I created a kernel image and tested it using the hab_auth_img command as described below.
I am basically following the documentation mx6_mx7_secure_boot.txt and csf_additional_images.txt.
But I see a HAB event.
If someone can find what I did wrong, please advise me.
The authenticate data section of my csf file is as below.
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x48200000 0x00000000 0x007b2000 "kernel_pad.bin"
And this kernel_pad.bin is created as below.
$ objcopy -I binary -O binary --pad-to 0x7b2000 --gap-fill=0x00 kernel.itb kernel_pad.bin
And this kernel.itb is created as below.
$ mkimage -f auto -A arm64 -O linux -T kernel -C gzip -n "My Kernel" -a 0x40200000 -e 0x40200000 -d ./Image.gz ./kernel.itb
The final kernel image that bootm uses is Kernel_signed.bin.
And Kernel_signed.bin is created as follows.
$ cat Kernel_pad_ivt.bin csf_kernel.bin > Kernel_signed.bin
And Kernel_pad_ivt.bin is created as follows.
$ cat kernel_pad.bin ivt.bin > Kernel_pad_ivt.bin
And ivt.bin is created as below.
echo "0xd1002041 0x00002048 0x00000000 0x00000000 0x00000000 0x00209b48 0x20209b48 0x00000000" | xxd -r -p > ivt.bin
And I ran the hab_auth_img command from U-Boot and I saw these messages.
u-boot=> hab_auth_img 0x48200000 0x489b2000 0x7b2000
Authenticate image from DDR location 0x48200000...
ivt_offset = 0x7b2000, ivt addr = 0x489b2000
ivt entry = 0x48200000, dcd = 0x00000000, csf = 0x489b2020
Dumping IVT
489b2000: 412000d1 48200000 00000000 00000000 .. A.. H........
489b2010: 00000000 489b2000 489b2020 00000000 ..... .H .H....
Dumping CSF Header
489b2020: 425000d4 000c00be 00001703 50000000 ..PB...........P
489b2030: 020c00be 01000009 64020000 000c00ca ...........d....
489b2040: 001dc501 10100000 000c00be 02000009 ................
489b2050: b8070000 001400ca 001dc502 0c0d0000 ................
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
Calling authenticate_image in ROM
ivt_offset = 0x7b2000
start = 0x48200000
bytes = 0x489b2000
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x48 0x9b 0x20 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
u-boot=>
Hi @JasonC007
It seems the length of the authenticate data for the IVT is missing, and Kernel_pad_ivt.bin should be authenticated instead.
Blocks = 0x48200000 0x00000000 0x007b2000 "kernel_pad.bin"
Best regards
Harvey
Thanks!
Tested as recommended and the HAB event has gone!
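The check behind the answer above, as an added example that is not part of the original thread: it decodes the HAB event bytes from the log and tests whether the region the ROM complained about lies inside the CSF Blocks range. It assumes the three words after the 8-byte event header of a HAB_INV_ASSERTION event are assertion type, start address and length; the BLOCKS_FIXED line and all function names are constructed for illustration.

```python
import struct

# HAB event bytes exactly as printed by hab_auth_img in the question.
EVENT = bytes.fromhex("db001443" "330ca000" "00000000" "489b2000" "00000020")
# Blocks value from the question's CSF (covers kernel_pad.bin only).
BLOCKS_ORIG = '0x48200000 0x00000000 0x007b2000 "kernel_pad.bin"'
# Constructed: same block extended by the 0x20-byte IVT, file as named in the answer.
BLOCKS_FIXED = '0x48200000 0x00000000 0x007b2020 "Kernel_pad_ivt.bin"'

HAB_INV_ASSERTION = 0x0C


def parse_event(raw):
    """Decode one HAB event record: header, status bytes, asserted region."""
    tag, length, _version, sts, rsn, ctx, eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    event = {"sts": sts, "rsn": rsn, "ctx": ctx, "eng": eng, "region": None}
    if rsn == HAB_INV_ASSERTION and len(raw) >= 20:
        # Assumed layout: assertion type, start address, length (big-endian).
        _atype, start, size = struct.unpack(">III", raw[8:20])
        event["region"] = (start, size)
    return event


def parse_blocks(value):
    """Return [(load_address, length)] from a CSF Blocks value."""
    regions = []
    for entry in value.replace("\\", " ").split(","):
        fields = entry.split()
        if len(fields) >= 3:  # address, file offset, length, "file"
            regions.append((int(fields[0], 16), int(fields[2], 16)))
    return regions


def covered(region, blocks):
    """True if the asserted region lies fully inside one authenticated block."""
    start, size = region
    return any(b <= start and start + size <= b + n for b, n in blocks)


if __name__ == "__main__":
    region = parse_event(EVENT)["region"]
    print("asserted region: 0x%08x + 0x%x" % region)
    for name, value in (("original", BLOCKS_ORIG), ("fixed", BLOCKS_FIXED)):
        print(name, "covers IVT:", covered(region, parse_blocks(value)))
```

With the original Blocks line the authenticated range ends at 0x489b2000, exactly where the IVT begins, so the 0x20-byte IVT falls outside it.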