HAB on iMX6

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

HAB on iMX6

3,665 次查看
saisuryanarayan
Contributor I

Hello,

     Currently i am working on HAB support in imx6 for u-boot and my u-boot version is 2014.04 . I have enabled HAB by defining CONFIG_SECURE_BOOT in my u-boot configuration file. I followed document provided by freescale (AN4581.pdf) . In that document mentioned that to enable HAB we need to change u-boot.lds and flash_header.S for specicfying IVT details ...etc.But my u-boot doesn't have flash_header.S file and when i added "TEXT_BASE" details to u-boot.lds it is giving error.

     So what are the changed i need to do to have HAB in 2014.04 version u-boot .

I hope you guys could help me, thanks a lot !

     SaiSurya

0 项奖励
回复
12 回复数

2,677 次查看
kapilruchandani
Contributor I

I am also facing same issue with exactly similar log. I tried the cache flush but it didn't work. saisuryanarayan‌: did you figure out the resolution?

here is my u-boot.csf

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

#[Unlock]
# Engine = CAAM
# Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with
# length = 0x70C00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x70C00 "u-boot-pad.imx"

and hab_status:

Secure boot disabled

HAB Configuration: 0x00, HAB State: 0x00

--------- HAB Event 1 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
0x10 0x05 0xf7 0x17 0x1c 0x05 0xf7 0x17
0x10 0x05 0xf7 0x17 0x06 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0xd4 0x90 0xf5 0x17
0x5c 0xde 0x4b 0x17 0x08 0x08 0x08 0x20
0x30 0x20 0x00 0x20 0x6b 0x65 0x79 0x20
0x74 0x6f 0x20 0x73 0x74 0x6f 0x70 0x20
0x61 0x75 0x74 0x6f 0x62 0x6f 0x6f 0x74
0x3a 0x20 0x20 0x33 0x20 0x00 0x6c 0x65
0x64 0x0a 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x29 0x02 0x00 0x00 0x00 0x00 0x00 0x00

STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
0x10 0x05 0xf7 0x17 0x1c 0x05 0xf7 0x17
0x10 0x05 0xf7 0x17 0x06 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0xd4 0x90 0xf5 0x17
0x5c 0xde 0x4b 0x17 0x08 0x08 0x08 0x20
0x30 0x20 0x00 0x20 0x6b 0x65 0x79 0x20
0x74 0x6f 0x20 0x73 0x74 0x6f 0x70 0x20
0x61 0x75 0x74 0x6f 0x62 0x6f 0x6f 0x74
0x3a 0x20 0x20 0x33 0x20 0x00 0x6c 0x65
0x64 0x0a 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x29 0x02 0x00 0x00 0x00 0x00 0x00 0x00

STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)

any help would be appreciated. Thanks.

0 项奖励
回复

2,677 次查看
Yuri
NXP Employee
NXP Employee

Hello,

  U-boot should be signed for HAB.

Regards,

Yuri.

0 项奖励
回复

2,677 次查看
kapilruchandani
Contributor I

HI Yuri,

My u-boot was signed and it worked well for imx6Solo rev1.1 chip. However it wasn't working for rev imx6Solo 1.2 chip.

I did following changes for all HAB function pointers in my hab.c and it worked for rev imx6Solo 1.2 chip without any events.

#define hab_rvt_report_event_p                                                                           \

(                                                                                                                              \

                ((is_cpu_type(MXC_CPU_MX6Q) ||                                                      \

                  is_cpu_type(MXC_CPU_MX6D)) &&                                                    \

                  (soc_rev() >= CHIP_REV_1_5)) ?                                             \

                ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) :              \

                ((is_cpu_type(MXC_CPU_MX6DL) ||                                     \

                is_cpu_type(MXC_CPU_MX6SOLO)) &&                                              \

                (soc_rev() >= CHIP_REV_1_2)) ?                                                              \

                ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) :              \

                ((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT)             \

)

I think there have been changes in rev 1.2 chip and new HAB pointers shall be used.

0 项奖励
回复

2,677 次查看
Yuri
NXP Employee
NXP Employee

Hello,

  Please look at EB804 (i.MX 6Solo/6DualLite Application
Processor Silicon Revision 1.1 to 1.2/1.3 Comparison)

http://www.nxp.com/docs/pcn_attachments/16558A_EB804.pdf 

Regards,

Yuri.

0 项奖励
回复

2,677 次查看
vivek_kaushik
Contributor II

Hello Yuri,

We have developed product based on i.MX6 Solo with Andoird 6.0 release from NXP.

