Preloader related information required for secure boot for iMX6-dp

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Preloader related information required for secure boot for iMX6-dp

2,244 次查看
shantanu-banerjee
Contributor I

Hello Team,

I have below question for iMX6-dp processor secure boot boot flow.

C300 have a Preloader folder. If I refer AN4581 I am not able to find any information regarding Preloader.

Q1. Is it custom implementation?

Q2. How can I get some information about bootflow?

 

Thank you

 

标签 (1)
0 项奖励
回复
10 回复数

2,229 次查看
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

Q1. Is it custom implementation?

[Richard] Preloader is a part of fail-safe boot solution that was provided by MSS team as a commercial service. You can get additional information if you ask LGE to share "failsafe_user_guide.pdf" document.

Q2. How can I get some information about boot-flow?

[Richard] I remember the boot-flow is included in release note of MSS solution. But you need to ask LGE to share it. Following is brief of the flow. 

richardkim_0-1673420086993.png

Thank you.

 

0 项奖励
回复

2,216 次查看
shantanu-banerjee
Contributor I

Dear Richard Kim,

Thank you for the information. 

I have shared this infomation with LGE regarding MSS documents.

Meanwhile could you please clarify below questions,

1. Is it required to authenticate Preloader?

2. Is there any mechanism to print entire HAB event log from preloader? Similar what is happening in u-boot.

It will be very helpful if you give some overview.

Thank you.

0 项奖励
回复

2,200 次查看
Richard_Kim
NXP Employee
NXP Employee

Hello Shantanu,

Please find my in-line comments below.

  1. Is it required to authenticate Preloader? [Richard] Preloader is not required to be authenticated.
  2. Is there any mechanism to print entire HAB event log from preloader? Similar what is happening in u-boot. [Richard] You may get more information from the document I commented.

Thank you.

0 项奖励
回复

2,194 次查看
shantanu-banerjee
Contributor I

Hello Support Team,

I have a question related to preloader.

As I have understood Preloader is responsible to authenticate Uboot.But problem is that I am not able to print HAB authentication log from Preloader. It seems Preloader not including standard C functions.

My question is how to print HAB events from Preloader? Because I am getting HAB authentication failed but unable to understand the reason.

 

Below is the code snippet from Preloader source.

shantanubanerjee_0-1674460037208.png

Thank you for your support.

 

0 项奖励
回复

2,189 次查看
shantanu-banerjee
Contributor I

Dear Support Team,

We have successfully printed HAB log from Preloader.

As we have understood error as below. But we are unable to identify the exact reason for this failure.

It will be helpful if you share some information opinion on this.

HAB Event 1 = 3311cf00 = HAB_INV_CSF
HAB Event 2 = 330ca000 = HAB_INV_ASSERTION
HAB Event 3 = 330ca000 = HAB_INV_ASSERTION
HAB Event 4 = 330ca000 = HAB_INV_ASSERTION
HAB Event 5 = 330ca000 = HAB_INV_ASSERTION

Please find below details

u-boot.bin size = 0x20CB4

objcopy -I binary -O binary --pad-to 0x21000 --gap-fill=0x5A u-boot.bin u-boot-pad.bin

u-boot-pad.bin size = 0x21000


genIVT_uboot

#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x402000D1); # Signature
print $out pack("V", 0x17800000); # Jump Location
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x17821000); # Self Pointer
print $out pack("V", 0x17821020); # CSF Pointer
print $out pack("V", 0x0); # Reserved
close($out);

u-boot.csf

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded uImage start at address 0x10800000
# length = 0x3FE0000
# This covers the essential parts: original uImage and the attached IVT
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x17800000 0x0 0x21020 "u-boot-pad-ivt.bin"

Preloader main.c use below for authentication uboot

#define DDR_UBOOT_LOAD 0x17800000

// hab
#define IVT_SIZE 0x20
#define ALIGN_SIZE 0x1000
#define CSF_PAD_SIZE 0x2000

#define UBOOT_SIZE_PAD 0x21000
#define UBOOT_COPY 0x23000

#define UBOOT_IVT_OFFSET UBOOT_SIZE_PAD
#define UBOOT_AUTH_SIZE (UBOOT_SIZE_PAD + IVT_SIZE + CSF_PAD_SIZE)
 
Then use below function for authentication in main.c (Preloader)
authenticate_image(UBOOT_IVT_OFFSET, DDR_UBOOT_LOAD, UBOOT_AUTH_SIZE);
 
 
habApiIf.c
hab_rvt_authenticate_image(1, ivt_offset, (void **)&start,(size_t *)&bytes, NULL);
 
0 项奖励
回复

2,182 次查看
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

I'm sorry but nobody can fully help you to understand failsafe solution.

Have you ever checked all documents below?

richardkim_0-1674608497930.png

 

0 项奖励
回复

2,172 次查看
shantanu-banerjee
Contributor I

Dear @Richard_Kim,

Thank you for the reply.

We just want to understand why "invalid CSF" error comes. We are using CSF as described in the fastboot document.

As per the hab_status_t(* hab_rvt::report_status) it is reporting HAB authentication failure but as per failsafe logic it pass the authentication. We need to understand this situation.

Code snippet:

shantanubanerjee_0-1674629012960.png

Current log

shantanubanerjee_1-1674629322989.png

NXP fast boot test log as per fastboot document

shantanubanerjee_2-1674629386165.png

Both log contains B, P1 and J. But as per HAB event log it saying authentication failed.

Thanks,

Shantanu Banerjee

 

 

 

0 项奖励
回复

2,166 次查看
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

NXP MSS team provided reference code for failsafe boot solution.

It was implemented and tested by "bg80.song" and I remember he was a LGE engineer.

I recommend you to ask and check the original failsafe code.

0 项奖励
回复

2,162 次查看
shantanu-banerjee
Contributor I

Dear @Richard_Kim 

Thank you for your support.

I need to clarify one point from original failsafe code.
 
I need to understand IMAGE_SIZE calculation. May be I am doing some mistake.
 
As per the failsafe document below is the calculation. But it does not match.  Any thing I did wrong?
$printf "0x%x" `stat -c "%s" u-boot-imx6dqp-signed-pad.bin` //Original failsafe uboot binary
$0x42000            //size of u-boot-imx6dqp-signed-pad.bin
 
IMAGE_SIZE = 0x42000 + 2400
 
But in the original source code it is calculated as 0xFA000. Could you please clarify this.
 
Document snippet.
shantanubanerjee_0-1674650037121.png
 
Code snippet : PreLoader/src/vectors.S
shantanubanerjee_1-1674650037122.png

 

Thanks,

Shantanu Banerjee

0 项奖励
回复

2,158 次查看
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

I’m sorry but I dont fully understand failsafe solution. You should deep dive into it by yourself.

0 项奖励
回复