Hello,
I try to start a signed U-Boot 2015.10 on a customers board.
I generated 4096bit keys for signing as described here:
High Assurance Boot (HAB) for dummies - Boundary Devices
My SRK_1_2_3_4_fuse.bin looks like this:
root@Jessie:/work/cst-2.3.2_flashedkey/crts# hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
0xFD441C27
0x1B9E96A8
0x3A5BD436
0xDD9D0FCB
0xA89C2AE3
0x64FA9580
0x3E64FF2C
0x35558E4D
I burned the fuses and when I read they it looks like this:
=> fuse read -y 3 0
Reading bank 3:
Word 0x00000000: fd441c27
=> fuse read -y 3 1
Reading bank 3:
Word 0x00000001: 1b9e96a8
=> fuse read -y 3 2
Reading bank 3:
Word 0x00000002: 3a5bd436
=> fuse read -y 3 3
Reading bank 3:
Word 0x00000003: dd9d0fcb
=> fuse read -y 3 4
Reading bank 3:
Word 0x00000004: a89c2ae3
=> fuse read -y 3 5
Reading bank 3:
Word 0x00000005: 64fa9580
=> fuse read -y 3 6
Reading bank 3:
Word 0x00000006: 3e64ff2c
=> fuse read -y 3 7
Reading bank 3:
Word 0x00000007: 35558e4d
=> fuse read -y 3 8
Reading bank 3:
My u-boot.cst:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x000 0x6dc00 "u-boot.imx"
I use cst-2.3.2 to sign my u-boot.imx, added the generated file and changed the header values, but when I boot I get this events:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x3c 0x17 0x7f 0xf4 0x00
0x00 0x06 0xdc 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x03 0x10
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
My u-boot_signed.imx starts with the IVT(and will be written to the eeprom at offset 0x400) and when I booted I find the following in the RAM:
IVT
=> md.b 177ff400
177ff400: d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 .. @........,...
177ff410: 20 f4 7f 17 00 f4 7f 17 00 d0 86 17 00 00 00 00 ...............
177ff420: 00 f0 7f 17 40 f9 06 00 00 00 00 00 d2 03 10 40 ....@..........@
177ff430: cc 03 0c 04 02 0e 04 bc 00 00 00 30 02 0e 04 c0 ...........0....
177ff440: 00 00 00 30 02 0e 04 c4 00 00 00 30 02 0e 04 c8 ...0.......0....
...
U-Boot
=> md.b 17800000
17800000: be 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 ................
17800010: 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 ................
17800020: 60 00 80 17 c0 00 80 17 20 01 80 17 80 01 80 17 `....... .......
17800030: e0 01 80 17 40 02 80 17 a0 02 80 17 ef be ad de ....@...........
17800040: de c0 ad 0b 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 ...... ... ... .
17800050: 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 .. ... ... ... .
17800060: 28 d0 1f e5 00 e0 8d e5 00 e0 4f e1 04 e0 8d e5 (.........O.....
17800070: 13 d0 a0 e3 0d f0 69 e1 0f e0 a0 e1 0e f0 b0 e1 ......i.........
17800080: 48 d0 4d e2 ff 1f 8d e8 50 20 1f e5 0c 00 92 e8 H.M.....P ......
17800090: 48 00 8d e2 34 50 8d e2 0e 10 a0 e1 0f 00 85 e8 H...4P..........
u-boot_csf.bin
=> md.b 1786d000
1786d000: d4 00 50 41 be 00 0c 00 03 17 00 00 00 00 00 50 ..PA...........P
1786d010: be 00 0c 02 09 00 00 01 00 00 08 90 ca 00 0c 00 ................
1786d020: 01 c5 1d 00 00 00 0d e4 b2 00 08 1d 00 00 00 02 ................
1786d030: be 00 0c 00 09 00 00 02 00 00 10 e8 ca 00 14 00 ................
1786d040: 02 c5 1d 00 00 00 16 3c 17 7f f4 00 00 06 dc 00 .......<........
1786d050: d7 08 40 40 e1 02 0f 21 00 00 00 80 02 00 00 03 ..@@...!........
1786d060: f7 af 6b 13 98 c4 78 96 76 c2 c3 92 29 9b f5 2f ..k...x.v...)../
1786d070: 69 36 ef 18 25 f9 55 a4 be 91 46 ed e4 c5 8e ef i6..%.U...F.....
1786d080: a1 0d 87 08 32 93 c6 4f ef 7f 55 e5 f0 d2 e7 24 ....2..O..U....$
1786d090: ae b0 e1 b1 bd 2f 2d 10 b1 46 e2 26 7f 76 b0 89 ...../-..F.&.v..
I checked if the u-boot_csf.bin is complete in the RAM, and it is. I checked the lenght of the U-Boot image too.
I suppose any problems because I use 4096 instead of 2048 bit keys.
What I'm doing wrong ?
已解决! 转到解答。
Sometimes it's enough to write it down to get it. I Patched the header AFTER signing it... m(
Patch the header before signing and all is working perfect.
I try to start a signed U-Boot 2016.11-toradex.
I generated 4096bit keys for signing.
I use cst-3.1.0 to sign my u-boot.but when i am booting the signed image i am getting HAB events as same as you got (Invaild signature).
How you reslove that issues,can you please help me slove these issues.