Secure boot with HABv4 imx6ull and code signing tool version change

Tuomas_Tuhkanen_IM
Contributor II

Hi,

I'm implementing HAB for a custom imx6ull (512MB NAND) based board. I first tried to use cst version 3.1.0, but it failed to boot after I added the CSF block to the u-boot image. Then I upgraded to version 3.3.2 and tried to reuse the keys generated previously; with the CSF block it produced, the board does boot but still fails with many HAB events. I tried burning the SRK fuses, but it did not help, so I created new keys with cst 3.3.2.

My CSF text file:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/srk_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x000a6c00 "/tmp/cst_CODE_SIGN/u-boot.imx"

----END CSF TEXT---

HAB events when using old keys with cst 3.3.2 (SRK Hash burned to these keys)

Event |0xdb|0x0014|0x42| SRCE Field: 33 18 c0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_SIGNATURE (0x18)
| | | | CTX = HAB_CTX_COMMAND (0xC0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Cmd Field: 0xca000c00
| | | | CMD: HAB_CMD_AUT_DAT (0xca)
| | | | LEN: 0x000c
| | | | FLG: 0x00
| | | | FLAGS: AUT_DAT_CLR (0x00)
| | | | KPEC Field: 0x01c50000
| | | | KEY: 0x01
| | | | PCL: HAB_PCL_CMS (0xC5)
| | | | Sig. Start: 0x00000d34
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 00 00 00 00 20
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 2c 00 00 01 d8
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 20 00 00 00 01
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 80 00 00 00 00 00 04

HAB events when using new keys (wrong SRK Hash):

Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 00 00 00 00 20
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 2c 00 00 01 d8
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 20 00 00 00 01
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 80 00 00 00 00 00 04
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 21 c0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_CERTIFICATE (0x21)
| | | | CTX = HAB_CTX_COMMAND (0xC0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Cmd Field: 0xbe000c00
| | | | CMD: HAB_CMD_INS_KEY (0xbe)
| | | | LEN: 0x000c
| | | | FLG: 0x03
| | | | FLAGS: NOTHING YET
| | | | PAST Field: 0x03170000
| | | | Crt. addr: 0x00000048

I noticed that the HAB_INV_SIGNATURE event was not present and a HAB_INV_CERTIFICATE event was added.

Am I correct in thinking that this means that the signature was correctly read by the device, but the SRK hash check has failed (as expected, since the SRK fuses had the wrong value)?

 

EDIT:

IVT of the uboot image

0 = 0x402000d1
1 = 0x87800000
2 = 0x00000000
3 = 0x877ff42c
4 = 0x877ff420
5 = 0x877ff400
6 = 0x878a6000
7 = 0x00000000

I've tried with another device with updated SRK hash, and still there are errors. So something is not right with this setup.

I used 'fuse prog 3 <n> <HASHWORD_n>' command for each of the 8 hash words to burn the SRK hash. Is this correct for imx6ull?

Also, in my final u-boot-nand.imx the IVT starts at 0x400 and the CSF starts at 0xa7000, which is 0x400 + 0xa6c00 (the length of the image). Is this correct?

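A consistency check of the numbers in the post above, as an added example that is not part of the original thread or of NXP's tooling: it derives the Authenticate Data block and the CSF file offset from the posted IVT words and tests whether each HAB_INV_ASSERTION region lies inside the signed block. The IVT field order and the three-word layout of the event data (type, address, byte count) are assumptions based on the usual HABv4 conventions, and the function names are illustrative.

```python
import struct

# Values copied from the post above.
IVT_WORDS = [0x402000d1, 0x87800000, 0x00000000, 0x877ff42c,
             0x877ff420, 0x877ff400, 0x878a6000, 0x00000000]
CSF_BLOCK = (0x877ff400, 0x00000000, 0x000a6c00)  # Blocks = address, offset, length
IVT_FILE_OFFSET = 0x400                           # IVT position in u-boot-nand.imx
ASSERT_EVT_DATA = ["00 00 00 00 87 7f f4 00 00 00 00 20",
                   "00 00 00 00 87 7f f4 2c 00 00 01 d8",
                   "00 00 00 00 87 7f f4 20 00 00 00 01",
                   "00 00 00 00 87 80 00 00 00 00 00 04"]

def parse_ivt(words):
    """Name the eight IVT words (assumed HABv4 field order) and check the header."""
    names = ("header", "entry", "reserved1", "dcd",
             "boot_data", "self", "csf", "reserved2")
    ivt = dict(zip(names, words))
    # Header bytes as stored in memory: tag, length (big-endian), version.
    tag, len_hi, len_lo, version = struct.pack("<I", ivt["header"])
    if tag != 0xD1 or (len_hi << 8 | len_lo) != 0x20:
        raise ValueError("unexpected IVT header 0x%08x" % ivt["header"])
    ivt["hab_version"] = version
    return ivt

def expected_block(ivt):
    """Signed region runs from the IVT itself up to the start of the CSF."""
    return (ivt["self"], 0, ivt["csf"] - ivt["self"])

def csf_file_offset(ivt, ivt_file_offset):
    """Where the CSF must sit in the padded file for ivt['csf'] to point at it."""
    return ivt_file_offset + (ivt["csf"] - ivt["self"])

def parse_assert_event(hex_text):
    """Assumed layout: big-endian assertion type, start address, byte count."""
    return struct.unpack(">III", bytes.fromhex(hex_text))

def regions_outside(events, block):
    """Return asserted (address, count) regions not covered by the signed block."""
    start, _, length = block
    missing = []
    for text in events:
        _, addr, count = parse_assert_event(text)
        if addr < start or addr + count > start + length:
            missing.append((addr, count))
    return missing

if __name__ == "__main__":
    ivt = parse_ivt(IVT_WORDS)
    print("Blocks = 0x%08x 0x%08x 0x%08x" % expected_block(ivt))
    print("CSF file offset: 0x%x" % csf_file_offset(ivt, IVT_FILE_OFFSET))
    print("outside signed block:", regions_outside(ASSERT_EVT_DATA, CSF_BLOCK))
```

With the posted values the derived block equals the CSF's Blocks line, the CSF offset comes out at 0xa7000, and no asserted region falls outside the signed range.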
1 Solution
Tuomas_Tuhkanen_IM
Contributor II

UPDATE:

Changed ENGINE = ANY to ENGINE = SW and now I have

No HAB Events Found!

So the device now accepts the signature. I wish it was more clearly stated in the documentation which engines are supported and that ENGINE = ANY does not work for imx6ull.

As a further question:

I know there's a hab_auth_img command to authenticate the kernel image. Is there a recommended procedure to add it to use with zImage?

 

 

 

hector_delgado
NXP TechSupport

Hi @Tuomas_Tuhkanen_IM ,

I hope you're doing well! Could you please show the errors shown with the new device (the one with updated SRK Hash)? Or are these the same as either one of the previous ones you mentioned in your initial post?

Thank you.

Best regards,
Hector.

Tuomas_Tuhkanen_IM
Contributor II

Events with correct SRK hash:

Event |0xdb|0x0014|0x42| SRCE Field: 33 18 c0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_SIGNATURE (0x18)
| | | | CTX = HAB_CTX_COMMAND (0xC0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Cmd Field: 0xca000c00
| | | | CMD: HAB_CMD_AUT_DAT (0xca)
| | | | LEN: 0x000c
| | | | FLG: 0x00
| | | | FLAGS: AUT_DAT_CLR (0x00)
| | | | KPEC Field: 0x01c50000
| | | | KEY: 0x01
| | | | PCL: HAB_PCL_CMS (0xC5)
| | | | Sig. Start: 0x00001218
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 00 00 00 00 20
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 2c 00 00 01 d8
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 7f f4 20 00 00 00 01
------------+----+------+----+-------------------------------------------------
Event |0xdb|0x0014|0x42| SRCE Field: 33 0c a0 00
| | | | STS = HAB_FAILURE (0x33)
| | | | RSN = HAB_INV_ASSERTION (0x0C)
| | | | CTX = HAB_CTX_ASSERT (0xA0)
| | | | ENG = HAB_ENG_ANY (0x00)
| | | | Evt Data (hex):
| | | | 00 00 00 00 87 80 00 00 00 00 00 04

 

These look very similar to the first case. The new keys are 4096 bits instead of 2048, if that makes any difference.

I would like to know where the problem is. Is it

a) Signature is in wrong place

b) Signature/keys are malformed somehow (they were generated with cst)

c) CSF is wrong for the device (Blocks value, perhaps)

d) Some other systematic error

Since I'm getting HAB_INV_SIGNATURE with the correct SRK hash, does this mean that the device and the cst are calculating a different checksum hash? Some sort of memory alignment issue?

Just to be clear, I'm creating the u-boot-nand.imx from u-boot.imx by padding it to 0x400 and appending the binary CSF (which is padded to size 0x4000). The cst is run on the initial unpadded u-boot.imx.
