IMX6 HAB test kernel with fuse override HAB_UNS_ENGINE


376 Views
cristiansicilia
Contributor III

Hello,

I'm trying to configure secure boot on IMX6.

I followed the guide (https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...   )

=> hab_version 
HAB version: 4.2

I write the keys in the shadow (the hab_auth_img should work, correct?)

=> fuse override 3 0 0xFBA8C054
Overriding bank 3 word 0x00000000 with 0xfba8c054...
=> fuse override 3 1 0x0EBA35D4
Overriding bank 3 word 0x00000001 with 0x0eba35d4...
=> fuse override 3 2 0x71EB6B8A
Overriding bank 3 word 0x00000002 with 0x71eb6b8a...
=> fuse override 3 3 0xF916FB67
Overriding bank 3 word 0x00000003 with 0xf916fb67...
=> fuse override 3 4 0x70AC4FE5
Overriding bank 3 word 0x00000004 with 0x70ac4fe5...
=> fuse override 3 5 0x71840DDE
Overriding bank 3 word 0x00000005 with 0x71840dde...
=> fuse override 3 6 0x7068C921
Overriding bank 3 word 0x00000006 with 0x7068c921...
=> fuse override 3 7 0xAB611F8B
Overriding bank 3 word 0x00000007 with 0xab611f8b...
 
I read the kernel image from the SD card to load address 0x80800000, then I check that at the end of the image we find the IVT and then the CSF, which is all inside. Everything looks good here.
 
=> read mmc 1 $loadaddr 4000 5808
=> md 81300000 20
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423800d4 000c00be 00001703 38000000 ..8B...........8
81300030: 000c00ca 001dc501 cc070000 001400ca ................
81300040: 001dc500 cc090000 00008080 2000b000 ...............
81300050: 1d0800b2 02000000 404004d7 210f01e1 ..........@@...!
81300060: 00000000 03000001 9d199b9f 10844e79 ............yN..
81300070: c8ba9df7 b5b4ae3a 4376c6c8 6aed44c7 ....:.....vC.D.j
=> md 81300bc0 16
81300bc0: b17dd47f 62ca77cc ed2d753b df955029 ..}..w.b;u-.)P..
81300bd0: 54d59846 8dd7c131 cd94da1d edda1953 F..T1.......S...
81300be0: 2b6384be f91d7c4c bc1bb014 00000000 ..c+L|..........
81300bf0: 00000000 00000000 00000000 00000000 ................
81300c00: 00000000 00000000 00000000 00000000 ................
81300c10: 00000000 00000000 ........
 
I check the current status; there are already two events, probably because U-Boot raises the same issue, but at startup the fuse was not set.
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x87 0x7f 0xf4 0x00
0x00 0x08 0x2c 0x00

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
 
Now I start the hab_auth_img and I get two events
 
=> hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled

Authenticate image from DDR location 0x80800000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66

[ ... omissis ... ]

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x80 0x80 0x00 0x00
0x00 0xb0 0x00 0x20

STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
 
I'm getting this HAB Unsupported Engine error. I don't know if I get this because I'm using the fuse override, or if I produced a bad certificate.
 
Can someone help me with this?
 

The CSF file is:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "/secure-boot/crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"

 

The CSF with full key was this:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/board/emotiq/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "/secure-boot/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "/secure-boot/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"

 

0 Kudos
6 Replies
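The layout check described in the post above (IVT at the end of the image, CSF right behind it), written out as an added example that is not part of the original thread. `md_to_bytes` and `check_ivt` are hypothetical helper names; the sample rows are copied from the `md 81300000 20` output above, and the tag values 0xD1 (IVT) and 0xD4 (CSF) are the HAB4 header tags.

```python
import re
import struct

# Constructed sample: the first three rows of `md 81300000 20` from the post above.
MD_ROWS = """\
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423800d4 000c00be 00001703 38000000 ..8B...........8
"""

HAB_TAG_IVT, HAB_TAG_CSF, IVT_LEN = 0xD1, 0xD4, 0x20

def md_to_bytes(text):
    """Rebuild memory bytes from U-Boot `md` rows (little-endian 32-bit words)."""
    mem = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*[0-9a-f]{8}:((?: [0-9a-f]{8}){1,4})", line, re.I)
        if m:  # the trailing ASCII column is ignored
            for word in m.group(1).split():
                mem += struct.pack("<I", int(word, 16))
    return bytes(mem)

def check_ivt(mem, load_addr, ivt_offset, image_len):
    """Check the IVT dumped in `mem` against the hab_auth_img arguments."""
    problems, csf_version = [], None
    # HAB headers are tag, 16-bit big-endian length, version byte.
    tag, length, _ver = struct.unpack_from(">BHB", mem, 0)
    # entry, reserved1, dcd, boot_data, self, csf, reserved2
    entry, _, _dcd, _boot, self_ptr, csf, _ = struct.unpack_from("<7I", mem, 4)
    if tag != HAB_TAG_IVT or length != IVT_LEN:
        problems.append("bad IVT header")
    if self_ptr != load_addr + ivt_offset:
        problems.append("IVT self pointer != load address + IVT offset")
    if not (self_ptr + IVT_LEN <= csf < load_addr + image_len):
        problems.append("CSF pointer outside the image")
    elif csf - self_ptr + 4 > len(mem):
        problems.append("CSF header not covered by the dump")
    else:
        csf_tag, _len, ver = struct.unpack_from(">BHB", mem, csf - self_ptr)
        csf_version = "%d.%d" % (ver >> 4, ver & 0xF)
        if csf_tag != HAB_TAG_CSF:
            problems.append("bad CSF header tag")
    return {"problems": problems, "entry": entry, "self": self_ptr,
            "csf": csf, "csf_version": csf_version}

if __name__ == "__main__":
    # Arguments as passed to hab_auth_img in the post: 80800000 00B00BF0 00B00000
    print(check_ivt(md_to_bytes(MD_ROWS), 0x80800000, 0x00B00000, 0x00B00BF0))
```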

342 Views
Harvey021
NXP Employee
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

It still supports secure boot, just change the "Engine" to SW instead of CAAM.

 

Best regards

Harvey

0 Kudos
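Each HAB event record in the first post carries, after its 8-byte header, the CSF command that HAB warned about; decoding it shows the engine byte that the reply above says to change. This is an added example, not code from the thread or from NXP. `decode_event` and `decode_aut_dat` are hypothetical names, the sample bytes are copied from the event dumps above, and the tables list only the HAB4 values needed here.

```python
import struct

# Constructed samples: the "event data" bytes of HAB Events 1 and 4 in the first post.
EVENT_1 = bytes.fromhex("db001442690ac000" "ca000c0001c51d00" "000007cc")
EVENT_4 = bytes.fromhex(
    "db001c42690ac000" "ca00140000c51d00" "000009cc80800000" "00b00020")

STATUS = {0xF0: "HAB_SUCCESS", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING"}
REASON = {0x0A: "HAB_UNS_ENGINE"}      # only the reason seen in this thread
CONTEXT = {0xC0: "HAB_CTX_COMMAND"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1B: "HAB_ENG_DCP",
          0x1D: "HAB_ENG_CAAM", 0xFF: "HAB_ENG_SW"}
HAB_TAG_EVT, HAB_CMD_AUT_DAT, HAB_CTX_COMMAND = 0xDB, 0xCA, 0xC0

def name(table, value):
    """Symbolic name if known, otherwise the raw byte."""
    return table.get(value, "0x%02x" % value)

def decode_aut_dat(cmd):
    """Decode an Authenticate Data command: header, key, protocol, engine, blocks."""
    _tag, length, _flags, key, pcl, eng, _cfg, sig = struct.unpack_from(
        ">BHBBBBBI", cmd, 0)
    blocks = [struct.unpack_from(">II", cmd, off) for off in range(12, length, 8)]
    return {"key_index": key, "protocol": pcl, "engine": name(ENGINE, eng),
            "signature_offset": sig, "blocks": blocks}

def decode_event(raw):
    """Decode one HAB event record as printed by hab_status."""
    tag, length, _ver, sts, rsn, ctx, eng = struct.unpack_from(">BHBBBBB", raw, 0)
    if tag != HAB_TAG_EVT or length != len(raw):
        raise ValueError("not a complete HAB event record")
    event = {"status": name(STATUS, sts), "reason": name(REASON, rsn),
             "context": name(CONTEXT, ctx), "engine": name(ENGINE, eng),
             "command": None}
    payload = raw[8:]
    # In these records the payload is the CSF command being processed.
    if ctx == HAB_CTX_COMMAND and payload[:1] == bytes([HAB_CMD_AUT_DAT]):
        event["command"] = decode_aut_dat(payload)
    return event

if __name__ == "__main__":
    for raw in (EVENT_1, EVENT_4):
        ev = decode_event(raw)
        print(ev["status"], ev["reason"], ev["command"])
```

For Event 4 the decoded block is start 0x80800000, length 0x00B00020, the same values as the `Blocks =` line in the CSF, and the command names the CAAM engine.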

335 Views
cristiansicilia
Contributor III

Thanks @Harvey021 for the reply,

I changed it to `Engine SW`, but there is something strange.

I tried at startup to load an image and check it (without setting up any fuse), and I obtained this:

 

 

Hit any key to stop autoboot: 0
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

=> read mmc 1 $loadaddr 4000 5808
=> md 81300000 20
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423000d4 000c00be 00001703 30000000 ..0B...........0
81300030: 000c00ca 00ffc501 c4070000 001400ca ................
81300040: 00ffc500 c4090000 00008080 2000b000 ...............
81300050: 404004d7 210f01e1 00000000 03000001 ..@@...!........
81300060: 9d199b9f 10844e79 c8ba9df7 b5b4ae3a ....yN......:...
81300070: 4376c6c8 6aed44c7 8ea56094 8d0d6981 ..vC.D.j.`...i..
=> md 81300bc0 16
81300bc0: df650e07 ea875d19 bca01b57 d61a73e4 ..e..]..W....s..
81300bd0: 63f848ec eb1405b0 2734f114 3dd2e483 .H.c......4'...=
81300be0: a74f0db9 00000000 00000000 00000000 ..O.............
81300bf0: 00000000 00000000 00000000 00000000 ................
81300c00: 00000000 00000000 00000000 00000000 ................
81300c10: 00000000 00000000 ........
hab_auth_img 80800000 00B00BF0 00B00000

hab fuse not enabled

Authenticate image from DDR location 0x80800000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 

 
But overriding the fuse, I get the same result
 

 

=> fuse override 3 0 0xFBA8C054
Overriding bank 3 word 0x00000000 with 0xfba8c054...
=> fuse override 3 1 0x0EBA35D4
Overriding bank 3 word 0x00000001 with 0x0eba35d4...
=> fuse override 3 2 0x71EB6B8A
Overriding bank 3 word 0x00000002 with 0x71eb6b8a...
=> fuse override 3 3 0xF916FB67
Overriding bank 3 word 0x00000003 with 0xf916fb67...
=> fuse override 3 4 0x70AC4FE5
Overriding bank 3 word 0x00000004 with 0x70ac4fe5...
=> fuse override 3 5 0x71840DDE
Overriding bank 3 word 0x00000005 with 0x71840dde...
=> fuse override 3 6 0x7068C921
Overriding bank 3 word 0x00000006 with 0x7068c921...
=> fuse override 3 7 0xAB611F8B
Overriding bank 3 word 0x00000007 with 0xab611f8b...
=> read mmc 1 $loadaddr 4000 5808
=> hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled

Authenticate image from DDR location 0x80800000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 

 
And also overriding the secure-boot enabled flag
 

 

=> fuse override 3 0 0
Overriding bank 3 word 0x00000000 with 0x00000000...
=> hab_auth_img_or_fail 80800000 00B00BF0 00B00000

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 

 

I reset every key, but it looks the same

 

=> fuse override 3 1 0                            
Overriding bank 3 word 0x00000001 with 0x00000000...
=> fuse override 3 2 0
Overriding bank 3 word 0x00000002 with 0x00000000...
=> fuse override 3 3 0
Overriding bank 3 word 0x00000003 with 0x00000000...
=> fuse override 3 4 0
Overriding bank 3 word 0x00000004 with 0x00000000...
=> fuse override 3 5 0
Overriding bank 3 word 0x00000005 with 0x00000000...
=> fuse override 3 6 0
Overriding bank 3 word 0x00000006 with 0x00000000...
=> fuse override 3 7 0
Overriding bank 3 word 0x00000007 with 0x00000000...
=> hab_auth_img_or_fail 80800000 00B00BF0 00B00000

Authenticate image from DDR location 0x80800000...

Secure boot enabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

=> 

 

 

I was expecting to see an event if I do not set any keys, but it looks like it accepts everything

 

Thanks

 

0 Kudos

296 Views
cristiansicilia
Contributor III

I also tried the ANY engine, but it doesn't work.

Engine = SW looks like it never fails; can anyone help me with this?

0 Kudos

316 Views
cristiansicilia
Contributor III

Does anyone know why I don't see any events when I do not specify any key?

 

0 Kudos

356 Views
Harvey021
NXP Employee

Hi @cristiansicilia 

> I write the keys in the shadow (the hab_auth_img should work, correct?)

In general, we blow the fuses and compare the SRK hash, as you see in the example in the guide.

> HAB_UNS_ENGINE

Which i.MX6 chip are you working with? It'll be SW if that is i.MX6ULL.

Best regards

Harvey

 

 

0 Kudos

349 Views
cristiansicilia
Contributor III

The CPU is IMX6ULL (MCIMX6Y2DVM09AB). What does "is the SW" mean, that it does not support secure boot?

0 Kudos