Need help troubleshooting HAB events on i.mx6

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Need help troubleshooting HAB events on i.mx6

2,772 Views
DavisRoman
Contributor III

Hello,

We’re trying to enable high assurance boot on i.mx6solo.

 

We’re using u-boot 2017.03 however we’re getting HAB events.

 

I need to troubleshoot them however they’re very cryptic. Can you please help me diagnose this?

 

Thank you,

 

Davis

 

U-Boot 2017.03-high-assurance-boot+g1c9e603 (May 17 2018 - 13:47:52 -0400)

 

CPU:   Freescale i.MX6SOLO rev1.3 at 792 MHz

Reset cause: WDOG

Model: Keys

Board: ADT-HYBRID 200-01948A

DRAM:  256 MiB

MMC:   FSL_SDHC: 0, FSL_SDHC: 1

Using default environment

 

In:    serial

Out:   serial

Err:   serial

facmod value is 1!

Boot Device: EMMC

Net:   Board Net Initialization Failed

No ethernet found.

Normal Boot

Hit any key to stop autoboot:  0 

=> hab_status

 

Secure boot disabled

 

HAB Configuration: 0xf0, HAB State: 0x66

 

--------- HAB Event 1 -----------------

event data:

        0xdb 0x00 0x08 0x41 0x33 0x11 0xcf 0x00

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_CSF (0x11)

CTX = HAB_CTX_CSF (0xCF)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 2 -----------------

event data:

        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00

        0x00 0x00 0x00 0x20

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 3 -----------------

event data:

        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c

        0x00 0x00 0x01 0xe0

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 4 -----------------

event data:

        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20

        0x00 0x00 0x00 0x01

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 5 -----------------

event data:

        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00

        0x00 0x00 0x00 0x04

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

=>

Also, my command sequence file looks like the following:

[Header]

Version = 4.0

Hash Algorithm = sha256

Engine = CAAM

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "./cst-generated-data/crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "./cst-generated-data/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target Index = 2

File= "./cst-generated-data/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]

Verification index = 2

Blocks = 0x177ff400 0x00000000 0x0006ec00 "u-boot.imx",\

         0x00910000 0x0000002c 0x000001e0 "u-boot.imx"

0 Kudos
Reply
2 Replies

2,026 Views
Yuri
NXP Employee
NXP Employee

 

Hello,

 

 

  Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the CST

package should be used to analyze HAB Events. Use the recent CST 3.0.1.

  According to this document, in Your case one of HAB events reason is HAB_INV_CSF (0x11) - Invalid

Command Sequence File:

- CSF not authenticated;

- CSF malformed or too large;

- CSF version number is less than HAB library version.

 

 For the case 0xc (HAB_INV_ASSERTION) – the HAB checks that all of the

following data have been authenticated (using their final locations):

- IVT ;

- DCD (if provided);

- Boot Data (initial byte if provided);

- Entry point (initial word).

 

  Each of the above data components not covered by a valid signature will cause HAB

to generate an event with reason HAB_INV_ASSERTION.

 

 

Have a great day,

Yuri

 

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

0 Kudos
Reply

2,026 Views
shyam_baldha
Contributor I

Hello,

We are also facing the same issue.

Trying to enable high assurance boot on i.mx6ul and Using u-boot 2017.03.

To enable secure boot I have applied the four patches, please find the attachments.

NOTE: The same patches and process are worked with u-boot-2015 and u-boot-2016.

Thanks,

Shyam

 The HAB event:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

==========Command sequence file=============

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "my-secure-boot/cst-2.3.2/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "my-secure-boot/cst-2.3.2/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "my-secure-boot/cst-2.3.2/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
Verification index = 2
#_ivt_self offset _ad_size
Blocks = 0x877ff400 0x0 0x7EC00 "my-secure-boot/cst-2.3.2/../u-boot.imx"

0 Kudos
Reply