How to enable secure boot for IMX8MM

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

How to enable secure boot for IMX8MM

18,589件の閲覧回数
Ben_Teng
Contributor I

Hello, 

Currently I'm working on Enable SecureBoot, would anyone guide me and point me out what steps I missed?

Here's my step as below:

Step 1. download cst-3.3.1.tgz

Step 2. tar xvf cst-3.3.1.tgz && cd cst-3.3.1/keys

Step 3. cst-3.3.1/keys

$ echo "4242424E" > ser

$ echo "test" > key_pass.txt

$ echo "test" >> key_pass.txt

$ ./hab4_pki_tree.sh

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for Freescale's
High Assurance Boot. It generates a basic PKI tree. The PKI
tree consists of one or more Super Root Keys (SRK), with each
SRK having two subordinate keys:
+ a Command Sequence File (CSF) key
+ Image key.
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

 

Step 4. cd ../crts &&

../linux64/bin/srktool \
> -h 4 \
> -t SRK_1_2_3_4_table.bin \
> -e SRK_1_2_3_4_fuse.bin \
> -d sha256 \
> -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,\
> ./SRK2_sha256_2048_65537_v3_ca_crt.pem,\
> ./SRK3_sha256_2048_65537_v3_ca_crt.pem,\
> ./SRK4_sha256_2048_65537_v3_ca_crt.pem

 

Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRK HASH[0] = 0xDA7CCBEB
SRK HASH[1] = 0xD7D9F573
SRK HASH[2] = 0x20DEBFD6
SRK HASH[3] = 0x0E4AAC11
SRK HASH[4] = 0xB0965A65
SRK HASH[5] = 0x1A89C7DA
SRK HASH[6] = 0x6D960E3F
SRK HASH[7] = 0xE080A6D8

 

Step 5. CONFIG_SECURE_BOOT=y In uboot then rebuild it.

Step 6. 

$ cp imx-uboot/tools/mkimage ./imx-mkimage/iMX8M/mkimage_uboot
$ cp imx-uboot/arch/arm/dts/myb-imx8mm-base.dtb ./imx-mkimage/iMX8M/fsl-imx8mm-ddr4-evk.dtb
$ cp imx-uboot/spl/u-boot-spl.bin ./imx-mkimage/iMX8M/
$ cp imx-uboot/u-boot-nodtb.bin ./imx-mkimage/iMX8M/

# firmware-imx-8.7
$ cp firmware-imx-8.7/firmware/ddr/synopsys/ddr4_dmem_1d.bin ./imx-mkimage/iMX8M/
$ cp firmware-imx-8.7/firmware/ddr/synopsys/ddr4_dmem_2d.bin ./imx-mkimage/iMX8M/
$ cp firmware-imx-8.7/firmware/ddr/synopsys/ddr4_imem_1d.bin ./imx-mkimage/iMX8M/
$ cp firmware-imx-8.7/firmware/ddr/synopsys/ddr4_imem_2d.bin ./imx-mkimage/iMX8M/

# imx8mm-atf
$ cp imx-atf/build/imx8mm/release/bl31.bin ./imx-mkimage/iMX8M/

$ cd imx-mkimage
$ make SOC=iMX8MM clean
$ make SOC=iMX8MM flash_ddr4_evk

 

========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x2c600
spl hab block: 0x7e0fc0 0x0 0x2c600

Second Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20
sld hab block: 0x401fcdc0 0x57c00 0x1020

 

$ make SOC=iMX8MM print_fit_hab_ddr
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-ddr4-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 fsl-imx8mm-ddr4-evk.dtb
0x40200000 0x5AC00 0x9BDB0
0x4029BDB0 0xF69B0 0x83B0
0x920000 0xFED60 0xA160

Step 7.  Copy template from imx-uboot source code

$ cp ./myir-imx-uboot/doc/imx/habv4/csf_examples/mx8m/csf_fit.txt cst-3.3.1

$ cp ./myir-imx-uboot/doc/imx/habv4/csf_examples/mx8m/csf_spl.txt

 

