Has anyone tried HAB4 Fast authentication? Does this option lower the authentication time?
I want to improve the boot time with a signed u-boot image. Below are the "csf" files prepared without and with fast authentication.
1) u-boot.csf (normal authentication)
----------------file content start----------------
[Header]
# CSF header and default values
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Authenticate and install root public key
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Select SRK1
[Install CSFK]
# Authenticate and install public key for use in "Authenticate CSF"
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
# Authenticate the CSF (this file)
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Authenticate and install public key for use in "Authenticate Data"
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded U-boot starting at the IVT through to the end with
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
# Verify authenticity of pre-loaded data in memory
Verification index = 2
Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"
-------file content end------------------
2) u-boot_fast.csf (for fast authentication)
-------file content start--------------------
[Header]
# CSF header and default values
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"
[Authenticate CSF]
# whole line comment
[Unlock]
Engine = CAAM
Features = RNG
# Sign padded U-boot starting at the IVT through to the end with
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
# Verify authenticity of pre-loaded data in memory
Verification index = 0
Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"
-------file content end------------------
Is the u-boot_fast.csf correct? I am getting a HAB failure with Fast authentication. In the HAB CST UG I have seen
the example below, which confuses me.
[Authenticate Data] # part line comment
Verification index = 0
Blocks = 0x877fb000 0x000 0x48000 "signed-uboot.bin"
What does that signed-uboot.bin mean? Is it that we need to generate a signed u-boot using normal authentication and then use this to create the fast authentication image?
Any pointers will be highly appreciated.
Thanks in advance.
Krishnan, good day!
Again: in section [Authenticate Data]
Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"
Is it correct that the zero offset is the pointer to the DCD table, both for the u-boot.imx file
and for the OCRAM image? Usually the IVT is located at zero offset.
~Yuri.
Hello Yuri, Greetings!
Below is the hexdump of the IVT table in u-boot.imx (dump of u-boot.imx from the start)
0x00000000: 0x402000D1 // header
0x00000004: 0x17800000 // entry
0x00000008: 0x0 // res 1
0x0000000C: 0x177FF42C // dcd ptr
0x00000010: 0x177FF420 // boot data ptr
0x00000014: 0x177FF400 // self
0x00000018: 0x17848000 // csf ptr
0x0000001C: 0x0 // res 2
0x00000020: 0x177FF000
0x00000024: 0x4B000
0x00000028: 0x0
0x0000002C: 0x403803D2
I can see that authentication succeeds the normal way, but Fast authentication fails.
The OCRAM/DDR image has the IVT at 0x177FF400.
BTW, does Fast authentication make any improvement in boot time? That is why I am behind this.
Appreciate your help.
Krishnan
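The hexdump above can be checked against the CSF "Blocks" line mechanically. The following is an added example, not part of the original thread or of NXP's tools: it decodes the IVT and confirms that file offset 0 maps to the IVT "self" address and that the signed length ends at the CSF pointer. The function names are hypothetical, the end-at-CSF check follows the "sign from the IVT through to the end" convention in the CSF comments, and the sample bytes are constructed from the words posted above.

```python
import struct

# Constructed sample: the 12 little-endian words from the hexdump in the post.
SAMPLE_IMX_HEAD = struct.pack(
    "<12I", 0x402000D1, 0x17800000, 0x0, 0x177FF42C, 0x177FF420, 0x177FF400,
    0x17848000, 0x0, 0x177FF000, 0x4B000, 0x0, 0x403803D2)
PAGE_BLOCKS = 'Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"'

def parse_ivt(image: bytes) -> dict:
    """Decode the HAB4 IVT expected at file offset 0 of a .imx image."""
    # Header bytes are tag, big-endian length, version: D1 00 20 4x.
    tag, length, version = struct.unpack_from(">BHB", image, 0)
    if tag != 0xD1 or length != 0x20 or (version & 0xF0) != 0x40:
        raise ValueError("no HAB4 IVT at offset 0")
    names = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    return dict(zip(names, struct.unpack_from("<7I", image, 4)))

def parse_blocks(line: str):
    """Split a CSF line of the form: Blocks = addr offset length "file"."""
    fields = line.split("=", 1)[1].split()
    addr, offset, length = (int(f, 0) for f in fields[:3])
    return addr, offset, length, fields[3].strip('"')

def check_blocks(image: bytes, blocks_line: str) -> list:
    """Return the mismatches between the Blocks line and the IVT (empty if none)."""
    ivt = parse_ivt(image)
    addr, offset, length, _ = parse_blocks(blocks_line)
    problems = []
    # File offset `offset` loads at `addr`, so file offset 0 loads at addr - offset.
    if addr - offset != ivt["self"]:
        problems.append("file offset 0 does not map to the IVT self address")
    if offset != 0:
        problems.append("signed block does not start at the IVT")
    # Assumption: the padded image is signed up to where the CSF is placed.
    if addr + length != ivt["csf"]:
        problems.append("signed block does not end at the CSF pointer")
    # Entry point, DCD and boot data must lie inside the signed block.
    for name in ("entry", "dcd", "boot_data"):
        if ivt[name] and not addr <= ivt[name] < addr + length:
            problems.append(name + " pointer is outside the signed block")
    return problems

if __name__ == "__main__":
    print(check_blocks(SAMPLE_IMX_HEAD, PAGE_BLOCKS) or "Blocks line matches the IVT")
```

For the values in this thread the check passes (0x17848000 - 0x177FF400 = 0x48C00), which agrees with normal authentication succeeding; it says nothing about whether the part supports Fast authentication.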
i.MX6 HAB does not support Fast Authentication.
~Yuri.
Thanks for that update.
The options I am considering for reducing boot time are:
1. Reduce the boot loader image size.
2. Add DCD for optimizing the NOR read write.
3. Use CAAM as the HASH engine (With configuration 0)
4. Enable D cache and I cache.
Are there any other options or pointers you suggest?
Thanks again.
Krishnan
All the steps you mentioned help to decrease boot time.
At the same time, the most time-consuming part is the checking algorithms,
implemented in software by the boot ROM. This stage cannot be optimized
by customers.
~Yuri.
Thanks Yuri.
Dear moderator, please mark this thread as answered.
Just click the Correct Answer button.
~Yuri.