Secure Boot: mx6ul HAB

Bluelllrrr · ‎10-11-2023

I am working on i.MX 6UltraLite and get the following event:

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x00 0xc5 0x1d 0x00
0x00 0x00 0x09 0xd0 0x87 0x7f 0xf4 0x00
0x00 0x03 0x7c 0x00

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x01 0xe8

This is my Usage environment：

CST TOOLS: cst-3.3.2

$ ./hab4_pki_tree.sh
...

Do you want to use an existing CA key (y/n)?: n

Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?:n

U-boot-imge:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Mode: DCD
Data Size: 245760 Bytes = 240.00 kB = 0.23 MB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 00037c00

csf.text:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "../crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Authenticate Data]
# Key slot index 0 used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x877ff400 0x00000000 0x00037c00 "u-boot.imx"

instructions：

../linux64/bin/cst -i uboot-fast.csf -o csf_uboot.bin

cat u-boot.imx csf_uboot.bin > u-boot-signed-mfg.bin

Can you help me see where the problem is?

Harvey021 · ‎10-12-2023

Hi @Bluelllrrr

Please refer to the document from the link (i.MX6UL bootloader code signing method for UUU too... - NXP Community).

Best regards

Harvey

Bluelllrrr · ‎10-12-2023

If I download an unsigned uboot to nandflash first, I can download the new firmware directly through the mfg tool because it is in the close device state, but the tool gets stuck at the loading uboot.Is this due to the signature information verification failing？

But if I download a signed uboot to nandflash, and then enter the download through boot_mode_apply(1), everything is normal at this time.

Why is this？

Harvey021 · ‎10-12-2023

Is this due to the signature information verification failing?

-> Not signed image can't be loaded in closed device.

Best regards

Harvey

Bluelllrrr · ‎10-18-2023

Can you help answer this question?

Harvey021 · ‎10-18-2023

Only signed images can be loaded in a closed device. use hab_status or hab_auth_img to verify hab events before closing device. we can't restore device once closed.

Reference as below for you.

uboot-imx/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub

Best regards

Harvey

Bluelllrrr · ‎10-24-2023

How to rewrite data to NandFlash after the u-boot signature verification fails in NANDFLASH. At first, data was written to the specified mtd partition through mfgtool, but after the authentication failed, mfgtool could not be used

Harvey021 · ‎10-25-2023

mfgtool is a legacy of uuu. To use it, you need to add DCD REMOVE/RESTORE and then add the OCRAM area when signing.

It is recommended to use uuu tool. Releases · nxp-imx/mfgtools · GitHub

Best regards

Harvey

Bluelllrrr · ‎10-18-2023

The u-boot image is signed, in recovery mode, I can successfully download to RAM through the mfg tool and run successfully, but if the image signature verification in Nandflash fails, boot failure enters the USB serial download mode, I cannot successfully download it, and the mfs tool stops loading u-boot.

How to solve this problem?

Harvey021 · ‎10-18-2023

For NAND boot, ROM will read boot_data.size from NAND flash.

Try to dump u-boot layout to check boot_data.size, as its size is larger than u-boot image length.

Then try to objcopy -I binary -O binary --pad-to boot_data.size --gap-fill=0xff u-boot-signed.bin u-boot-signed-pad.bin

boot the u-boot-signed-pad.bin.

Best regards

Harvey

Bluelllrrr · ‎10-18-2023

I know how to sign normally, and now I'm more concerned about how to recover from abnormal situations. How do I recover if the firmware in Nandflash is incomplete or the signature is wrong.

In this error case, I use the mfg tool, but I cannot download the new firmware into RAM。

