Secure boot imx8Mq dart, hab_status HAB_FAILURE (0x33)

mariusoctavian · ‎06-26-2023

Hello,

I am using this board: variscite
I downloaded CST latest
I downloaded u-boot from https://github.com/varigit/uboot-imx.git
- commit checkout 9458fd59dd6d69230438350c3aeb8ac803ff1b1c
I downloaded https://github.com/varigit/imx-atf.git
- commit checkout : 7575633e03ff952a18c0a2c0aa543dee793fda5f
Downloaded https://github.com/nxp-imx/imx-mkimage.git
- checkout commit 6745ccdcf15384891639b7ced3aa6ce938682365
All build fine as final generated file is: ./src/imx-mkimage/iMX8M/flash.bin

Here are excerpts from build log

Platform:	i.MX8M (mScale)
ROM VERSION:	v1
Using FIT image
LOADER IMAGE:	u-boot-spl-lpddr4-ddr4.bin start addr: 0x007e1000
SECOND LOADER IMAGE:	u-boot-lpddr4-ddr4-evk.itb start addr: 0x40200000 offset: 0x00060000
...
========= OFFSET dump =========
Loader IMAGE:
 header_image_off 	0x0
 dcd_off 		0x0
 image_off 		0x40
 csf_off 		0x3c000
 spl hab block: 	0x7e0fc0 0x0 0x3c000

Second Loader IMAGE:
 sld_header_off 	0x57c00
 sld_csf_off 		0x58c20
 sld hab block: 	0x401fcdc0 0x57c00 0x1020
...
u-boot-nodtb.bin + imx8mm-var-dart-customboard.dtb are padded to 722544
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 imx8mm-var-dart-customboard.dtb
0x40200000 0x5AC00 0xA8D00
0x402A8D00 0x103900 0x7970
0x920000 0x10B270 0x9300

From above build log I extracted and build following variables

TEE_LOAD_ADDR=0xbe000000
ATF_LOAD_ADDR=0x00920000
HAB_BLK='0x401fcdc0 0x57c00 0x1020'
header_image_off='0x0'
dcd_off='0x0'
image_off='0x40'
csf_off='0x3c000'
spl_hab_block='0x7e0fc0 0x0 0x3c000'
sld_header_off='0x57c00'
sld_csf_off='0x58c20'
sld_hab_block='0x401fcdc0 0x57c00 0x1020'
ADDR_1='0x40200000 0x5AC00 0xA8D00'
ADDR_2='0x402A8D00 0x103900 0x7970'
ADDR_3='0x920000 0x10B270 0x9300'

I generated the keys as:

pushd ./secure_boot/CRT/cst-3.3.2/keys
        echo "======================================"
        pwd
            (
                echo n
                echo rsa
                echo 1024
                echo 15
                echo 4
                echo n
            ) | ./hab4_pki_tree.sh
        popd

Then the pem files

pushd secure_boot/CRT/cst-3.3.2/crts/
    echo "WF: $(pwd)"
    srktool -h 4 -t SRK_1_2_3_4_table.bin -e        \
            SRK_1_2_3_4_fuse.bin -d sha256 -c       \
            SRK1_sha256_1024_65537_v3_usr_crt.pem,  \
            SRK2_sha256_1024_65537_v3_usr_crt.pem,  \
            SRK3_sha256_1024_65537_v3_usr_crt.pem,  \
            SRK4_sha256_1024_65537_v3_usr_crt.pem
            FUSE_DIR=$(pwd)
    popd

have the generated files files SRK_1_2_3_4_table.bin and SRK_1_2_3_4_fuse.bin

I copied all generated files in a folder called secure_boot

-rwxrwxr-x  1 marius marius   37632 Jun 26 17:17 bl31.bin
drwxrwxr-x  3 marius marius    4096 Jun 24 21:56 CRT
drwxrwxr-x  2 marius marius    4096 Jun 24 21:56 CSF
-rw-rw-r--  1 marius marius    1150 Jun 26 17:17 csf_fit.txt
-rw-rw-r--  1 marius marius    1112 Jun 26 17:17 csf_spl.txt
-rw-rw-r--  1 marius marius 1163384 Jun 26 17:17 flash.bin
-rwxrwxr-x  1 marius marius     404 Jun 26 17:17 gen_addr.sh
-rw-rw-r--  1 marius marius     297 Jun 24 21:56 gen_addr.txt
-rwxrwxr-x  1 marius marius    2378 Jun 26 15:45 print_fit_hab.sh
-rw-rw-r--  1 marius marius      32 Jun 26 17:17 SRK_1_2_3_4_fuse.bin
-rw-rw-r--  1 marius marius     147 Jun 26 17:17 SRK_1_2_3_4_table.bin
-rwxrwxr-x  1 marius marius  691456 Jun 26 17:17 u-boot-nodtb.bin

