Secure Boot issue on imx6ull


3,153 Views
kwroot
Contributor I

Hi! I'm trying to implement secure boot on imx6ull (Yocto - sumo release). Using the related guide at this link, no error shows up. In fact, after burning the public keys on the efuses, hab_status was always OK, even on the next boot (Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found!). Considering that no HAB Events were found, I've burnt the last fuse (fuse prog 0 6 0x2), but now I'm not able to boot the system.

The error is the following:

```
## Flattened Device Tree blob at 83000000
Booting using the fdt blob at 0x83000000

Authenticate image from DDR location 0x82000000...
Check CSF for Write Data command before authenticating image
Error - CSF lies outside the image bounds
Authenticate zImage Fail, Please check
```

And hab_status still does not show any HAB events.

How can I solve this problem?

Thank you in advance!

 

0 Kudos
9 Replies

501 Views
ljm3721
Contributor I

Hi kwroot:
Thank you for sharing. I am also working on secure boot on the imx6ull board. I want to know if you have successfully solved this problem later. I hope you can provide information to help me solve this problem.

0 Kudos

2,943 Views
igorpadykov
NXP Employee
0 Kudos

2,937 Views
kwroot
Contributor I

Hi Igor,

I followed the HAB tutorial step by step. Paragraph 3.10 says "Make sure there are not events before proceeding to the next step". But even though no HAB events were found, the system is now not booting. This means that I cannot be 100% sure that the HAB is correctly done until burning the SEC_CONFIG[1] fuse bit. Now I'm not confident about making further tests on other imx6ull CPUs.

Questions:

  1. Is there some virtual safe-environment for making this kind of test?
  2. The tutorial uses the 2.3.3 cfu's version. I've used the cst 3.1.0. Could this be a problem?

Thank you for your support.

Best

0 Kudos

2,848 Views
igorpadykov
NXP Employee

Hi kwroot

 

>Is there some virtual safe-environment for making this kind of test?

no

>The tutorial uses the 2.3.3 cfu's version. I've used the cst 3.1.0. Could this be a problem?

cst 3.1.0 is the latest version; it should not cause a problem.

 

Best regards
igor

0 Kudos

2,816 Views
kwroot
Contributor I

Hi Igor,

I've seen all the posts concerning the "CSF lies outside the image bounds" error, but I'm still stuck. I also checked all the HAB instructions step by step, and everything seems correctly done. Could the problem be indexing related even if the unlocked system boots correctly with no HAB events?

You can find all the .csf below:

------ var-default.csf ------ 

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
```

 

----- u-boot-ivt.img.csf ------

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x85ffffc0 0x0000 0x00057020 "u-boot-ivt.img"
```

 

------ SPL.csf -------

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00908400 0x00000000 0x0000ac00 "SPL"

[Unlock]
Engine = CAAM
Features = RNG
```

 

------ zImage-ivt.csf -------

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x82000000 0x0000 0x6a3020 "zImage-ivt"
```

 

---------------

Can you give me a hint?

Thank you for the support.

Best

 

0 Kudos
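Added example, not part of the thread and not NXP or U-Boot code: a host-side check, run before a board is closed, that the IVT of a signed image points to a CSF inside the bytes that will actually be loaded, which is the condition named in the "CSF lies outside the image bounds" message. It uses the load address 0x82000000 from the zImage-ivt.csf above; the IVT offset 0x6a3000 (the Blocks length 0x6a3020 minus the 32-byte IVT), the function names and the sample images are assumptions constructed for illustration.

```python
import struct

IVT_TAG, IVT_SIZE, CSF_TAG = 0xD1, 0x20, 0xD4   # HABv4 header tags, IVT length

def check_csf_bounds(image: bytes, load_addr: int, ivt_offset: int):
    """Return (ok, reason) for `image` as it will sit in DDR at load_addr."""
    if ivt_offset + IVT_SIZE > len(image):
        return False, "IVT offset is past the end of the image"
    # IVT header: tag, big-endian 16-bit length, version
    tag, length, _version = struct.unpack_from(">BHB", image, ivt_offset)
    if tag != IVT_TAG or length != IVT_SIZE:
        return False, "no IVT header at the given offset"
    # Then seven little-endian words:
    # entry, reserved1, dcd, boot_data, self, csf, reserved2
    _entry, _r1, _dcd, _boot, self_ptr, csf, _r2 = struct.unpack_from(
        "<7I", image, ivt_offset + 4)
    if self_ptr != load_addr + ivt_offset:
        return False, f"IVT self pointer 0x{self_ptr:08x} does not match the load address"
    end = load_addr + len(image)
    if not load_addr <= csf < end:
        return False, f"CSF pointer 0x{csf:08x} is outside 0x{load_addr:08x}..0x{end:08x}"
    if image[csf - load_addr] != CSF_TAG:
        return False, "CSF pointer does not land on a CSF header"
    return True, f"CSF at image offset 0x{csf - load_addr:x}"

def build_sample(load_addr: int, ivt_offset: int, with_csf: bool) -> bytes:
    """Constructed test image: zero payload, IVT, and optionally a stub CSF."""
    ivt = struct.pack(">BHB", IVT_TAG, IVT_SIZE, 0x41) + struct.pack(
        "<7I", load_addr, 0, 0, 0, load_addr + ivt_offset,
        load_addr + ivt_offset + IVT_SIZE, 0)
    # Stub CSF: header bytes only, padded; not a real signature block
    csf = bytes([CSF_TAG, 0x00, 0x50, 0x41]).ljust(0x2000, b"\0") if with_csf else b""
    return bytes(ivt_offset) + ivt + csf

if __name__ == "__main__":
    LOAD, IVT_OFF = 0x82000000, 0x6A3000   # IVT_OFF is an assumption (see lead-in)
    for label, with_csf in (("payload + IVT + CSF", True),
                            ("payload + IVT only", False)):
        image = build_sample(LOAD, IVT_OFF, with_csf)
        print(label, "->", check_csf_bounds(image, LOAD, IVT_OFF))
```

The second sample fails because the bytes handed to the check stop at the end of the IVT, so the CSF pointer equals the end address; the same result appears when the length used at authentication time does not cover the appended CSF.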

2,802 Views
igorpadykov
NXP Employee

Hi kwroot

 

What BSP is used in this case? Could you try from the source.codeaurora.org/external/imx/linux-imx repository:

https://source.codeaurora.org/external/imx/uboot-imx/tree/?h=imx_v2020.04_5.4.24_2.1.0
https://source.codeaurora.org/external/imx/linux-imx/tree/?h=imx_5.4.24_2.1.0

Rebuild all from scratch following guidelines from:

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4?h=imx_v2020.04_5.4.24_2.1.0

 

Best regards
igor

0 Kudos

2,794 Views
kwroot
Contributor I

Hi Igor,

I've seen the posts related to the "Error - CSF lies outside the image bounds" issue, but I'm still stuck. I checked all the steps of the HAB tutorial, and everything seems correctly done. Could the problem be indexing related even if the unlocked system boots correctly?

You can find all the .csf files used below.

------ var-default.csf ------ 

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
```

 

------ u-boot-ivt.img.csf ------ 

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x85ffffc0 0x0000 0x00057020 "u-boot-ivt.img"
```

 

------ SPL.csf ------ 

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x00908400 0x00000000 0x0000ac00 "SPL"

[Unlock]
Engine = CAAM
Features = RNG
```

------ zImage-ivt.csf ------ 

```
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x82000000 0x0000 0x6a3020 "zImage-ivt"
```

 

Can you give me some further hint?

Thank you for the support,

Best

 

0 Kudos

2,858 Views
kwroot
Contributor I

Dear Igor,

I look forward to your reply.

Thank you in advance!

0 Kudos

3,117 Views
kwroot
Contributor I

EDIT:

If I try to reflash with the same SD card I get this error:

```
Authenticate image from DDR location 0x82000000...
Check CSF for Write Data command before authenticating image

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0f 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x48

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_INDEX (0x0F)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Authenticate zImage Fail, Please check
```

0 Kudos
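Added example, not from the thread and not U-Boot code: a decoder for the event data bytes printed in the post above. It validates the record header (tag 0xdb, big-endian length) and names the status, reason, context and engine bytes; reading the bytes after them as the header of the CSF command that was being executed is an assumption, and the code tables are a partial subset.

```python
import re

EVENT_TAG = 0xDB  # first byte of a HAB event record
# Partial code tables: the values shown in the post plus a few common ones
STATUS = {0xF0: "HAB_SUCCESS", 0x69: "HAB_WARNING", 0x33: "HAB_FAILURE"}
REASON = {0x0F: "HAB_INV_INDEX", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x22: "HAB_INV_ADDRESS", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM", 0xFF: "HAB_ENG_SW"}
COMMAND = {0xBE: "Install Key", 0xCA: "Authenticate Data"}  # CSF command tags

# Event bytes as printed in the post above, with surrounding log lines
SAMPLE = """\
HAB Configuration: 0xcc, HAB State: 0x99
event data:
0xdb 0x00 0x14 0x42 0x33 0x0f 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x48
STS = HAB_FAILURE (0x33)
"""

def _name(table, code):
    return table.get(code, f"unknown (0x{code:02x})")

def decode_hab_event(log_text: str) -> dict:
    """Decode one HAB event from pasted hab_status output."""
    data = bytearray()
    for line in log_text.splitlines():
        # Only lines made up purely of 0xNN tokens belong to the event dump
        if re.fullmatch(r"(0x[0-9a-fA-F]{2}\s*)+", line.strip()):
            data += bytes(int(tok, 16) for tok in line.split())
    if len(data) < 8 or data[0] != EVENT_TAG:
        raise ValueError("no HAB event record found")
    length = int.from_bytes(data[1:3], "big")
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes in log")
    event = {"status": _name(STATUS, data[4]), "reason": _name(REASON, data[5]),
             "context": _name(CONTEXT, data[6]), "engine": _name(ENGINE, data[7])}
    if data[6] == 0xC0 and len(data) >= 12:
        # Assumption: the payload starts with the CSF command HAB was executing
        event["command"] = _name(COMMAND, data[8])
        event["command_length"] = int.from_bytes(data[9:11], "big")
    return event

if __name__ == "__main__":
    print(decode_hab_event(SAMPLE))
```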