High Assurance Boot Application Note wrong for HAB and mfgtool?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

High Assurance Boot Application Note wrong for HAB and mfgtool?

928 Views
pieter1
Contributor I

I have been spending a lot of time getting HAB working on an i.MX7 for the mfgtool (uuu). I eventually got it working after a lot of troubleshooting.

Problem is: The way I got it working runs completely counter to what https://www.nxp.com/docs/en/application-note/AN4581.pdf specifies!

In Appendix F.1. in AN4581, it clearly explains that the CSF signature should be generated against the u-boot image with the DCD table pointer zeroed, and that the DCD table should also be signed as if located in OCRAM. The resulting signature can then be attached to the back of the image with the DCD table pointer restored to its original value. This does not work on the silicon on my desk. On the device I get a `HAB_INV_SIGNATURE` as the first event followed by a further 5 events.

If I skip the DCD table pointer zeroing, I get `No HAB Events Found!`. So it works... But will it keep on working for future `mfgtool` or silicon versions?

Can anybody explain what I am seeing?

Labels (1)
0 Kudos
3 Replies

660 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Do You use the mfg or uuu?


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos

660 Views
pieter1
Contributor I

Hi Yuri,

I am using the uuu executable as built by the mfgtool project cloned from here: GitHub - NXPmicro/mfgtools: Freescale/NXP I.MX Chip image deploy tools. My uuu.auto script contains:

SDP: boot -f u-boot.imx.hab-signed.mfgtool -nojump
SDP: write -f zImage -addr 0x80800000
SDP: write -f rootfs.cpio.uboot -addr 0x83800000
SDP: write -f imx7dea-2piasg.dtb -addr 0x83000000
SDP: jump -f u-boot.imx.hab-signed.mfgtool -ivt

u-boot.imx.hab-signed.mfgtool is a concatenation of boot.imx and u-boot.imx.mfgtool.csf.bin.

u-boot.imx.mfgtool.csf.bin is generated with cst using the following input:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "otau/cst/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "otau/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "otau/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
# Address Offset Length DataFilePath
Blocks = 0x877ff400 0 0x4ec00 "/home/smipi1/Projects/apex.new/build_dir/arm/boot/u-boot.imx", \
         0x910000 0x2c 0x01b0 "/home/smipi1/Projects/apex.new/build_dir/arm/boot/u-boot.imx"

As already stated, the above works, but it shouldn't. I should be using a DCD pointer zeroed variant of u-boot.imx to create the signature for it to work.

Regards,

Pieter

0 Kudos

660 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The issue may be concern with MFG using. Is it possible to reproduce the issue with the MFG (instead of UUU)?

Regards,

Yuri.

0 Kudos