Hi All,
I am currently working on performing a secure boot on the imx6ul using HABv4. I followed the steps provided in the following document.
http://marc.info/?l=u-boot&m=139227973004718&q=p5
After performing all the steps I have described below, I typed hab_status in the U-boot command prompt. Then I get the HAB Events I have shown below. The only step I did not perform is fusing the SRK table. I would like to know the following information:
1. Is it a must to fuse the SRK table during the development stage?
2. From where can I find the load address that has to specify in the csf file? I used the following value defined in the Uboot configuration file. The document AN4581 (Rev.0,10/2012) describes that start* = TEXT_BASE and that it is defined in the config.mk file. However, config.mk file is not available in my U-boot folder (Probably because I am using a newer version).
#define CONFIG_SYS_TEXT_BASE 0x87800000
AN4581(Rev. 1, 10/2015) does not provide any information regarding this.
3. How does the Uboot knows the starting pointer of cfs? Should we specify it in any other location?
4. I have specified the steps I performed below. Let me know whether anything I am doing wrongly.
Steps Performed:
Please see the steps performed below.
1. Built u-boot.imx enabling the secure mode.
2. Generated all root public key files and corresponding hash.
3. Created csf file with the following content. Content of the file is attached at the end.
4. My u-uboot.imx file is 0x60830. I extended it to 0x61000 using the following command.
objcopy -I binary -O binary --pad-to 0x61000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx
5. Then I generated csf.bin file using the command below.
./cst -o u-boot_csf.bin -i uboot.csf
6. Merged image and csf data using the command below.
cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx
7. Then extended the final image to 0x63000
objcopy -I binary -O binary --pad-to 0x63000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx
8. The length of the block is calculated as: Length = u-boot-pad.imx (0x61000) - IVT_OFFSET (0x400).
And added 400 to the starting address as shown below.
# Address Offset Length Data File Path
Blocks = 0x87800400 0x400 0x00060C00 "u-boot-pad.imx"
HAB Events:
Command Sequency File Description:
#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key slot index used to authenticate the key to be installed
Verification index = 0
[Authenticate Data]
# Address Offset Length Data File Path
Blocks = 0x87800400 0x400 0x00060C00 "u-boot-pad.imx"
# Key slot index used to authenticate the image data
Verification index = 2
Best Regards
Hello,
Please look at my comments below.
1.
> Is it a must to fuse the SRK table during the development stage?
The system boots but it is impossible to check signed image.
2.
Please look at example in the following thread.
HAB on Nitrogen_6X IMX6Q board
https://community.nxp.com/servlet/JiveServlet/download/325535-1-259256/secure_boot_on_imx6.pdf
3.
According to the Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the
CST package, HAB Event 1 indicates that the digital signature authentication of the data block starting at 0x8780_0400
has failed.
Please look at Example 2 in the Appendix.
HAB event2 means that one of the following required areas is not signed as documented in the Operation section for authenticate_image() API:
- IVT;
- DCD (if provided);
- Boot Data (initial byte - if provided);
- Entry point (initial word).
Please look at Example 1 in the Appendix.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------