Hi,
I am using a Nitrogen6x and I am trying HAB authentication of u-boot and kernel images in open config.
I have activated HAB in u-boot-2009. I used HAB API to authenticate: u-boot, 6x_bootscript, a device tree and a kernel image. In fact, I added a command called authimg to u-boot. authimg takes as input the load address and verifies an image signature. authimg is based on authenticate_image() function which is provided by default in u-boot. I am using authimg command to authenticate 6x_bootscript in bootcmd and to authenticate separately .dtb and uImage in 6x_bootscript. All the authentications were successful.
Then, I tried the last u-boot version which is provided by Freescale on github (u-boot-2014). I activated secure boot option in u-boot-2014 and I tried the same 6x_bootscript, device file and kernel image authentications. I did 2 tests:
1) I put u-boot.bin with JTAG directly at address 0x17800000 and launch it. Authentications of 6x_bootscript, device tree and uImage succeed.
2) However when I copy the corresponding u-boot.imx to NOR with "sf write 12000000(=my load address) 400 $filesize" and make a reset, I get HAB errors for the same signed 6x_bootscript, device tree and kernel image that have been successfully authenticated in test 1.
I get 5 events. Event1 is a HAB_FAILURE with a reason=HAB_INVALID_ADDRESS in HAB_AUTH_CTX. Meanwhile, the 4 other events are INVALID_ASSERTION events corresponding respectively to the following addresses: 0x177FF400 (IVT), 0x177FF42C (DCD), 0x177FF420 (boot_data) and 0x17800000 (entry). Note that when I load with JTAG u-boot.imx to 0x177ff400 and start executing instructions at the entry point 0x17800000, 6x_bootscript, device tree and kernel image authentications were successful.
Question1: Have you any idea about the origin of the problem? I don't understand why the authentication is working fine with u-boot.bin when loaded with JTAG and it is not working when u-boot.imx is copied to NOR.
Question2 is about u-boot.imx authentication. In u-boot-2009, we can enter the CSF offset directly in ./board/freescale/mx6q_sabresd/flash_header.S. However, we cannot do it in u-boot-2014 (as there is no more flash_header.S). In fact, a hexdump of u-boot.imx gives:
00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17
00000010 20 f4 7f 17 00 f4 7f 17 00 00 00 00 00 00 00 00
That is, header=402000D1, entry addr=17800000, reserved1=0, dcd addr=177f4f2c, boot_data addr=177f4f20, self=177ff400, csf=0 and reserved2=0. Do we have to set manually csf pointer in set_imx_hdr_v2() function in ./tools/imximage.c?
Thank you in advance for your help,
Best regards
Please look at my comments below.
1. If the reason of a HAB event is HAB_INV_ADDRESS (0x22) [Invalid address: access denied], please check if initialization via the DCD table meets the allowed addresses. Please take a look at Table 8-37 (Valid DCD Address Ranges) of the i.MX6 DQ Reference Manual.
2. Please check if the tools/mkimage utility is from Freescale. See "Secure boot problem on i.MX6":
https://community.freescale.com/message/449201#449201
Have a great day,
Yuri
Hi Yuri,
Thank you for your answers.
1) It is table 8-35 ;) I have checked that all addresses are good. Any other idea?
2) I have already seen the "Secure boot problem on i.MX6" discussion and that is why I used u-boot-fslc that I got from freescale github. I am using the last version of u-boot-fslc (2014.10-01193-gcfca0f7).
Best regards,
Aymen
Hi again,
I was able to solve my 2 issues: I had just to add BOOT_OFFSET FLASH_OFFSET_STANDARD and CSF 0x2000 to boards/boundary/nitrogen6x/nitrogen6q.cfg to get a valid CSF offset in my u-boot.imx (this step is documented at ./doc/README.imximage). I have also signed my u-boot.imx and now everything is working fine. That is, u-boot, 6x_bootscript, .dtb and uImage signatures are all successful.
Regards,
Aymen
Thank you for posting the answer Aymen, it will surely help the community!
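The IVT check behind the hexdump in the question and the fix in the solution post, as an added example that is not part of the original thread or of U-Boot: it decodes the 32-byte IVT at the start of u-boot.imx and reports a zero or out-of-range CSF pointer before the image is flashed. The function names are hypothetical, and the field order is the one listed in the question.

```python
import struct

# IVT v2 layout as listed in the question: eight little-endian 32-bit words.
IVT_FIELDS = ("header", "entry", "reserved1", "dcd",
              "boot_data", "self", "csf", "reserved2")

# First 32 bytes of u-boot.imx, copied from the hexdump in the question.
THREAD_IVT = bytes.fromhex(
    "d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17"
    "20 f4 7f 17 00 f4 7f 17 00 00 00 00 00 00 00 00"
)


def parse_ivt(blob):
    """Decode the 32-byte IVT at the start of an .imx image."""
    if len(blob) < 32:
        raise ValueError("need at least 32 bytes")
    tag, length = blob[0], int.from_bytes(blob[1:3], "big")
    if tag != 0xD1 or length != 32:
        raise ValueError("no IVT header (tag 0xD1, length 0x0020) at offset 0")
    return dict(zip(IVT_FIELDS, struct.unpack("<8I", blob[:32])))


def file_offset(ivt, field):
    """IVT pointers are absolute load addresses; subtract 'self' for the file offset."""
    return ivt[field] - ivt["self"]


def check_ivt(ivt, image_size=None):
    """Return a list of inconsistencies in the IVT pointers (empty list if none)."""
    problems = []
    if ivt["csf"] == 0:
        problems.append("csf pointer is 0: image references no CSF")
    else:
        off = file_offset(ivt, "csf")
        if off <= 0:
            problems.append("csf pointer is not after the IVT")
        elif image_size is not None and off >= image_size:
            problems.append("csf offset 0x%x is past end of file" % off)
    for field in ("entry", "dcd", "boot_data"):
        if ivt[field] and file_offset(ivt, field) < 0:
            problems.append("%s pointer is below the IVT" % field)
    return problems


if __name__ == "__main__":
    ivt = parse_ivt(THREAD_IVT)
    for name in IVT_FIELDS:
        print("%-10s 0x%08x" % (name, ivt[name]))
    print(check_ivt(ivt) or "IVT pointers look consistent")
```

To check a real image, pass the first 32 bytes of the file to `parse_ivt()` and the file size to `check_ivt()`.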