Secure boot with HABv4 imx6ull and code signing tool version change

Tuomas_Tuhkanen_IM · ‎10-20-2023

Hi,

I'm implementing HAB for a custom imx6ull (512MB nand) based board. I first tried to use cst version 3.1.0, but it failed to boot after I added the CSF block to the u-boot image. Then I upgraded to version 3.3.2 and tried to reuse the keys generated previously and with the CSF block it produced the board does boot but still fails with many HAB events. I tried burning the SRK fuses, but it did not help so I created new keys with cst 3.3.2.

My CSF text file:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/srk_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x000a6c00 "/tmp/cst_CODE_SIGN/u-boot.imx"

----END CSF TEXT---

HAB events when using old keys with cst 3.3.2 (SRK Hash burned to these keys)

HAB events when using new keys (wrong SRK Hash):

I noticed that the HAB_INV_SIGNATURE event was not present and HAB_INV_CERTIFICATE event was added.

Am I correct in thinking that this means that the signature was correctly read by the device, but SRK Hash check has failed (as expected since the SRK fuses had wrong value)?

EDIT:

IVT of the uboot image

0 = 0x402000d1
1 = 0x87800000
2 = 0x00000000
3 = 0x877ff42c
4 = 0x877ff420
5 = 0x877ff400
6 = 0x878a6000
7 = 0x00000000

I've tried with another device with updated SRK hash, and still there are errors. So something is not right with this setup.

I used 'fuse prog 3 <n> <HASHWORD_n>' command for each of the 8 hash words to burn the SRK hash. Is this correct for imx6ull?

Also, in my final u-boot-nand.imx the IVT starts at 0x400 and the CSF starts at 0xa7000, which is 0x400 + 0xa6c00 (the length of the image). Is this correct?

Tuomas_Tuhkanen_IM · ‎10-30-2023

UPDATE:

Changed ENGINE = ANY to ENGINE = SW and now I have

No HAB Events Found!

So the device now accepts the signature. I wish it was more clearly stated in the documentation which engines are supported and that ENGINE = ANY does not work for imx6ull.

As further question:

I know there's hab_auth_img command to authenticate kernel image. Is there a recommended procedure to add it to use with zImage?

在原帖中查看解决方案

hector_delgado · ‎10-25-2023

Hi @Tuomas_Tuhkanen_IM ,

I hope you're doing well! Could you please show the errors shown with the new device (the one with updated SRK Hash)? Or are these the same as either one of the previous ones you mentioned in your initial post?

Thank you.

Best regards,
Hector.

Tuomas_Tuhkanen_IM · ‎10-25-2023

Events with correct SRK hash:

These look very similar to the first case. The new keys are 4096 bits instead of 2048, if that makes any difference.

I would like to know where the problem is. Is it

a) Signature is in wrong place

b) Signature/keys are malformed somehow (they were generated with cst)

c) CSF is wrong for the device (Blocks value, perhaps)

d) Some other systematic error

Since I'm getting HAB_INV_SIGNATURE with the correct SRK hash, does this mean that the device and the cst are calculating different checksum hash? Some sort of memory alignment issue?

Just to be clear, I'm creating the u-boot-nand.imx from u-boot.imx by padding it to 0x400 and appending the binary CSF (which is padded to size 0x4000). The cst is run on the initial unpadded u-boot.imx.

Tuomas_Tuhkanen_IM · ‎10-30-2023