Bluelllrrr · ‎10-13-2023

If the uboot firmware in my nandflash is unsigned, it will not enter boot, how can I recover it? In this case, I connected directly to USB, I try to use the mfg tool to download a new u-boot, but I can't download it. The following is the USB log.
Device Phase Data Description Delta Cmd.Phase.Ofs(rep)
------ ----- -------------------------------------------------- ---------------- ----- ------------------
49.0 CTL 80 06 00 01 00 00 12 00 GET DESCRIPTOR 6.9sc 1.1.0
49.0 IN 12 01 00 02 00 00 00 40 a2 15 7d 00 01 00 01 02 .......@........ 116us 1.2.0
00 01 .. 1.2.16
49.0 CTL 80 06 00 02 00 00 09 00 GET DESCRIPTOR 56us 2.1.0
49.0 IN 09 02 22 00 01 01 04 c0 05 .."...... 172us 2.2.0
49.0 CTL 80 06 00 02 00 00 22 00 GET DESCRIPTOR 44us 3.1.0
49.0 IN 09 02 22 00 01 01 04 c0 05 09 04 00 00 01 03 00 .."............. 166us 3.2.0
00 05 09 21 10 01 00 01 22 4c 00 07 05 81 03 40 ...!...."L.....@ 3.2.16
49.0 CTL 00 09 01 00 00 00 00 00 SET CONFIG 56us 4.1.0
49.0 CTL 21 0a 00 00 00 00 00 00 SET IDLE 752us 5.1.0
49.0 CTL 81 06 00 22 00 00 8c 00 GET DESCRIPTOR 253us 6.1.0
49.0 IN 06 00 ff 09 01 a1 01 85 01 19 01 29 01 15 00 26 ...........)...& 140us 6.2.0
ff 00 75 08 95 10 91 02 85 02 19 01 29 01 15 00 ..u.........)... 6.2.16
49.0 CTL 21 09 01 02 00 00 11 00 SET REPORT 42ms 7.1.0
49.0 OUT 01 0a 0a 00 91 00 00 00 00 00 01 e8 00 00 00 00 ................ 208us 7.2.0
00 . 7.2.16
50 OUT 01 0a 0a 00 91 00 00 00 00 00 01 e8 00 00 00 00 ................ 4us 8.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 8.1.16
49.0 CTL 21 09 02 02 00 00 01 04 SET REPORT 20us 9.1.0
49.0 OUT 02 d2 01 e8 40 cc 01 e4 04 02 0c 40 68 ff ff ff ....@......@h... 400us 9.2.0
ff 02 0c 40 6c ff ff ff ff 02 0c 40 70 ff ff ff ...@l......@p... 9.2.16
50 OUT 02 d2 01 e8 40 cc 01 e4 04 02 0c 40 68 ff ff ff ....@......@h... 2us 10.1.0
ff 02 0c 40 6c ff ff ff ff 02 0c 40 70 ff ff ff ...@l......@p... 10.1.16
41 IN 0b 00 2a 00 00 00 00 00 00 00 00 00 ..*......... 20sc 11.1.0
41 IN 0b 00 38 00 00 00 00 00 00 00 00 00 ..8......... 432us 12.1.0
41 IN 0b 00 1e 00 00 00 00 00 00 00 00 00 ............ 135ms 13.1.0
41 IN 0b 00 2a 00 01 00 00 00 00 00 00 00 ..*......... 87ms 14.1.0
41 IN 0b 00 38 00 01 00 00 00 00 00 00 00 0b 00 1e 00 ..8............. 455us 15.1.0
01 00 00 00 00 00 00 00 ........ 15.1.16
41 IN 0b 00 38 00 00 00 00 00 00 00 00 00 ..8......... 4.5sc 16.1.0(2)
41 IN 0b 00 2a 00 00 00 00 00 00 00 00 00 ..*......... 96ms 17.1.0(2)
41 IN 0b 00 1e 00 00 00 00 00 00 00 00 00 ............ 159ms 18.1.0(2)
41 IN 0b 00 38 00 01 00 00 00 00 00 00 00 ..8......... 63ms 19.1.0(2)
41 IN 0b 00 2a 00 01 00 00 00 00 00 00 00 ..*......... 24ms 20.1.0(2)
41 IN 0b 00 1e 00 01 00 00 00 00 00 00 00 ............ 487us 21.1.0(2)
41 IN 0b 00 39 00 00 00 00 00 00 00 00 00 ..9......... 8.5sc 28.1.0
41 IN 0b 00 39 00 01 00 00 00 00 00 00 00 ..9......... 55ms 29.1.0
41 IN 0b 00 2f 00 00 00 00 00 00 00 00 00 ../......... 152ms 30.1.0
41 IN 0b 00 2f 00 01 00 00 00 00 00 00 00 ../......... 15ms 31.1.0
41 IN 0b 00 0e 00 00 00 00 00 00 00 00 00 ............ 824ms 32.1.0
41 IN 0b 00 0e 00 01 00 00 00 00 00 00 00 ............ 39ms 33.1.0
41 IN 0b 00 1d 00 00 00 00 00 00 00 00 00 ............ 15ms 34.1.0
41 IN 0b 00 2f 00 00 00 00 00 00 00 00 00 ../......... 64ms 35.1.0
41 IN 0b 00 1d 00 01 00 00 00 00 00 00 00 ............ 71ms 36.1.0
