i.MX6Q rev1.6.
I'm using U-Boot 2017.03.
The following settings are enabled in u-boot:
CONFIG_SECURE_BOOT=y
CONFIG_SYS_FSL_SEC_LE
CONFIG_SYS_FSL_SEC_COMPAT 4
CONFIG_FSL_CAAM
CONFIG_CMD_RNG_SELF_TEST=y

The u-boot build output:
...
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 618496 Bytes = 604.00 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00092c00
DCD Blocks: 00910000 0000002c 000002f8


I generated keys with cst-3.3.1, using the following settings:

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 30
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

I flashed the fuses. The values read from fuses match the output of
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
command.

u-boot.csf used for signing:


[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x00092c00 "u-boot-dtb.imx"


To sign the u-boot I used the following commands:
../cst-3.3.1/linux64/bin/cst --o u-boot_csf.bin --i u-boot.csf
Output:
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in u-boot_csf.bin

cat u-boot-dtb.imx u-boot_csf.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to 0x0094c00 --gap-fill=0x00 u-boot-signed.imx u-boot-signed-pad.imx

The signed u-boot image was flashed to e-MMC.
After reboot I used hab_status to verify the signed u-boot.

hab_status

Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66

The hab_status output doesn't show the "No HAB Events Found!" message. No other errors/events are displayed.


The same keys and signing procedure work fine on a board with iMX6QP rev1.0.
The "No HAB Events Found!" message is present when running hab_status command.

Any ideas why No HAB Events Found! is missing when running hab_status on iMX6Q rev1.6?

Can anyone provide more information about how to fix this?

0 Kudos
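
Added example, not part of the original post or of NXP's tooling: a host-side check that the `Blocks` entry in the CSF still matches the `HAB Blocks` line printed by mkimage, and that the `--pad-to` target lies past the end of the signed region. The function names are hypothetical; the inputs are the values quoted in the post above.

```python
import re

# Inputs copied from the first post: mkimage output line, CSF section, pad target.
MKIMAGE_OUT = "HAB Blocks: 177ff400 00000000 00092c00"
CSF_TEXT = '''[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x00092c00 "u-boot-dtb.imx"
'''
PAD_TO = 0x0094C00  # objcopy --pad-to value

HEX = r"(?:0x)?[0-9a-fA-F]+"


def mkimage_hab_block(output):
    """Return (address, offset, length) from mkimage's 'HAB Blocks:' line."""
    m = re.search(rf"HAB Blocks:\s+({HEX})\s+({HEX})\s+({HEX})", output)
    if not m:
        raise ValueError("no 'HAB Blocks:' line found")
    # mkimage prints bare hex in one build and 0x-prefixed hex in the other;
    # int(value, 16) accepts both spellings.
    return tuple(int(v, 16) for v in m.groups())


def csf_blocks(csf):
    """Return every (address, offset, length) triple that precedes a quoted file."""
    triple = r'(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"'
    return [tuple(int(v, 16) for v in t) for t in re.findall(triple, csf)]


def check(mkimage_out, csf, pad_to=None):
    """Return a list of problems; an empty list means the inputs agree."""
    signed = mkimage_hab_block(mkimage_out)
    problems = []
    if signed not in csf_blocks(csf):
        problems.append("CSF Blocks do not match mkimage HAB Blocks "
                        + " ".join(f"0x{v:08x}" for v in signed))
    end = signed[1] + signed[2]  # file offset where the CSF is appended
    if pad_to is not None and pad_to <= end:
        problems.append(f"pad target 0x{pad_to:x} leaves no room after 0x{end:x}")
    return problems


if __name__ == "__main__":
    print(check(MKIMAGE_OUT, CSF_TEXT, PAD_TO) or "CSF and image layout agree")
```

Run with the `HAB Blocks` line of a rebuilt image and an unchanged CSF, the same check reports the stale length instead of leaving it to show up as a HAB event on the target.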
4 Replies

Contributor I

Have there been any updates to this issue? We are experiencing the same HAB errors with the latest batch of i.mx6 devices. 

0 Kudos

Contributor II

More info.

Looks like this is a known issue for iMX6Q Rev. 1.6:
https://community.nxp.com/t5/i-MX-Processors/U-boot-hab-status-indicate-warnings-but-no-events-are-d...
I applied the patch: https://mirrors.edge.kernel.org/caf_patches/external/imxsupport/uboot-imx/imx_v2016.03_4.1.15_2.0.0_...

The output of rng_self_test command is:

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

I tried to run RNG initialization, but I still get the same HAB_WARNING.

How to fix this? Is it safe to lock the device?

0 Kudos

NXP TechSupport

Hi zbigniewbauer


U-Boot 2017.03 is an old version; please try the latest and follow the guidelines below:

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4?h=imx_v2020.04_5.4.24_2.1.0

Best regards
igor

0 Kudos

Contributor II

Hi Igor,

I tried u-boot imx_v2020.04_5.4.24_2.1.0. The mkimage output is:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 622688 Bytes = 608.09 KiB = 0.59 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00095c00
DCD Blocks: 0x0000002c 0x00910000 0x000002f8

I modified root/doc/imx/habv4/csf_examples/mx6_mx7/csf_uboot.txt:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "../cst-3.3.1/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../cst-3.3.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File = "../cst-3.3.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00000000 0x00095c00 "u-boot-dtb.imx"

I used https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t... instructions for u-boot signing:

../cst-3.3.1/linux64/bin/cst -i u-boot.csf -o csf_uboot.bin
cat u-boot-dtb.imx csf_uboot.bin > u-boot-signed.imx

After flashing eMMC with signed u-boot and running hab_status I got:

hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

Any ideas? Can I ignore this warning and close the device?

Regards,
Z

0 Kudos
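
Added example, not part of the original post or of U-Boot: a host-side decoder for the `event data` bytes that hab_status prints, so a captured boot log can be checked independently of the target's own decoding. It assumes the layout visible in the record above (tag 0xdb, two-byte big-endian length, version byte, then STS, RSN, CTX, ENG); the function names are hypothetical.

```python
import re

# Name tables cover only the codes quoted in this thread plus HAB_FAILURE and
# HAB_SUCCESS; every other code is reported as UNKNOWN rather than guessed.
STATUS = {0x69: "HAB_WARNING", 0x33: "HAB_FAILURE", 0xF0: "HAB_SUCCESS"}
REASON = {0x30: "HAB_ENG_FAIL"}
CONTEXT = {0xE1: "HAB_CTX_ENTRY"}
ENGINE = {0x1D: "HAB_ENG_CAAM"}
HAB_TAG_EVT = 0xDB  # tag byte that opens an event record

# Sample input: the event printed by hab_status in the post above.
SAMPLE = """--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
"""

def split_events(text):
    """Return the raw bytes of each 'HAB Event N' section in hab_status output."""
    events = []
    for section in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        raw = bytearray()
        for line in section.splitlines():
            tokens = line.split()
            # Keep only lines that consist entirely of 0xNN byte tokens.
            if tokens and all(re.fullmatch(r"0x[0-9a-fA-F]{2}", t) for t in tokens):
                raw.extend(int(t, 16) for t in tokens)
        events.append(bytes(raw))
    return events

def decode_event(rec):
    """Decode the 8-byte record prefix; reject truncated or mis-copied records."""
    if len(rec) < 8 or rec[0] != HAB_TAG_EVT:
        raise ValueError("not a HAB event record")
    length = int.from_bytes(rec[1:3], "big")
    if length != len(rec):
        raise ValueError(f"header length {length} != {len(rec)} bytes captured")
    def name(table, code):
        return f"{table.get(code, 'UNKNOWN')} (0x{code:02X})"
    return {"version": f"{rec[3] >> 4}.{rec[3] & 0xF}",
            "STS": name(STATUS, rec[4]), "RSN": name(REASON, rec[5]),
            "CTX": name(CONTEXT, rec[6]), "ENG": name(ENGINE, rec[7]),
            "data": rec[8:].hex()}
```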