I have been spending a lot of time getting HAB working on an i.MX7 for the mfgtool (uuu). I eventually got it working after a lot of troubleshooting.
Problem is: The way I got it working runs completely counter to what https://www.nxp.com/docs/en/application-note/AN4581.pdf specifies!
In Appendix F.1. in AN4581, it clearly explains that the CSF signature should be generated against the u-boot image with the DCD table pointer zeroed, and that the DCD table should also be signed as if located in OCRAM. The resulting signature can then be attached to the back of the image with the DCD table pointer restored to its original value. This does not work on the silicon on my desk. On the device I get a `HAB_INV_SIGNATURE` as the first event followed by a further 5 events.
If I skip the DCD table pointer zeroing, I get `No HAB Events Found!`. So it works... But will it keep on working for future `mfgtool` or silicon versions?
Can anybody explain what I am seeing?
Hello,
Do you use the mfg or uuu?
Have a great day,
Yuri
Hi Yuri,
I am using the uuu executable as built by the mfgtool project cloned from here: GitHub - NXPmicro/mfgtools: Freescale/NXP I.MX Chip image deploy tools. My uuu.auto script contains:
```
SDP: boot -f u-boot.imx.hab-signed.mfgtool -nojump
SDP: write -f zImage -addr 0x80800000
SDP: write -f rootfs.cpio.uboot -addr 0x83800000
SDP: write -f imx7dea-2piasg.dtb -addr 0x83000000
SDP: jump -f u-boot.imx.hab-signed.mfgtool -ivt
```
u-boot.imx.hab-signed.mfgtool is a concatenation of boot.imx and u-boot.imx.mfgtool.csf.bin.
u-boot.imx.mfgtool.csf.bin is generated with cst using the following input:
```
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "otau/cst/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "otau/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "otau/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
# Address Offset Length DataFilePath
Blocks = 0x877ff400 0 0x4ec00 "/home/smipi1/Projects/apex.new/build_dir/arm/boot/u-boot.imx", \
         0x910000 0x2c 0x01b0 "/home/smipi1/Projects/apex.new/build_dir/arm/boot/u-boot.imx"
```
As already stated, the above works, but it shouldn't. I should be using a DCD pointer zeroed variant of u-boot.imx to create the signature for it to work.
Regards,
Pieter
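For readers comparing the two signing inputs discussed in this thread, here is an added sketch (not code from the posters or from NXP's tooling) that builds the DCD-pointer-zeroed copy the first post attributes to AN4581 Appendix F.1 and derives the two `Blocks` entries from the IVT. The function names, the IVT-at-offset-0 layout, the rule that the image block ends at the CSF pointer, and the sample image are assumptions; `0x910000` is the OCRAM address taken from the CSF file above.

```python
import struct

IVT_FMT = "<B2sB7I"   # tag, big-endian length, version, then 7 little-endian words
IVT_TAG, DCD_TAG = 0xD1, 0xD2
DCD_PTR_OFF = 12      # byte offset of the DCD pointer word inside the IVT

def parse_ivt(image):
    """Decode the IVT at offset 0 of a u-boot.imx style image."""
    tag, length, _ver, entry, _r1, dcd, boot_data, self_addr, csf, _r2 = \
        struct.unpack_from(IVT_FMT, image, 0)
    if tag != IVT_TAG or int.from_bytes(length, "big") != 0x20:
        raise ValueError("no IVT header at offset 0")
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data,
            "self": self_addr, "csf": csf}

def signing_inputs(image, ocram_dcd_addr=0x910000):
    """Return (copy with DCD pointer zeroed, [(address, offset, length), ...])."""
    ivt = parse_ivt(image)
    if ivt["dcd"] == 0 or ivt["csf"] == 0:
        raise ValueError("IVT needs both a DCD and a CSF pointer")
    dcd_off = ivt["dcd"] - ivt["self"]
    if not 0 <= dcd_off <= len(image) - 4 or image[dcd_off] != DCD_TAG:
        raise ValueError("DCD pointer does not land on a DCD header")
    dcd_len = int.from_bytes(image[dcd_off + 1:dcd_off + 3], "big")
    zeroed = bytearray(image)
    zeroed[DCD_PTR_OFF:DCD_PTR_OFF + 4] = bytes(4)   # only these 4 bytes change
    # Assumption: the image block runs from the IVT up to the CSF pointer.
    blocks = [(ivt["self"], 0, ivt["csf"] - ivt["self"]),
              (ocram_dcd_addr, dcd_off, dcd_len)]
    return bytes(zeroed), blocks

def blocks_line(blocks, path):
    """Format the blocks as a cst 'Blocks =' entry."""
    rows = ['0x%08x 0x%x 0x%x "%s"' % (a, o, n, path) for a, o, n in blocks]
    return "Blocks = " + ", \\\n         ".join(rows)

def make_sample():
    """Constructed 0x400-byte image: IVT, boot data, 16-byte DCD at 0x2c."""
    base = 0x877FF400
    ivt = struct.pack(IVT_FMT, IVT_TAG, (0x20).to_bytes(2, "big"), 0x40,
                      0x87800000, 0, base + 0x2C, base + 0x20, base,
                      base + 0x400, 0)
    boot_data = struct.pack("<3I", base, 0x400, 0)
    dcd = bytes([DCD_TAG, 0x00, 0x10, 0x40]) + bytes(12)
    return (ivt + boot_data + dcd).ljust(0x400, b"\0")

if __name__ == "__main__":
    zeroed, blocks = signing_inputs(make_sample())
    print(blocks_line(blocks, "u-boot.imx"))
```

Signing the zeroed copy and the untouched image in turn, then comparing the resulting HAB events, isolates the DCD pointer as the only variable, since the two inputs differ in exactly four bytes.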
Hello,
The issue may be related to the use of MFG. Is it possible to reproduce the issue with MFG (instead of UUU)?
Regards,
Yuri.