41 IN 0b 00 2f 00 01 00 00 00 00 00 00 00 ../......... 317us 37.1.0
41 IN 0b 00 1c 00 00 00 00 00 00 00 00 00 ............ 159ms 38.1.0
41 IN 0b 00 1c 00 01 00 00 00 00 00 00 00 ............ 55ms 39.1.0
49.1 USTS c0000011 xact error 12sc 40.1.0
41 IN 0b 00 14 00 00 00 00 00 00 00 00 00 ............ 20sc 41.1.0
41 IN 0b 00 14 00 01 00 00 00 00 00 00 00 ............ 31ms 42.1.0
41 IN 0b 00 12 00 00 00 00 00 00 00 00 00 ............ 112ms 43.1.0
41 IN 0b 00 12 00 01 00 00 00 00 00 00 00 ............ 64ms 44.1.0
41 IN 0b 00 1f 00 00 00 00 00 00 00 00 00 ............ 111ms 45.1.0
41 IN 0b 00 1f 00 01 00 00 00 00 00 00 00 ............ 88ms 46.1.0
41 IN 0b 00 14 00 00 00 00 00 00 00 00 00 ............ 79ms 47.1.0
41 IN 0b 00 14 00 01 00 00 00 00 00 00 00 ............ 55ms 48.1.0
41 IN 0b 00 2a 00 00 00 00 00 00 00 00 00 ..*......... 160ms 49.1.0
41 IN 0b 00 2a 00 01 00 00 00 00 00 00 00 ..*......... 88ms 50.1.0
41 IN 0b 00 34 00 00 00 00 00 00 00 00 00 ..4......... 103ms 51.1.0
41 IN 0b 00 34 00 01 00 00 00 00 00 00 00 ..4......... 39ms 52.1.0
41 IN 0b 00 26 00 00 00 00 00 00 00 00 00 ..&......... 208ms 53.1.0
41 IN 0b 00 26 00 01 00 00 00 00 00 00 00 ..&......... 55ms 54.1.0
41 IN 0b 00 18 00 00 00 00 00 00 00 00 00 ............ 336ms 55.1.0
41 IN 0b 00 18 00 01 00 00 00 00 00 00 00 ............ 72ms 56.1.0
41 IN 0b 00 22 00 00 00 00 00 00 00 00 00 .."......... 31ms 57.1.0
41 IN 0b 00 22 00 01 00 00 00 00 00 00 00 .."......... 88ms 58.1.0
41 IN 0b 00 14 00 00 00 00 00 00 00 00 00 ............ 2.8sc 59.1.0
41 IN 0b 00 14 00 01 00 00 00 00 00 00 00 ............ 47ms 60.1.0
41 IN 0b 00 12 00 00 00 00 00 00 00 00 00 ............ 352ms 61.1.0
41 IN 0b 00 12 00 01 00 00 00 00 00 00 00 ............ 64ms 62.1.0
41 IN 0b 00 1f 00 00 00 00 00 00 00 00 00 ............ 103ms 63.1.0
41 IN 0b 00 1f 00 01 00 00 00 00 00 00 00 ............ 88ms 64.1.0
41 IN 0b 00 14 00 00 00 00 00 00 00 00 00 ............ 112ms 65.1.0
41 IN 0b 00 14 00 01 00 00 00 00 00 00 00 ............ 48ms 66.1.0
41 IN 0b 00 34 00 00 00 00 00 00 00 00 00 ..4......... 632ms 67.1.0
41 IN 0b 00 34 00 01 00 00 00 00 00 00 00 ..4......... 39ms 68.1.0
41 IN 0b 00 26 00 00 00 00 00 00 00 00 00 ..&......... 168ms 69.1.0
41 IN 0b 00 26 00 01 00 00 00 00 00 00 00 ..&......... 32ms 70.1.0
41 IN 0b 00 18 00 00 00 00 00 00 00 00 00 ............ 87ms 71.1.0
41 IN 0b 00 18 00 01 00 00 00 00 00 00 00 ............ 71ms 72.1.0
41 IN 0b 00 22 00 00 00 00 00 00 00 00 00 .."......... 40ms 73.1.0
41 IN 0b 00 22 00 01 00 00 00 00 00 00 00 .."......... 48ms 74.1.0
41 IN 0b 00 1c 00 00 00 00 00 00 00 00 00 ............ 120ms 75.1.0
41 IN 0b 00 1c 00 01 00 00 00 00 00 00 00 ............ 55ms 76.1.0

Bluelllrrr · ‎10-13-2023

hab_status in two cases:

1、

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00

2、

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

The same u-boot firmware, the same board, why are there two hab_status？

Bluelllrrr · ‎10-12-2023

Sign u-boot for nandflash and Sign u-boot for mfgtools firmware , Is there a difference between these two signature methods?

I Sign a uboot, If I launch from nandflash, and use boot_mode_apply(1) , wait to download from MFG Tool, Hab Status will have an event. But if launched directly from the mfg tool after downloading, there will be no event.

That's why? I used mod_4_mfgtool_yocto.sh script