Hello,
I'm encountering issues with enabling the High Assurance Boot (HAB) feature on the iMX8M Mini module when using different versions of U-Boot (2022 vs. 2023).
=> U-Boot 2023.04 works fine (No HAB events found, as expected).
=> U-Boot 2022.04 does not work fine (generates HAB events, see below).
I attached two bash scripts (u-boot-2022-hab-variscite-builder and u-boot-2023-hab-variscite-builder) showing the details of the steps I performed for building both U-Boot binaries.
I also attached txt log files of both builds (launched with bash scripts) and resulting CSF *.txt files for generating SPL and FIT binaries using Code Signing Tool.
All these files have been included into a single zip archive (HAB-Issues-iMX8MM.zip) attached to this post.
Here are the logs showing the HAB events I obtained from the 2022 U-Boot build when trying to boot my demo board (imx8mm-var-som-symphony).
U-Boot 2022.04-64036-g9a1f574209-dirty (Aug 29 2024 - 17:34:22 +0200)
CPU: i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 34C
Reset cause: POR
Model: Variscite VAR-SOM-MX8M-MINI
DRAM: 2 GiB
Core: 73 devices, 23 uclasses, devicetree: separate
MMC: FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... *** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
PTN5150: Vendor ID [0x3], Version ID [0x1], Addr [I2C1 0x3d]
Part number: VSM-MX8MM-503
Assembly: AS312212751
Production date: 2024 Jan 04
Serial Number: f8:dc:7a:d0:71:f8
switch to partitions #0, OK
mmc1 is current device
flash target is MMC:1
Net: ADIN1300 PHY detected at addr 4
eth0: ethernet@30be0000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 0
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xf8 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xf6 0x60
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
Could you kindly help me understand what is wrong here?
Following up on my original post, I was able to resolve the HAB errors I encountered by enabling CONFIG_LTO=y in my defconfig. This seems to have reduced the size of the SPL binary (from 0x3d200 to 0x3a600), which I think is the key to solving the problem.
Before this, running hab_status showed two HAB failures with the reason HAB_INV_ADDRESS (0x22), indicating invalid memory access. My assumption is that the SPL was too large, causing memory overflows or misalignments. By enabling LTO, the SPL size was optimized, and these HAB events disappeared.
I'm not 100% certain, but it seems that reducing the SPL size allows it to fit properly within its memory boundaries, preventing the invalid address errors. If you're facing similar issues, I suggest trying CONFIG_LTO=y and seeing if it helps!
Hello,
Yes, U-Boot 2022 has some issues with HAB, but they were fixed in 2023; you must check this situation with your vendor.
Regards
If you check the git log, you will find the changes (2022 vs. 2023).
doc/imx/habv4/guides/mx8m_secure_boot.
I checked those changes.
I applied patches as described here for integrating them in uboot-imx and imx-mkimage repositories.
I think I can say the FDT-FIT hash solution with (optional) FDT-FIT signature works as expected, since I am seeing these logs at the very first stage of the U-Boot command prompt console:
U-Boot SPL 2022.04-64036-g9a1f574209-dirty (Sep 03 2024 - 09:57:35 +0200)
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1
hab fuse not enabled
Authenticate image from DDR location 0x401fadc0...
hab fuse not enabled
Authenticate image from DDR location 0x401fadc0...
U-Boot 2022.04-64036-g9a1f574209-dirty (Sep 03 2024 - 09:57:35 +0200)
CPU: i.MX8MMQ rev1.0 1600 MHz (running at 1200 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 34C
Reset cause: POR
Model: Variscite VAR-SOM-MX8M-MINI
DRAM: 2 GiB
Core: 73 devices, 23 uclasses, devicetree: separate
MMC: FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... *** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
PTN5150: Vendor ID [0x3], Version ID [0x1], Addr [I2C1 0x3d]
Part number: VSM-MX8MM-503
Assembly: AS312212751
Production date: 2024 Jan 04
Serial Number: f8:dc:7a:d0:71:f8
switch to partitions #0, OK
mmc1 is current device
flash target is MMC:1
Net: ADIN1300 PHY detected at addr 4
eth0: ethernet@30be0000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 2
Anyway, running hab_status now returns 5 HAB events:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x43 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x3c 0x40 0x1f 0xad 0xc0
0x00 0x00 0x30 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xfa 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xf8 0x60
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
So, there must be some other relevant changes between the 2022 and 2023 versions that need to be applied to get the HAB feature working.
Could you please provide a more detailed solution, as I need to apply ad-hoc changes in order to have the HAB feature work with the 2022.04 U-Boot version?
Thank you.
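Added example (not part of any post in this thread, and not NXP or U-Boot code): a small Python decoder for the "event data" bytes that hab_status prints, run on the two events from the first dump in the thread. It relies on the record layout visible in the dumps (0xdb tag, 16-bit big-endian length, version byte, then STS/RSN/CTX/ENG); reading the payload words of a HAB_INV_ADDRESS event as a start address and byte count is an assumption, and the function names are hypothetical.

```python
import re
import struct

# Names only for the reason/context codes that appear in this thread's dumps.
RSN = {0x0C: "HAB_INV_ASSERTION", 0x18: "HAB_INV_SIGNATURE", 0x22: "HAB_INV_ADDRESS"}
CTX = {0x33: "HAB_CTX_TARGET", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}

# Events 1 and 2 from the first hab_status dump in the thread (summary trimmed).
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xf8 0x00
STS = HAB_FAILURE (0x33)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x7e 0x0b 0xc0
0x00 0x03 0xf6 0x60
STS = HAB_FAILURE (0x33)
"""

def decode(raw):
    """Decode one record: 4-byte header, 4 status bytes, then big-endian payload words."""
    if len(raw) < 8 or raw[0] != 0xDB or int.from_bytes(raw[1:3], "big") != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    usable = (len(raw) - 8) // 4 * 4  # ignore any trailing partial word
    words = [w for (w,) in struct.iter_unpack(">I", raw[8:8 + usable])]
    return {"version": raw[3], "status": sts, "reason": RSN.get(rsn, hex(rsn)),
            "context": CTX.get(ctx, hex(ctx)), "engine": eng, "words": words}

def parse_events(log):
    """Collect the 'event data' bytes of every event in a hab_status dump."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", log)[1:]:
        data = chunk.split("STS", 1)[0]  # stop before the decoded summary lines
        raw = bytes(int(b, 16) for b in re.findall(r"\b0x([0-9a-fA-F]{2})\b", data))
        events.append(decode(raw))
    return events

def target_span(event):
    """ASSUMPTION: for HAB_INV_ADDRESS, words[1] is the start and words[2] the byte count."""
    if event["reason"] != "HAB_INV_ADDRESS" or len(event["words"]) < 3:
        return None
    start, size = event["words"][1], event["words"][2]
    return start, start + size  # (first byte, one past the last byte) of the checked range
```

Comparing the returned end address against the memory range the SPL is allowed to occupy on the target shows whether an oversized SPL is what triggers the event.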