How to enable Android14 BSP 2.2 Security Boot On IMX8MP platform

liangyan
Contributor III

Hi NXP

I am using the IMX8MP EVK board and I want to enable Secure Boot on Android 14. The following are my steps:

1. cd cst-3.1.0/keys

2. ./hab4_pki_tree.sh

3. cd cst-3.1.0/crts

4. ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem

5. hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

6. U-Boot commands:

    fuse prog -y 6 0 0x2C316710 0x46A7CA37 0x6FAD074B 0xFA86146A
    fuse prog -y 7 0 0x8D79AC5E 0xD6E89D73 0x678A9405 0xE386E6A3

7. Enable CONFIG_IMX_HAB=y in U-Boot.

8. Build the Android kernel.

9. Edit csf_spl.txt, csf_fit.txt and csf_fit_fdt.txt.

10.

    ./cst --i=csf_spl.txt --o=csf_spl.bin
    ./cst --i=csf_fit.txt --o=csf_fit.bin
    ./cst -i csf_fit_fdt.txt -o csf_fit_fdt.bin

11.

    dd if=csf_spl.bin of=u-boot-imx8mp-evk-uuu.imx seek=$((0x34000)) bs=1 conv=notrunc
    dd if=csf_fit.bin of=u-boot-imx8mp-evk-uuu.imx seek=$((0x59020)) bs=1 conv=notrunc
    dd if=csf_fit_fdt.bin of=u-boot-imx8mp-evk-uuu.imx seek=$((0x5b020)) bs=1 conv=notrunc

12. Copy u-boot-imx8mp-evk-uuu.imx and burn the board.

13. sudo ./${FALSH_DIR}/uuu_imx_android_flash.sh -D ${FALSH_DIR} -f imx8mp -e -d lvds-panel

14. The board does not boot up.

 

15. csf_fit.txt

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fadc0 0x58000 0x1020 "u-boot-imx8mp-evk-uuu.imx", \
0x40200000 0x5D000 0x10A7E8 "u-boot-imx8mp-evk-uuu.imx", \
0x4030A7E8 0x1677E8 0x10788 "u-boot-imx8mp-evk-uuu.imx", \
0x970000 0x177F70 0xAA70 "u-boot-imx8mp-evk-uuu.imx"

16. csf_spl.txt

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID, MFG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x91ffc0 0x0 0x34000 "u-boot-imx8mp-evk-uuu.imx"

17. csf_fit_fdt.txt

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fadc0 0x58000 0x3020 "u-boot-imx8mp-evk-uuu.imx"

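
A cross-check for steps 5 and 6 of the post above, added here as an example and not part of the original thread or of NXP's tooling: it derives the `fuse prog` commands from the 32-byte `SRK_1_2_3_4_fuse.bin` and compares them by value with the commands about to be typed, because SRK fuses are one-time programmable. The bank 6/7 layout is taken from the post; the little-endian word order assumes `hexdump` ran on an x86 host, and the function names and sample bytes are constructed for illustration.

```python
import re
import struct

SRK_HASH_LEN = 32    # srktool -d sha256 writes a 32-byte SRK table hash
FIRST_BANK = 6       # bank/word layout taken from step 6 of the post
WORDS_PER_BANK = 4


def srk_fuse_words(fuse_bin: bytes) -> list[int]:
    """Split the fuse file into eight little-endian 32-bit words,
    matching what hexdump '/4 "%X"' prints on an x86 host."""
    if len(fuse_bin) != SRK_HASH_LEN:
        raise ValueError(f"expected {SRK_HASH_LEN} bytes, got {len(fuse_bin)}")
    return list(struct.unpack("<8I", fuse_bin))


def expected_commands(fuse_bin: bytes) -> list[str]:
    """Render the U-Boot commands that program the hash, zero-padded."""
    words = srk_fuse_words(fuse_bin)
    cmds = []
    for i in range(0, len(words), WORDS_PER_BANK):
        vals = " ".join(f"0x{w:08X}" for w in words[i:i + WORDS_PER_BANK])
        cmds.append(f"fuse prog -y {FIRST_BANK + i // WORDS_PER_BANK} 0 {vals}")
    return cmds


def parse_command(cmd: str) -> tuple[int, int, list[int]]:
    """Parse 'fuse prog [-y] <bank> <word> <hex>...' into numbers."""
    m = re.fullmatch(
        r"\s*fuse\s+prog\s+(?:-y\s+)?(\d+)\s+(\d+)((?:\s+0x[0-9a-fA-F]+)+)\s*", cmd)
    if not m:
        raise ValueError(f"not a fuse prog command: {cmd!r}")
    return int(m.group(1)), int(m.group(2)), [int(v, 16) for v in m.group(3).split()]


def mismatches(fuse_bin: bytes, typed: list[str]) -> list[str]:
    """Compare typed commands with the file by value, so '0x46A7CA' and
    '0x0046A7CA' are equal but a swapped or mistyped word is reported."""
    want = [parse_command(c) for c in expected_commands(fuse_bin)]
    got = [parse_command(c) for c in typed]
    problems = [f"expected {w}, typed {g}" for w, g in zip(want, got) if w != g]
    if len(want) != len(got):
        problems.append(f"expected {len(want)} commands, typed {len(got)}")
    return problems


# Constructed sample: the eight words from step 6 packed back into a file image.
SAMPLE_FUSE_BIN = struct.pack("<8I", 0x2C316710, 0x46A7CA37, 0x6FAD074B, 0xFA86146A,
                              0x8D79AC5E, 0xD6E89D73, 0x678A9405, 0xE386E6A3)
```

An empty list from `mismatches()` means the typed commands carry the same bank, word offset and values as the file.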

Harvey021
NXP TechSupport

Hi @liangyan 

Will reply back to you in your other case 

IMX8MP Android 14 secure boot HAB Failed - NXP Community

Regards

Harvey
