- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: HAB status reports warning event
HAB status reports warning event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HAB status reports warning event
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I'm working on secure boot implementation on i/MX6DL system:
- Freescale i.MX6DL rev1.4, Industrial temperature grade, device id: 0x10, revision id: 0x21
- board: Toradex Colibri iMX6 DualLite 512MB IT V1.1A
- u-boot version: toradex_2019.07
After booting to the bootloader, I have one warning event reported by HAB, with this data bytes read from HAB log memory:
db 00 24 42 69 30 e1 1d 00 04 00 02 40 00 36 06 55 55 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
so the event parameters are:
Tag = Event
Length = 36 bytes
HAB Version = 4.2
STS = HAB_WARNING (operation completed with warning)
RSN = HAB_ENG_FAIL (engine failure)
CTX = HAB_CTX_ENTRY (event logged in hab_rvt_entry())
ENG = HAB_ENG_CAAM
...
It looks like same problem described here:
Am I right or do my issue is something different?
Should I ignore this warning event and try to finish SB implementation and locking the device? Or should I adopt the "Run RNG self test" patch to my u-boot source code?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Yes, it is needed to adapt / apply the mentioned patch. This patch identifies the descriptors based on the CAAM version
in the chip and determines which descriptor to run. The descriptors are executed in CAAM which result in a value that is compared with a known answer. If the Known Answer Test (KAT) passes, that means the RNG self test has passed.
This should be executed on the chip at the earliest boot stage in order to ensure that the RNG is functioning correctly before it is utilized for any crypto operations.
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have applied the patch to the u-boot and also enabled debug output in two files (drivers/crypto/fsl/jr.c and .../error.c). After booting to u-boot's console and executing rng_self_test command I get this result:
00000000: No error: 00000000: No error: SEC0: RNG instantiated RNG SELF TEST DESCRIPTOR: 0xB0800036 0x04800010 0x3C85A15B 0x50A9D0B1 0x71A09FEE 0x2EECF20B 0x02800020 0xB267292E 0x85BF712D 0xE85FF43A 0xA716B7FB 0xC40BB528 0x27B6F564 0x8821CB5D 0x9B5F6C26 0x12A00020 0x0A20DE17 0x6529357E 0x316277AB 0x2846254E 0x34D23BA5 0x6F5E9C32 0x7ABDC1BB 0x0197A385 0x82500405 0xA2000001 0x10880004 0x00000005 0x12820004 0x00000020 0x82500001 0xA2000001 0x10880004 0x40000045 0x02800020 0x8F389CC7 0xE7F7CBB0 0x6BF2073D 0xFC380B6D 0xB22E9D1A 0xEE64FCB7 0xA2B48D49 0xDF9BC3A4 0x82500009 0xA2000001 0x10880004 0x00000005 0x82500001 0x60340020 0x12000000 0xA2000001 0x10880004 0x00000005 0x8250000D 20001953: CCB: desc idx 25: RNG: No error. Error 20001953 Error while running RNG self-test descriptor: 536877395
What does that error means and what should I do with it? Is it still safe to try to secure-lock the device with properly signed (but not encrypted) u-boot and linux kernel?
EDIT 1:
I've checked error code "20001953" in "Job termination status/error codes" paragraph from "Security Reference Manual for i.MX 6Dual, 6Quad, 6Solo, and 6DualLite Families of Applications Processors" document and it looks like there should be diffrent debug message printed:
20001953: CCB: desc idx 25: RNG: Instantiate
EDIT 2:
I have found the source of the "20001953" error - there was executed "rng_init()" function before actual RNG self test. I've modified u-boot build and now the result from "rng_self_test" command is:
RNG SELF TEST DESCRIPTOR: (...) 00000000: No error: Result 3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4 Expected Result 3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4 RNG self test passed
So... does it mean I'm safe to secure-lock the device?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
"RNG self test passed" - looks like all is OK now.
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Get the exact same behavior running the rng_self_test
Freescale i.MX6SOLO rev1.4 MCIMX6S1AVM08AD
u-boot-imx 2019.04
20001953 error code is returned even after modifying u-boot as previously suggested
Kernel and dtb authentication works, but would like to be sure HAB can be safely enabled.
Could I safely secure the board or anything else needs to be done before ?
BR
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
After fusing the board, it boots and returns values as described in HAB Users's Guide even HAB warning events are still reported
Authenticate image from DDR location 0x10007fc0...
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answering to my question.
I'll try to apply the patch and I'll write about my results.