Ans compiled the csf_fit.txt and csf_spl.txt

####################  csf_spl.txt ###########################
[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Index of the key location in the SRK table to be installed
    File = "./SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    # Key used to authenticate the CSF data
    File = "./CRT/cst-3.3.2/crts/CSF1_1_sha256_1024_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
    # Leave Job Ring and DECO master ID registers Unlocked
    Engine = CAAM
    Features = MID

[Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target index = 2
    # Key to install
    File = "./CRT/cst-3.3.2/crts/IMG1_1_sha256_1024_65537_v3_usr_crt.pem"

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file


#  spl hab block: 	0x7e0fc0 0x0 0x3c000, from build log
Blocks = 0x7e0fc0 0x0 0x3c000 "flash.bin"


####################  csf_fit.txt ###########################
[Header]
    Version = 4.3
    Hash Algorithm = sha256
    Engine = CAAM
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    # Index of the key location in the SRK table to be installed
    File = "./SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    # Key used to authenticate the CSF data
    File = "./CRT/cst-3.3.2/crts/CSF1_1_sha256_1024_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target index = 2
    # Key to install
    File = "./CRT/cst-3.3.2/crts/IMG1_1_sha256_1024_65537_v3_usr_crt.pem"

[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file





#  sld hab block: 	0x401fcdc0 0x57c00 0x1020, from build log
Blocks = 0x401fcdc0 0x57c00 0x1020 "flash.bin", \ 
 0x40200000 0x5AC00 0xA8D00 "flash.bin", \ 
 0x402A8D00 0x103900 0x7970 "flash.bin", \ 
 0x920000 0x10B270 0x9300 "flash.bin"

Complied them, or whatever cst does
- cst -i csf_spl.txt -o csf_spl.bin
  cst -i csf_fit.txt -o csf_fit.bin

building the signed flash.bin

cd releases
cp ./flash.bin ./signed_flash.bin
dd if=./csf_spl.bin of=signed_flash.bin seek=$((csf_off)) bs=1 conv=notrunc
dd if=./csf_fit.bin of=signed_flash.bin seek=$((sld_csf_off)) bs=1 conv=notrunc
where 
csf_off are the one from above as 
csf_off=0x3c000
sld_csf_off=0x58c20

Then burned u-boot into emmc dd if=./signed_flash.bin of=${1} bs=1024 seek=33 conv=notrunc

Upon U-boot prompt I get error 33

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x1d 0xc0 0x00
        0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
        0x00 0x00 0x00 0xfc

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xe0
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x10 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x1d 0xc0 0x00
        0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
        0x00 0x00 0x00 0xec

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)

Any help would be appreciated

Harvey021 · ‎06-30-2023

Hi @mariusoctavian

It seems that you did "Generating a fast authentication PKI tree", is that right?

Best regards

Harvey

mariusoctavian · ‎06-30-2023

Hi,

What 'Generating a fast authentication PKI tree' suppose to mean.

I was following pretty much:

https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/Steps-to-enable-secure-boot-in-i-MX8M-Na...

Is there a better paper? . I am not using yocto. I have build everything on build-root. Is cleaner and faster,
though I see NXP went all the way with yocto.

I did not burn the fuses yet. I did not do anything with the filesystem and kernel.
OS Already flashed in the emmc partition 1

