Need to know how to implement HAB with Yocto BSP (Kernel 3.10.17)

ajithpv
Contributor V

Hi all,

As part of my current task, I have to implement the HAB feature of i.MX6Q in a Linux kernel 3.10.17 (Yocto) based system. I'm booting from micro SD card.

The following are the documents and tools which I'm using.

1) AN4581_HAB_Application_Note.pdf

2) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf (for 3.10.17-Yocto BSP)

3) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images. The corresponding path is <Yocto build directory>/tmp/work/<machine-poky-linux-gnueabi>/imx-test/1_3.10.17-1.0.0.-r0/imx-test-3.10.17-1.0.0/test

4) HABCST_UG.pdf

5) HAB4_API.pdf

Please clarify my below doubt with respect to HAB implementation on i.MX6Q SabreSD based platform.


I have followed all the steps from the documents below, apart from the OTPMK, RNG_TRIM and SEC_CONFIG configuration (i.e. OPEN mode configuration)

1) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf

2) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images.

I have created the signed u-boot as well as uImage and flashed them into the microSD card (please note that I'm not using MFG tool for this task).


I'm getting below HAB events while running the signed images:

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x28 0x33 0x00
0x00 0x00 0x00 0x0f 0x17 0x7f 0xac 0x00
0x00 0x04 0xe4 0x00

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x2c
0x00 0x00 0x00 0x04

As from the Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the CST package, I understood the meaning of these HAB Events, but I didn't get any clue on how to resolve these issues! (In other words, I'm screwed-up here)

Could you please help me to give some clue how I can proceed to resolve these issues. As I said, I'm using the dynamic script files from Yocto build and I hope these scripts should do all the jobs.

Any help would be appreciated...

Thank you in advance

Ajith P Venugopal
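
The event dumps in the question can be decoded field by field. The following is an added example, not part of the original post or of NXP's tools: a small Python decoder whose function names are made up here and whose code tables are a subset of the HAB4 status, reason and context values as defined in U-Boot's hab.h.

```python
import struct

HAB_TAG_EVT = 0xDB
# Subset of HAB4 codes (values as defined in the HAB4 API and U-Boot's hab.h).
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x05: "HAB_INV_IVT", 0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF",
          0x18: "HAB_INV_SIGNATURE", 0x21: "HAB_INV_CERTIFICATE",
          0x22: "HAB_INV_ADDRESS", 0x27: "HAB_INV_DCD", 0x28: "HAB_INV_CALL"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0x33: "HAB_CTX_TARGET",
           0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDD: "HAB_CTX_DCD"}


def parse_dump(text):
    """Convert console text such as '0xdb 0x00 0x14 ...' into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_event(raw):
    """Decode one record: tag, big-endian 16-bit length, version byte, then
    status, reason, context, engine and the event data in 4-byte groups."""
    if len(raw) < 8:
        raise ValueError("record shorter than the 8-byte fixed part")
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != HAB_TAG_EVT:
        raise ValueError("tag 0x%02x is not a HAB event" % tag)
    if length != len(raw):
        raise ValueError("length field %d, but %d bytes given" % (length, len(raw)))
    status, reason, context, engine = raw[4:8]
    data = raw[8:]
    return {
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "status": STATUS.get(status, hex(status)),
        "reason": REASON.get(reason, hex(reason)),
        "context": CONTEXT.get(context, hex(context)),
        "engine": hex(engine),
        "data": [data[i:i + 4].hex() for i in range(0, len(data), 4)],
    }


# Events 1 and 3 exactly as posted above.
EVENT_1 = parse_dump("0xdb 0x00 0x14 0x41 0x33 0x28 0x33 0x00 0x00 0x00 0x00 0x0f "
                     "0x17 0x7f 0xac 0x00 0x00 0x04 0xe4 0x00")
EVENT_3 = parse_dump("0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 "
                     "0x00 0x90 0x74 0x00 0x00 0x00 0x00 0x20")

if __name__ == "__main__":
    for event in (EVENT_1, EVENT_3):
        print(decode_event(event))
```

Event 1 decodes to HAB_FAILURE with reason HAB_INV_CALL in context HAB_CTX_TARGET, and event 3 to HAB_INV_ASSERTION in HAB_CTX_ASSERT with data groups 00000000, 00907400 and 00000020.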

1 Solution
ajithpv
Contributor V

Great News! HAB Events got resolved!

I was trying with PLUGIN mode. I have changed the PLUGIN mode settings to DCD, since "tools/imximage.c" defines that PLUGIN mode shall not support SECURE_BOOT related activities.

Once I changed to DCD mode, the addresses became accurate and the HAB Events got resolved.

Please note that I have tested this in OPEN mode.

Thank you Yuri for your wonderful support!

Ajith P V

robyf
Contributor IV

Hi Ajith,

Have you automatized the signing process using a particular recipe patch? I'm actually interested in automatizing the signing process.

Cheers,

Roberto Fichera.

ajithpv
Contributor V

Hi robyf,

Could you please elaborate what you mean by the "particular recipe patch" a little more. Do you want to automate even the serial number which has to be provided too?

Regards

Ajith P V

robyf
Contributor IV

Hi Ajith,

Sorry! I meant within yocto. So to produce a final image having both u-boot and u/zImage signed, ready to be flashed.

Cheers,

Roberto Fichera.

ajithpv
Contributor V

Hi Roberto Fichera,

I have not tried to make the signed images within Yocto itself. I got your point and it makes sense too. But so far I used CST (Code Signing Tool) with Yocto compiled images.

I believe there should be some security concerns for this separation, though I am not able to tell you what the exact reason is for this CST and Yocto separation (moreover, this is an optional feature in i.MX platform).

Regards

Ajith P V

robyf
Contributor IV

Hi Ajith,

I don't think there are security reasons. As you know it's a step-by-step process so it can be automatized as optional task within Yocto.

So, I'm now looking how to do that.

Cheers,

Roberto Fichera.

ajithpv
Contributor V

Hi Roberto Fichera,

I agree with your point. Unfortunately, I'm not the right person to comment on the Freescale process. I think Yuri Muhin can definitely give you a better answer.

It would be nice if you had a 'menuconfig' macro to enable HAB secure boot that asks you for the input(s) while you are making the image.

Anyway, I wish you all the very best and am looking forward to hearing the good news from you...

Cheers

Ajith P V

robyf
Contributor IV

Hi,

I've just implemented the automatism I was talking about, attached there is my u-boot-cst-sign.inc file that I've tested on building my custom signed u-boot.

Once you add for example in your local.conf file

CST_ROOT = "_path_of_your_cst_dir_"
UBOOT_CSF = "_path_of_your_u-boot.csf"

it can be used easily by creating an u-boot-fslc_2014.10.bbappend file with just the command below:


require recipes-bsp/u-boot/u-boot-cst-sign.inc

afterwards you will have to regenerate your u-boot and rebuild your image, that's it!

Cheers,

Roberto Fichera.

ajithpv
Contributor V

Hi Roberto Fichera,

Nice work! I will definitely check this out. Are you using another file for uImage signing (in other words, two files for the complete signing task)?

Could you please prepare a simple user-manual-like document for the usage of your files so that other people who come here can also make a breakthrough in their job.

Anyway, I appreciate your effort...

Cheers

Ajith P V

robyf
Contributor IV

Hi Ajith,

Thanks! I'm just going to have a look at how to automatize the u/zImage signing process. Once everything works I'll write a simple HOWTO.

Cheers,

Roberto Fichera.

robyf
Contributor IV

Hi,

Finally I had some time to finish integrating the signing steps for both u-boot 2014.10 and kernel within Yocto Dizzy. I will not explain the details of how to create the CST signing tree since this process is already well documented.

So far so good; below are the steps to use the attached Yocto include files:

conf/local.conf

1. Add the following variables to your conf/local.conf file; be sure to match exactly the ones you want to use from your tree

CST_ROOT = "<path_to_your_cst>"
CST_SRK = "SRK_1_2_3_4_table.bin"
CST_SRK_FUSE = "SRK_1_2_3_4_fuse.bin"
CST_CSF_CERT = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
CST_IMG_CERT = "IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

u-boot 2014.10

1. It is important to add a new hab_section section within the linker script arch/arm/cpu/u-boot.lds as

        .end :
        {
                *(.__end)
        }

        _image_binary_end = .;

        . = ALIGN(0x1000);

        .hab_section (OVERLAY) : {
           __hab_data = .;
           . = . + 0x2000; /* Reserve 8kB for CSF */
           __hab_data_end = .;
         }

        /*
         * Deprecated: this MMU section is used by pxa at present but
         * should not be used by new boards/CPUs.
         */
        . = ALIGN(4096);
        .mmutable : {
                *(.mmutable)
        }

2. Locate your board configuration file in ./configs, for example ./configs/mx6slevk_defconfig, and add the SECURE_BOOT extra option

CONFIG_SYS_EXTRA_OPTIONS="IMX_CONFIG=board/freescale/mx6slevk/imximage.cfg,MX6SL,SECURE_BOOT"
CONFIG_ARM=y
CONFIG_TARGET_MX6SLEVK=y

3. Set the CSF pointer in IVT by configuring your board configuration file; for example, looking at the above IMX_CONFIG extra options, it's located at board/freescale/mx6slevk/imximage.cfg. This will set the CSF pointer in IVT and add the given length field

/* Reserve 8kB for CSF */
CSF    0x2000

4. If you want to have the fuse command available in u-boot then add these #defines in your board config file, for example include/configs/mx6slevk.h. This can be useful because the attached Yocto include will automatically generate the u-boot commands to program the SRKs

#define CONFIG_CMD_FUSE
#define CONFIG_MXC_OCOTP

5. Save the file u-boot-cst-sign.inc in your meta-<my_meta_package>/recipes-bsp/u-boot and create the following u-boot-fslc_2014.10.bbappend there, or just include the u-boot-cst-sign.inc if you already have one

require recipes-bsp/u-boot/u-boot-cst-sign.inc

... rest of the recipe to patch your own u-boot version ...

6. At this time you should be able to bitbake the image and get your signed u-boot at the usual place tmp/deploy/images/<your_board>. Here you can also find the fuse-srks.txt file containing the u-boot commands used to program the SRKs, for example something like below. The generated u-boot commands can be easily integrated by changing the u-boot-cst-sign.inc

fuse prog 3 0 0x3fc4281c
fuse prog 3 1 0xc29d9aaa
fuse prog 3 2 0x7ff6e9303
fuse prog 3 3 0x264264fe6
fuse prog 3 4 0x2252c543
fuse prog 3 5 0x30c1566
fuse prog 3 6 0xb4d42243
fuse prog 3 7 0x283229cc
fuse prog 3 7 0x28326653

Signing the u/zImage

1. Signing the kernel doesn't require much more effort than just adding the kernel-cst-sign.inc include file to your kernel recipe with the following include

require kernel-cst-sign.inc

That's it. You can now bitbake your image having both u-boot and u/zImage signed.

In future work I might add the possibility to automatically detect whether or not u-boot has the SECURE_BOOT and CSF variable set, in order to adapt the u-image signing process accordingly.
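
Step 6 produces a fuse-srks.txt with the commands that program the SRK hash, and fuses can only be written once, so the list is worth checking against the fuse file before it is used. Added example, not taken from the attached u-boot-cst-sign.inc: it assumes SRK_1_2_3_4_fuse.bin holds eight little-endian 32-bit words mapped to bank 3, words 0 to 7, as in the commands above; the function names and the sample bytes are constructed.

```python
import re
import struct

SRK_BANK = 3     # bank used by the 'fuse prog 3 N ...' commands in the post
SRK_WORDS = 8    # 256-bit SRK hash = eight 32-bit fuse words
CMD_RE = re.compile(r"fuse prog (\d+) (\d+) 0x([0-9a-fA-F]+)")


def srk_words(blob):
    """Split the 32-byte SRK fuse file into little-endian 32-bit words."""
    if len(blob) != 4 * SRK_WORDS:
        raise ValueError("expected 32 bytes, got %d" % len(blob))
    return struct.unpack("<%dL" % SRK_WORDS, blob)


def srk_fuse_commands(blob):
    """Generate the U-Boot commands for an SRK fuse file."""
    return ["fuse prog %d %d 0x%08x" % (SRK_BANK, i, w)
            for i, w in enumerate(srk_words(blob))]


def check_fuse_commands(lines, blob):
    """Return the problems found in a command list, compared against blob."""
    expected, problems, seen = srk_words(blob), [], {}
    for n, line in enumerate(lines, 1):
        m = CMD_RE.fullmatch(line.strip())
        if not m:
            problems.append("line %d: not a 'fuse prog' command" % n)
            continue
        bank, word, value = int(m[1]), int(m[2]), int(m[3], 16)
        if bank != SRK_BANK or word >= SRK_WORDS:
            problems.append("line %d: bank %d word %d is not an SRK word" % (n, bank, word))
        elif word in seen:
            problems.append("line %d: word %d already set on line %d" % (n, word, seen[word]))
        elif value != expected[word]:
            problems.append("line %d: word %d differs from the fuse file" % (n, word))
        seen.setdefault(word, n)
    problems += ["word %d is never programmed" % w
                 for w in range(SRK_WORDS) if w not in seen]
    return problems


# Constructed 32-byte stand-in for SRK_1_2_3_4_fuse.bin (not a real key hash).
SAMPLE_BLOB = bytes(range(32))

if __name__ == "__main__":
    print("\n".join(srk_fuse_commands(SAMPLE_BLOB)))
```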

kanimozhi_t
Contributor V

Hi robyf

Thanks for your nice work! However, I ran into a FileNotFoundError for UBOOT_BINARY. The log is as follows:

File: '/home/ux/yocto/sources/meta-freescale-3rdparty/recipes-bsp/u-boot/u-boot-cst-sign.inc', lineno: 34, function: generate_csf
0030: import os
0031:
0032: ddr_addr = 0
0033:
*** 0034: with open('${UBOOT_BINARY}', 'rb') as f:
0035: f.read(32)
0036: ddr_addr = struct.unpack("<L", f.read(4))[0]
0037:
0038: uboot_size = os.path.getsize('${UBOOT_BINARY}')
Exception: FileNotFoundError: [Errno 2] No such file or directory: '${UBOOT_BINARY}'

I would be grateful if you could help.

trivat
Contributor I

Hi all,

I experience the same error. Did anyone solve the complete u-boot-cst-sign.inc?
I could progress on this error by converting paths with d.expand() but run into error "Exception: KeyError: 'CST_ROOT'" at line *** 0071:'''.format(hex(ivt_start), hex(ivt_offset), hex(auth_len)))

ajithpv
Contributor V

Well done robyf

I appreciate your effort and nicely written steps to make use of the included files.

Cheers,

Ajith P V

saisuryanarayan
Contributor I

Hi ajith,

Can you please provide your CSF file, since I am also facing a similar problem.

ajithpv
Contributor V

Hi saisuryanarayan,

Could you please make sure you are using DCD mode? If you confirm that you are using DCD and the problem still exists, then please share your CSF file. We can correct it, if any problem is present in it.

Regards

Ajith P Venugopal

saisuryanarayan
Contributor I

Hi Ajith,

Thanks for your reply. Yes, I have enabled DCD mode. Here is my CSF file

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded U-Boot starting at the IVT through to the end with
# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file

[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x000 0x59C00 "U-Boot-pad.bin"

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x2C 0x13A "U-Boot-pad.bin"

Thank You

SaiSurya
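
The block definition in the CSF comments above (start address on the i.MX, offset in the file, length) can be derived from the image header instead of being typed by hand. Added example, not code from the thread or from u-boot-cst-sign.inc: it assumes a DCD-mode image with the IVT at file offset 0, the boot data directly behind it, and a signed region running from the IVT to the CSF pointer; the function names and the sample header are constructed.

```python
import struct

IVT_TAG = 0xD1   # IVT header tag
IVT_LEN = 0x20   # 32-byte IVT; the boot data is assumed to follow it directly


def parse_imx_header(image):
    """Parse the IVT and boot data at the start of a .imx image."""
    if len(image) < IVT_LEN + 12:
        raise ValueError("image too short for IVT + boot data")
    tag, length, _version = struct.unpack(">BHB", image[:4])  # big-endian header
    if tag != IVT_TAG or length != IVT_LEN:
        raise ValueError("no IVT at offset 0")
    # The remaining IVT words and the boot data are little-endian.
    entry, _, dcd, boot_data, self_addr, csf, _ = struct.unpack("<7L", image[4:32])
    start, size, plugin = struct.unpack("<3L", image[32:44])
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data, "self": self_addr,
            "csf": csf, "start": start, "size": size, "plugin": plugin}


def authenticate_block(hdr, filename):
    """Build the CSF 'Blocks' line for the region from the IVT up to the CSF."""
    if hdr["plugin"]:
        raise ValueError("plugin flag set: image is in PLUGIN mode, not DCD mode")
    if hdr["csf"] <= hdr["self"]:
        raise ValueError("CSF pointer missing or below the IVT")
    length = hdr["csf"] - hdr["self"]
    return 'Blocks = 0x%08x 0x000 0x%X "%s"' % (hdr["self"], length, filename)


def build_header(self_addr, csf, plugin=0):
    """Constructed sample header (hypothetical values, not a real U-Boot image)."""
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40)
    ivt += struct.pack("<7L", 0x17800000, 0, self_addr + 0x2C, self_addr + 0x20,
                       self_addr, csf, 0)
    return ivt + struct.pack("<3L", self_addr - 0x400, 0x5C000, plugin)


if __name__ == "__main__":
    hdr = parse_imx_header(build_header(0x177FF400, 0x17859000))
    print(authenticate_block(hdr, "U-Boot-pad.bin"))
```

With the constructed header the result is the same line as the first [Authenticate Data] block in the CSF above; a header with the plugin flag set is rejected before any block is computed.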

ajithpv
Contributor V

Hi saisurya narayan,


Are you using MFG tool for HAB secure boot? I would like to tell you that, I have tried secure boot without using MFG tool (i.e, directly flashing the images into SD card).

Hence, I'm using only one [Authenticate Data] section.

Could you please elaborate a little about your HAB problem? Though it might be different from what I have faced, we can check that part too.


Also please see the Mx6 HAB (High Assurance Boot) link Yocto section, if you are using Yocto Build.

Regards

Ajith P V

saisuryanarayan
Contributor I

Hi Ajith,

Thanks for your reply.

I am not using MFG tool for Secure boot (directly flashing images to eMMC) and I removed the second [Authenticate Data] section from my CSF. Now my hab_status command is not giving any HAB events. Thanks for your suggestion.

Now can I make SEC_CONFIG fuse to close mode? Or do I need to test anything else before closing it?

Thank You

SaiSurya

ajithpv
Contributor V

Hi saisurya narayan,


I would like to tell you that the second [Authenticate Data] section is used only if you are using MFG tool. So that was your issue. Anyway great!

Ideally, no HAB Event is the indication to go to the CLOSE mode. Also I recommend you check the HAB actions by manipulating the signed images. Once you confirm everything is working fine without any issues, then go ahead with CLOSE mode.


All the very best..

Ajith P V
