Hello,
I'm trying to configure secure boot on IMX6.
I followed the guide (https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t... )
=> hab_version
HAB version: 4.2
I write the keys in the shadow (the hab_auth_img should work, correct?)
=> fuse override 3 0 0xFBA8C054
Overriding bank 3 word 0x00000000 with 0xfba8c054...
=> fuse override 3 1 0x0EBA35D4
Overriding bank 3 word 0x00000001 with 0x0eba35d4...
=> fuse override 3 2 0x71EB6B8A
Overriding bank 3 word 0x00000002 with 0x71eb6b8a...
=> fuse override 3 3 0xF916FB67
Overriding bank 3 word 0x00000003 with 0xf916fb67...
=> fuse override 3 4 0x70AC4FE5
Overriding bank 3 word 0x00000004 with 0x70ac4fe5...
=> fuse override 3 5 0x71840DDE
Overriding bank 3 word 0x00000005 with 0x71840dde...
=> fuse override 3 6 0x7068C921
Overriding bank 3 word 0x00000006 with 0x7068c921...
=> fuse override 3 7 0xAB611F8B
Overriding bank 3 word 0x00000007 with 0xab611f8b...
=> read mmc 1 $loadaddr 4000 5808
=> md 81300000 20
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423800d4 000c00be 00001703 38000000 ..8B...........8
81300030: 000c00ca 001dc501 cc070000 001400ca ................
81300040: 001dc500 cc090000 00008080 2000b000 ...............
81300050: 1d0800b2 02000000 404004d7 210f01e1 ..........@@...!
81300060: 00000000 03000001 9d199b9f 10844e79 ............yN..
81300070: c8ba9df7 b5b4ae3a 4376c6c8 6aed44c7 ....:.....vC.D.j
=> md 81300bc0 16
81300bc0: b17dd47f 62ca77cc ed2d753b df955029 ..}..w.b;u-.)P..
81300bd0: 54d59846 8dd7c131 cd94da1d edda1953 F..T1.......S...
81300be0: 2b6384be f91d7c4c bc1bb014 00000000 ..c+L|..........
81300bf0: 00000000 00000000 00000000 00000000 ................
81300c00: 00000000 00000000 00000000 00000000 ................
81300c10: 00000000 00000000 ........
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x87 0x7f 0xf4 0x00
0x00 0x08 0x2c 0x00
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
=> hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled
Authenticate image from DDR location 0x80800000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
[ ... omissis ... ]
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xcc
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xcc 0x80 0x80 0x00 0x00
0x00 0xb0 0x00 0x20
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
The CSF file is:
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "/secure-boot/crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"
The CSF with the full key was this:
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/board/emotiq/secure-boot/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "/secure-boot/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "/secure-boot/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x80800000 0x00000000 0x00B00020 "zImage-signed"
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
It still supports secure boot, just change the "Engine" to SW instead of CAAM.
Best regards
Harvey
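An added example (not part of the thread and not U-Boot code): a small Python decoder for the `event data:` bytes shown in the first post. It assumes the HAB4 event record layout (tag, 16-bit length, version, then status, reason, context, engine) followed in command context by the Authenticate Data command that HAB was executing; the function names are hypothetical.

```python
import struct

# Constant names as used in U-Boot's HAB header; only values relevant to this thread.
STATUS = {0xF0: "HAB_SUCCESS", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING"}
REASON = {0x0A: "HAB_UNS_ENGINE"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM", 0xFF: "HAB_ENG_SW"}
TAG_EVENT, TAG_AUT_DAT = 0xDB, 0xCA

# "event data:" bytes of HAB Event 1 and HAB Event 4, copied from the post.
EVENT_1 = """0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
             0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
             0x00 0x00 0x07 0xcc"""
EVENT_4 = """0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
             0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
             0x00 0x00 0x09 0xcc 0x80 0x80 0x00 0x00
             0x00 0xb0 0x00 0x20"""

def name(table, value):
    return table.get(value, f"unknown (0x{value:02X})")

def parse_aut_dat(body):
    """Decode an Authenticate Data command: header, key, format, engine, blocks."""
    (cmd_len,) = struct.unpack_from(">H", body, 1)
    if cmd_len < 12 or cmd_len > len(body) or (cmd_len - 12) % 8:
        raise ValueError("truncated or malformed Authenticate Data command")
    key, sig_fmt, eng, eng_cfg = body[4:8]
    (sig_offset,) = struct.unpack_from(">I", body, 8)
    blocks = [struct.unpack_from(">II", body, off) for off in range(12, cmd_len, 8)]
    return {"key_index": key, "sig_format": sig_fmt, "engine": name(ENGINE, eng),
            "engine_cfg": eng_cfg, "sig_offset": sig_offset, "blocks": blocks}

def parse_event(text):
    """Decode one 'event data:' dump copied from hab_status output."""
    raw = bytes(int(tok, 16) for tok in text.split())
    tag, length, version = struct.unpack_from(">BHB", raw, 0)
    if tag != TAG_EVENT or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    event = {"version": f"{version >> 4}.{version & 0xF}",
             "status": name(STATUS, sts), "reason": name(REASON, rsn),
             "context": name(CONTEXT, ctx), "engine": name(ENGINE, eng)}
    body = raw[8:]
    if ctx == 0xC0 and len(body) >= 12 and body[0] == TAG_AUT_DAT:
        event["command"] = parse_aut_dat(body)
    return event

if __name__ == "__main__":
    for ev in (EVENT_1, EVENT_4):
        print(parse_event(ev))
```

The record's own engine field reads `HAB_ENG_ANY`, but the embedded command carries engine byte `0x1d` (CAAM), which is the value the `Engine = CAAM` line of the CSF produces; in the later memory dump made after switching to `Engine = SW`, the same position holds `0xff`. Event 4's block decodes to start `0x80800000`, length `0x00B00020`, matching the `Blocks` line of the CSF.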
Thanks @Harvey021 for the reply,
I changed it to `Engine SW`, but there is something strange.
I tried at startup to load an image and check it (without setting up any fuse), and I obtained this:
Hit any key to stop autoboot: 0
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
=> read mmc 1 $loadaddr 4000 5808
=> md 81300000 20
81300000: 412000d1 80800000 00000000 00000000 .. A............
81300010: 00000000 81300000 81300020 00000000 ......0. .0.....
81300020: 423000d4 000c00be 00001703 30000000 ..0B...........0
81300030: 000c00ca 00ffc501 c4070000 001400ca ................
81300040: 00ffc500 c4090000 00008080 2000b000 ...............
81300050: 404004d7 210f01e1 00000000 03000001 ..@@...!........
81300060: 9d199b9f 10844e79 c8ba9df7 b5b4ae3a ....yN......:...
81300070: 4376c6c8 6aed44c7 8ea56094 8d0d6981 ..vC.D.j.`...i..
=> md 81300bc0 16
81300bc0: df650e07 ea875d19 bca01b57 d61a73e4 ..e..]..W....s..
81300bd0: 63f848ec eb1405b0 2734f114 3dd2e483 .H.c......4'...=
81300be0: a74f0db9 00000000 00000000 00000000 ..O.............
81300bf0: 00000000 00000000 00000000 00000000 ................
81300c00: 00000000 00000000 00000000 00000000 ................
81300c10: 00000000 00000000 ........
hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled
Authenticate image from DDR location 0x80800000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
=> fuse override 3 0 0xFBA8C054
Overriding bank 3 word 0x00000000 with 0xfba8c054...
=> fuse override 3 1 0x0EBA35D4
Overriding bank 3 word 0x00000001 with 0x0eba35d4...
=> fuse override 3 2 0x71EB6B8A
Overriding bank 3 word 0x00000002 with 0x71eb6b8a...
=> fuse override 3 3 0xF916FB67
Overriding bank 3 word 0x00000003 with 0xf916fb67...
=> fuse override 3 4 0x70AC4FE5
Overriding bank 3 word 0x00000004 with 0x70ac4fe5...
=> fuse override 3 5 0x71840DDE
Overriding bank 3 word 0x00000005 with 0x71840dde...
=> fuse override 3 6 0x7068C921
Overriding bank 3 word 0x00000006 with 0x7068c921...
=> fuse override 3 7 0xAB611F8B
Overriding bank 3 word 0x00000007 with 0xab611f8b...
=> read mmc 1 $loadaddr 4000 5808
=> hab_auth_img 80800000 00B00BF0 00B00000
hab fuse not enabled
Authenticate image from DDR location 0x80800000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
=> fuse override 3 0 0
Overriding bank 3 word 0x00000000 with 0x00000000...
=> hab_auth_img_or_fail 80800000 00B00BF0 00B00000
Authenticate image from DDR location 0x80800000...
Secure boot enabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
I reset every key, but it looks the same
=> fuse override 3 1 0
Overriding bank 3 word 0x00000001 with 0x00000000...
=> fuse override 3 2 0
Overriding bank 3 word 0x00000002 with 0x00000000...
=> fuse override 3 3 0
Overriding bank 3 word 0x00000003 with 0x00000000...
=> fuse override 3 4 0
Overriding bank 3 word 0x00000004 with 0x00000000...
=> fuse override 3 5 0
Overriding bank 3 word 0x00000005 with 0x00000000...
=> fuse override 3 6 0
Overriding bank 3 word 0x00000006 with 0x00000000...
=> fuse override 3 7 0
Overriding bank 3 word 0x00000007 with 0x00000000...
=> hab_auth_img_or_fail 80800000 00B00BF0 00B00000
Authenticate image from DDR location 0x80800000...
Secure boot enabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
=>
I was expecting to see an event if I do not set any keys, but it looks like it accepts everything
Thanks
I also tried the ANY engine, but it doesn't work.
The Engine = SW looks like it never fails, can anyone help me with this?
Does anyone know why I don't see any events when I do not specify any key?
Any update on this topic?
> I write the keys in the shadow (the hab_auth_img should work, correct?)
In general, we blow the fuses and compare the SRK hash, as you see in the example in the guide.
> HAB_UNS_ENGINE
Which i.MX6 chip are you working with? It'll be SW if that is i.MX6ULL.
Best regards
Harvey
The CPU is IMX6ULL (MCIMX6Y2DVM09AB). What does "is the SW" mean, that it does not support secure boot?