I have gathered all u-boot build files as:

marius@hpp:~/_br/u-boot$ ls -la ./secure_boot/
total 2872
drwxrwxr-x 4 marius marius    4096 Jun 30 10:40 .
drwxrwxr-x 8 marius marius    4096 Jun 30 10:40 ..
-rwxrwxr-x 1 marius marius   37632 Jun 30 09:49 bl31.bin
drwxrwxr-x 3 marius marius    4096 Jun 27 15:56 CRT
drwxrwxr-x 2 marius marius    4096 Jun 27 15:56 CSF
-rw-rw-r-- 1 marius marius    2204 Jun 30 10:40 csf_fit.bin
-rw-rw-r-- 1 marius marius    1150 Jun 30 09:49 csf_fit.txt
-rw-rw-r-- 1 marius marius    2188 Jun 30 10:40 csf_spl.bin
-rw-rw-r-- 1 marius marius    1112 Jun 30 09:49 csf_spl.txt
-rw-rw-r-- 1 marius marius 1163384 Jun 30 10:40 flash.bin
-rwxrwxr-x 1 marius marius     404 Jun 30 09:49 gen_addr.sh
-rw-rw-r-- 1 marius marius     297 Jun 27 15:56 gen_addr.txt
-rwxrwxr-x 1 marius marius    2378 Jun 27 19:49 print_fit_hab.sh
-rw-rw-r-- 1 marius marius 1163384 Jun 30 10:40 signed_flash.bin
-rw-rw-r-- 1 marius marius      32 Jun 30 10:40 SRK_1_2_3_4_fuse.bin
-rw-rw-r-- 1 marius marius     147 Jun 30 10:40 SRK_1_2_3_4_table.bin
-rwxrwxr-x 1 marius marius  691456 Jun 30 10:40 u-boot-nodtb.bin

I have assembled signed_flash.bin as

# on PC
cp ./flash.bin ./signed_flashed.bin
SPL_BIN=csf_spl.bin
FIT_BIN=csf_fit.bin
csf_off='0x3c000'
sld_csf_off='0x58c20'
FLASH_BIN_SIGNED=./signed_flashed.bin
dd if=./${SPL_BIN} of=${FLASH_BIN_SIGNED} seek=$((csf_off)) bs=1 conv=notrunc
dd if=./${FIT_BIN} of=${FLASH_BIN_SIGNED} seek=$((sld_csf_off)) bs=1 conv=notrunc

#### on device ####
u-boot-> ums 0 mmc 2
/

#### on PC
# emmc is visible sd as /dev/sdb
dd if=${FLASH_BIN_SIGNED} of=/dev/sdb bs=1023 seek=33


#### on device ####
Crtrl+C
u-boot-> reset

Then: booting up.

Booting from mmc ...
fdt_file=imx8mm-var-dart-dt8mcustomboard-legacy.dtb
38538 bytes read in 10 ms (3.7 MiB/s)
hab fuse not enabled

Authenticate image from DDR location 0x40480000...
bad magic magic=0x85 length=0x4668 version=0xd1
bad length magic=0x85 length=0x4668 version=0xd1
bad version magic=0x85 length=0x4668 version=0xd1
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
## Flattened Device Tree blob at 43000000
   Booting using the fdt blob at 0x43000000
   Using Device Tree in place at 0000000043000000, end 000000004300c689

Starting kernel ...

unable to select a mode
device_remove: Device 'mmc@30b60000.blk' failed to remove, but children are gone
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.15.60-imx8mm (marius@hpp) (aarch64-linux-gcc.br_real (Buildroot 2021.11-4428-g6b6741b) 11.3.0, GNU ld (GNU Binutils) 2.38) #1 SMP PREEMPT Fri Jun 9 08:36:47 EDT 2023
...... boots fine into linux prompt

Then stopping at u-boot prompt I have following hab options;

hab_auth_img- authenticate image via HAB
hab_auth_img_or_fail- authenticate image via HAB on failure drop to USB BootROM mode
hab_failsafe- run BootROM failsafe routine
hab_status- display HAB status
hab_version- print HAB major/minor version

u-boot-> hab_version
HAB version: 4.3
u-boot-> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x43 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xe0
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x10 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

u-boot->

Then in this document: HAB4_API.pdf

STS = HAB_FAILURE (0x33)

I dont know what to do next ?

Thank you.

Harvey021 · ‎07-03-2023

Hi

What 'Generating a fast authentication PKI tree' suppose to mean?

I see this from your post

Best regards

Harvey

mariusoctavian · ‎07-03-2023

That was answer to:

Do you want the SRK certificates to have the CA flag set? (y/n)?

mariusoctavian · ‎07-03-2023

Do you want the SRK certificates to have the CA flag set? (y/n)?:

        (
            echo n
            echo rsa
            echo 1024
            echo 15
            echo 4
            echo y  # Do you want the SRK certificates to have the CA flag set? (y/n)?: y
        ) | ./hab4_pki_tree.sh

answering yes did not changed a thing.

