MX6SL and HAB u-boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX6SL and HAB u-boot

795 Views
jamesanderson
Contributor I

Problem booting an IMX6SL board in HAB closed mode.

I can succesfully boot via the mfg tool using a signed image.

But the installed u-boot signed image just hangs.

last attempt at a CSF file looks like:--

 

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = DCP
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../cst-2.3.3/crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../cst-2.3.3/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../cst-2.3.3/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x00000000 0x00051c00 "boot.bin"

The defconfig has the following HAB entries:

CONFIG_ARM=y
CONFIG_ARCH_MX6=y
CONFIG_SYS_TEXT_BASE=0x87800000
CONFIG_TARGET_NAD_MX6SL=y
CONFIG_SYS_CONSOLE_OVERWRITE_ROUTINE=y
CONFIG_BOOTDELAY=0
CONFIG_SECURE_BOOT=y
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4

and is pretty much identical to the mfg config apart from the MFG=Y

I have tried with Engine = Any and Engine = SW but to no avail.

The u-boot works on an Open config machine, and I did not see any hab_status errors before the board was closed.

A similar setup fir a mx6ul board is working without problems.   

Labels (1)
0 Kudos
4 Replies

679 Views
igorpadykov
NXP Employee
NXP Employee

Hi James

one can try latest cst-3.1.0 tool

i.MX High Assurance Boot Reference Code Signing Tool

and recheck image layout using Appendix F. i.MX manufacturing tool AN4581

Secure Boot on i.MX50, i.MX53, i.MX 6 and i.MX7 Series using HABv4

https://www.nxp.com/docs/en/application-note/AN4581.pdf 


Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos

679 Views
jamesanderson
Contributor I

Igor,

Thanks for the input.

I tried using 3.1.0 but it still fails.

Just to be clear the mfg_tool boot works fine. Its the "normal" boot installed  at address 1024 on /dev/mmcblk0 that fails.

Some things I noticed and tried:- 

The README.mxc_hab doc in u-boot/docs says to use objcopy to pad the csf bin with zeroes - tried and failed.

There is a "CAUTION" notice in section 4.1 of the HAB manual which I think is telling us to execute the 

cst from the releases directory, the wording is not very clear but I think "product_code" means "linux64/bin" anyway -- tried and failed.

In the documentation the "Unlock" command is documented as "M" for mandatory, but the mx6sl DCD engine is not listed as one of the unlock options. Several of the exple CSF commands do not have the Unlock command so maybe the "M" is a typo?

Regards

James

0 Kudos

679 Views
igorpadykov
NXP Employee
NXP Employee

Hi James

may be useful to look at latest uboot hab documentation

introduction_habv4.txt\habv4\imx\doc - uboot-imx - i.MX U-Boot 

Best regards
igor

0 Kudos

679 Views
jamesanderson
Contributor I

I found this fix:-

[U-Boot] mx6sl: hab: Fix pu_irom_mmu_enabled address - Patchwork 

which may be relevant. However I applied the fix and it still failed.

Where can I find an up to date NXP repository so I can check for 

any missing patches.

0 Kudos