Hello,
I try to start a signed U-Boot 2015.10 on a customers board.
I generated 4096bit keys for signing as described here:
High Assurance Boot (HAB) for dummies - Boundary Devices
My SRK_1_2_3_4_fuse.bin looks like this:
root@Jessie:/work/cst-2.3.2_flashedkey/crts# hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
0xFD441C27
0x1B9E96A8
0x3A5BD436
0xDD9D0FCB
0xA89C2AE3
0x64FA9580
0x3E64FF2C
0x35558E4D
I burned the fuses and when I read they it looks like this:
=> fuse read -y 3 0
Reading bank 3:
Word 0x00000000: fd441c27
=> fuse read -y 3 1
Reading bank 3:
Word 0x00000001: 1b9e96a8
=> fuse read -y 3 2
Reading bank 3:
Word 0x00000002: 3a5bd436
=> fuse read -y 3 3
Reading bank 3:
Word 0x00000003: dd9d0fcb
=> fuse read -y 3 4
Reading bank 3:
Word 0x00000004: a89c2ae3
=> fuse read -y 3 5
Reading bank 3:
Word 0x00000005: 64fa9580
=> fuse read -y 3 6
Reading bank 3:
Word 0x00000006: 3e64ff2c
=> fuse read -y 3 7
Reading bank 3:
Word 0x00000007: 35558e4d
=> fuse read -y 3 8
Reading bank 3:
My u-boot.cst:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x000 0x6dc00 "u-boot.imx"
I use cst-2.3.2 to sign my u-boot.imx, added the generated file and changed the header values, but when I boot I get this events:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x3c 0x17 0x7f 0xf4 0x00
0x00 0x06 0xdc 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x03 0x10
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
My u-boot_signed.imx starts with the IVT(and will be written to the eeprom at offset 0x400) and when I booted I find the following in the RAM:
IVT
=> md.b 177ff400
177ff400: d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 .. @........,...
177ff410: 20 f4 7f 17 00 f4 7f 17 00 d0 86 17 00 00 00 00 ...............
177ff420: 00 f0 7f 17 40 f9 06 00 00 00 00 00 d2 03 10 40 ....@..........@
177ff430: cc 03 0c 04 02 0e 04 bc 00 00 00 30 02 0e 04 c0 ...........0....
177ff440: 00 00 00 30 02 0e 04 c4 00 00 00 30 02 0e 04 c8 ...0.......0....
...
U-Boot
=> md.b 17800000
17800000: be 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 ................
17800010: 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 ................
17800020: 60 00 80 17 c0 00 80 17 20 01 80 17 80 01 80 17 `....... .......
17800030: e0 01 80 17 40 02 80 17 a0 02 80 17 ef be ad de ....@...........
17800040: de c0 ad 0b 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 ...... ... ... .
17800050: 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 .. ... ... ... .
17800060: 28 d0 1f e5 00 e0 8d e5 00 e0 4f e1 04 e0 8d e5 (.........O.....
17800070: 13 d0 a0 e3 0d f0 69 e1 0f e0 a0 e1 0e f0 b0 e1 ......i.........
17800080: 48 d0 4d e2 ff 1f 8d e8 50 20 1f e5 0c 00 92 e8 H.M.....P ......
17800090: 48 00 8d e2 34 50 8d e2 0e 10 a0 e1 0f 00 85 e8 H...4P..........
u-boot_csf.bin
=> md.b 1786d000
1786d000: d4 00 50 41 be 00 0c 00 03 17 00 00 00 00 00 50 ..PA...........P
1786d010: be 00 0c 02 09 00 00 01 00 00 08 90 ca 00 0c 00 ................
1786d020: 01 c5 1d 00 00 00 0d e4 b2 00 08 1d 00 00 00 02 ................
1786d030: be 00 0c 00 09 00 00 02 00 00 10 e8 ca 00 14 00 ................
1786d040: 02 c5 1d 00 00 00 16 3c 17 7f f4 00 00 06 dc 00 .......<........
1786d050: d7 08 40 40 e1 02 0f 21 00 00 00 80 02 00 00 03 ..@@...!........
1786d060: f7 af 6b 13 98 c4 78 96 76 c2 c3 92 29 9b f5 2f ..k...x.v...)../
1786d070: 69 36 ef 18 25 f9 55 a4 be 91 46 ed e4 c5 8e ef i6..%.U...F.....
1786d080: a1 0d 87 08 32 93 c6 4f ef 7f 55 e5 f0 d2 e7 24 ....2..O..U....$
1786d090: ae b0 e1 b1 bd 2f 2d 10 b1 46 e2 26 7f 76 b0 89 ...../-..F.&.v..
I checked if the u-boot_csf.bin is complete in the RAM, and it is. I checked the lenght of the U-Boot image too.
I suppose any problems because I use 4096 instead of 2048 bit keys.
What I'm doing wrong ?
Solved! Go to Solution.
Sometimes it's enough to write it down to get it. I Patched the header AFTER signing it... m(
Patch the header before signing and all is working perfect.
I try to start a signed U-Boot 2016.11-toradex.
I generated 4096bit keys for signing.
I use cst-3.1.0 to sign my u-boot.but when i am booting the signed image i am getting HAB events as same as you got (Invaild signature).
How you reslove that issues,can you please help me slove these issues.
Sometimes it's enough to write it down to get it. I Patched the header AFTER signing it... m(
Patch the header before signing and all is working perfect.