Secure boot support in imx6ul

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure boot support in imx6ul

Jump to solution
3,560 Views
prabhunath_gupt
Contributor II

Hi NXP team,

I am currently working on enabling secure boot support in the imx6ul based custom board. I have read all the documents regarding secure boot support in imx6ul like. (AN4581.pdf, HAB4_API.pdf, HABCST_UG.pdf, and MX6UL Secure Boot DOC-333674.pdf, etc.).

I didn't get below two documents as those are mentioned in "MX6UL Secure Boot DOC-333674.pdf" for steps to enable HAB and verify the function, You can share those documents as we have NDA.

https://community.freescale.com/docs/DOC-96451 

https://community.freescale.com/docs/DOC-275249

I have followed the below steps as per documents but not able to get any success. Please help me to figure out the root cause.

  1. Followed CST user guide to generate PKIs tree, SRK tables and programed the SRK hash on the fuse registers as below.
    • Login on the imx6ul custom board then writes SRK hash on fuse registers.
      • echo 0xFEA39D1C > /sys/fsl_otp/HW_OCOTP_SRK0
      • echo 0x80EA23E4 > /sys/fsl_otp/HW_OCOTP_SRK1
      • echo 0x630F3E1E > /sys/fsl_otp/HW_OCOTP_SRK2
      • echo 0x6ECFC2E4 > /sys/fsl_otp/HW_OCOTP_SRK3
      • echo 0xCC8479A6 > /sys/fsl_otp/HW_OCOTP_SRK4
      • echo 0xA964111  > /sys/fsl_otp/HW_OCOTP_SRK5
      • echo 0x239A0E94 > /sys/fsl_otp/HW_OCOTP_SRK6
      • echo 0xECD0C737 > /sys/fsl_otp/HW_OCOTP_SRK7
    • Verify the hash value on u-boot console as below
      • => fuse read 3 0 8
        Reading bank 3:

        Word 0x00000000: fea39d1c 80ea23e4 630f3e1e 6ecfc2e4
        Word 0x00000004: cc8479a6 0a964111 239a0e94 ecd0c737

    • I don't update any other fuse register for the secure boot. So my question is, Do i need to update any other fuse register other than SRK hash fuse?
  2. I have added "CONFIG_SECURE_BOOT=y" in my u-boot defconfig file and build it. You can find my u-boot-compilation log as below.

    u-boot-imx-2017.03-r0 do_compile: ./tools/mkimage -n board/freescale/centauri/imximage.cfg.cfgtmp -T imximage -e 0x87800000 -d u-boot.bin u-boot.imx

    u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
    Image Ver: 2 (i.MX53/6/7 compatible)
    Mode: DCD
    Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
    Load Address: 877ff420
    Entry Point: 87800000
    HAB Blocks: 877ff400 00000000 0006dc00
    DCD Blocks: 00910000 0000002c 000001e8

    Here, My question is Do i need other changes required in u-boot for secure boot ?
  3. Prepared CSF file as attached, You can see that, I have used both HAB and DCD blocks in "[Authenticate Data]" command. Is there anything missing in the attached CSF file?
  4. I am using mfg-tool for flashing the u-boot in eMMC. So I have prepared a signed image using the below commands.
    • ./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
    • ./cst -o u-boot-csf.bin -i u-boot.csf (CST version "2.3.2")
    • ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx
    • cat u-boot.imx u-boot-csf.bin > u-boot-sec.imx
    • Then I have paded the siggned image upto "0x72000" (466944 bytes)length as "DATA size" available in u-boot compilation log.
      • objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-sec.imx u-boot-sec-pad.imx

                       Is my understanding of the padding is correct? and is I have used proper padding for my u-boot image?

  • Copy the u-boot-sec-pad.imx in mfg tool at "mfgtools-imx6ul\Profiles\Linux\OS Firmware\files\" directory and keep older u-boot in "mfgtools-imx6ul\Profiles\Linux\OS Firmware\firmware\". I didn't change anything in mfg-tool, So here is my question is, Do I need any changes in mfg-tool for the secure boot?

               You can find my u-boot.imx, u-boot-csf.bin, mod_4_mfgtool.sh,u-boot-sec-pad.imx and mfg tool script in

attachment.

5. I got below status using the hab_status command, I have tried differnt way to fix it out but not able to fix it. So please let me know what is missing in setps for secure boot.

  • => hab_status

    Secure boot disabled

    HAB Configuration: 0xf0, HAB State: 0x66

    --------- HAB Event 1 -----------------
    event data:
    0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
    0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
    0x00 0x00 0x0d 0x44 0x87 0x7f 0xf4 0x00
    0x00 0x06 0xdc 0x00

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_SIGNATURE (0x18)
    CTX = HAB_CTX_COMMAND (0xC0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 2 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
    0x00 0x00 0x00 0x20

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 3 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
    0x00 0x00 0x01 0xe8

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 4 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
    0x00 0x00 0x00 0x01

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 5 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
    0x00 0x00 0x00 0x04

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)

I have some more queries as below, so please resolve these queries.

  1. Do I pad both u-boot.imx and u-boot-csf.bin file in 4K alignment?
  2. I am using the same mfg tool for bot secure and unsecured images, Do I need a separate Mfg tool for the secure boot?

Please Note: I just want to authenticate my u-boot image only, not kernel. So I am using only signed u-boot image and want to get no HAB events found using hab_status command. I don't want an encrypted secure boot for this secure boot.

Labels (4)
0 Kudos
1 Solution
3,306 Views
igorpadykov
NXP Employee
NXP Employee

Hi prabhunath

additional documents were sent via mail.

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos
8 Replies
733 Views
dhvanil
Contributor I

Hello @igorpadykov ,

 

I am working on to enable the secure boot on i.MX6UL board. Can you please help to me to get the secure boot related documents for i.MX6UL board?

 

-

Thanks,

Dhvanil

0 Kudos
2,022 Views
virendra_dalal
Contributor I

I am getting the same HAB events, can you please help me out with what am I missing here? I have attached my uboot csf file, u-boot.imx file as well as csf_uboot.bin file.

0 Kudos
3,307 Views
igorpadykov
NXP Employee
NXP Employee

Hi prabhunath

additional documents were sent via mail.

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
1,260 Views
rohitkumar21
Contributor I
Hi @igorpadykov
I'm also facing same issue with mx6ull soc. I'm getting HAB Events logs on running hab_status command. Let know know what am I missing.

Best regards
Rohit
0 Kudos
698 Views
rohitkumar21
Contributor I

After a long time, I'm looking back at my query here. As my HAB implementation is done now. I'm replying to my old question myself to share documents that I obtained from various sources to someone who is struggling on this. Please keep in mind that the NXP docs for HAB are not very well documented so implementation took lots of time and effort. It has lots of variables to take care.. so my suggestion is to, read the documents very carefully. Also there are docs provided with CST package, so read those first.

0 Kudos
3,051 Views
story
Contributor II

Hi,

   Now I am also using the Secure boot of IMX6UL, could you please send me the relevant reference documents.  @igorpadykov 

0 Kudos
3,306 Views
prabhunath_gupt
Contributor II

Hi Nxp team,

YuriMuhin_ng‌ & igorpadykov

I am waiting for your response so please resolve my above queries.

0 Kudos
3,306 Views
kanimozhi_t
Contributor V

prabhunath.gupt@volansystech.com We're also facing the similar kind of issue now, so can you help us now?

0 Kudos