Step 8. Modify Blocks in csf_spl.txt

Blocks = 0x7e0fc0 0x0 0x2c600 "flash.bin"

 

Step 9. Modify Blocks in csf_fit.txt

Blocks = 0x401fcdc0 0x57c00 0x1020 "flash.bin" \

                0x40200000 0x5AC00 0x9BDB0 "flash.bin" \
                0x4029BDB0 0xF69B0 0x83B0 "flash.bin" \
                0x920000 0xFED60 0xA160 "flash.bin"

 

Step 10.  Signed flash.bin then updating uboot

$ ../linux64/bin/cst -i csf_spl.txt -o csf_spl.bin
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in csf_spl.bin
$ ../linux64/bin/cst -i csf_fit.txt -o csf_fit.bin
Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in csf_fit.bin

$ cp flash.bin signed_flash.bin

dd if=csf_spl.bin of=signed_flash.bin seek=$((0x2c600)) bs=1 conv=notrunc
3912+0 records in
3912+0 records out
3912 bytes (3.9 kB, 3.8 KiB) copied, 0.00899194 s, 435 kB/s
$ dd if=csf_fit.bin of=signed_flash.bin seek=$((0x58c20)) bs=1 conv=notrunc
3928+0 records in
3928+0 records out
3928 bytes (3.9 kB, 3.8 KiB) copied, 0.00964808 s, 407 kB/s

 

$ dd if=/tmp/signed_flash.bin of=/dev/mmcblk1 bs=1k seek=33 && sync && reboot

 

Step11.  check hab_status

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x68

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xe0
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x10 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x58

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 

Step 12. fuse program

u-boot=> fuse prog 6 0 0xDA7CCBEB
u-boot=> fuse prog 6 1 0xD7D9F573
u-boot=> fuse prog 6 2 0x20DEBFD6
u-boot=> fuse prog 6 3 0x0E4AAC11
u-boot=> fuse prog 7 0 0xB0965A65
u-boot=> fuse prog 7 1 0x1A89C7DA
u-boot=> fuse prog 7 2 0x6D960E3F
u-boot=> fuse prog 7 3 0xE080A6D8

 

u-boot=> fuse prog 0 0 0x200

u-boot=> fuse prog 1 3 0x8000000

u-boot=> fuse prog 1 3 0x200000

u-boot=> fuse prog 1 3 0xC00000

 

u-boot=> reset

 

After resetting, iMX8MM can not bootup, could anyone help me clarify this? 

I'm wondering what the correct way is or what steps I missed/wrong?

0 件の賞賛
返信
23 返答(返信)

17,634件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Ben_Teng 

"Step 5. CONFIG_SECURE_BOOT=y In uboot then rebuild it. "

Not sure what version of U-Boot you are using. It should be CONFIG_IMX_HAB=y if you are using newer U-Boot BSP.

 

Best regards

Harvey

 

0 件の賞賛
返信

17,610件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 ,

Thanks for your reply!

Currently I'm using U-Boot 2019.04.

Is it alright? Thanks again!

 

Best Regards,

Ben

タグ(1)
0 件の賞賛
返信

17,604件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi 

Can you please share both your csf files? and would be better with your signed and unsigned images.

 

Best regards

Harvey

0 件の賞賛
返信

17,582件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 ,

Thanks for your reply!

 

Here's csf files and unsigned/signed images as attachment.

 

Thanks again!

 

Best Regards,

Ben

0 件の賞賛
返信

17,538件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Ben_Teng 

Authenticate Data in your csf for fit should be matched as printed by print_fit_hab_ddr.

These mismatched lines marked with red as attached.

 

Best regards

Harvey

 

0 件の賞賛
返信

17,444件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 ,

Thanks for your reply!

Oops! Most likely I forgot to revise it.

 

In this case, do I have any chance to rescue it back? 

It cannot boot up due to my mistake.

