I followed every single step of the following guide, but my device doesn't boot. My device is closed and signing works perfectly, but when I try to encrypt, it just doesn't work. Can somebody help me out please?
In doc/imx/hab/habv4/guides/mx6_mx7_encrypted_boot.txt (I skipped some parts):
+==========================================================+
+ i.MX6, i.MX7 U-Boot Encrypted Boot guide using HABv4 +
+==========================================================+
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y
CONFIG_CDM_PRIBLOB=y
- Kconfig
File systems -> Enable FAT filesystem support-> Enable FAT filesystem write support
ARM architecture -> Support the 'dek_blob' command
ARM architecture -> Support the set_priblob_bitfield command
1.3 Compile the CST to enable the encrypting feature
----------------------------------------------------
The encrypting feature is not enabled by default.
You need to execute the following commands to enable it:
$ sudo apt-get install libssl-dev openssl
$ cd <CST install directory>/code/back_end/src
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
$ cp cst_encrypted ../../../<where your original CST executable is>
1.4.1 csf_u-boot_enc.txt
-------------------------
- Modify the Authenticate Data command to only cover IVT and DCD:
Blocks = 0x877ff400 0x00000000 0x00000c00 "u-boot-dtb.imx"
Blob Address = Authenticate Start Address + Padding + length
= 0x877ff400 + 0x2000 + 0x9ec00 = 0x878a0000
$ cp u-boot-dtb.imx u-boot-dtb.imx-enc
Block = (Authenticate start addr + 0xc00) 0xc00 (length - 0xc00) u-boot-dtb.imx-enc
= (0x877ff400 + 0xc00) 0xc00 (0x9ec00 - 0xc00) u-boot-dtb.imx-enc
= 0x87800000 0xc00 0x9e000 u-boot-dtb.imx-enc
1.4.2 csf_u-boot_sign_enc.txt
-----------------------------
Blocks = 0x877ff400 0x000 0x0009ec00 "u-boot-dtb.imx-enc"
Key = "dek-dummy.bin"
Blocks = 0x87800000 0x00000c00 0x9e000 "u-boot-dtb.imx-dummy"
1.5 Encrypt the U-Boot image
----------------------------
The image is encrypted using the Code Signing Tool.
It also generates a CSF binary and a dek.bin file, which will be used in the steps below.
- Create the CSF binary file and encrypt the U-Boot image
$ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin
1.6 Sign the encrypted U-Boot image
-----------------------------------
$ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin
1.7 Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin
---------------------------------------------------------------------
First, calculate Nonce/MAC size based on MAC bytes value in CSF.
As Mac bytes is 16:
Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/Mac
= 12 + 16 + 8 = 36 bytes
Then, calculate Nonce/MAC offset in CSF:
MAC offset = csf_u-boot_enc.bin size - Nonce/MAC size
= 3972 - 36 = 3936 Bytes
In the next step, extract Nonce/MAC from the first CSF:
$ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
Finally, replace the MAC of csf_u-boot_sign_enc.bin with the extracted one:
$ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36
1.8 Generate encrypted u-boot with no dek
-----------------------------------------
First, pad the CSF to 0x2000:
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff \
    csf_u-boot_sign_enc.bin csf_u-boot_sign_enc_padded.bin
Then, append this file to the encrypted U-Boot image:
$ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc_padded.bin > u-boot_encrypted_no_dek.bin
Pad this new file to width+offset (0x9ec00 + 0x2000 = 0xa0c00):
$ objcopy -I binary -O binary --pad-to 0xa0c00 --gap-fill=0x00 \
    u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin
1.9 Generate the DEK Blob
-------------------------
Run the following commands:
=> mmc list
FSL_SDHC: 0 (SD) #index to use for mmc in following commands
=> fatload mmc 0 0x80800000 dek.bin
=> dek_blob 0x80800000 0x80801000 128
=> fatwrite mmc 0 0x80801000 dek_blob.bin 0x48
1.10 Finalize the encrypted U-Boot image
----------------------------------------
$ cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
If the image does not boot, please verify the size of your U-Boot image,
the length specified into CSF and the padding values.
2.8.0.0
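The guide's closing advice is to verify the image size, the lengths in the CSF and the padding values. The script below is an added example (not part of the original post or the U-Boot guide) that recomputes the Blob Address, block values, Nonce/MAC offset and expected file sizes from three inputs and compares them with measured sizes. The function names and the assumption that both CSF binaries have the same size belong to this example; the default constants are the ones quoted in the guide.

```python
import os

# Constants quoted in the guide above; override them for another board or key size.
GUIDE = dict(hdr_len=0xC00, csf_pad=0x2000, nonce_len=12, mac_len=16,
             mac_hdr_len=8, dek_blob_len=0x48)

def layout(auth_start, image_len, csf_len, **overrides):
    """Derive the CSF block values and file sizes used in steps 1.4 to 1.10."""
    p = {**GUIDE, **overrides}
    hdr, nonce_mac_len = p["hdr_len"], p["nonce_len"] + p["mac_len"] + p["mac_hdr_len"]
    if image_len <= hdr or not nonce_mac_len <= csf_len <= p["csf_pad"]:
        raise ValueError("image or CSF size is inconsistent with the layout")
    padded = image_len + p["csf_pad"]
    return {
        "auth_block": (auth_start, 0x0, hdr),                      # IVT + DCD only
        "decrypt_block": (auth_start + hdr, hdr, image_len - hdr),  # encrypted part
        "blob_address": auth_start + p["csf_pad"] + image_len,
        "nonce_mac_len": nonce_mac_len,
        "nonce_mac_offset": csf_len - nonce_mac_len,                # dd skip= / seek=
        "sizes": {  # expected size in bytes of each file the guide produces
            "u-boot-dtb.imx-enc": image_len,
            "csf_u-boot_enc.bin": csf_len,
            # Assumption: the guide reuses one offset for both CSFs, so equal sizes.
            "csf_u-boot_sign_enc.bin": csf_len,
            "csf_u-boot_sign_enc_padded.bin": p["csf_pad"],
            "u-boot_encrypted_no_dek_padded.bin": padded,
            "dek_blob.bin": p["dek_blob_len"],
            "u-boot_encrypted.bin": padded + p["dek_blob_len"],
        },
    }

def mismatches(expected_sizes, actual_sizes):
    """Return one message per file that is missing or has the wrong size."""
    out = []
    for name, want in expected_sizes.items():
        got = actual_sizes.get(name)
        if got != want:
            out.append(f"{name}: expected {want:#x}, got {'missing' if got is None else hex(got)}")
    return out

def sizes_on_disk(directory, names):
    """Measure whichever of `names` exist in `directory`."""
    found = [n for n in names if os.path.isfile(os.path.join(directory, n))]
    return {n: os.path.getsize(os.path.join(directory, n)) for n in found}

if __name__ == "__main__":
    lay = layout(0x877FF400, 0x9EC00, 3972)  # the guide's numbers, not the poster's
    print(f"Blob Address = {lay['blob_address']:#x}, dd offset = {lay['nonce_mac_offset']}")
    print("\n".join(mismatches(lay["sizes"], sizes_on_disk(".", lay["sizes"]))))
```

The three arguments to `layout` are the guide's sample values; a real build passes its own load address, the byte size of its `u-boot-dtb.imx` and the byte size of its `csf_u-boot_enc.bin`.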