HAB status reports warning event

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

HAB status reports warning event

3,548 次查看
tomaszstaniszew
Contributor II

Hello.

I'm working on secure boot implementation on i/MX6DL system:

- Freescale i.MX6DL rev1.4, Industrial temperature grade, device id: 0x10, revision id: 0x21

- board: Toradex Colibri iMX6 DualLite 512MB IT V1.1A

- u-boot version: toradex_2019.07

After booting to the bootloader, I have one warning event reported by HAB, with this data bytes read from HAB log memory:

db 00 24 42 69 30 e1 1d 00 04 00 02 40 00 36 06 55 55 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01

so the event parameters are:

Tag = Event

Length = 36 bytes

HAB Version = 4.2

STS = HAB_WARNING (operation completed with warning)

RSN = HAB_ENG_FAIL (engine failure)

CTX = HAB_CTX_ENTRY (event logged in hab_rvt_entry())

ENG = HAB_ENG_CAAM

...

It looks like same problem described here:

https://mirrors.edge.kernel.org/caf_patches/external/imxsupport/uboot-imx/imx_v2016.03_4.1.15_2.0.0_...

Am I right or do my issue is something different?

Should I ignore this warning event and try to finish SB implementation and locking the device? Or should I adopt the "Run RNG self test" patch to my u-boot source code?

标签 (2)
6 回复数

3,372 次查看
Yuri
NXP Employee
NXP Employee

Hello,

  Yes, it is needed to adapt / apply the mentioned patch. This patch identifies the descriptors based on the CAAM version

in the chip and determines which descriptor to run. The descriptors are executed in CAAM which result in a value that is compared with a known answer. If the Known Answer Test (KAT) passes, that means the RNG self test has passed.

This  should be executed  on the chip at the earliest boot stage in order to ensure that the RNG is functioning correctly before it is utilized for any crypto operations.

Regards,

Yuri.

0 项奖励
回复

3,372 次查看
tomaszstaniszew
Contributor II

I have applied the patch to the u-boot and also enabled debug output in two files (drivers/crypto/fsl/jr.c and .../error.c). After booting to u-boot's console and executing rng_self_test command I get this result:

00000000: No error:
00000000: No error:
SEC0: RNG instantiated
RNG SELF TEST DESCRIPTOR:
0xB0800036
0x04800010
0x3C85A15B
0x50A9D0B1
0x71A09FEE
0x2EECF20B
0x02800020
0xB267292E
0x85BF712D
0xE85FF43A
0xA716B7FB
0xC40BB528
0x27B6F564
0x8821CB5D
0x9B5F6C26
0x12A00020
0x0A20DE17
0x6529357E
0x316277AB
0x2846254E
0x34D23BA5
0x6F5E9C32
0x7ABDC1BB
0x0197A385
0x82500405
0xA2000001
0x10880004
0x00000005
0x12820004
0x00000020
0x82500001
0xA2000001
0x10880004
0x40000045
0x02800020
0x8F389CC7
0xE7F7CBB0
0x6BF2073D
0xFC380B6D
0xB22E9D1A
0xEE64FCB7
0xA2B48D49
0xDF9BC3A4
0x82500009
0xA2000001
0x10880004
0x00000005
0x82500001
0x60340020
0x12000000
0xA2000001
0x10880004
0x00000005
0x8250000D

20001953: CCB: desc idx 25: RNG: No error.
Error 20001953
Error while running RNG self-test descriptor: 536877395

What does that error means and what should I do with it? Is it still safe to try to secure-lock the device with properly signed (but not encrypted) u-boot and linux kernel?

EDIT 1:

I've checked error code "20001953" in "Job termination status/error codes" paragraph from "Security Reference Manual for i.MX 6Dual, 6Quad, 6Solo, and 6DualLite Families of Applications Processors" document and it looks like there should be diffrent debug message printed:

20001953: CCB: desc idx 25: RNG: Instantiate

EDIT 2:

I have found the source of the "20001953" error - there was executed "rng_init()" function before actual RNG self test. I've modified u-boot build and now the result from "rng_self_test" command is:

RNG SELF TEST DESCRIPTOR:
(...)
00000000: No error:
Result
3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4
Expected Result
3AFE2C87CCB6444919169A74A1318BEFF4860BB95EEEAE9192F4A98FB03718A4
RNG self test passed

So... does it mean I'm safe to secure-lock the device?

3,372 次查看
Yuri
NXP Employee
NXP Employee

Hello,

"RNG self test passed" - looks like all is OK now.

Regards,

Yuri.

0 项奖励
回复

2,922 次查看
nad
Contributor III

Hi,

Get the exact same behavior running the rng_self_test

Freescale i.MX6SOLO rev1.4 MCIMX6S1AVM08AD
u-boot-imx 2019.04

20001953 error code is returned even after modifying u-boot as previously suggested

Kernel and dtb authentication works, but would like to be sure HAB can be safely enabled.
Could I safely secure the board or anything else needs to be done before ?

BR

0 项奖励
回复

2,911 次查看
nad
Contributor III

Hi,

After fusing the board, it boots and returns values as described in HAB Users's Guide even HAB warning events are still reported

Authenticate image from DDR location 0x10007fc0...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

0 项奖励
回复

3,372 次查看
tomaszstaniszew
Contributor II

Thank you for answering to my question.

I'll try to apply the patch and I'll write about my results.