HABv4 on imx6solo

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

HABv4 on imx6solo

跳至解决方案
2,860 次查看
jane-jiajuan_zh
Contributor III

chip: imx6solo rev1.3

uboot version: imx_v2018.03_4.14.78_1.0.0_ga

CST tools: CST3.2.0

Hi,

I follow the steps in file AN4581 to generate the keys and crts,  and write the SRK hash to the Fuses, but didn't close the chip.  Then switch my board BOOT_MODE[1:0] to 00 which means boot from Fuses.

and use the script in AN4581 "Appendix F. i.MX manufacturing tool", the script is attached. But the device cannot boot up and no log in UART.

Then I switch the BOOT_MODE[1:0] to 10, and enter u-boot command line, get the hab_status as below:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0x38

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

Could some one help check what it means?

Further more,  Does it need to pad 0xFF to the u-boot before/after calling cst tools?  

objcopy -I binary -O binary --pad-to 0xXXXX --gap-fill=0xff ${PROG_NAME}.imx ${PROG_NAME}_padded.imx

objcopy -I binary -O binary --pad-to 0xXXXX --gap-fill=0xff ${PROG_NAME}_tmp.bin ${PROG_NAME}_signed.bin

Which files need to use in CSF files? 

Blocks = 0x177ff400 0x00000000 0x000AF000 "u-boot_padded.imx"

or 

Blocks = 0x177ff400 0x00000000 0x000AEC00 "u-boot.imx"

1 解答
2,665 次查看
jane-jiajuan_zh
Contributor III

It is solved now, mark here:

No need add DCD in CSF file, I don't know why my mfgtools don't need this, but after remove all DCD block from my CSF file, and add kernel CSF, and close the device, all runs well.

在原帖中查看解决方案

6 回复数
2,666 次查看
jane-jiajuan_zh
Contributor III

It is solved now, mark here:

No need add DCD in CSF file, I don't know why my mfgtools don't need this, but after remove all DCD block from my CSF file, and add kernel CSF, and close the device, all runs well.

2,665 次查看
Yuri
NXP Employee
NXP Employee

Hello,

   the following, hope, helps:

https://community.nxp.com/message/1081015 

secure boot in i.mx6ull 

Regards,

Yuri.

0 项奖励
回复
2,665 次查看
jane-jiajuan_zh
Contributor III

my script of signing as below

#!/bin/bash
PROG_NAME=u-boot
objcopy -I binary -O binary --pad-to 0xaec00 --gap-fill=0xff ${PROG_NAME}.imx ${PROG_NAME}_padded.imx
./mod_4_mfgtool.sh clear_dcd_addr ${PROG_NAME}_padded.imx
../linux64/bin/cst --o ${PROG_NAME}_csf.bin --i ${PROG_NAME}.csf
objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0xff ${PROG_NAME}_csf.bin ${PROG_NAME}_csf_pad.bin
./mod_4_mfgtool.sh set_dcd_addr ${PROG_NAME}_padded.imx
cat ${PROG_NAME}_padded.imx ${PROG_NAME}_csf_pad.bin > ${PROG_NAME}_signed.bin

0 项奖励
回复
2,665 次查看
jane-jiajuan_zh
Contributor III

HAB has no event when
Blocks = 0x177ff400 0x00000000 0x000aec00 "./u-boot.imx"

but has lot of HAB event when

Blocks = 0x177ff400 0x00000000 0x000aec00 "./u-boot.imx", \
0x00910000 0x0000002c 0x00000238 "./u-boot.imx"

I use MfgTools to download the u-boot to NAND,  should I use the second one? 

Should I clear the DCD address before signing? and add the DCD address back after signing?

Jane

0 项奖励
回复
2,665 次查看
jane-jiajuan_zh
Contributor III

Hi Yuri,

I am looked up many your replies about HAB,  it seems I move one step forward,  but meet a new problem.

my CONFIG_CSF_SIZE is 0x4000, I try to pad the CSF to 0x4000, then the device could boot up when BOOT_MODE[1:0] =10, 

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

But still cannot boot when BOOT_MODE[1:0] =00.

What problem it might be?

 

Jane

0 项奖励
回复
2,665 次查看
Yuri
NXP Employee
NXP Employee

Hello,

Is it possible to boot unsigned system when BOOT_MODE[1:0]=00?

Perhaps some fuses are incorrect for Your boot configuration?

Regards,

Yuri.

0 项奖励
回复