HAB4 CSF Fast Authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HAB4 CSF Fast Authentication

3,434 Views
krishnanp
Contributor III

Has anyone tried HAB4 Fast authentication?  Does this option lowers the authentication time?

I want to improve the boot time with a signed u-boot image. Below are the "csf" files prepared for without and with fast authentication.

1) u-boot.csf (normal authentication)

----------------file content start----------------

[Header]

  # CSF header and default values

  Version = 4.1

  Security Configuration = Open

  Hash Algorithm = sha256

  Engine Configuration = 0

  Certificate Format = X509

  Signature Format = CMS

[Install SRK]

  # Authenticate and install root public key

  File = "../crts/SRK_1_2_3_4_table.bin"

  Source index = 0 # Select SRK1

[Install CSFK]

  # Authenticate and install public key for use in "Authenticate CSF"

  File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

  # Authenticate the CSF (this file)

[Unlock]

  Engine = CAAM

  Features = RNG

[Install Key]

  # Authenticate and install public key for use in "Authenticate Data"

  Verification index = 0

  Target index = 2

  File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"


# Sign padded U-boot starting at the IVT through to the end with

# Blocks have the following definition:

#   Image block start address on i.MX, Offset from start of image file,

#   Length of block in bytes, image data file

[Authenticate Data]

  # Verify authenticity of pre-loaded data in memory

  Verification index = 2

  Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"

-------file content  end------------------

2)1) u-boot_fast.csf (For fast authentication)

-------file content start--------------------

[Header]

  # CSF header and default values

  Version = 4.1

  Security Configuration = Open

  Hash Algorithm = sha256

  Engine Configuration = 0

  Certificate Format = X509

  Signature Format = CMS

[Install SRK]

  File = "../crts/SRK_1_2_3_4_table.bin"

  Source index = 0

[Install NOCAK]

  File = "../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"

[Authenticate CSF]

  # whole line comment

[Unlock]

  Engine = CAAM

  Features = RNG

# Sign padded U-boot starting at the IVT through to the end with

# Blocks have the following definition:

#   Image block start address on i.MX, Offset from start of image file,

#   Length of block in bytes, image data file

[Authenticate Data]

  # Verify authenticity of pre-loaded data in memory

  Verification index = 0

  Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"

-------file content  end------------------

Is the u-boot_fast.csf is correct? I am getting hab failure  with Fast authentication.  In HAB CST UG  i have seen

below example  which confuses me.

[Authenticate Data] # part line comment

Verification index = 0

Blocks = 0x877fb000 0x000 0x48000 “signed-uboot.bin”

What is that signed-uboot.bin means?. Is it like we need to generate signed uboot using normal authentication and then  use this to create fast authentication image?

Any pointers will be highly appreciated.

thanks in advance.

Labels (1)
Tags (4)
0 Kudos
Reply
7 Replies

2,437 Views
Yuri
NXP Employee
NXP Employee

  Krishnan, good day !

Again : in section [Authenticate Data]

Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"


Is it correct that zero offset is the pointer of DCD table for both u-boot.imx  file

and for OCRAM image ? Usually the IVT is located at  zero offset.

~Yuri.


0 Kudos
Reply

2,437 Views
krishnanpv
Contributor II

Hello Yuri, Greetings!

Below is the hexdump of IVT table in  u-boot.imx ( dump of u-boot.imx from start)

0x00000000: 0x402000D1 // header

0x00000004: 0x17800000 // entry

0x00000008: 0x0 //res 1

0x0000000C: 0x177FF42C //dcd ptr

0x00000010: 0x177FF420  //boot data ptr

0x00000014: 0x177FF400  // self

0x00000018: 0x17848000  // csf ptr

0x0000001C:0x0 //Res 2

0x00000020: 0x177FF000 //

0x00000024: 0x4B000

0x00000028: 0x0

0x0000002C: 0x403803D2

I can see that the authentication success with the normal way, but Fast authentication fails.

OCRAM/DDR Image has  IVT at  0x177FF400.

BTW way does Fast authentication makes any improvement in boot time?  That is why I am behind this..

Appreciate your  help.

Krishnan

0 Kudos
Reply

2,437 Views
Yuri
NXP Employee
NXP Employee

I.MX6 HAB does not support the Fast Autentification.

~Yuri.

2,437 Views
krishnanpv
Contributor II

Thanks for that update.

the options I am considering for reducing boot time are.

1. Reduce the boot loader image size.

2. Add DCD for optimizing the NOR read write.

3. Use CAAM as the HASH engine (With configuration 0)

4. Enable D cache and I cache.

Is there any other options or pointers you suggest?

Thanks again.

Krishnan

2,437 Views
Yuri
NXP Employee
NXP Employee

All steps, You metioned, helps to decrease boot time.

In the same time, the most time consuming is checking algorithms,

inplemened in software by boot ROM. This stage cannot be optimyzed
by customers.

~Yuri.

0 Kudos
Reply

2,437 Views
krishnanpv
Contributor II

Thanks Yuri.

Dear moderator, Pls make this thread as answered.

0 Kudos
Reply

2,437 Views
Yuri
NXP Employee
NXP Employee

Just click the Correct Answer button.

~Yuri.

0 Kudos
Reply