HAB in Uboot 2019.07

deven_solanki
Contributor III

Hi Community,

Here are my environment details: i.MX6Quad 1GB module, Kernel: 4.9, Uboot: 2019.07.

I am trying to get Secure boot. I am following documents like AN4581 and High Assurance Boot (HAB) for dummies.

Here is the procedure I follow:

A) Compiled Uboot with CONFIG_SECURE_BOOT enabled, and ran make V=1.

B) Run hab4_pki_tree.sh in Code Signing Tool release version 3.1.0.

$ ./hab4_pki_tree.sh

$ ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \
./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin

0x94153933

.

.

.

.

.

.

0xXXXX90

C) Generate CSF binaries for SPL and u-boot-ivt.img as below. For CSF file see the attachment.

$ ./cst --o csf-SPL.bin --i csf-uboot-SPL
CSF Processed successfully and signed data available in csf-SPL.bin

$ ./cst --o csf-uboot-ivt.bin --i csf-uboot-ivt
CSF Processed successfully and signed data available in csf-uboot-ivt.bin

D) Concat both CSF binaries.

$ cat u-boot-ivt.img csf-uboot-ivt.bin > u-boot-ivt_signed.img

$ cat SPL csf-SPL.bin > SPL_signed

E) Flashed SPL_signed and u-boot-ivt_signed.img in module.

F) Programmed the fuse in Uboot with fuse command.

-> fuse prog -y 3 0 0x94153933 (similar for other banks also, with the respective values.)

Now I checked hab_status and I got as below,

-> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

No HAB Events Found!

Still, I didn't close the device, because I have the doubts below related to that:

1. Which binary should I sign?

I am getting executables like u-boot-dtb.img, u-boot-ivt.img, SPL. I am confused about which to sign.

2. Can I use directly the concatenated image(SPL_signed) as below?

$ ./cst --o csf-SPL.bin --i csf-uboot-SPL

$ cat SPL csf-SPL.bin > SPL_signed

In some documents, to align the image, they are filling junk values with the objcopy command. Is it required here also?

3. How can I confirm whether I did all steps correctly or not?

4. Is it mandatory to use a signed Kernel image? Can I use only signed Uboot alone?

5. How to sign the Uboot for imx_usb_loader?

Thanks in advance

Regards,

Deven
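
As an added example (not part of the original post or of NXP's tooling): a Python script that decodes the SRK_1_2_3_4_fuse.bin from step B into the zero-padded `fuse prog` commands of step F and compares the expected words with a `fuse read 3 0 8` readback, which is one way to check the fuse part of question 3. It assumes the i.MX6 layout (SRK hash in bank 3, words 0 to 7), a little-endian build host, and the readback format shown; the sample bytes and console text are constructed.

```python
import re
import struct

SRK_BANK = 3    # assumption: i.MX6 OCOTP layout, SRK hash in bank 3
SRK_WORDS = 8   # SHA-256 digest = 8 x 32-bit fuse words (words 0..7)

# Constructed stand-ins: not a real SRK hash, not a real console capture.
SAMPLE_FUSE_BIN = bytes(range(32))
SAMPLE_READBACK = """Reading bank 3:

Word 0x00000000: 03020100 07060504 0b0a0908 0f0e0d0c
Word 0x00000004: 13121110 17161514 1b1a1918 1f1e1d1c
"""

def srk_fuse_words(blob):
    """Decode the srktool fuse file into 8 fuse words, in fuse order."""
    if len(blob) != SRK_WORDS * 4:
        raise ValueError(f"expected {SRK_WORDS * 4} bytes, got {len(blob)}")
    # Little-endian words: what `hexdump -e '/4 ...'` prints on an x86 host.
    return list(struct.unpack("<8I", blob))

def fuse_prog_commands(words):
    """U-Boot commands with 8 hex digits (plain %X drops leading zeros)."""
    return [f"fuse prog -y {SRK_BANK} {i} 0x{w:08X}"
            for i, w in enumerate(words)]

def parse_fuse_read(text):
    """Collect the values from the 'Word 0x...:' lines of a fuse readback."""
    values = []
    for line in text.splitlines():
        m = re.match(r"\s*Word 0x[0-9a-fA-F]+:(.*)", line)
        if m:
            values += [int(tok, 16) for tok in m.group(1).split()]
    return values

def mismatched_words(expected, readback):
    """Indexes of fuse words that differ from the SRK table hash."""
    if len(readback) != len(expected):
        raise ValueError("readback does not contain all SRK words")
    return [i for i, (e, r) in enumerate(zip(expected, readback)) if e != r]

if __name__ == "__main__":
    words = srk_fuse_words(SAMPLE_FUSE_BIN)
    print("\n".join(fuse_prog_commands(words)))
    bad = mismatched_words(words, parse_fuse_read(SAMPLE_READBACK))
    print("mismatched words:", bad or "none")
```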


Yuri
NXP Employee

Hello,

Generally, your understanding is correct. Note, the recent U-boot used by NXP is 2019.04. So, please use its recommendations.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4?h=imx_v2019.04_5.4.3_2.0.0

https://source.codeaurora.org/external/imx/uboot-imx/tree/?h=imx_v2019.04_5.4.3_2.0.0


Note, it is possible to use signed U-boot only; this is application dependent.

imx_usb_loader is not supported by NXP; nevertheless, you may look at the following:

Recover your device

Regards,

Yuri.
