Preloader related information required for secure boot for iMX6-dp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Preloader related information required for secure boot for iMX6-dp

1,893 Views
shantanu-banerjee
Contributor I

Hello Team,

I have below question for iMX6-dp processor secure boot boot flow.

C300 have a Preloader folder. If I refer AN4581 I am not able to find any information regarding Preloader.

Q1. Is it custom implementation?

Q2. How can I get some information about bootflow?

 

Thank you

 

Labels (1)
0 Kudos
Reply
10 Replies

1,878 Views
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

Q1. Is it custom implementation?

[Richard] Preloader is a part of fail-safe boot solution that was provided by MSS team as a commercial service. You can get additional information if you ask LGE to share "failsafe_user_guide.pdf" document.

Q2. How can I get some information about boot-flow?

[Richard] I remember the boot-flow is included in release note of MSS solution. But you need to ask LGE to share it. Following is brief of the flow. 

richardkim_0-1673420086993.png

Thank you.

 

0 Kudos
Reply

1,865 Views
shantanu-banerjee
Contributor I

Dear Richard Kim,

Thank you for the information. 

I have shared this infomation with LGE regarding MSS documents.

Meanwhile could you please clarify below questions,

1. Is it required to authenticate Preloader?

2. Is there any mechanism to print entire HAB event log from preloader? Similar what is happening in u-boot.

It will be very helpful if you give some overview.

Thank you.

0 Kudos
Reply

1,849 Views
Richard_Kim
NXP Employee
NXP Employee

Hello Shantanu,

Please find my in-line comments below.

  1. Is it required to authenticate Preloader? [Richard] Preloader is not required to be authenticated.
  2. Is there any mechanism to print entire HAB event log from preloader? Similar what is happening in u-boot. [Richard] You may get more information from the document I commented.

Thank you.

0 Kudos
Reply

1,843 Views
shantanu-banerjee
Contributor I

Hello Support Team,

I have a question related to preloader.

As I have understood Preloader is responsible to authenticate Uboot.But problem is that I am not able to print HAB authentication log from Preloader. It seems Preloader not including standard C functions.

My question is how to print HAB events from Preloader? Because I am getting HAB authentication failed but unable to understand the reason.

 

Below is the code snippet from Preloader source.

shantanubanerjee_0-1674460037208.png

Thank you for your support.

 

0 Kudos
Reply

1,838 Views
shantanu-banerjee
Contributor I

Dear Support Team,

We have successfully printed HAB log from Preloader.

As we have understood error as below. But we are unable to identify the exact reason for this failure.

It will be helpful if you share some information opinion on this.

HAB Event 1 = 3311cf00 = HAB_INV_CSF
HAB Event 2 = 330ca000 = HAB_INV_ASSERTION
HAB Event 3 = 330ca000 = HAB_INV_ASSERTION
HAB Event 4 = 330ca000 = HAB_INV_ASSERTION
HAB Event 5 = 330ca000 = HAB_INV_ASSERTION

Please find below details

u-boot.bin size = 0x20CB4

objcopy -I binary -O binary --pad-to 0x21000 --gap-fill=0x5A u-boot.bin u-boot-pad.bin

u-boot-pad.bin size = 0x21000


genIVT_uboot

#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x402000D1); # Signature
print $out pack("V", 0x17800000); # Jump Location
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x17821000); # Self Pointer
print $out pack("V", 0x17821020); # CSF Pointer
print $out pack("V", 0x0); # Reserved
close($out);

u-boot.csf

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded uImage start at address 0x10800000
# length = 0x3FE0000
# This covers the essential parts: original uImage and the attached IVT
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x17800000 0x0 0x21020 "u-boot-pad-ivt.bin"

Preloader main.c use below for authentication uboot

#define DDR_UBOOT_LOAD 0x17800000

// hab
#define IVT_SIZE 0x20
#define ALIGN_SIZE 0x1000
#define CSF_PAD_SIZE 0x2000

#define UBOOT_SIZE_PAD 0x21000
#define UBOOT_COPY 0x23000

#define UBOOT_IVT_OFFSET UBOOT_SIZE_PAD
#define UBOOT_AUTH_SIZE (UBOOT_SIZE_PAD + IVT_SIZE + CSF_PAD_SIZE)
 
Then use below function for authentication in main.c (Preloader)
authenticate_image(UBOOT_IVT_OFFSET, DDR_UBOOT_LOAD, UBOOT_AUTH_SIZE);
 
 
habApiIf.c
hab_rvt_authenticate_image(1, ivt_offset, (void **)&start,(size_t *)&bytes, NULL);
 
0 Kudos
Reply

1,831 Views
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

I'm sorry but nobody can fully help you to understand failsafe solution.

Have you ever checked all documents below?

richardkim_0-1674608497930.png

 

0 Kudos
Reply

1,821 Views
shantanu-banerjee
Contributor I

Dear @Richard_Kim,

Thank you for the reply.

We just want to understand why "invalid CSF" error comes. We are using CSF as described in the fastboot document.

As per the hab_status_t(* hab_rvt::report_status) it is reporting HAB authentication failure but as per failsafe logic it pass the authentication. We need to understand this situation.

Code snippet:

shantanubanerjee_0-1674629012960.png

Current log

shantanubanerjee_1-1674629322989.png

NXP fast boot test log as per fastboot document

shantanubanerjee_2-1674629386165.png

Both log contains B, P1 and J. But as per HAB event log it saying authentication failed.

Thanks,

Shantanu Banerjee

 

 

 

0 Kudos
Reply

1,815 Views
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

NXP MSS team provided reference code for failsafe boot solution.

It was implemented and tested by "bg80.song" and I remember he was a LGE engineer.

I recommend you to ask and check the original failsafe code.

0 Kudos
Reply

1,811 Views
shantanu-banerjee
Contributor I

Dear @Richard_Kim 

Thank you for your support.

I need to clarify one point from original failsafe code.
 
I need to understand IMAGE_SIZE calculation. May be I am doing some mistake.
 
As per the failsafe document below is the calculation. But it does not match.  Any thing I did wrong?
$printf "0x%x" `stat -c "%s" u-boot-imx6dqp-signed-pad.bin` //Original failsafe uboot binary
$0x42000            //size of u-boot-imx6dqp-signed-pad.bin
 
IMAGE_SIZE = 0x42000 + 2400
 
But in the original source code it is calculated as 0xFA000. Could you please clarify this.
 
Document snippet.
shantanubanerjee_0-1674650037121.png
 
Code snippet : PreLoader/src/vectors.S
shantanubanerjee_1-1674650037122.png

 

Thanks,

Shantanu Banerjee

0 Kudos
Reply

1,807 Views
Richard_Kim
NXP Employee
NXP Employee

Hello @shantanu-banerjee,

 

I’m sorry but I dont fully understand failsafe solution. You should deep dive into it by yourself.

0 Kudos
Reply