HAB status reports warning event

cancel
Showing results for 
Search instead for 
Did you mean: 

HAB status reports warning event

415 Views
tomaszstaniszew
Contributor II

Hello.

I'm working on secure boot implementation on i/MX6DL system:

- Freescale i.MX6DL rev1.4, Industrial temperature grade, device id: 0x10, revision id: 0x21

- board: Toradex Colibri iMX6 DualLite 512MB IT V1.1A

- u-boot version: toradex_2019.07

After booting to the bootloader, I have one warning event reported by HAB, with this data bytes read from HAB log memory:

db 00 24 42 69 30 e1 1d 00 04 00 02 40 00 36 06 55 55 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01

so the event parameters are:

Tag = Event

Length = 36 bytes

HAB Version = 4.2

STS = HAB_WARNING (operation completed with warning)

RSN = HAB_ENG_FAIL (engine failure)

CTX = HAB_CTX_ENTRY (event logged in hab_rvt_entry())

ENG = HAB_ENG_CAAM

...

It looks like same problem described here:

https://mirrors.edge.kernel.org/caf_patches/external/imxsupport/uboot-imx/imx_v2016.03_4.1.15_2.0.0_...

Am I right or do my issue is something different?

Should I ignore this warning event and try to finish SB implementation and locking the device? Or should I adopt the "Run RNG self test" patch to my u-boot source code?

Labels (2)
4 Replies

239 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

  Yes, it is needed to adapt / apply the mentioned patch. This patch identifies the descriptors based on the CAAM version

in the chip and determines which descriptor to run. The descriptors are executed in CAAM which result in a value that is compared with a known answer. If the Known Answer Test (KAT) passes, that means the RNG self test has passed.

This  should be executed  on the chip at the earliest boot stage in order to ensure that the RNG is functioning correctly before it is utilized for any crypto operations.

Regards,

Yuri.

0 Kudos

239 Views
tomaszstaniszew
Contributor II

I have applied the patch to the u-boot and also enabled debug output in two files (drivers/crypto/fsl/jr.c and .../error.c). After booting to u-boot's console and executing rng_self_test command I get this result:

00000000: No error:
00000000: No error:
SEC0: RNG instantiated
RNG SELF TEST DESCRIPTOR:
0xB0800036
0x04800010
0x3C85A15B
0x50A9D0B1
0x71A09FEE
0x2EECF20B
0x02800020
0xB267292E
0x85BF712D
0xE85FF43A
0xA716B7FB
0xC40BB528
0x27B6F564
0x8821CB5D
0x9B5F6C26
0x12A00020
0x0A20DE17
0x6529357E
0x316277AB
0x2846254E
0x34D23BA5
0x6F5E9C32
0x7ABDC1BB
0x0197A385
0x82500405
0xA2000001
0x10880004
0x00000005
0x12820004
0x00000020
0x82500001
0xA2000001
0x10880004
0x40000045
0x02800020
0x8F389CC7
0xE7F7CBB0
0x6BF2073D
0xFC380B6D
0xB22E9D1A
0xEE64FCB7
0xA2B48D49
0xDF9BC3A4
0x82500009
0xA2000001
0x10880004
0x00000005
0x82500001
0x60340020
0x12000000
0xA2000001
0x10880004
0x00000005
0x8250000D

20001953: CCB: desc idx 25: RNG: No error.
Error 20001953
Error while running RNG self-test descriptor: 536877395

What does that error means and what should I do with it? Is it still safe to try to secure-lock the device with properly signed (but not encrypted) u-boot and linux kernel?

EDIT 1:

I've checked error code "20001953" in "Job termination status/error codes" paragraph from "Security Reference Manual for i.MX 6Dual, 6Quad, 6Solo, and 6DualLite Families of Applications Processors" document and it looks like there should be diffrent debug message printed:

20001953: CCB: desc idx 25: RNG: Instantiate

EDIT 2:

I have found the source of the "20001953" error - there was executed "rng_init()" function before actual RNG self test. I've modified u-boot build and now the result from "rng_self_test" command is:

RNG SELF TEST DESCRIPTOR:
(...)
00000000: No error:
Result
3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4
Expected Result
3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4
RNG self test passed

So... does it mean I'm safe to secure-lock the device?

239 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

"RNG self test passed" - looks like all is OK now.

Regards,

Yuri.

0 Kudos

239 Views
tomaszstaniszew
Contributor II

Thank you for answering to my question.

I'll try to apply the patch and I'll write about my results.