Secure Boot on imx6ul using HABv4

radikedalpatadu · ‎07-22-2016

Hi All,

I am currently working on performing a secure boot on the imx6ul using HABv4. I followed the steps provided in the following document.

http://marc.info/?l=u-boot&m=139227973004718&q=p5

After performing all the steps I have described below, I typed hab_status in the U-boot command prompt. Then I get the HAB Events I have shown below. The only step I did not perform is fusing the SRK table. I would like to know the following information:

1. Is it a must to fuse the SRK table during the development stage?

2. From where can I find the load address that has to specify in the csf file? I used the following value defined in the Uboot configuration file. The document AN4581 (Rev.0,10/2012) describes that start* = TEXT_BASE and that it is defined in the config.mk file. However, config.mk file is not available in my U-boot folder (Probably because I am using a newer version).

#define CONFIG_SYS_TEXT_BASE 0x87800000

AN4581(Rev. 1, 10/2015) does not provide any information regarding this.

3. How does the Uboot knows the starting pointer of cfs? Should we specify it in any other location?

4. I have specified the steps I performed below. Let me know whether anything I am doing wrongly.

Steps Performed:

Please see the steps performed below.

1. Built u-boot.imx enabling the secure mode.

2. Generated all root public key files and corresponding hash.

3. Created csf file with the following content. Content of the file is attached at the end.

4. My u-uboot.imx file is 0x60830. I extended it to 0x61000 using the following command.

objcopy -I binary -O binary --pad-to 0x61000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx

5. Then I generated csf.bin file using the command below.

./cst -o u-boot_csf.bin -i uboot.csf

6. Merged image and csf data using the command below.

cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx

7. Then extended the final image to 0x63000

objcopy -I binary -O binary --pad-to 0x63000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx

8. The length of the block is calculated as: Length = u-boot-pad.imx (0x61000) - IVT_OFFSET (0x400).

And added 400 to the starting address as shown below.

# Address Offset Length Data File Path

Blocks = 0x87800400 0x400 0x00060C00 "u-boot-pad.imx"

HAB Events:

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00

0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00

0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00

0x00 0x06 0x0c 0x00

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xd0

0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xfc

0x00 0x00 0x01 0xf0

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xf0

0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00

0x00 0x00 0x00 0x04

Command Sequency File Description:

#Illustrative Command Sequence File Description

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine = ANY

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

# Index of the key location in the SRK table to be installed

Source index = 0

[Install CSFK]

# Key used to authenticate the CSF data

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

# Key to install

File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Target key slot in HAB key store where key will be installed

Target Index = 2

# Key slot index used to authenticate the key to be installed

Verification index = 0

[Authenticate Data]

# Address Offset Length Data File Path

Blocks = 0x87800400 0x400 0x00060C00 "u-boot-pad.imx"

# Key slot index used to authenticate the image data

Verification index = 2

Best Regards

Yuri · ‎07-26-2016

Hello,

Please look at my comments below.

1.

> Is it a must to fuse the SRK table during the development stage?

The system boots but it is impossible to check signed image.

2.
Please look at example in the following thread.

HAB on Nitrogen_6X IMX6Q board

https://community.nxp.com/servlet/JiveServlet/download/325535-1-259256/secure_boot_on_imx6.pdf

3.

According to the Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the
CST package, HAB Event 1 indicates that the digital signature authentication of the data block starting at 0x8780_0400

has failed.

Please look at Example 2 in the Appendix.

HAB event2 means that one of the following required areas is not signed as documented in the Operation section for authenticate_image() API:

- IVT;

- DCD (if provided);

- Boot Data (initial byte - if provided);

- Entry point (initial word).

Please look at Example 1 in the Appendix.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Secure Boot on imx6ul using HABv4