 

Besides, would you please help me to check if my images and csf files correct or not when I rebuild it?

I would like to build it again.

 

Many thanks!

 

Best Regards, 

Ben

0 件の賞賛
返信

17,423件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi 

You can retry to sign your boot image with correct csf files. It should be no problem, I don't see your fuse operation with error which will cause chip bricked if so. 

 

Best regards

Harvey

0 件の賞賛
返信

17,399件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 ,

Thanks for your reply!

The chip still bricked, let me attach csf & image I used currently again.

Is there anything wrong? 

 

$ build_boot.sh

include misc.mak
include m4.mak
include android.mak
include test.mak
include autobuild.mak
include rev_a.mak
include alias.mak
imx8qm clean done
include misc.mak
include m4.mak
include android.mak
include test.mak
include autobuild.mak
include rev_a.mak
include alias.mak
imx8qx clean done
Compiling mkimage_imx8
PLAT=imx8mm HDMI=no
Compiling mkimage_imx8
gcc -O2 -pipe -g -feliminate-unused-debug-types mkimage_imx8.c -o mkimage_imx8 -lz
24564+0 records in
24564+0 records out
98256 bytes (98 kB, 96 KiB) copied, 0.0506418 s, 1.9 MB/s
./../scripts/pad_image.sh bl31.bin
bl31.bin is padded to 41312
./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-ddr4-evk.dtb
u-boot-nodtb.bin + fsl-imx8mm-ddr4-evk.dtb are padded to 672096
DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 ./mkimage_fit_atf.sh fsl-imx8mm-ddr4-evk.dtb > u-boot-ddr4-evk.its
bl31.bin size:
41312
u-boot-nodtb.bin size:
638376
fsl-imx8mm-ddr4-evk.dtb size:
33720
./mkimage_uboot -E -p 0x3000 -f u-boot-ddr4-evk.its u-boot-ddr4-evk.itb
u-boot-ddr4-evk.its:7.11-14.5: Warning (unit_address_vs_reg): /images/uboot@1: node has a unit name, but no reg property
u-boot-ddr4-evk.its:15.9-20.5: Warning (unit_address_vs_reg): /images/fdt@1: node has a unit name, but no reg property
u-boot-ddr4-evk.its:21.9-29.5: Warning (unit_address_vs_reg): /images/atf@1: node has a unit name, but no reg property
u-boot-ddr4-evk.its:34.12-39.5: Warning (unit_address_vs_reg): /configurations/config@1: node has a unit name, but no reg property
FIT description: Configuration to load ATF before U-Boot
Created: Tue Jun 6 14:16:06 2023
Image 0 (uboot@1)
Description: U-Boot (64-bit)
Created: Tue Jun 6 14:16:06 2023
Type: Standalone Program
Compression: uncompressed
Data Size: 638376 Bytes = 623.41 KiB = 0.61 MiB
Architecture: AArch64
Load Address: 0x40200000
Entry Point: unavailable
Image 1 (fdt@1)
Description: fsl-imx8mm-ddr4-evk
Created: Tue Jun 6 14:16:06 2023
Type: Flat Device Tree
Compression: uncompressed
Data Size: 33720 Bytes = 32.93 KiB = 0.03 MiB
Architecture: Unknown Architecture
Image 2 (atf@1)
Description: ARM Trusted Firmware
Created: Tue Jun 6 14:16:06 2023
Type: Firmware
Compression: uncompressed
Data Size: 41312 Bytes = 40.34 KiB = 0.04 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x00920000
Default Configuration: 'config@1'
Configuration 0 (config@1)
Description: fsl-imx8mm-ddr4-evk
Kernel: unavailable
Firmware: uboot@1
FDT: fdt@1
Loadables: atf@1
./mkimage_imx8 -version v1 -fit -loader u-boot-spl-ddr4.bin 0x7E1000 -second_loader u-boot-ddr4-evk.itb 0x40200000 0x60000 -out flash.bin
Platform: i.MX8M (mScale)
ROM VERSION: v1
Using FIT image
LOADER IMAGE: u-boot-spl-ddr4.bin start addr: 0x007e1000
SECOND LOADER IMAGE: u-boot-ddr4-evk.itb start addr: 0x40200000 offset: 0x00060000
Output: flash.bin
========= IVT HEADER [HDMI FW] =========
header.tag: 0x0
header.length: 0x0
header.version: 0x0
entry: 0x0
reserved1: 0x0
dcd_ptr: 0x0
boot_data_ptr: 0x0
self: 0x0
csf: 0x0
reserved2: 0x0
boot_data.start: 0x0
boot_data.size: 0x0
boot_data.plugin: 0x0
========= IVT HEADER [PLUGIN] =========
header.tag: 0x0
header.length: 0x0
header.version: 0x0
entry: 0x0
reserved1: 0x0
dcd_ptr: 0x0
boot_data_ptr: 0x0
self: 0x0
csf: 0x0
reserved2: 0x0
boot_data.start: 0x0
boot_data.size: 0x0
boot_data.plugin: 0x0
========= IVT HEADER [LOADER IMAGE] =========
header.tag: 0xd1
header.length: 0x2000
header.version: 0x41
entry: 0x7e1000
reserved1: 0x57c00
dcd_ptr: 0x0
boot_data_ptr: 0x7e0fe0
self: 0x7e0fc0
csf: 0x80d5c0
reserved2: 0x0
boot_data.start: 0x7e0bc0
boot_data.size: 0x2ea60
boot_data.plugin: 0x0
========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x2c600
spl hab block: 0x7e0fc0 0x0 0x2c600