Our customer would like have secure HAB booting on that. Do we have HAB implemented and available in Android 6.0

Kind Regards

Vivek

0 项奖励
回复

2,677 次查看
Yuri
NXP Employee
NXP Employee

Hello,

  I do not know about example just for Android 6. 

Note, NDA is needed to get more details about implementation for other version.

Regards,

Yuri.

0 项奖励
回复

2,677 次查看
saisuryanarayan
Contributor I

Hi Kapil Ruchandani,

That issue didn't solve  for us also we are using unsigned u-boot only

0 项奖励
回复

2,677 次查看
Yuri
NXP Employee
NXP Employee

   The recent instructions how to treat with HAB may be found under the next

Community thread :

"Mx6 HAB (High Assurance Boot)"

https://community.freescale.com/docs/DOC-96451

Please use U-boot from Freescale BSP.


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 项奖励
回复

2,677 次查看
saisuryanarayan
Contributor I

Hi Yuri,

     Thanks for your reply,

     I followed all the steps mentioned in that thread.I didn't made SEC_CONFIG to closed when i try hab_status from u-boot it is giving continuous hab events.

Here is my CSF file

[Header]

Version = 4.0

Security Configuration = Open

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

Engine = CAAM

Engine Configuration = 0

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded U-Boot starting at the IVT through to the end with

# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00

# This covers the essential parts: IVT, boot data and DCD.

#Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x177ff400 0x00 0x59c00 "U-Boot-pad.bin"

Here my u-boot size is 0x59c00 and i am not using any padding.

Hi Yuri,

     Thanks for your reply,

     I followed all the steps mentioned in that thread.I didn't made SEC_CONFIG to closed when i try hab_status from u-boot it is giving continuous hab events.

Here is my CSF file

[Header]

Version = 4.0

Security Configuration = Open

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

Engine = CAAM

Engine Configuration = 0

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded U-Boot starting at the IVT through to the end with

# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00

# This covers the essential parts: IVT, boot data and DCD.

#Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x177ff400 0x00 0x59c00 "U-Boot-pad.bin"

Here my u-boot size is 0x59c00 and i am not using any padding.

Here is hab_status command log:

HAB Configuration: 0x00, HAB State: 0x00

--------- HAB Event 1 -----------------

event data:

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00

        0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f

        0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f

        0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f

        0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f

        0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00

        0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f

        0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f

        0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f

        0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f

        0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

--------- HAB Event 2 -----------------

event data:

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00

        0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f

        0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f

        0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f

        0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f

        0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00

        0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f

        0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f

        0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f

        0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f

        0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

--------- HAB Event 3 -----------------

event data:

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00

        0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f

        0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f

        0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f

        0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f

        0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00

        0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f

        0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f

        0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f

        0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f

        0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

--------- HAB Event 4 -----------------

event data:

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

        0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00

        0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f

        0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f

        0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f

        0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f

        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

i dis hexdump on U-boot binary it is giving:

00000000  d1 00 20 40 00 00 80 17  00 00 00 00 2c f4 7f 17  |.. @........,...|

00000010  20 f4 7f 17 00 f4 7f 17  00 90 85 17 00 00 00 00  | ...............|

00000020  00 f0 7f 17 00 b0 05 00  00 00 00 00 d2 03 18 40  |...............@|

00000030  cc 03 14 04 02 0e 05 a8  00 00 00 30 02 0e 05 b0  |...........0....|

From this i understood that IVT is at 0x00000000 and values are as follows

header:0x402000D1

Pointer to absolute Entry address : 0x17800000

Reserved:0x00000000

Pointer to absolute address of DCD:0x177F2C00

Pointer to absolute address of boot data: 0x177ff400

Start of CSF data : 0x17859000

Can you explain what's the wrong ?

So can you please help me to resolve this problem ,

          Thank You

0 项奖励
回复

2,677 次查看
Yuri
NXP Employee
NXP Employee

Do You use U-boot from Freescale disto ?

~Yuri.

0 项奖励
回复

2,677 次查看
saisuryanarayan
Contributor I

Thanx for Quick reply,

     Yes yuri we are using Freescle u-boot (version 2014.04).

0 项奖励
回复

2,677 次查看
KursadOney
NXP Employee
NXP Employee

Can you flush the cache (enable CONFIG_CMD_CACHE, use dcache flush and icache flush commands) before you use the hab_status command? The implementation of some interfaces on u-boot do not flush the cache and might cause displaying false positive HAB events.

0 项奖励
回复