Hi
I'm trying to enforce high assurance boot on an i.MX8MP-based system, and for this I need to sign the SPL/FIT images. To ensure the keys and certificates are treated with enough care, these are generated and stored in an externally hosted PKI system. From this system I managed to generate the SRK hash and fused it into the chip.
So far no problems.
However, when I sign the SPL and FIT images with the img/csf keys (of which the public key certificates are signed using the SRK keys in the hosted PKI environment), the HAB code throws events.
There are several events, I can provide all if needed, but it seems to start with:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x08 0xa8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
I'm trying to analyze what could be wrong, and one of the suspects is the public key certificate for these signing keys. The openssl configuration in the cst tooling seems to prescribe some constraints for the certificate extensions (e.g. CA:false), but I cannot find any conclusive information on this topic.
The x509v3 extensions our certificates contain include, e.g., the "(extended) key usage" fields, to limit the usage of the key to digital signatures and code signing. The CRL distribution point extension is also part of the certificate. Are there any checks the HAB4 code performs on the certificates that could be causing the behavior I'm seeing?
Kind regards,
Eric
For future reference, I'll reply to my own question, as this issue is resolved now. The certificates we were using had a few x509v3 extensions added. The extension "ExtendedKeyUsage" was set to codeSigning and was marked as critical. As it turns out, this means the certificate cannot be used to create a signed digest for the SPL/FIT images. Recreating certificates for the IMG and CSF keys without the "ExtendedKeyUsage" extension and having the "KeyUsage" extension set to digitalSignature only and marked critical removes the hab_events (that unfortunately give no information as to why a certificate is rejected).
Kind regards,
Eric
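Added example, not code from the thread or from NXP's CST tooling: a standard-library-only Python checker that walks a certificate's DER encoding and reports where its extensions deviate from the profile that was accepted above (KeyUsage = digitalSignature only and marked critical, no ExtendedKeyUsage). Because HAB gives no reason for rejecting a certificate, checking the extension profile before signing is cheaper than reading HAB events. The DER builder, the two sample certificates and the file name `img_cert.pem` are constructed here; the samples are unsigned skeletons with dummy issuer/subject/key fields, which is enough for the extension walk but not a real certificate.

```python
"""Report deviations from the X.509 extension profile accepted for HAB4 IMG/CSF
signing certificates in the thread above.  Pure standard library (hand-rolled
DER walker), so it needs no `cryptography` package."""
import base64
import sys

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_extensions(cert_der):
    """Return {oid: (critical, extnValue bytes)} for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate SEQUENCE
    exts = {}
    for tag, val in _children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        (_, ext_seq), = _children(val)
        for _, ext in _children(ext_seq):
            fields = _children(ext)                  # OID, [BOOLEAN critical], OCTET STRING
            oid = _decode_oid(fields[0][1])
            critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            exts[oid] = (critical, fields[-1][1])
    return exts


def key_usage_flags(bitstring_der):
    """Names of the bits set in a KeyUsage BIT STRING (bit 0 = digitalSignature)."""
    _, content = _children(bitstring_der)[0]
    bits = content[1:]                               # skip the unused-bits count byte
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def check_hab_signing_cert(cert_der):
    """Findings that deviate from the profile that worked; an empty list means it matches."""
    exts, findings = parse_extensions(cert_der), []
    if OID_EXT_KEY_USAGE in exts:
        crit = exts[OID_EXT_KEY_USAGE][0]
        findings.append("ExtendedKeyUsage present" + (" and critical" if crit else "")
                        + "; the rejected certificates in the thread carried a critical EKU")
    if OID_KEY_USAGE not in exts:
        findings.append("KeyUsage absent; expected digitalSignature, critical")
    else:
        crit, value = exts[OID_KEY_USAGE]
        flags = key_usage_flags(value)
        if flags != {"digitalSignature"}:
            findings.append(f"KeyUsage is {sorted(flags)}; expected digitalSignature only")
        if not crit:
            findings.append("KeyUsage is not marked critical")
    return findings


# --- constructed sample certificates: DER built by hand, unsigned skeletons ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _extension(oid, critical, value_der):
    body = _oid(oid) + (_tlv(0x01, b"\xff") if critical else b"") + _tlv(0x04, value_der)
    return _tlv(0x30, body)


def build_cert_skeleton(extensions):
    """Constructed, unsigned certificate with dummy fields; only the extensions are meaningful."""
    algo = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))     # sha256WithRSA
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + algo     # v3, serial
           + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"700101000000Z") * 2)  # issuer, validity
           + _tlv(0x30, b"") + _tlv(0x30, b"")                               # subject, spki (dummy)
           + _tlv(0xA3, _tlv(0x30, b"".join(extensions))))
    return _tlv(0x30, _tlv(0x30, tbs) + algo + _tlv(0x03, b"\x00"))


# Profile HAB rejected in the thread: critical ExtendedKeyUsage = codeSigning.
REJECTED_CERT = build_cert_skeleton([
    _extension(OID_KEY_USAGE, False, _tlv(0x03, b"\x07\x80")),             # digitalSignature
    _extension(OID_EXT_KEY_USAGE, True, _tlv(0x30, _oid(OID_CODE_SIGNING))),
])
# Profile that worked: KeyUsage = digitalSignature only, critical, no EKU.
ACCEPTED_CERT = build_cert_skeleton([
    _extension(OID_KEY_USAGE, True, _tlv(0x03, b"\x07\x80")),
])


def load_cert(path):
    """Read a PEM or DER certificate file into DER bytes."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(b64)
    return data


if __name__ == "__main__":
    samples = [("rejected-profile", REJECTED_CERT), ("accepted-profile", ACCEPTED_CERT)]
    for name, der in samples + [(p, load_cert(p)) for p in sys.argv[1:]]:   # e.g. img_cert.pem
        print(name, check_hab_signing_cert(der) or "OK")
```

Run it with the PEM certificates for the IMG and CSF keys as arguments (`python check_hab_cert.py img_cert.pem csf_cert.pem`, file names assumed); with no arguments it only reports on the two constructed samples. The check encodes exactly what the thread established (critical EKU rejected; KeyUsage digitalSignature, critical, accepted) and nothing more, so a certificate that passes it is not guaranteed to be accepted by HAB for other reasons.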