How to sign a kernel+ramdisk+dtb FIT image with HAB?

jclsn · ‎11-02-2021

I have alredy read

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

and the PDF on Secure Boot on i.MX boards, but I am still unsure how to do this.

I have three files with the corresponding load addresses contained in the FIT image

Image                                    0x40480000
ramdisk-recovery.img            0x43100000
imx8mm-gpv-distec.dtb         0x43000000

The load address of the FIT image is 0x44000000 and its size is 0x0285d200. Its padded size is 0x285E000.

So in my ./genIVT I guess I need

#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # Signature
print $out pack("V", 0x44000000); # Load Address (*load_address)
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x4685E000); # Self Pointer (*ivt)
print $out pack("V", 0x4685E020); # CSF Pointer (*csf)
print $out pack("V", 0x0); # Reserved

I am unsure what to put in the csf_additional_images now. I have put this

Blocks = 0x40480000 0x00000000 0x01ec9a00 "Image", \
0x43000000 0x00000000 0x0000a638 "imx8mm-gpv-distec.dtb", \
0x43100000 0x00000000 0x00988a7a "ramdisk-recovery.img"

which corresponds to the sizes and load addresses of the individual components of the fitImage. Is that correct?

I cannot authenticate it with HAB

u-boot=> usb reset
resetting USB...
USB0:   Port not available.
USB1:   USB EHCI 1.00
scanning bus 1 for devices... Warning using limited usb xfer size 1024  
2 USB Device(s) found
      scanning usb for storage devices... 1 Storage Device(s) found
u-boot=> fatload usb 0 0x44000000 vti2/fitImage
42332016 bytes read in 1880 ms (21.5 MiB/s)
u-boot=> bootm 0x44000000

Authenticate image from DDR location 0x40480000...
bad magic magic=0xfd length=0xbc7b version=0xa9
bad length magic=0xfd length=0xbc7b version=0xa9
bad version magic=0xfd length=0xbc7b version=0xa9
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
Authenticate uImage Fail, Please check

I am wondering why the image is detected as a uImage and loaded from the uImage's load address. I could successfully load the FIT image without secure boot this way.

jclsn · ‎11-02-2021

I would also be happy to find out about any other way to authenticate the ramdisk and dtb. It does not have to be a FIT image.

In the csf_additional_images.txt there is a device tree blob listed:

Blocks = 0x80800000 0x00000000 0x006EA000 "zImage", \
0x83800000 0x00000000 0x0000B927 "imx7d-sdb.dtb", \
0x84000000 0x00000000 0x000425B8 "uTee-7dsdb"

I was assuming those to be the components of a FIT image. How would I sign the .dtb (or ramdisk) when loading all three components instead of a FIT? I can load all three components in my case with the bootm command without the .dtb or ramdisk being signed. Would I have to add hab_auth_img for those files in my boot script?

As soon as I add these images like this

Blocks = 0x40480000 0x00000000 0x01ec9a20 "uImage-pad-ivt", \
0x43000000 0x00000000 0x0000a638 "imx8mm-gpv-distec.dtb", \
0x43100000 0x00000000 0x00988a7a "ramdisk-recovery.img"

HAB authentication fails

 
Authenticate image from DDR location 0x40480000... 

Secure boot enabled 

HAB Configuration: 0xcc, HAB State: 0x99 

--------- HAB Event 1 ----------------- 
event data: 
       0xdb 0x00 0x2c 0x43 0x33 0x18 0xc0 0x00 
       0xca 0x00 0x24 0x00 0x02 0xc5 0x1d 0x00 
       0x00 0x00 0x0d 0x54 0x40 0x48 0x00 0x00 
       0x01 0xec 0xa0 0x20 0x43 0x00 0x00 0x00 
       0x00 0x00 0xa6 0x38 0x43 0x10 0x00 0x00 
       0x00 0x98 0x89 0x96 

STS = HAB_FAILURE (0x33) 
RSN = HAB_INV_SIGNATURE (0x18) 
CTX = HAB_CTX_COMMAND (0xC0) 
ENG = HAB_ENG_ANY (0x00) 

Error loading the OS

When I just put

Blocks = 0x40480000 0x00000000 0x01ec9a20 "uImage-pad-ivt"

Everything works fine

mbelouarga · ‎01-17-2023

Hi jclsn,

Did you find a way to sign and authenticate your fitImage ?

If you found it, I will be so grateful if you can share it for the public.

Thanks

Yuri · ‎11-04-2021

@jclsn
Hello,

yes, it is needed to sign each of the three components instead of a FIT;
and use hab_auth_img to authenticate each additional image.
Appears, we don't have a guide to sign a whole (kernel) FIT image.

Regards,
Yuri.