Secure Boot on imx6ul


prabhunath_gupt
Contributor II

Hi NXP team,

I am currently working on enabling a secure boot in the imx6ul using HABv4. I have followed all the steps which are mentioned in https://www.nxp.com/docs/en/application-note/AN4581.pdf.

Please find below the detailed steps which I have performed to enable secure boot.

1. I am using cst-2.3.2 for generating the PKI tree as below.

      go into key directory and run below script

     ./hab4_pki_tree.sh
      Do you want to use an existing CA key (y/n)?: n
      Do you want to use Elliptic Curve Cryptography (y/n)?: n
      Enter key length in bits for PKI tree: 4096
      Enter PKI tree duration (years): 4
      How many Super Root Keys should be generated? 4
      Do you want the SRK certificates to have the CA flag set? (y/n)?: y

2. Go into the crts directory and follow the below step to generate the SRK table.

      ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem

3. Fuse the hash value of the SRK table on-chip as below.

         hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

         0x9D60B98F
         0xAB246CEF
         0x7B02E64A
         0x7B5FA5DD
         0x885CAEEF
         0x7D09B391
         0x79B8B60D
         0xBBB2A18

         fuse prog 3 0 0x9D60B98F

         fuse prog 3 1 0xAB246CEF 

         fuse prog 3 2 0x7B02E64A

         fuse prog 3 3 0x7B5FA5DD

         fuse prog 3 4 0x885CAEEF

         fuse prog 3 5 0x7D09B391

         fuse prog 3 6 0x79B8B60D

         fuse prog 3 7 0xBBB2A18

4. Added CONFIG_SECURE_BOOT=y to the u-boot (imx_v2017.03_4.9.11_1.0.0_ga) defconfig file, compiled u-boot, and got the below details from the compilation log.

         u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
         Image Ver: 2 (i.MX53/6/7 compatible)
         Mode: DCD
         Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
         Load Address: 877ff420
         Entry Point: 87800000
         HAB Blocks: 877ff400 00000000 0006dc00
         DCD Blocks: 00910000 0000002c 000001e8

5. Prepared the CSF file as below.

      [Header]
      Version = 4.1
      Security Configuration = Open
      Hash Algorithm = sha256
      Engine Configuration = 0
      Certificate Format = X509
      Signature Format = CMS
      Engine = CAAM

      [Install SRK]
      File = "../crts/SRK_1_2_3_4_table.bin"
      Source index = 0

      [Install CSFK]
      File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate CSF]

      [Install Key]
      # Key slot index used to authenticate the key to be installed
      Verification index = 0
      # Key to install
      Target index = 2
      File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate Data]
      Verification index = 2
      #_ivt_self offset _ad_size
      Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot-pad.imx", \
                     0x00910000 0x0000002c 0x000001e8 "./u-boot-pad.imx"

6. I have tried the following different approaches for secure boot but have not been able to get any success.

First approach

  •  As my "u-boot.imx" file size is 449536 bytes (0x6DC00), I have padded it up to 450560 bytes (0x6E000) as

                  objcopy -I binary -O binary --pad-to=0x6E000 --gap-fill=0x00 u-boot.imx u-boot-pad.imx

  •  Clear the DCD address using "./mod_4_mfgtool.sh" available in the "AN4581.pdf" file.

                     ./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.imx

  •  Generate the CSF bin file as below

                     ./cst -o u-boot-csf.bin -i u-boot.csf

  • Set DCD address

                     ./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.imx

  • Padded the CSF binary up to 0x4000 as per the "AN4581.pdf" and "imximage.cfg" files.

                     objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 u-boot-csf.bin u-boot-csf-pad.bin

  • Append CSF binary to u-boot image.

                     cat u-boot-pad.imx u-boot-csf-pad.bin > u-boot-sec.imx

  • Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

Got the below HAB events using the hab_status command.

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Second approach

  • Change the Authenticate data command in the CSF file.

         [Authenticate Data]
         Verification index = 2
         #_ivt_self offset _ad_size
         Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot.imx", \
                         0x00910000 0x0000002c 0x000001e8 "./u-boot.imx"

  •  Clear the DCD address using "./mod_4_mfgtool.sh" available in the "AN4581.pdf" file.

                     ./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx

  •  Generate the CSF bin file as below

                     ./cst -o u-boot-csf.bin -i u-boot.csf

  • Set DCD address

                     ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx

  •  Append CSF binary to u-boot image.

      cat u-boot.imx u-boot-csf.bin > u-boot-intmed.imx

    • Padded final signed image upto 

                         objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-intmed.imx u-boot-sec.imx

    • Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

    Got the same HAB events as per approach #1

    Actually, I have gone through the HAB and CST user guides to debug the above issue but was not able to fix it. So please help me to fix this issue.

    I am using the Mfg tool for flashing the u-boot binary to the eMMC; please find the Mfg tool script attached.

    Do I need any changes in the MFG tool script for the secure boot?

    Do I need to set any other fuse bit or register for the secure boot?

    Can we update the new hash values of the SRK table on SRK fuses?

    What did I miss in the above two approaches?

    After compilation of u-boot I got the below images

    3449176 Jan 7 21:57 u-boot
    445213 Jan 7 21:57 u-boot.bin
    12462 Jan 7 21:57 u-boot.cfg
    445213 Jan 7 21:57 u-boot-dtb.bin
    449536 Jan 7 21:57 u-boot.imx
    559946 Jan 7 21:57 u-boot.map
    414768 Jan 7 21:57 u-boot-nodtb.bin
    449536 Jan 7 21:57 u-boot-sd.imx

    2 Replies
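
A decoder for the five `hab_status` dumps in the post above, added here as an example (it is not part of the thread, U-Boot or NXP's tooling). It splits each record into status, reason and context, checks whether each asserted region lies inside an [Authenticate Data] block of the posted CSF, and unpacks the CSF command echoed in event 5; `decode_event`, `CSF_BLOCKS` and `EVENTS` are hypothetical names, and the code tables list only the HAB4 values that occur on this page.

```python
import struct

# Codes from the HAB4 event record layout that U-Boot's hab_status prints;
# only values seen in this thread (plus WARNING/SUCCESS) are tabulated.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}
PROTOCOL = {0x03: "SRK", 0x09: "X509", 0xC5: "CMS"}
HAB_TAG_EVT, HAB_CMD_INS_KEY = 0xDB, 0xBE

# [Authenticate Data] blocks from the CSF in the post: (address, length).
CSF_BLOCKS = [(0x877FF400, 0x6DC00), (0x00910000, 0x1E8)]

# The five "event data" dumps from the post (0x prefixes dropped).
EVENTS = [
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 2c 00 00 01 e8",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 80 00 00 00 00 00 04",
    "db 00 14 42 33 21 c0 00 be 00 0c 00 03 17 00 00 00 00 00 50",
]

def decode_event(text):
    raw = bytes(int(tok, 16) for tok in text.split())
    tag, length, ver, sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != HAB_TAG_EVT or length != len(raw):
        raise ValueError("not a complete HAB event record")
    ev = {"status": STATUS.get(sts, hex(sts)), "reason": REASON.get(rsn, hex(rsn)),
          "context": CONTEXT.get(ctx, hex(ctx)), "hab": f"{ver >> 4}.{ver & 0xF}"}
    data = raw[8:]
    if ctx == 0xA0 and len(data) == 12:
        # Assertion events carry: assertion type, address, length (big-endian).
        _kind, addr, size = struct.unpack(">III", data)
        ev["region"] = (addr, size)
        ev["covered"] = any(s <= addr and addr + size <= s + n for s, n in CSF_BLOCKS)
    elif ctx == 0xC0 and len(data) == 12 and data[0] == HAB_CMD_INS_KEY:
        # Command events echo the failing CSF command; 0xBE is Install Key.
        _t, _len, _flags, pcl, _alg, src, tgt, off = struct.unpack(">BHBBBBBI", data)
        ev.update(command="Install Key", protocol=PROTOCOL.get(pcl, hex(pcl)),
                  source=src, target=tgt, key_offset=off)
    return ev

if __name__ == "__main__":
    for n, text in enumerate(EVENTS, 1):
        print(n, decode_event(text))
```

Events 1 to 4 name the IVT, DCD, boot data and entry point, all inside the first [Authenticate Data] block; event 5 decodes to an Install Key command with the SRK protocol and source index 0, which is what the CSF's [Install SRK] section compiles to.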

    prabhunath_gupt
    Contributor II

    Hi Igor,

    Thanks for the fast response.

    I don't want an encrypted boot for my imx6ul chipset. I am trying to sign a u-boot image and get no HAB events for it.

    I have below queries, so please resolve these queries.

    1. Do I need a separate Mfg tool for the secure boot?

    2. You can see the CSF file which I am using above; I have prepared it based on the compilation log from u-boot. So my question: is the Authenticate Data command correct or not?

    3. Do I pad both u-boot.imx and u-boot-csf.bin file in 4K alignment?

    4. Do I need to set any other fuse bit or register for the secure boot?

    5. Do I need to use the DCD block in the CSF file?

    igorpadykov Please let me know if I am missing anything in my two approaches above.
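
A layout check for a signed image, relevant to the padding and Authenticate Data questions in this thread (an added example, not part of the thread or of NXP's tooling). It reads the IVT at file offset 0 and verifies that a CSF header sits where the IVT's CSF pointer says; it assumes that pointer is self + 0x6DC00 (the HAB Blocks length from the build log), `check_signed_image` and `build_sample` are hypothetical names, and the image bytes are constructed.

```python
import struct

HAB_TAG_IVT, HAB_TAG_CSF = 0xD1, 0xD4

def parse_ivt(image):
    """Read the 32-byte IVT at file offset 0 of a u-boot.imx style image."""
    tag, length, _ver = struct.unpack_from(">BHB", image, 0)
    if tag != HAB_TAG_IVT or length != 0x20:
        raise ValueError("no IVT header at offset 0")
    names = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    return dict(zip(names, struct.unpack_from("<7I", image, 4)))

def check_signed_image(image):
    """Return (expected CSF file offset, list of layout problems)."""
    ivt = parse_ivt(image)
    if ivt["csf"] == 0:
        return None, ["IVT CSF pointer is 0: image was built without a CSF slot"]
    expected = ivt["csf"] - ivt["self"]  # the IVT sits at file offset 0
    problems = []
    if expected >= len(image):
        problems.append("no CSF appended")
    elif image[expected] != HAB_TAG_CSF:
        problems.append(f"no CSF header at file offset {expected:#x}")
    return expected, problems

def build_sample(pad_to=None):
    """Constructed stand-in for u-boot.imx using addresses from the build log."""
    self_, size = 0x877FF400, 0x6DC00  # CSF pointer = self + size (assumption)
    ivt = struct.pack(">BHB", HAB_TAG_IVT, 0x20, 0x40) + struct.pack(
        "<7I", 0x87800000, 0, 0x877FF42C, 0x877FF420, self_, self_ + size, 0)
    body = ivt.ljust(pad_to or size, b"\x00")
    csf = bytes([HAB_TAG_CSF, 0x00, 0x04, 0x42])  # constructed CSF header only
    return body + csf.ljust(0x4000, b"\x00")

if __name__ == "__main__":
    print(check_signed_image(build_sample()))                # CSF appended directly
    print(check_signed_image(build_sample(pad_to=0x6E000)))  # image padded first
```

Under that assumption, appending the CSF directly after the 0x6DC00-byte image places it at the IVT's CSF pointer, while padding the image to 0x6E000 first moves it 0x400 bytes past that pointer.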

    igorpadykov
    NXP Employee

    Hi prabhunath

    for additional reading and examples one can also look at

    AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices

    habv4\imx\doc - uboot-imx - i.MX U-Boot 

    Best regards
    igor