Hi,
I’ve got a problem using High Assurance Boot (HAB) on my i.MX28 with U-Boot (version 04/2012).
When booting, I get several HAB failure events (described later on) and I don’t know what to do about it and how to interpret them in detail. I’ll first give the general steps which I applied to get HAB running and I attached my source files.
I followed the instructions from several Freescale manuals:
When booting, I get the following HAB Errors:
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x00 0x00 0x00
0x00 0x00 0x07 0x50
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x00 0x80 0x00
0x54 0xce 0x13 0xdd
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x08 0x40 0x33 0x22 0x0a 0x00
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x14
0x00 0x00 0x00 0x04
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x00 0x80 0x00
0x54 0xce 0x13 0xdd
--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 8 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x04 0x10 0x00 0x00
0x00 0x00 0x03 0xe8
My questions are:
With just this information I have no idea where I should start and what to do
I'm really stuck here and I appreciate any kind of help very much.
Best regards,
Christopher
Original Attachment has been moved to: u-boot.lds.zip
Original Attachment has been moved to: uboot-csf.zip
Original Attachment has been moved to: u-boot-spl.lds.zip
Original Attachment has been moved to: u-boot.bd.zip
Original Attachment has been moved to: spl-csf.zip
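To read dumps like the ones in the post above, this added example (not code from the thread or from Freescale) decodes HAB4 event records using the status, reason and context code values from U-Boot's HAB header. The function names are illustrative, and the three sample events are copied from the post.

```python
import re

# Code values as listed in U-Boot's HAB4 header (hab.h); others print as hex.
STATUS = {0x33: "FAILURE", 0x69: "WARNING", 0xF0: "SUCCESS"}
REASON = {0x05: "INV_IVT", 0x0C: "INV_ASSERTION", 0x11: "INV_CSF",
          0x17: "INV_SIZE", 0x18: "INV_SIGNATURE", 0x1D: "INV_KEY",
          0x21: "INV_CERTIFICATE", 0x22: "INV_ADDRESS", 0x28: "INV_CALL"}
CONTEXT = {0x0A: "AUTHENTICATE", 0x33: "TARGET", 0xA0: "ASSERT",
           0xC0: "COMMAND", 0xCF: "CSF", 0xDD: "DCD", 0xE1: "ENTRY"}

# Events 1, 3 and 4 copied verbatim from the post above.
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x00 0x00 0x00
0x00 0x00 0x07 0x50
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x08 0x40 0x33 0x22 0x0a 0x00
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00
0x00 0x00 0x00 0x20
"""

def split_events(text):
    """Return one bytes object per 'HAB Event N' section of console output."""
    chunks = re.split(r"-+ HAB Event \d+ -+", text)[1:]
    return [bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", c))
            for c in chunks]

def decode_event(raw):
    """Decode a HAB4 event: tag 0xDB, 16-bit length, version, 4 codes, data."""
    if len(raw) < 8 or raw[0] != 0xDB:
        raise ValueError("not a HAB event record")
    length = int.from_bytes(raw[1:3], "big")
    if length != len(raw):  # truncated paste or a byte lost in transcription
        raise ValueError(f"header says {length} bytes, dump has {len(raw)}")
    version, status, reason, context, engine = raw[3:8]
    words = [int.from_bytes(raw[i:i + 4], "big") for i in range(8, length - 3, 4)]
    return {"version": f"{version >> 4}.{version & 0xF}", "engine": engine,
            "status": STATUS.get(status, hex(status)),
            "reason": REASON.get(reason, hex(reason)),
            "context": CONTEXT.get(context, hex(context)),
            "data": [f"0x{w:08x}" for w in words]}

if __name__ == "__main__":
    print(*map(decode_event, split_events(SAMPLE)), sep="\n")
```

For the ASSERT-context events, reading the three data words as assertion type, address and length is an assumption to check against the HAB API reference; under that reading event 4 refers to 0x20 bytes at 0x00008000.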
Hi, Tai:
Sorry I forgot to put the link files into the attached zip file. That's very kind of you.
For power_prep, boot_prep and uboot's link files, I only added below lines before bss section:
SECTIONS
{
- . = 0x00000000;
+ . = 0x00000010;
...
+ __uboot_ivt = .; |
+ .ivt : { KEEP(*(.ivt)) }
+ __hab_uboot_data = .;
+ .hab : { KEEP(*(.hab)) }
+ . = . + 0x2000;
.bss
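Review bot: the added `__uboot_ivt = .; |` line ends with a stray `|` that is not valid linker-script syntax, so it should be dropped before this is applied. The `. = . + 0x2000;` gap after `.hab` also needs a comment saying what those 0x2000 bytes are reserved for, and the origin change from 0x00000000 to 0x00000010 deserves a comment next to the assignment, since every symbol after it moves by 16 bytes.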
My questions are: 1. According to your suggestion, for example, do I need to add "align(0x4010)" before "__hab_uboot_data = ."?
2. I found the "BASE_ADDR" in AN4555, which is passed by the Makefile. I do not know what it means and do not want to use it. Tai,
can I ignore it? I also found in Chris' patch that the BASE_ADDR in u-boot-spl.lds is "0x00000100", but in u-boot.lds it is "0x40000100".
3. If I use the above image layout, padded to 0x4000, in csf: block 0x10 0x0 0x4000 "xxx_pad.bin", do you think the "ivt" is in the signed block?
Tai, thanks for your help again. I have urgent work; could you please share your linker, csf and .bd files for reference? My email: wrlucker@sina.cn or
Try this:
SECTIONS
{
. = 0x00000010;
_BASE__ = .;
__uboot_ivt = .;
.ivt : { KEEP(*(.ivt)) }
. = _BASE__ + 0x4000;
__hab_uboot_data = .;
.hab : { KEEP(*(.hab)) }
. = . + 0x2000;
.bss
objcopy -I binary -O binary --gap-fill 0xff --pad-to 0x4000 old.bin pad.bin
Then, in your csf file
Blocks = 0x000010 0x0 0x4000 "pad.bin"
My bd file is exactly as in Chris's patch.
Dear Tai:
You are right, I am here now:
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x41 0x02 0xf4 0x1c
0x00 0x00 0x00 0x20
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x41 0x00 0x80 0x00
0x00 0x00 0x00 0x04
You mentioned "include the IVT in the to-be-signed block". I think the image with the error is uboot; power_prep and boot_prep are OK now.
Tai, I tried many times to get the IVT signed, but maybe I am doing it the wrong way; the above events are still there. Could you please give me some
hints? o, lots, lots of thanks ^_^; (attached link and csf of uboot.)
Bai,
You need to do the same thing for uboot. After compiling uboot, there is a uboot.map file. Look in there to figure out how big uboot will be. Then, use that as your ceiling to pad to the next 0x1000 alignment to make things easy. Also, your BASE now will be 0x40000010. The rest you already know.
Tai
Tai:
The .map file is very useful to diagnose, thanks a lot! :smileyhappy:
Hi tainguyen, christopherpreschern,
I have been trying to setup secure boot on i.MX28.
- I have followed all the steps in AN4555 to generate keys/certs, blow them and verify that they are blown using the BitBurner Tools.
- Applied HAB Patches to u-boot and u-boot-spl as instructed and discussed above in the thread.
- I have modified linker files and .bd files accordingly
Even before padding and code-signing the image, I have tried to boot the unsigned .sb file on the device.
When I download the .sb onto the device using mxsldr, it fails to transfer the .sb file completely and the boot process fails. This happens only when I change the load address of u-boot-spl to a non-zero address (0x10 from 0x00). When the load address is 0x00 the boot process is successful and the boot-loader and kernel load, but with HAB Events (as expected because the image isn't signed yet).
I have attached the changes I have done.
I am really stuck and any help in resolving this is very much appreciated.
Thanks,
-Raj
I see exactly that, too. The system crashes when the SPL is linked to an address above zero. I added to the .bd file (before the call to the SPL):
load 0x00.b >0x04..0x0f;
This clears the vector table. I have no idea why that helps, but I really would like to know.
Bai,
I don't use the imx tool to write the OTP. I use an OTP Linux driver (links below). However, I do use the bitburner tool to read back and verify the content of the OTP registers just to make sure.
https://community.freescale.com/thread/306284
https://community.freescale.com/thread/294307
Edit: I started again with a new board. The Otp_burner.py gave me the same error but works on Windows XP. Using the Windows tools, I am able to generate OtpBit.sb with the srk_fuse.bin and burn it using the BitInit.exe tool. I am now past the Install Key errors. I would recommend you do the same to save time. However, I am getting a new error which has to do with authentication. If I get this far, then I assume that the board successfully verified the SRKs, installed the SRK table and is using it to verify the boot image.
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x40 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x00 0x00 0x01 0x00
0x00 0x00 0x20 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x1d 0x5c
0x00 0x00 0x00 0x20
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x14
0x00 0x00 0x00 0x04
Thank you. I did generate a length of 4096. Let me find another board and try again. Again, really appreciate your help.
Chris,
This is excellent. Thank you for addressing my questions. You rock.
Tai
Thanks for the reply. It looks like you did something special to make the linker work well.
Did you happen to go any further with staged authentication using the API from within U-boot?
Edit to add lessons learned (for a lack of better place to communicate this):
For those attempting to use the HAB API from within U-Boot, I highly recommend flushing your data caches before making any calls to the HAB API. It seems that in some cases of DMA transfers, the data is not fully synced between the cache and RAM. At the point of making the HAB API call to verify a signature over data in RAM, HAB attempts to use RAM data that is not actually valid. The HAB failure returned indicates a signature verification problem but with a NOP context. U-Boot provides a nice CONFIG_CMD_CACHE switch to enable cache flushing from the interactive console.
I don't use the U-Boot API. After U-Boot I simply boot a signed kernel. I use the mkimage tool and the bootm command.