Regarding fuse programming in IMX7 for HAB Secure boot

1,667 Views
nraghu12003
Contributor II

Hi NXP Support team,

 

I am trying to use HABv4 for IMX7. I followed the CST to sign my U-Boot and tried to program the fuse in my board.

There are 8 fuses to be programmed in IMX7. For the first 4 fuses programming, it succeeded but for the 5th fuse programming it failed:

mxc_ocotp fuse_prog(): Invalid argument

Can you please provide the fuse programming procedure for Secure boot HABv4 for IMX7?

I went through the support links and got some information about it, but the exact procedure is still not clear. A quick solution is really appreciated.

 

Thank you.

 

With Regards,

N.Raghu Raman.

 

0 Kudos
1 Solution
1,514 Views
nraghu12003
Contributor II

The problem for the events seen is because of faulty hardware. When replaced with another board, the issue is not seen.

 

Thank you.

 

With Regards,

N.Raghu Raman.


10 Replies
1,650 Views
Yuri
NXP Employee

@nraghu12003 
Hello,

   Use U-Boot, as recommended in

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...

 An example for i.MX7D:

=> fuse prog 6 0 0x20593752
=> fuse prog 6 1 0x6ACE6962
=> fuse prog 6 2 0x26E0D06C
=> fuse prog 6 3 0xFC600661
=> fuse prog 7 0 0x1240E88F
=> fuse prog 7 1 0x1209F144
=> fuse prog 7 2 0x831C8117
=> fuse prog 7 3 0x1190FD4D

Regards,
Yuri.

0 Kudos
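The word-to-fuse mapping in the reply above, as an added example that is not part of the original post: it derives the eight `fuse prog` commands from a 32-byte SRK hash and classifies read-back values before any further programming. It assumes the hash file is split into little-endian 32-bit words (as a hexdump on a little-endian host yields); the function names and the read-back list are illustrative.

```python
import struct

FIRST_BANK, WORDS_PER_BANK = 6, 4   # i.MX7D layout from the reply: banks 6 and 7, words 0-3

# Sample hash rebuilt from the eight words in the reply above, used only as input data.
EXAMPLE_WORDS = [0x20593752, 0x6ACE6962, 0x26E0D06C, 0xFC600661,
                 0x1240E88F, 0x1209F144, 0x831C8117, 0x1190FD4D]
EXAMPLE_FUSE_BIN = struct.pack("<8I", *EXAMPLE_WORDS)

def srk_words(fuse_bin: bytes) -> list[int]:
    """Split a 32-byte SRK hash file into eight little-endian fuse words."""
    if len(fuse_bin) != 32:
        raise ValueError(f"SRK hash must be 32 bytes, got {len(fuse_bin)}")
    return list(struct.unpack("<8I", fuse_bin))

def location(index: int) -> tuple[int, int]:
    """Map word index 0-7 to (bank, word)."""
    return FIRST_BANK + index // WORDS_PER_BANK, index % WORDS_PER_BANK

def fuse_prog_commands(words: list[int]) -> list[str]:
    return ["fuse prog %d %d 0x%08X" % (*location(i), w) for i, w in enumerate(words)]

def compare(expected: list[int], readback: list[int]) -> list[tuple[int, int, str]]:
    """Classify each word read back from the part against the intended value.
    Fuse bits only change 0 -> 1, so a set bit outside the target is permanent."""
    out = []
    for i, (want, have) in enumerate(zip(expected, readback)):
        if have == want:
            state = "match"
        elif have & ~want & 0xFFFFFFFF:
            state = "conflict"   # the target value can no longer be reached
        else:
            state = "pending"    # remaining bits can still be programmed
        out.append((*location(i), state))
    return out

if __name__ == "__main__":
    words = srk_words(EXAMPLE_FUSE_BIN)
    print("\n".join(fuse_prog_commands(words)))
    # Constructed read-back: bank 6 done, bank 7 partly programmed, one stray bit.
    readback = words[:4] + [0x0, 0x1209F144, 0x831C8117 | 0x8, 0x0]
    for bank, word, state in compare(words, readback):
        print(f"bank {bank} word {word}: {state}")
```
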
1,632 Views
nraghu12003
Contributor II

 

Hi Yuri,

Thanks for the reference document for the IMX7d fuse procedure. The commands did work.

We are having the below methods for building u-boot:

a) Serial download bootloader image

# make distclean
# make smx7_defconfig
# make

The resulting bootloader image will be u-boot-dtb.imx. It can be used with a serial
download tool (e.g. usb_imx) to boot the module.

b) QSPI flash bootloader image

# make distclean
# make smx7_spl_defconfig
# make u-boot-with-spl.imx

The resulting bootloader image will be u-boot-with-spl.imx. In bootloader default
environment the 'uboot_update' script is defined that can be used to update a
given bootloader image via TFTP network connection.

We normally use option - b. But after fusing, the signed u-boot image did not come up.

So, we went to option - a. The HAB block logs are not available for option - a. So we created the image and used the HAB blocks generated from option b from file SPL.log.

This time, the HAB signed image after fuse of the processor came up.

However, I got the below HAB events in hab_status:


=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xbc

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

=>


Please find below our images generated for option - a:

-rw-r--r-- 1 adtop users 7889 Aug 5 01:48 .u-boot.lds.cmd
-rw-r--r-- 1 adtop users 2410 Aug 5 01:48 u-boot.lds
-rw-r--r-- 1 adtop users 662767 Aug 5 01:48 u-boot.map
-rw-r--r-- 1 adtop users 1363 Aug 5 01:48 .u-boot.cmd
-rwxr-xr-x 1 adtop users 4675556 Aug 5 01:48 u-boot
-rw-r--r-- 1 adtop users 281 Aug 5 01:48 .u-boot-nodtb.bin.cmd
-rwxr-xr-x 1 adtop users 435364 Aug 5 01:48 u-boot-nodtb.bin
drwxr-xr-x 2 adtop users 4096 Aug 5 01:48 dts
-rw-r--r-- 1 adtop users 71 Aug 5 01:48 .u-boot-dtb.bin.cmd
-rw-r--r-- 1 adtop users 472210 Aug 5 01:48 u-boot-dtb.bin
-rw-r--r-- 1 adtop users 2913 Aug 5 01:48 u-boot-dtb.cfgout
-rw-r--r-- 1 adtop users 7578 Aug 5 01:48 .u-boot-dtb.cfgout.cmd
-rw-r--r-- 1 adtop users 194 Aug 5 01:48 u-boot-dtb.imx.log
-rw-r--r-- 1 adtop users 139 Aug 5 01:48 .u-boot-dtb.imx.cmd
-rw-r--r-- 1 adtop users 478208 Aug 5 01:48 u-boot-dtb.imx
-rw-r--r-- 1 adtop users 267 Aug 5 01:48 .u-boot.srec.cmd
-rwxr-xr-x 1 adtop users 1306250 Aug 5 01:48 u-boot.srec
-rw-r--r-- 1 adtop users 47 Aug 5 01:48 .u-boot.bin.cmd
-rw-r--r-- 1 adtop users 472210 Aug 5 01:48 u-boot.bin
-rw-r--r-- 1 adtop users 72 Aug 5 01:48 .u-boot.sym.cmd
-rw-r--r-- 1 adtop users 167162 Aug 5 01:48 u-boot.sym
-rw-r--r-- 1 adtop users 80202 Aug 5 01:48 System.map
-rw-r--r-- 1 adtop users 36846 Aug 5 01:48 u-boot.dtb
drwxr-xr-x 27 adtop users 4096 Aug 5 01:48 .

Please find below our images generated for option - b:

-rw-r--r-- 1 adtop users 8483 Aug 4 23:23 .u-boot.lds.cmd
-rw-r--r-- 1 adtop users 2410 Aug 4 23:23 u-boot.lds
-rw-r--r-- 1 adtop users 663748 Aug 4 23:23 u-boot.map
-rw-r--r-- 1 adtop users 1363 Aug 4 23:23 .u-boot.cmd
-rwxr-xr-x 1 adtop users 4693748 Aug 4 23:23 u-boot
drwxr-xr-x 2 adtop users 4096 Aug 4 23:23 dts
drwxr-xr-x 14 adtop users 4096 Aug 4 23:23 spl
-rwxr-xr-x 1 adtop users 439056 Aug 4 23:23 u-boot-nodtb.bin
-rw-r--r-- 1 adtop users 281 Aug 4 23:23 .u-boot-nodtb.bin.cmd
-rw-r--r-- 1 adtop users 71 Aug 4 23:23 .u-boot-dtb.bin.cmd
-rw-r--r-- 1 adtop users 475902 Aug 4 23:23 u-boot-dtb.bin
-rw-r--r-- 1 adtop users 47 Aug 4 23:23 .u-boot.bin.cmd
-rw-r--r-- 1 adtop users 475902 Aug 4 23:23 u-boot.bin
-rw-r--r-- 1 adtop users 173 Aug 4 23:23 .u-boot.img.cmd
-rw-r--r-- 1 adtop users 475966 Aug 4 23:23 u-boot.img
-rw-r--r-- 1 adtop users 286 Aug 4 23:23 SPL.log
-rw-r--r-- 1 adtop users 114 Aug 4 23:23 .SPL.cmd
-rw-r--r-- 1 adtop users 52224 Aug 4 23:23 SPL
-rw-r--r-- 1 adtop users 364 Aug 4 23:23 .u-boot-with-spl.imx.cmd
-rw-r--r-- 1 adtop users 545598 Aug 4 23:23 u-boot-with-spl.imx
drwxr-xr-x 27 adtop users 4096 Aug 5 01:04 .

Questions:

1. Can you please let us know whether we made any mistake in the procedure we tried?
2. Can you please let us know how to resolve these hab_status events?
3. I understand that the procedure for SPL HABv4 is somewhat different from HABv4, as when I tried the HABv4 procedure, the signed image did not boot up after the fuse programming.
Can you provide us the procedure for SPL HABv4 that we can try out?

Please provide us with a quick response.

Thank you.

With Regards,

N.Raghu Raman.

0 Kudos
1,617 Views
Yuri
NXP Employee

@nraghu12003
Hello,

   You mentioned using TFTP with the fuses burned.
This means that both "original" and updated U-Boot images
must be signed. Is it so?

Regards,
Yuri.

0 Kudos
1,601 Views
nraghu12003
Contributor II

Hi Yuri,

We do not use the tftp method to burn the flashes of the images created using option-b. We use USB method using the below commands:

usb start && load usb 0 81000000 u-boot-with-spl-signed.imx && sf probe 0 && sf read 80800000 0 200
sf erase 0 c0000 && sf write 80800000 0 200 && sf write 81000000 400 $filesize

Since you mentioned now to try out with a signed image, we tried that as well where the image is signed and which had the HAB events as mentioned and we tried to burn the image signed using option-b. That too did not work.

Please help us with this at the earliest.

Thank you.

With Regards,

N.Raghu Raman.

0 Kudos
1,593 Views
nraghu12003
Contributor II

Hi Yuri,

Can you please provide your valuable inputs for this issue?

Thank you.

With Regards,

N.Raghu Raman.

0 Kudos
1,577 Views
nraghu12003
Contributor II

Please find the contents of :

 

cat SPL.log
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 61536 Bytes = 60.09 KiB = 0.06 MiB
Load Address: 00910420
Entry Point: 00911000
HAB Blocks: 0x00910400 0x00000000 0x0000cc00
DCD Blocks: 0x00910000 0x0000002c 0x00000004

 

cat U-Boot.CSF

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0

# Key to install
Target index = 2
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x910400 0x0 0xcc00 "u-boot-dtb-hab-serial.imx"

 

Steps used to generate signed u-boot:

$ ./cst --o U-Boot_CSF.bin --i U-Boot.CSF

CSF Processed successfully and signed data available in U-Boot_CSF.bin

Create Signed U-Boot

$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 U-Boot_CSF.bin U-Boot_CSF_pad.bin
$ cat u-boot-dtb-hab-serial.imx U-Boot_CSF_pad.bin > u-boot-dtb-hab-serial-signed.imx

Please let me know whether this information helps for this issue.

 

Thank you.

 

With Regards,

N.Raghu Raman.

0 Kudos
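A way to cross-check the `hab_status` dump against the CSF posted above, as an added example that is not part of the original thread: it walks the raw event bytes, extracts the address and length from each HAB_INV_ASSERTION record, and lists the regions that fall outside the CSF `Blocks` range. It assumes the HABv4 assertion-event layout of an 8-byte header followed by big-endian type, address and length words; the function names are illustrative.

```python
import re
import struct

HAB_TAG_EVT = 0xDB          # first byte of every event record in the dump
HAB_INV_ASSERTION = 0x0C    # RSN value reported for events 2-5

# Event bytes and the CSF Blocks line, copied from the posts in this thread.
EVENT_DUMP = """
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00 0x00 0x00 0x00 0x20
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c 0x00 0x00 0x01 0xbc
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20 0x00 0x00 0x00 0x01
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00 0x00 0x00 0x00 0x04
"""
CSF_LINE = 'Blocks = 0x910400 0x0 0xcc00 "u-boot-dtb-hab-serial.imx"'

def parse_events(dump: str) -> list[dict]:
    """Walk concatenated HAB event records using each header's length field."""
    blob = bytes(int(b, 16) for b in re.findall(r"0x[0-9a-fA-F]{2}\b", dump))
    events, off = [], 0
    while off < len(blob):
        if len(blob) - off < 8:
            raise ValueError(f"truncated event header at offset {off}")
        tag, length, _version = struct.unpack_from(">BHB", blob, off)
        if tag != HAB_TAG_EVT or length < 8 or off + length > len(blob):
            raise ValueError(f"bad event header at offset {off}")
        sts, rsn, ctx, eng = blob[off + 4:off + 8]
        event = {"sts": sts, "rsn": rsn, "ctx": ctx, "eng": eng, "region": None}
        if rsn == HAB_INV_ASSERTION and length >= 20:
            # Assumed layout: assertion type, address, length (big-endian words).
            _kind, addr, size = struct.unpack_from(">III", blob, off + 8)
            event["region"] = (addr, size)
        events.append(event)
        off += length
    return events

def csf_blocks(csf: str) -> list[tuple[int, int]]:
    """Return (start, length) for every 'addr offset length "file"' entry."""
    pat = r'(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+(0x[0-9a-fA-F]+)\s+"'
    return [(int(a, 16), int(n, 16)) for a, n in re.findall(pat, csf)]

def uncovered(events: list[dict], blocks: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Asserted regions that no authenticated block fully contains."""
    def inside(addr, size):
        return any(s <= addr and addr + size <= s + n for s, n in blocks)
    return [e["region"] for e in events if e["region"] and not inside(*e["region"])]

if __name__ == "__main__":
    for addr, size in uncovered(parse_events(EVENT_DUMP), csf_blocks(CSF_LINE)):
        print(f"not covered by CSF blocks: 0x{addr:08x} +0x{size:x}")
```
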
1,559 Views
nraghu12003
Contributor II

Hi Yuri,

 

Good day. I see that similar issues are posted in:

 

https://community.nxp.com/t5/i-MX-Processors/HAB-signature-failure-on-i-MX6/m-p/276309

https://community.nxp.com/t5/i-MX-Processors/HAB-secure-serial-boot-on-mx6/m-p/237488#332405

 

But I am not sure what exactly is the solution. Your expert advice is essential to resolve my issue. Please help me in this regard at the earliest. Please let me know if you need any additional information.

Thank you.

 

With Regards,

N.Raghu Raman.

0 Kudos
1,535 Views
nraghu12003
Contributor II

Hi Yuri,

 

I double checked the sequence and parameters using the U-boot help:

 

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_spl_secure_bo...

 

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides?h=imx_v2020.04_5.4.70...

 

However, all the combinations that I tried did not result in resolution for the issue.

I am not using SPL and I am using method 1 for u-boot via USB loader.

 

Please provide any advice to overcome this issue.

 

Thank you.

 

With Regards,

N.Raghu Raman.

0 Kudos