Hello,
Currently i am working on HAB support in imx6 for u-boot and my u-boot version is 2014.04 . I have enabled HAB by defining CONFIG_SECURE_BOOT in my u-boot configuration file. I followed document provided by freescale (AN4581.pdf) . In that document mentioned that to enable HAB we need to change u-boot.lds and flash_header.S for specicfying IVT details ...etc.But my u-boot doesn't have flash_header.S file and when i added "TEXT_BASE" details to u-boot.lds it is giving error.
So what are the changed i need to do to have HAB in 2014.04 version u-boot .
I hope you guys could help me, thanks a lot !
SaiSurya
I am also facing same issue with exactly similar log. I tried the cache flush but it didn't work. saisuryanarayan: did you figure out the resolution?
here is my u-boot.csf
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
#[Unlock]
# Engine = CAAM
# Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x70C00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x70C00 "u-boot-pad.imx"
and hab_status:
Secure boot disabled
HAB Configuration: 0x00, HAB State: 0x00
--------- HAB Event 1 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
0x10 0x05 0xf7 0x17 0x1c 0x05 0xf7 0x17
0x10 0x05 0xf7 0x17 0x06 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0xd4 0x90 0xf5 0x17
0x5c 0xde 0x4b 0x17 0x08 0x08 0x08 0x20
0x30 0x20 0x00 0x20 0x6b 0x65 0x79 0x20
0x74 0x6f 0x20 0x73 0x74 0x6f 0x70 0x20
0x61 0x75 0x74 0x6f 0x62 0x6f 0x6f 0x74
0x3a 0x20 0x20 0x33 0x20 0x00 0x6c 0x65
0x64 0x0a 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x29 0x02 0x00 0x00 0x00 0x00 0x00 0x00
STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0x01 0x00 0x00 0x00
0x10 0x05 0xf7 0x17 0x1c 0x05 0xf7 0x17
0x10 0x05 0xf7 0x17 0x06 0x00 0x00 0x00
0x01 0x00 0x00 0x00 0xd4 0x90 0xf5 0x17
0x5c 0xde 0x4b 0x17 0x08 0x08 0x08 0x20
0x30 0x20 0x00 0x20 0x6b 0x65 0x79 0x20
0x74 0x6f 0x20 0x73 0x74 0x6f 0x70 0x20
0x61 0x75 0x74 0x6f 0x62 0x6f 0x6f 0x74
0x3a 0x20 0x20 0x33 0x20 0x00 0x6c 0x65
0x64 0x0a 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x29 0x02 0x00 0x00 0x00 0x00 0x00 0x00
STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)
any help would be appreciated. Thanks.
HI Yuri,
My u-boot was signed and it worked well for imx6Solo rev1.1 chip. However it wasn't working for rev imx6Solo 1.2 chip.
I did following changes for all HAB function pointers in my hab.c and it worked for rev imx6Solo 1.2 chip without any events.
#define hab_rvt_report_event_p \
( \
((is_cpu_type(MXC_CPU_MX6Q) || \
is_cpu_type(MXC_CPU_MX6D)) && \
(soc_rev() >= CHIP_REV_1_5)) ? \
((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) : \
((is_cpu_type(MXC_CPU_MX6DL) || \
is_cpu_type(MXC_CPU_MX6SOLO)) && \
(soc_rev() >= CHIP_REV_1_2)) ? \
((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) : \
((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT) \
)
I think there have been changes in rev 1.2 chip and new HAB pointers shall be used.
Hello Yuri,
We have developed product based on i.MX6 Solo with Andoird 6.0 release from NXP.
Our customer would like have secure HAB booting on that. Do we have HAB implemented and available in Android 6.0
Kind Regards
Vivek
Hi Kapil Ruchandani,
That issue didn't solve for us also we are using unsigned u-boot only
The recent instructions how to treat with HAB may be found under the next
Community thread :
"Mx6 HAB (High Assurance Boot)"
https://community.freescale.com/docs/DOC-96451
Please use U-boot from Freescale BSP.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi Yuri,
Thanks for your reply,
I followed all the steps mentioned in that thread.I didn't made SEC_CONFIG to closed when i try hab_status from u-boot it is giving continuous hab events.
Here is my CSF file
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded U-Boot starting at the IVT through to the end with
# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00
# This covers the essential parts: IVT, boot data and DCD.
#Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00 0x59c00 "U-Boot-pad.bin"
Here my u-boot size is 0x59c00 and i am not using any padding.
Hi Yuri,
Thanks for your reply,
I followed all the steps mentioned in that thread.I didn't made SEC_CONFIG to closed when i try hab_status from u-boot it is giving continuous hab events.
Here is my CSF file
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded U-Boot starting at the IVT through to the end with
# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00
# This covers the essential parts: IVT, boot data and DCD.
#Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00 0x59c00 "U-Boot-pad.bin"
Here my u-boot size is 0x59c00 and i am not using any padding.
Here is hab_status command log:
HAB Configuration: 0x00, HAB State: 0x00
--------- HAB Event 1 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00
0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f
0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f
0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f
0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f
0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00
0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f
0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f
0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f
0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f
0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
--------- HAB Event 2 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00
0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f
0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f
0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f
0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f
0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00
0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f
0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f
0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f
0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f
0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
--------- HAB Event 3 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00
0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f
0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f
0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f
0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xa0 0x0a 0x35 0x4f 0xd8 0xf4 0x34 0x4f
0xa0 0x0a 0x35 0x4f 0x04 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x04 0x00 0x00 0x00
0x1c 0x6f 0xf7 0x4f 0x24 0x6f 0xf7 0x4f
0x1c 0x6f 0xf7 0x4f 0xa4 0x91 0xf6 0x4f
0x00 0x00 0x02 0x02 0x3c 0x6f 0xf7 0x4f
0x8c 0xfc 0xf9 0x4f 0xc0 0x4b 0xf5 0x4f
0x37 0x02 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
--------- HAB Event 4 -----------------
event data:
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x07 0x00 0x00 0x00
0x9d 0x26 0xf9 0x4f 0xbc 0x80 0xf8 0x4f
0x00 0x00 0x00 0x00 0xd8 0xf4 0x34 0x4f
0x9a 0x26 0xf9 0x4f 0xe4 0xed 0x34 0x4f
0xb4 0xd9 0xf9 0x4f 0xc8 0x94 0xf5 0x4f
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
i dis hexdump on U-boot binary it is giving:
00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 |.. @........,...|
00000010 20 f4 7f 17 00 f4 7f 17 00 90 85 17 00 00 00 00 | ...............|
00000020 00 f0 7f 17 00 b0 05 00 00 00 00 00 d2 03 18 40 |...............@|
00000030 cc 03 14 04 02 0e 05 a8 00 00 00 30 02 0e 05 b0 |...........0....|
From this i understood that IVT is at 0x00000000 and values are as follows
header:0x402000D1
Pointer to absolute Entry address : 0x17800000
Reserved:0x00000000
Pointer to absolute address of DCD:0x177F2C00
Pointer to absolute address of boot data: 0x177ff400
Start of CSF data : 0x17859000
Can you explain what's the wrong ?
So can you please help me to resolve this problem ,
Thank You
Thanx for Quick reply,
Yes yuri we are using Freescle u-boot (version 2014.04).
Can you flush the cache (enable CONFIG_CMD_CACHE, use dcache flush and icache flush commands) before you use the hab_status command? The implementation of some interfaces on u-boot do not flush the cache and might cause displaying false positive HAB events.