IMX6UL HAB encryption


Contributor II

I followed every single step of the following guide, but my device doesn't boot. My device is closed and signing works perfectly, but when I try to encrypt, it just doesn't work. Can somebody help me out, please?

In doc/imx/hab/habv4/guides/mx6_mx7_encrypted_boot.txt (I skipped some parts):

+   i.MX6, i.MX7 U-Boot Encrypted Boot guide using HABv4   +
- Kconfig    
File systems -> Enable FAT filesystem support-> Enable FAT filesystem   write support   
ARM architecture -> Support the 'dek_blob' command   
ARM architecture -> Support the set_priblob_bitfield command  
1.3 Compile the CST to enable the encrypting feature 
The encrypting feature is not enabled by default. 
You need to execute the following commands to enable it:    
$ sudo apt-get install libssl-dev openssl   
$ cd <CST install directory>/code/back_end/src   
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c     -lfrontend -lcrypto   
$ cp cst_encrypted ../../../<where your original CST executable is>    

1.4.1 csf_u-boot_enc.txt 
- Modify the Authenticate Data command to only cover IVT and DCD:    
Blocks = 0x877ff400 0x00000000 0x00000c00 "u-boot-dtb.imx"    
Blob Address = Authenticate Start Address + Padding + length
             = 0x877ff400 + 0x2000 + 0x9ec00 = 0x878a0000
$ cp u-boot-dtb.imx u-boot-dtb.imx-enc   
Block = (Authenticate start addr + 0xc00) 0xc00 (length - 0xc00) u-boot-dtb.imx-enc
      = (0x877ff400 + 0xc00) 0xc00 (0x9ec00 - 0xc00) u-boot-dtb.imx-enc
      = 0x87800000 0xc00 0x9e000 u-boot-dtb.imx-enc  

1.4.2 csf_u-boot_sign_enc.txt 
Blocks = 0x877ff400 0x000 0x0009ec00 "u-boot-dtb.imx-enc"    
Key = "dek-dummy.bin"
Blocks = 0x87800000 0x00000c00 0x9e000 "u-boot-dtb.imx-dummy"
1.5 Encrypt the U-Boot image 
The image is encrypted using the Code Signing Tool.
It generates also a CSF binary and a dek.bin file, which will be used on the future steps below.  
- Create the CSF binary file and encrypt the U-Boot image    
$ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin
1.6 Sign the encrypted U-Boot image 
$ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin

1.7 Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin 
First, calculate Nonce/MAC size based on MAC bytes value in CSF. 
As Mac bytes is 16:    
Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac
                  = 12 + 16 + 8 = 36 bytes  
Then, calculate Nonce/MAC offset in CSF:    
MAC offset = csf_u-boot-enc.bin size - Nonce/MAC size
           = 3972 - 36 = 3936 Bytes
In the next step, extract Nonce/MAC from the first CSF:
$ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
Finally, replace the MAC of csf_u-boot_sign_enc.bin with the extracted one:
$ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36

1.8 Generate encrypted u-boot with no dek 
First, pad the CSF to 0x2000:
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff \
    csf_u-boot_sign_enc.bin csf_u-boot_sign_enc_padded.bin
Then, append this file to the encrypted U-Boot image:
$ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc_padded.bin > u-boot_encrypted_no_dek.bin
Pad this new file to width+offset (0x9ec00 + 0x2000 = 0xa0c00):
$ objcopy -I binary -O binary --pad-to 0xa0c00 --gap-fill=0x00 \
    u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin

1.9 Generate the DEK Blob 
Run the following commands:    
=> mmc list
FSL_SDHC: 0 (SD)   #index to use for mmc in following commands
=> fatload mmc 0 0x80800000 dek.bin
=> dek_blob 0x80800000 0x80801000 128
=> fatwrite mmc 0 0x80801000 dek_blob.bin 0x48

1.10 Finalize the encrypted U-Boot image 
$ cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
If the image does not boot, please verify the size of your U-Boot image,
the length specified into CSF and the padding values.
0 Kudos
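
The guide's closing hint is to verify the image size, the lengths in the CSF and the padding values. The script below is an added example (not part of the post or of the U-Boot guide) that recomputes the hand-derived values from steps 1.4 to 1.10 and checks the generated files; the function names are hypothetical, and the 12-byte nonce and 8-byte header are taken from the guide's own step 1.7 calculation.

```shell
#!/bin/sh
# Added example: recompute the hand-derived values from steps 1.4-1.10 and
# check the files the procedure produces. Function names are hypothetical.

# csf_values AUTH_START IMAGE_LEN CSF_PAD HDR_LEN
# Prints the Blob Address, the encrypted Blocks entry and the padded size.
csf_values() {
    start=$(($1)); len=$(($2)); pad=$(($3)); hdr=$(($4))
    printf 'blob_address=0x%08x\n' $((start + pad + len))
    printf 'enc_block=0x%08x 0x%x 0x%x\n' $((start + hdr)) "$hdr" $((len - hdr))
    printf 'padded_no_dek_size=0x%x\n' $((len + pad))
}

# noncemac_offset CSF_SIZE MAC_BYTES
# Offset of the trailing Nonce/MAC section: 12-byte nonce + MAC + 8-byte
# header, as in the guide's step 1.7 calculation.
noncemac_offset() {
    echo $(($1 - (12 + $2 + 8)))
}

file_size() { wc -c < "$1" | tr -d ' '; }

# noncemac_swapped ENC_CSF SIGN_CSF MAC_BYTES
# Succeeds only if both CSF binaries are the same size and hold identical
# Nonce/MAC bytes at that offset, which is what the two dd commands achieve.
noncemac_swapped() {
    size_a=$(file_size "$1"); size_b=$(file_size "$2")
    [ "$size_a" -eq "$size_b" ] || { echo "CSF sizes differ: $size_a vs $size_b" >&2; return 1; }
    off=$(noncemac_offset "$size_a" "$3"); n=$((size_a - off))
    a=$(dd if="$1" bs=1 skip="$off" count="$n" 2>/dev/null | od -An -v -tx1)
    b=$(dd if="$2" bs=1 skip="$off" count="$n" 2>/dev/null | od -An -v -tx1)
    [ "$a" = "$b" ] || { echo "Nonce/MAC differs at offset $off" >&2; return 1; }
}

# final_image_ok IMAGE IMAGE_LEN CSF_PAD DEK_BLOB_SIZE
# The finished image must be exactly image + padded CSF + DEK blob long.
final_image_ok() {
    want=$(($2 + $3 + $4)); have=$(file_size "$1")
    [ "$have" -eq "$want" ] || { echo "$1: $have bytes, expected $want" >&2; return 1; }
}

# Values from the post above: IVT at 0x877ff400, 0x9ec00 image, 0x2000 CSF pad.
csf_values 0x877ff400 0x9ec00 0x2000 0xc00
echo "noncemac_offset=$(noncemac_offset 3972 16)"
```

After step 1.7, `noncemac_swapped csf_u-boot_enc.bin csf_u-boot_sign_enc.bin 16` should succeed, and after step 1.10, `final_image_ok u-boot_encrypted.bin 0x9ec00 0x2000 0x48` should succeed.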
3 Replies

Contributor IV

Hello.

I am stuck at this command:

$  gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c     -lfrontend -lcrypto   

/tmp/ccuAQQCf.o: In function `sk_X509_new_null':
adapt_layer_openssl.c:(.text+0x5): undefined reference to `OPENSSL_sk_new_null'
/tmp/ccuAQQCf.o: In function `sk_X509_push':
adapt_layer_openssl.c:(.text+0x2a): undefined reference to `OPENSSL_sk_push'
/tmp/ccuAQQCf.o: In function `sk_X509_pop_free':
adapt_layer_openssl.c:(.text+0x4f): undefined reference to `OPENSSL_sk_pop_free'
/tmp/ccuAQQCf.o: In function `gen_sig_data_ecdsa':
adapt_layer_openssl.c:(.text+0xa4f): undefined reference to `EVP_PKEY_get0_EC_KEY'
adapt_layer_openssl.c:(.text+0xa8d): undefined reference to `EVP_PKEY_get0_EC_KEY'
adapt_layer_openssl.c:(.text+0xbda): undefined reference to `ECDSA_SIG_get0'
/tmp/cc2DOb8b.o: In function `generate_hash':
openssl_helper.c:(.text+0x1f): undefined reference to `EVP_MD_CTX_new'
/tmp/cc2DOb8b.o: In function `sign_data':
openssl_helper.c:(.text+0x4b3): undefined reference to `EVP_MD_CTX_new'
openssl_helper.c:(.text+0x520): undefined reference to `EVP_MD_CTX_free'
openssl_helper.c:(.text+0x5a6): undefined reference to `EVP_MD_CTX_free'
openssl_helper.c:(.text+0x5c5): undefined reference to `EVP_MD_CTX_free'
/tmp/cc2DOb8b.o: In function `ver_sig_data':
openssl_helper.c:(.text+0xc8b): undefined reference to `EVP_PKEY_get0_RSA'
openssl_helper.c:(.text+0xd49): undefined reference to `ECDSA_SIG_set0'
openssl_helper.c:(.text+0xd78): undefined reference to `EVP_PKEY_get0_EC_KEY'
../../../linux64/lib/libfrontend.a(srk_helper.o): In function `srk_entry_pkcs1':
srk_helper.c:(.text+0x90): undefined reference to `EVP_PKEY_get0_RSA'
srk_helper.c:(.text+0xa8): undefined reference to `RSA_get0_key'
../../../linux64/lib/libfrontend.a(srk_helper.o): In function `srk_entry_ec':
srk_helper.c:(.text+0x564): undefined reference to `EVP_PKEY_get0_EC_KEY'
srk_helper.c:(.text+0x5d3): undefined reference to `EVP_PKEY_get0_EC_KEY'
/usr/bin/ld: ../../../linux64/lib/libfrontend.a(err.o): unrecognized relocation (0x2a) in section `.text'
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status

Thanks in advance,


0 Kudos

NXP TechSupport

Hi Pramod

One can look at AN12056, "Encrypted Boot on HABv4 and CAAM Enabled Devices".

Best regards

0 Kudos

NXP TechSupport

Hi Omar

One can create a service request to obtain an encrypted boot example.

How to submit a new question for NXP Support 

Best regards

0 Kudos