Second Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20
sld hab block: 0x401fcdc0 0x57c00 0x1020

 

 

imx-mkimage $ make SOC=iMX8MM print_fit_hab_ddr4
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-ddr4-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 fsl-imx8mm-ddr4-evk.dtb
0x40200000 0x5AC00 0x9BDA8
0x4029BDA8 0xF69A8 0x83B8
0x920000 0xFED60 0xA160

 

 

 

Thanks again!

 

Best Regards,

Ben

0 件の賞賛
返信

17,353件の閲覧回数
rudi_cyber
Contributor III

I use the tools in cst to parse the signed_flash.bin in secureboot_csf_image.zip and re-create the hash.

hexdump SRK_fuses.bin
0000000 cbeb da7c f573 d7d9 bfd6 20de ac11 0e4a
0000010 5a65 b096 c7da 1a89 0e3f 6d96 a6d8 e080

It is correct. 

The big problem is:

You didn't follow the document in uboot-imx\doc\imx\habv4\guides\mx8m_secure_boot.txt.

The only fuse to enable the security boot on 8MM is 

- Program SEC_CONFIG[1] fuse on i.MX8M family devices:

=> fuse prog 1 3 0x2000000

You didn't do that.

But you program the SRK_LOCK (fuse prog 0 0 0x200). 

It is not the i.MX8MM document.

But according to my i.MX6 experience. 

If the  SRK_LOCK is set, even the ROM security boot cannot read the srk table.

So, you board gets bricked for ever.

 

 

 

0 件の賞賛
返信

17,306件の閲覧回数
Ben_Teng
Contributor I

Hi @rudi_cyber ,

Thanks for your reply,

I'll read uboot-imx\doc\imx\habv4\guides\mx8m_secure_boot.txt closely.

 

According to your experience, could I just only program the fuse as below?

u-boot=> fuse prog 6 0 0xDA7CCBEB
u-boot=> fuse prog 6 1 0xD7D9F573
u-boot=> fuse prog 6 2 0x20DEBFD6
u-boot=> fuse prog 6 3 0x0E4AAC11
u-boot=> fuse prog 7 0 0xB0965A65
u-boot=> fuse prog 7 1 0x1A89C7DA
u-boot=> fuse prog 7 2 0x6D960E3F
u-boot=> fuse prog 7 3 0xE080A6D8

 

Thanks again!

