Hi NXP team,
I am currently working on enabling secure boot on the i.MX6UL using HABv4. I have followed all the steps mentioned in https://www.nxp.com/docs/en/application-note/AN4581.pdf.
Please find below the detailed steps I performed to enable secure boot.
1. I am using cst-2.3.2 for generating the PKI tree as below.
Go into the key directory and run the script below:
./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 4
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
2. Went into the crts directory and followed the step below to generate the SRK table.
../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem
3. Fuse the hash value of the SRK table on-chip as below.
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0x9D60B98F
0xAB246CEF
0x7B02E64A
0x7B5FA5DD
0x885CAEEF
0x7D09B391
0x79B8B60D
0xBBB2A18
fuse prog 3 0 0x9D60B98F
fuse prog 3 1 0xAB246CEF
fuse prog 3 2 0x7B02E64A
fuse prog 3 3 0x7B5FA5DD
fuse prog 3 4 0x885CAEEF
fuse prog 3 5 0x7D09B391
fuse prog 3 6 0x79B8B60D
fuse prog 3 7 0xBBB2A18
4. Added CONFIG_SECURE_BOOT=y in the u-boot (imx_v2017.03_4.9.11_1.0.0_ga) defconfig file, compiled u-boot and got the details below from the compilation log.
u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 0006dc00
DCD Blocks: 00910000 0000002c 000001e8
5. Prepared the CSF file as below.
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
#_ivt_self offset _ad_size
Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot-pad.imx", \
0x00910000 0x0000002c 0x000001e8 "./u-boot-pad.imx"
6. I have tried the following different approaches for secure boot but have not had any success.
First approach
objcopy -I binary -O binary --pad-to=0x6E000 --gap-fill=0x00 u-boot.imx u-boot-pad.imx
./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.imx
./cst -o u-boot-csf.bin -i u-boot.csf
./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.imx
objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 u-boot-csf.bin u-boot-csf-pad.bin
cat u-boot-pad.imx u-boot-csf-pad.bin > u-boot-sec.imx
Got the HAB events below using the hab_status command.
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Second approach
[Authenticate Data]
Verification index = 2
#_ivt_self offset _ad_size
Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot.imx", \
0x00910000 0x0000002c 0x000001e8 "./u-boot.imx"
./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
./cst -o u-boot-csf.bin -i u-boot.csf
./mod_4_mfgtool.sh set_dcd_addr u-boot.imx
cat u-boot.imx u-boot-csf.bin > u-boot-intmed.imx
objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-intmed.imx u-boot-sec.imx
Got the same HAB events as in approach #1.
I have gone through the HAB and CST user guides to debug the above issue but was not able to fix it. So please help me to fix this issue.
I am using the Mfg tool for flashing the u-boot binary to the eMMC; the Mfg tool script is attached.
Do I need any changes in the MFG tool script for the secure boot?
Do I need to set any other fuse bit or register for the secure boot?
Can we update the new hash values of the SRK table on SRK fuses?
What did I miss in the above two approaches?
After compilation of u-boot I got the images below:
3449176 Jan 7 21:57 u-boot
445213 Jan 7 21:57 u-boot.bin
12462 Jan 7 21:57 u-boot.cfg
445213 Jan 7 21:57 u-boot-dtb.bin
449536 Jan 7 21:57 u-boot.imx
559946 Jan 7 21:57 u-boot.map
414768 Jan 7 21:57 u-boot-nodtb.bin
449536 Jan 7 21:57 u-boot-sd.imx
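Added example (not part of the original post and not NXP code): a small Python decoder for the hab_status records quoted above, which checks each failed assertion region against the Authenticate Data blocks from the posted CSF. The layout of the bytes after the 8-byte event header (assertion type, address, length) is an assumption inferred from the addresses and sizes in the post, and the function names are hypothetical.

```python
import struct

# Reason and context names as printed by hab_status in the post.
REASON = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}

# Authenticate Data blocks from the posted CSF: (load address, length).
CSF_BLOCKS = [(0x877FF400, 0x0006DC00), (0x00910000, 0x000001E8)]

# Event data copied from the post (events 1-5), "0x" prefixes dropped.
EVENTS = [
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 2c 00 00 01 e8",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 80 00 00 00 00 00 04",
    "db 00 14 42 33 21 c0 00 be 00 0c 00 03 17 00 00 00 00 00 50",
]

def parse_event(text):
    """Decode one event record: tag, length, version, STS, RSN, CTX, ENG, data."""
    raw = bytes.fromhex(text.replace("0x", ""))
    tag, length, _ver, _sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    event = {"reason": REASON.get(rsn, hex(rsn)),
             "context": CONTEXT.get(ctx, hex(ctx)), "region": None}
    if ctx == 0xA0 and len(raw) >= 20:
        # Assumed layout: 4-byte assertion type, 4-byte address, 4-byte length.
        _kind, addr, size = struct.unpack(">III", raw[8:20])
        event["region"] = (addr, size)
    return event

def covered(region, blocks=CSF_BLOCKS):
    """True if the asserted region lies wholly inside one CSF block."""
    addr, size = region
    return any(base <= addr and addr + size <= base + n for base, n in blocks)

def triage(events=EVENTS):
    parsed = [parse_event(e) for e in events]
    regions = [e["region"] for e in parsed if e["region"]]
    return {
        "uncovered": [r for r in regions if not covered(r)],
        "command_failures": [e["reason"] for e in parsed
                             if e["context"] == "HAB_CTX_COMMAND"],
    }

if __name__ == "__main__":
    print(triage())
```

On the quoted events every asserted region falls inside the first Authenticate Data block, so the block arithmetic is consistent with the build log and the HAB_INV_CERTIFICATE record raised in command context is the one to investigate first.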
Hi Igor,
Thanks for the fast response.
I don't want an encrypted boot for my imx6ul chipset. I am trying to sign a u-boot image and get no HAB events for it.
I have the queries below, so please help resolve them.
1. Do I need a separate Mfg tool for the secure boot?
2. You can see the CSF file I am using above; I prepared it based on the compilation log from u-boot. So my question: is the Authenticate Data command correct or not?
3. Do I pad both the u-boot.imx and u-boot-csf.bin files to 4K alignment?
4. Do I need to set any other fuse bit or register for the secure boot?
5. Do I need to use the DCD block in the CSF file?
igorpadykov Please tell me if I am missing anything in my two approaches above.
Hi prabhunath
for additional reading and examples one can also look at
AN12056 Encrypted Boot on HABv4 and CAAM Enabled Devices
habv4\imx\doc - uboot-imx - i.MX U-Boot
Best regards
igor