Need to know how to implement HAB with Yocto BSP (Kernel 3.10.17)

8,532 Views
ajithpv
Contributor V

Hi all,

As part of my current task, I have to implement the HAB feature of i.MX6Q in Linux kernel 3.10.17 (Yocto) based system. I'm booting from micro SD card.

The following are the documents and tools which I'm using.

1) AN4581_HAB_Application_Note.pdf

2) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf (for 3.10.17-Yocto BSP)

3) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images. The corresponding path is <Yocto build directory>/tmp/work/<machine-poky-linux-gnueabi>/imx-test/1_3.10.17-1.0.0.-r0/imx-test-3.10.17-1.0.0/test

4) HABCST_UG.pdf

5) HAB4_API.pdf

Please clarify my below doubt with respect to HAB implementation on i.MX6Q SabreSD based platform.


I have followed all the steps from the documents below, apart from the OTPMK, RNG_TRIM and SEC_CONFIG configuration (i.e. OPEN mode configuration)

1) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf

2) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images.

I have created the signed u-boot as well as uImage and flashed them onto the microSD card (please note that I'm not using MFG tool for this task).


I'm getting below HAB events while running the signed images:

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x28 0x33 0x00
0x00 0x00 0x00 0x0f 0x17 0x7f 0xac 0x00
0x00 0x04 0xe4 0x00

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x2c
0x00 0x00 0x00 0x04

As from the Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the CST package, I understood the meaning of these HAB Events, but I didn't get any clue on how to resolve these issues! (In other words, I'm screwed-up here)

Could you please help me to give some clue how I can proceed to resolve these issues. As I said, I'm using the dynamic script files from Yocto build and I hope these scripts should do all the jobs.

Any help would be appreciated...

Thank you in advance

Ajith P Venugopal
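
A decoder for the event records pasted in the post above, added here as an example and not part of the original thread or of any NXP tool. The code names follow the HAB4 definitions and cover only the values seen in these events; reading the bytes after the 8-byte header as big-endian 32-bit words is this example's assumption.

```python
import re
import struct

# HAB4 code names, limited to the values that occur in this thread's events.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x28: "HAB_INV_CALL", 0x22: "HAB_INV_ADDRESS", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0x33: "HAB_CTX_TARGET", 0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT"}

# Events 2 and 3 as printed in the post above.
SAMPLE = """\
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20
"""

def decode_event(raw):
    """Decode one event record: 8-byte header, then big-endian 32-bit data words."""
    if len(raw) < 8:
        raise ValueError("record shorter than the 8-byte header")
    tag, length, version, status, reason, context, engine = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB:
        raise ValueError("not an event record (tag 0x%02x)" % tag)
    if length != len(raw) or (length - 8) % 4:
        raise ValueError("length field %d does not match %d captured bytes" % (length, len(raw)))
    return {
        "version": version,
        "status": STATUS.get(status, hex(status)),
        "reason": REASON.get(reason, hex(reason)),
        "context": CONTEXT.get(context, hex(context)),
        "engine": engine,
        "words": struct.unpack(">%dI" % ((length - 8) // 4), raw[8:]),
    }

def parse_events(console_text):
    """Split console output at each 'HAB Event N' banner and decode the bytes after it."""
    chunks = re.split(r"-+ HAB Event \d+ -+", console_text)[1:]
    return [decode_event(bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", c)))
            for c in chunks]

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["status"], ev["reason"], ev["context"], [hex(w) for w in ev["words"]])
```

In event 3 the second data word decodes to 0x00907400, the same value as the ivt_start reported later in the thread.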

1 Solution
4,426 Views
ajithpv
Contributor V

Great News! HAB Events got resolved!

I was trying with PLUGIN mode. I have changed the PLUGIN mode settings to DCD, since "tools/imximage.c" defines that PLUGIN mode shall not support SECURE_BOOT related activities.

Once I changed to DCD mode, the addresses became accurate and the HAB Events got resolved.

Please note that I have tested this in OPEN mode.

Thank you Yuri for your wonderful support!

Ajith P V


0 Kudos
24 Replies
1,776 Views
ajithpv
Contributor V

Hi,

The further update is as follows.

Since our custom board shows HAB Events and it is still not clear why this is happening, I took the SabreSD u-boot configuration and found the points below.

Procedure 1: DCD

  • Build the SabreSD board configuration using "mx6qsabresd_config" (in Yocto 3.10.17 build U-boot source code).
  • I used the default board configurations with secure boot enabled. In other words, I have enabled CONFIG_SECURE_BOOT from the <u-boot path>include/configs/mx6qsabre_common.h file
  • I got below prints during the building

          SabreSD board build log - DCD enabled(default)
          =============================================
          Image Type:   Freescale IMX Boot Image
          Image Ver:    2 (i.MX53/6 compatible)
          Mode:                 DCD
          Secure Boot Mode:     ON
          CSF Data Address:     17858000
          U-Boot Data Size:     390144 Bytes = 381.00 kB = 0.37 MB
          U-Boot Load Address:  177fac00
          U-Boot Entry Point:   17800000

Procedure 2: PLUGIN

  • Build the SabreSD board configuration using "mx6qsabresd_config" (in Yocto 3.10.17 build U-boot source code).
  • I have enabled secure boot as well as PLUGIN mode from the default configuration. In other words, I have enabled CONFIG_USE_PLUGIN and CONFIG_SECURE_BOOT from the <u-boot path>include/configs/mx6qsabre_common.h file
  • I got below prints during the building

          SabreSD board build log -PLUGIN enabled
          =============================================
          Image Type:   Freescale IMX Boot Image
          Image Ver:    2 (i.MX53/6 compatible)
          Mode:                 PLUGIN
          Secure Boot Mode:     OFF
          Plugin Data Size:     16384 Bytes = 16.00 kB = 0.02 MB
          Plugin Code Size:     888 Bytes = 0.87 kB = 0.00 MB
          Plugin Load Address:  00907000
          Plugin Entry Point:   0090742c
          U-Boot Data Size:     378368 Bytes = 369.50 kB = 0.36 MB
          U-Boot Load Address:  00907000
          U-Boot Entry Point:   17800000

From the above build prints, it is obvious that there are some changes from DCD to PLUGIN with respect to HAB secure boot. I have seen that Secure Boot Mode is OFF when using PLUGIN whereas it's ON in DCD. Similarly, I have not seen any CSF Data Address in PLUGIN mode.

Now, here comes my actual doubt. Does PLUGIN mode support the HAB secure boot feature? I have tried so far on our custom Freescale board with PLUGIN mode since that is supported by default in our case.

Looking forward to any suggestion OR help.

Thank you in advance

Ajith P V

0 Kudos
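
A pre-signing check over the build summary quoted in the post above, added here as an example and not part of the original thread or the Yocto scripts. It treats a non-DCD mode, "Secure Boot Mode" other than ON, or a missing CSF Data Address as reasons not to sign, following the thread's finding that the HAB events cleared after switching to DCD mode; the function names are hypothetical.

```python
import re

# Build summaries as printed in the post above (a subset of each log's lines).
DCD_LOG = """\
Mode:                 DCD
Secure Boot Mode:     ON
CSF Data Address:     17858000
U-Boot Load Address:  177fac00
U-Boot Entry Point:   17800000
"""
PLUGIN_LOG = """\
Mode:                 PLUGIN
Secure Boot Mode:     OFF
Plugin Load Address:  00907000
U-Boot Load Address:  00907000
U-Boot Entry Point:   17800000
"""

def parse_summary(log):
    """Turn 'Key:   value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in log.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def signing_blockers(log):
    """Return the reasons this build should not be handed to the signing script."""
    f = parse_summary(log)
    blockers = []
    if f.get("Mode") != "DCD":
        blockers.append("image mode is %s, not DCD" % f.get("Mode", "missing"))
    if f.get("Secure Boot Mode") != "ON":
        blockers.append("Secure Boot Mode is %s" % f.get("Secure Boot Mode", "missing"))
    if not re.fullmatch(r"[0-9a-fA-F]{8}", f.get("CSF Data Address", "")):
        blockers.append("no CSF Data Address in the build summary")
    return blockers

if __name__ == "__main__":
    for name, log in (("DCD", DCD_LOG), ("PLUGIN", PLUGIN_LOG)):
        print(name, signing_blockers(log) or "ok to sign")
```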
408 Views
dheerajr
Contributor II

Hi Ajith,

I have enabled CONFIG_SECURE_BOOT in the path given. Since I used the Yocto project to build the u-boot image, the path in which the config file exists is within the build directory. After enabling CONFIG_SECURE_BOOT, I need to re-compile and re-build, right? If so, do you know which commands to execute?

Regards,

Dheeraj

0 Kudos
408 Views
Yuri
NXP Employee

  Please try to sign U-boot only, using templates in Freescale Yocto package (git).

Also, please use the recent information from

Mx6 HAB (High Assurance Boot)

https://community.freescale.com/docs/DOC-96451


Have a great day,
Yuri


408 Views
ajithpv
Contributor V

Thank you Yuri for your support.

Please see my comments below and let me know whether I need to change anything, even my assumption!

  • I'm using the mxc_secure script files (V2012) as they are, without any modifications. The path of the same is "<Yocto build directory>/tmp/work/<machine-poky-linux-gnueabi>/imx-test/1_3.10.17-1.0.0.-r0/imx-test-3.10.17-1.0.0/test". The scripts take the address and offsets dynamically from the given u-boot.imx
  • I have gone through the https://community.freescale.com/docs/DOC-96451 document (specifically the "9: Sign Yocto 3.10.17 u-boot" section).
  • Please note that I'm using PLUGIN mode instead of DCD mode in u-boot configuration settings.
  • I would like to give my u-boot build log info as below

          Image Type:  Freescale IMX Boot Image
          Image Ver:    2 (i.MX53/6 compatible)
          Mode:                PLUGIN
          Secure Boot Mode:    OFF
          Plugin Data Size:    16384 Bytes = 16.00 kB = 0.02 MB
          Plugin Code Size:    2000 Bytes = 1.95 kB = 0.00 MB
          Plugin Load Address:  00907000
          Plugin Entry Point:  0090742c
          U-Boot Data Size:    320512 Bytes = 313.00 kB = 0.31 MB
          U-Boot Load Address:  00907000
          U-Boot Entry Point:  17800000

  • The FLASH_OFFSET_STANDARD is 0x400 and CSF_ALIGN_SIZE is 0x1000 (in other words no change in these values)
  • I'm using Code Signing Tool (CST) version cst-2.2 from Freescale provided link
  • From "mk_secure_uboot" script inside mxc_secure script(V2012) folder, I calculated and got the below values for its variables

          ddr_addr= 0x00907000
          uboot_size= 319396 (0x4DFA4)

          habimagegen script:
          ====================
          pad_len= 0x4E000
          sig_len= 0x50000

          uboot csf script:
          ======================
          ivt_offset= 0x0
          auth_len= 0x4E000
          ivt_start= 0x907400

  • When I run the "mk_secure_uboot" script, I get a success message as shown below

          ./mk_secure_uboot
          Make Sure Your "u-boot.imx" is up to date...
          extend u-boot to 0x4E000...
          generate csf data...
          CSF Processed successfully and signed data available in u-boot_csf.bin
          merge image and csf data...
          extend final image to 0x50000...
          u-boot-signed-pad.imx is ready
          U-Boot image with Signature "u-boot-signed-pad.imx" is ready to use

  • I download u-boot-signed-pad.imx to the microSD card using the command below

          $ sudo dd if=<path>/u-boot-signed-pad.imx of=/dev/sdx bs=512 seek=2

  • After all these steps, still I'm getting the HAB Events as it is.

Is my procedure correct? Am I missing something here? Has anybody tested HAB secure boot with the automated script which is present inside the Yocto build?


Please note that I'm not using MFG tool for flashing and I'm hoping that this will not cause any issue.


Thank you in advance

Ajith P V

0 Kudos