Harvey021 · ‎07-04-2023

Hi

I am not quite sure that if there appears to problems with offset dump, authenticate data on the condition of mentioning just build root.

some suggestions as below.

You did not burn fuse, but HAB 4.3 will check SRK hash in open mode.

The first hab event has changed with the CA flag set.

RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)

Refer to 3.8 Run CSF of HAB API to check the context and invalid related to CSF may bring analysis.

RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)

Refer to 3.9 Assert of HAB API.

OS will be verified by default.

Best regards

Harvey

mariusoctavian · ‎07-06-2023

Thank you

I went down from 6 events to 2 events, so far.

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00
        0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
        0x00 0x00 0x05 0x9c 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
        0x00 0x0a 0x8d 0x00 0x40 0x2a 0x8d 0x00
        0x00 0x00 0x79 0x70 0x00 0x92 0x00 0x00
        0x00 0x00 0x93 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

I will check that from the post above

mariusoctavian · ‎08-10-2023

... we had a break from this. We are still fighting with it.

mariusoctavian · ‎08-11-2023

I followed meanwhile

https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/

I redid my keys using 4K key length. I still have 3 events,
Saying that the 3 blocks are not signed

-----------------------------------------------
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x0d 0x24 0x40 0x1f 0xcd 0xc0 [1]
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00 [2]
0x00 0x0a 0x8d 0x00 0x40 0x2a 0x8d 0x00 [3]
0x00 0x00 0x79 0x70 0x00 0x92 0x00 0x00 [4]
0x00 0x00 0x93 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)

and in csf_fit.txt they are as, see the tags [#]

csf_fit.txt

Blocks =
0x401fcdc0 0x57c00 0x1020 "flash.bin", \ [1]
0x40200000 0x5AC00 0xA8D00 "flash.bin", \ [2]
0x402A8D00 0x103900 0x7970 "flash.bin", \ [3]
0x920000 0x10B270 0x9300 "flash.bin" [4]

Why these are marked as invalid signature

The u-boot build log excerpts related to addresses are.

-----------------------------------------------
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x3c000
spl hab block: 0x7e0fc0 0x0 0x3c000
...
Second Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20
sld hab block: 0x401fcdc0 0x57c00 0x1020

...
./print_fit_hab.sh 0x60000 imx8mm-var-dart-customboard.dtb
0x40200000 0x5AC00 0xA8D00
0x402A8D00 0x103900 0x7970
0x920000 0x10B270 0x9300
-----------------------------------------------

Any help would be appreciated,

Regards, Marius

Harvey021 · ‎08-15-2023

From event1 and 2, which tells one of the following required areas is not signed
• IVT;
• DCD (if provided);
• Boot Data (initial byte - if provided);
• Entry point (initial word).

From event3, which tells the digital signature authentication of data block from 0x40 0x1f 0xcd 0xc0 [1] has failed. Did you put [1] [2] [3] [4] in your csf_fit.txt? they should not be there.

I's suggest you to try to get support form boundarydevice. if problem still persists.

For secure boot building from yocto, we don't provide support for that.

Best regards

Harvey

Harvey021 · ‎08-13-2023

I've cloned a new case to follow up the issue, since it's been too long.

Best regards

Harvey

mariusoctavian · ‎08-14-2023

Thank you.
...meanwhile we've used yocto to create a secure boot

###  local.conf as per docs
OVERRIDES =. "hab:"
#NXP_CST_URI="file://${HOME}/cst-3.1.0.tgz"
#CST_SERIAL="1248163E"
#CST_KEYPASS="kohler_pegmatis"
#UBOOT_DTBS:mx8mm-nxp-bsp="imx8mm-var-dart-customboard.dtb imx8mm-var-som-symphony.dtb"
UBOOT_DTB_DEFAULT:mx8mm-nxp-bsp="-imx8mm-var-dart-customboard"
SIGN_DTB:mx8mm-nxp-bsp="${B}/${KERNEL_OUTPUT_DIR}/dts/freescale/imx8mm-var-dart-dt8mcustomboard.dtb

#build as per docs
MACHINE=imx8mm-var-dart DISTRO=fslc-xwayland . var-setup-release.sh build_xwayland
bitbake -c cleansstate linux-variscite && bitbake -c cleansstate u-boot-variscite && bitbake -c cleansstate imx-boot
bitbake -c deploy imx-boot

But is even worst we get 7 HAB events errors

Best regards,
Marius