 

Best Regards,

Ben

 

0 件の賞賛
返信

17,278件の閲覧回数
rudi_cyber
Contributor III

The srk table hash is correct.

I have check the your signed flash.bin and  extract the srk table from your singed flash.bin.

and re-generate the hash by tools in cst. It is correct. 

You device hasn't been closed, yet. Because you didn't burn the SEC_CONFIG[1] fuse(fuse prog 1 3 0x2000000).

You problem is you burn the the SRK_LOCK (fuse prog 0 0 0x200).

If you didn't burn the SRK_LOCK (fuse prog 0 0 0x200), you can try till no any HAB event.

Then you close the device by burn the SEC_CONFIG[1] fuse(fuse prog 1 3 0x2000000).

The document in uboot, didn't tell you 

u-boot=> fuse prog 0 0 0x200

u-boot=> fuse prog 1 3 0x8000000

                      u-boot=> fuse prog 1 3 0x200000   you didn't close the device.

(SEC_CONFIG[1] fuse(fuse prog 1 3 0x2000000).)

u-boot=> fuse prog 1 3 0xC00000

I

https://github.com/nxp-imx/uboot-imx/blob/lf_v2022.04/doc/imx/habv4/guides/mx8m_secure_boot.txt

Prior to closing the device users should ensure no HAB events were found, as
the example below:

- Verify HAB events:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

 

attached the SRK_fuse.bin and SRKTable.bin extracted from your signed_flash.bin

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_fuses.bin

0xDA7CCBEB

0xD7D9F573

0x20DEBFD6

0xE4AAC11

0xB0965A65

0x1A89C7DA

0x6D960E3F

0xE080A6D8

 
0 件の賞賛
返信

15,207件の閲覧回数
gaurav_bankar
Contributor II

Hello, 

   You said you have extracted the srk table from your signed flash.bin and re-generated the hash by tools in cst. Can you tell me how did you do that? 

 I have hab events telling me I have invalid signature so I wanted to check if my flash.bin is correctly signed. 

Thank you. 

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x8a 0x00 0x40 0x2c 0x8a 0x00
0x00 0x00 0x7c 0x60 0x00 0x97 0x00 0x00
0x00 0x00 0xb1 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x8a 0x00 0x40 0x2c 0x8a 0x00
0x00 0x00 0x7c 0x60 0x00 0x97 0x00 0x00
0x00 0x00 0xb1 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

0 件の賞賛
返信

15,136件の閲覧回数
Ben_Teng
Contributor I

Hi @gaurav_bankar ,

 

Please try hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin  so that you are able to retrieve the key you generated.

 

Hope it'll help you.

 

Ben.

0 件の賞賛
返信

17,366件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi 

Can you tell more details about device bricked? 

Not sure what will happen when you do fuse 1 3 0x8000000, as I see this bit reserved.

If you close device, have you compared SRK fuse with SRK table? 

You can try to boot your signed image on a not-closed device.

Are you using your own script (build_boot.sh) to build uboot? then have you tried an unsigned image which can be booted on a not-closed device?

So far, I can't find problems from your csf and images.

 

Best regards

Harvey 

 

 

 

0 件の賞賛
返信

17,204件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 & @rudi_cyber,

I programed new fuse I re-generated couple of minutes ago, the chip is not bricked so far.

I checked hab_status Secure boot is still disabled, should I program these are shown as below for enable secure boot?

I'm not sure if it's fine to program these.

 

- Program SRK_LOCK:

=> fuse prog 0 0 0x200

- Program DIR_BT_DIS:

=> fuse prog 1 3 0x8000000

- Program SJC_DISABLE:

=> fuse prog 1 3 0x200000

- JTAG_SMODE:

=> fuse prog 1 3 0xC00000

 

Here's the log I programmed SRK_HASH. Then check hab_status.

