Hi all,
As part of my current task, I have to implement the HAB feature of i.MX6Q in Linux kernel 3.10.17 (Yocto) based system. I'm booting from micro SD card.
The following are the documents and tools which I'm using.
1) AN4581_HAB_Application_Note.pdf
2) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf (for 3.10.17-Yocto BSP)
3) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images. The corresponding path is <Yocto build directory>/tmp/work/<machine-poky-linux-gnueabi>/imx-test/1_3.10.17-1.0.0.-r0/imx-test-3.10.17-1.0.0/test
4) HABCST_UG.pdf
5) HAB4_API.pdf
Please clarify my below doubt with respect to HAB implementation on i.MX6Q SabreSD based platform.
I have followed all the steps from the documents below, apart from the OTPMK, RNG_TRIM and SEC_CONFIG configuration (i.e. OPEN mode configuration)
1) i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf
2) README.txt from mxc_secureboot.zip (V2012) - this contains the automated script files for creating dynamic signed images.
I have created the signed u-boot as well as uImage and flashed them onto the microSD card (please note that I'm not using the MFG tool for this task).
I'm getting below HAB events while running the signed images:
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x28 0x33 0x00
0x00 0x00 0x00 0x0f 0x17 0x7f 0xac 0x00
0x00 0x04 0xe4 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x2c
0x00 0x00 0x00 0x04
From Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the CST package, I understood the meaning of these HAB Events, but I didn't get any clue on how to resolve these issues! (In other words, I'm screwed-up here)
Could you please give me some clue as to how I can proceed to resolve these issues? As I said, I'm using the dynamic script files from the Yocto build and I hope these scripts should do all the jobs.
Any help would be appreciated...
Thank you in advance
Ajith P Venugopal
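Added example (not part of the original post or of the vendor's tools): a small Python decoder for the event records printed above, using the HAB4 status, reason and context codes for the values that appear in this dump. Reading the bytes after the 8-byte header as big-endian 32-bit words is an assumption made here for readability.

```python
import re

# Subset of HAB4 status/reason/context codes (see Appendix A of HAB4_API.pdf).
STATUS = {0x00: "ANY", 0x33: "FAILURE", 0x69: "WARNING", 0xF0: "SUCCESS"}
REASON = {0x05: "INV_IVT", 0x0C: "INV_ASSERTION", 0x11: "INV_CSF",
          0x18: "INV_SIGNATURE", 0x1D: "INV_KEY", 0x22: "INV_ADDRESS", 0x28: "INV_CALL"}
CONTEXT = {0x0A: "AUTHENTICATE", 0x33: "TARGET", 0xA0: "ASSERT",
           0xC0: "COMMAND", 0xCF: "CSF", 0xDD: "DCD"}

# Event dump copied from the first post (events 1-3 of 5).
DUMP = """
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x28 0x33 0x00
0x00 0x00 0x00 0x0f 0x17 0x7f 0xac 0x00
0x00 0x04 0xe4 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20
"""

def split_events(text):
    """Return one bytes object per 'HAB Event N' section of a console dump."""
    sections = re.split(r"-+ HAB Event \d+ -+", text)[1:]
    return [bytes(int(b, 16) for b in re.findall(r"0x[0-9a-fA-F]{2}", s))
            for s in sections]

def decode(rec):
    """Decode the 8-byte event header; return the rest as big-endian words."""
    length = int.from_bytes(rec[1:3], "big")  # bytes 1-2: total record length
    if len(rec) < 8 or rec[0] != 0xDB or length != len(rec):  # 0xDB = event tag
        raise ValueError("not a complete HAB event record")
    name = lambda table, v: table.get(v, f"unknown({v:#04x})")
    return {
        "version": f"{rec[3] >> 4}.{rec[3] & 0xF}",
        "status": name(STATUS, rec[4]),
        "reason": name(REASON, rec[5]),
        "context": name(CONTEXT, rec[6]),
        "engine": rec[7],
        "data": [int.from_bytes(rec[i:i + 4], "big") for i in range(8, length, 4)],
    }

if __name__ == "__main__":
    print([decode(r) for r in split_events(DUMP)])
```

For event 3 the second data word decodes to 0x00907400, the same value as the ivt_start setting quoted later in this thread, and for event 1 it is 0x177fac00, the U-Boot load address shown in the DCD build log.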
Great News! HAB Events got resolved!
I was trying with PLUGIN mode. I have changed the PLUGIN mode settings to DCD, since "tools/imximage.c" defines that PLUGIN mode shall not support SECURE_BOOT related activities.
Once I changed to DCD mode, the addresses became accurate and the HAB Events got resolved.
Please note that I have tested this in OPEN mode.
Thank you Yuri for your wonderful support!
Ajith P V
Hi,
The further update is as follows.
Since our custom board shows HAB Events and it is still not clear why this is happening, I took the SabreSD u-boot configuration and found the points below.
Procedure 1: DCD
SabreSD board build log - DCD enabled(default)
=============================================
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Mode: DCD
Secure Boot Mode: ON
CSF Data Address: 17858000
U-Boot Data Size: 390144 Bytes = 381.00 kB = 0.37 MB
U-Boot Load Address: 177fac00
U-Boot Entry Point: 17800000
Procedure 2: PLUGIN
SabreSD board build log -PLUGIN enabled
=============================================
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Mode: PLUGIN
Secure Boot Mode: OFF
Plugin Data Size: 16384 Bytes = 16.00 kB = 0.02 MB
Plugin Code Size: 888 Bytes = 0.87 kB = 0.00 MB
Plugin Load Address: 00907000
Plugin Entry Point: 0090742c
U-Boot Data Size: 378368 Bytes = 369.50 kB = 0.36 MB
U-Boot Load Address: 00907000
U-Boot Entry Point: 17800000
From the above build prints, it is obvious that there are some changes from DCD to PLUGIN with respect to HAB secure boot. I have seen that Secure Boot Mode is OFF when using PLUGIN, whereas it is ON in DCD. Similarly, I have not seen any CSF Data Address in PLUGIN mode.
Now, here comes my actual doubt. Does PLUGIN mode support the HAB secure boot feature? So far I have tried PLUGIN mode on our custom Freescale board, since that is supported by default in our case.
Looking forward to any suggestion OR help.
Thank you in advance
Ajith P V
Hi Ajith,
I have enabled CONFIG_SECURE_BOOT in the path given. Since I used the Yocto project to build the u-boot image, the path in which the config file exists is within the build directory. After enabling CONFIG_SECURE_BOOT, I need to re-compile and re-build, right? If so, do you know which commands to execute?
Regards,
Dheeraj
Please try to sign U-boot only, using templates in Freescale Yocto package (git).
Also, please use the recent information from
Mx6 HAB (High Assurance Boot)
https://community.freescale.com/docs/DOC-96451
Have a great day,
Yuri
Thank you Yuri for your support.
Please see my comments below and let me know whether I need to change anything, even my assumption!
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Mode: PLUGIN
Secure Boot Mode: OFF
Plugin Data Size: 16384 Bytes = 16.00 kB = 0.02 MB
Plugin Code Size: 2000 Bytes = 1.95 kB = 0.00 MB
Plugin Load Address: 00907000
Plugin Entry Point: 0090742c
U-Boot Data Size: 320512 Bytes = 313.00 kB = 0.31 MB
U-Boot Load Address: 00907000
U-Boot Entry Point: 17800000
ddr_addr= 0x00907000
uboot_size= 319396 (0x4DFA4)
habimagegen script:
====================
pad_len= 0x4E000
sig_len= 0x50000
uboot csf script:
======================
ivt_offset= 0x0
auth_len= 0x4E000
ivt_start= 0x907400
./mk_secure_uboot
Make Sure Your "u-boot.imx" is up to date...
extend u-boot to 0x4E000...
generate csf data...
CSF Processed successfully and signed data available in u-boot_csf.bin
merge image and csf data...
extend final image to 0x50000...
u-boot-signed-pad.imx is ready
U-Boot image with Signature "u-boot-signed-pad.imx" is ready to use
$ sudo dd if=<path>/u-boot-signed-pad.imx of=/dev/sdx bs=512 seek=2
Is my procedure correct? Am I missing something here? Has anybody tested HAB secure boot with the automated script which is present inside the Yocto build?
Please note that I'm not using the MFG tool for flashing and I'm hoping that this will not cause any issue.
Thank you in advance
Ajith P V