HAB with imx6

ciaran_lequeux · ‎04-11-2023

Hello,

I want to validate several images with the imx6 dual lite hab.
If an image fails hab_rvt_report_status always returns me false, with X events on buffer.
Can events and status be erased?
Where should I rely on the list of events?
Is it possible to have hab_rvt_report_status fail with no events?

Thanks in advance

ciaran_lequeux · ‎04-13-2023

Thanks you for your response.
I use uboot 2017
I wan't to verify multiple images.

For example:
IGM1_OK -> No hab events
IMG2_OK -> No hab events
IMG3_OK -> No hab events
IGM4_OK -> No hab events
IMG5_OK -> No hab events

I corrupt data on IMG3 after sign it.

IGM1_OK -> No hab events
IMG2_OK -> No hab events
IMG3_KO -> Failure, 1 HAB event
IGM4_OK -> Failure, 1 HAB event
IMG5_OK -> Failure, 1 HAB event

I see after a corrupted file is checked, all others next are fail.
Any solution to "reset" hab events ?

If i restart my board in each image it's ok, but y don't want t restart.

Dhruvit · ‎04-14-2023

Hi @ciaran_lequeux,

I hope you are doing well.

It seems to be expected behavior.

Please refer to /arch/arm/mach-imx/hab.c

imx_hab_authenticate_image() calls get_hab_status(), which prints all HAB events (including previous), which can only be cleared by restarting the board.

ROM/HAB allocates certain memory regions in Internal RAM (OCRAM) for HAB logs. This space is marked as reserved in the Internal RAM memory map and must not be edited. This memory region is called HAB persistent memory. It contains events and other HAB process-related information.

This space should not be cleared by software.
It can only be cleared by resetting.

Please correctly sign the bad/corrupted image.

Please share commands used to verify images and HAB event output in each case for further debugging.

Thanks & Regards,
Dhruvit Vasavada

Dhruvit · ‎04-13-2023

Hi @ciaran_lequeux,

I hope you are doing well.

HAB Events could be generated due to an incorrectly signed image or an Invalid ivt header.

Please provide me with the steps followed to sign the image and HAB Event error print for further debugging.

Please mention the U-boot version.

If the image is signed correctly, it prints the below message using the hab_status or hab_auth_img command.

"No HAB Events Found!"

Thanks & Regards,
Dhruvit Vasavada

ciaran_lequeux · ‎04-12-2023

anyone?

mason2036 · ‎04-16-2023

It is security concern and design to prevent cleaning the event within one power cycle.

This is simple logic.

If the IMG3 is an attach program image. and IMG4 can clean the even and still let the process going forward. It is very easy to hack the system.

That is very common design for security not i.MX. Any issue is detected stop it.