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

u-boot=> fuse prog 6 0 0xF251CB62
Programming bank 6 word 0x00000000 to 0xf251cb62...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 6 1 0x7BF4EB5C
Programming bank 6 word 0x00000001 to 0x7bf4eb5c...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 6 2 0x02741273
Programming bank 6 word 0x00000002 to 0x02741273...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 6 3 0xD5EE1986
Programming bank 6 word 0x00000003 to 0xd5ee1986...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 7 0 0xF0CB6BB1
Programming bank 7 word 0x00000000 to 0xf0cb6bb1...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 7 1 0xE6E0D45E
Programming bank 7 word 0x00000001 to 0xe6e0d45e...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 7 2 0x6207D012
Programming bank 7 word 0x00000002 to 0x6207d012...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
u-boot=> fuse prog 7 3 0x1A6EAA7E
Programming bank 7 word 0x00000003 to 0x1a6eaa7e...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

0 件の賞賛
返信

17,174件の閲覧回数
mason2036
Contributor I

1. fuse prog 1 3 0x2000000 is enough to finish the HAB close the device. SEC_CONFIG[1] fuse

    You don't need to program others. 

The others are related to the device SOC level security not HAB. 

2.  - Program SJC_DISABLE:

   => fuse prog 1 3 0x200000

This  fuse has no related to the HAB security. Open device still can disable  jtag. (no need fuse prog 1 3 0x2000000 )

3. - JTAG_SMODE:

=> fuse prog 1 3 0xC00000

This  fuse has no related to the HAB security. Open device still can use security jtag, which is called challenge. In i.MX is using uuid.(no need  fuse prog 1 3 0x2000000 )

Untitled.png

 

Besides, when you disable the jtag, you have no chance to access the jtag, jtag challenge also doesn't exist. 

So when you use  SJC_DISABLE, JTAG_SMODE, you don't need to program JTAG_SMODE.

Untitled1.png

0 件の賞賛
返信

17,156件の閲覧回数
Ben_Teng
Contributor I

Hi @mason2036 ,

Noted, Thank you so much, I'm really appreciate it.

 

I'm facing another issue as below, is it the problem about kernel image is not signed?

Authenticate image from DDR location 0x40480000...
bad magic magic=0x90 length=0x4ba version=0x0
bad length magic=0x90 length=0x4ba version=0x0
bad version magic=0x90 length=0x4ba version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check

 

 

Thanks again!

Best Regard,

Ben

0 件の賞賛
返信

17,189件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi 

To enable secure boot, as stated in (uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub) you have to close device.

- Program SEC_CONFIG[1] fuse on i.MX8M family devices:

=> fuse prog 1 3 0x2000000

 

Yes, you can go ahead for Completely secure the device, just a note to "DIR_BT_DIS".

Normally this bit is already fused out of factory. You can read it before fuse.

More details, refer to 5.7 Securing the device of AN4581.

 

Best regards

Harvey

 

 

0 件の賞賛
返信

17,160件の閲覧回数
Ben_Teng
Contributor I

Hi @Harvey021 ,

Thank you so much for your reply!

1. As stated in AN4581, DIR_BT_DIS: Disable direct external memory boot.

-> I'm still not fully get it, would you please tell me much more detail?

What to note "DIR_BT_DIS"? I'm confused by "direct external memory boot" and "eMMC boot", would you please tell me more about it?

 

2. After I programmed SEC_CONFIG[1], I get an Error:Invalid IVT structure, shown as below, how can I fix it?

 

Authenticate image from DDR location 0x40480000...
bad magic magic=0x90 length=0x4ba version=0x0
bad length magic=0x90 length=0x4ba version=0x0
bad version magic=0x90 length=0x4ba version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check

0 件の賞賛
返信

17,149件の閲覧回数
Harvey021
NXP TechSupport
NXP TechSupport

Hi 

As these questions are already different from originals. will answer back to you in a new case for which I already clone one. 

 

Best regards

Harvey

0 件の賞賛
返信