Hi,
I am trying to boot u-boot securely by implementing HAB. I have some documentation on the process.
The problem is that after booting u-boot, when I check the HAB status, I see that I have a "Signature Failure" situation.
Here are the HAB events being reported:
HAB Configuration: 0x00 HAB State: 0x55
*--------- HAB Event 1 -----------------*
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
0x00 0x02 0xbc 0x00
*--------- HAB Event 2 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x04 0x00
0x00 0x00 0x00 0x20
*--------- HAB Event 3 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x04 0x20
0x00 0x00 0x00 0x01
*--------- HAB Event 4 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x06 0x80
0x00 0x00 0x00 0x04
*--------- HAB Event 5 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0x48
I know that there is another post on this website regarding the exact same issue: HAB signature failure on i.MX6
The reply to that post points to another post related to HAB events, Re: HAB secure serial boot on mx6, but that post talks about a situation where you have wrong syntax in the CSF config file and not a signature failure.
I have a simple CSF file:
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x87800400 0x400 0x2BC00 "U-Boot-pad.bin"
Please note that my TEXT_BASE = 0x87800000.
My IVT starts from TEXT_BASE + 0x400,
and my CSF region starts at TEXT_BASE + 0x2C000, and the max length of the CSF region is 0x2000.
The first event says that a signature failure occurs when it tries to authenticate the part of the image that starts from 0x87800400 and has a length of 0x2bc00.
This is the area that includes my IVT + u-boot image. But I am not sure why I am getting the signature failure.
I have tried regenerating all the certificates as described in AN4581.
I generate the signed images in the following manner:
# This step extends the u-boot image to address 0x2c000
objcopy -I binary -O binary --pad-to 0x2C000 --gap-fill=0xff U-Boot.bin U-Boot-pad.bin
# Then I generate the CSF data using the above-mentioned CSF file
../linux/cst --output U-Boot_CSF.bin < U-Boot.CSF
# Then I merge the CSF binary and the u-boot image as follows
cat U-Boot-pad.bin U-Boot_CSF.bin > U-Boot-signed.bin
Can anybody suggest something here?
Regards,
Rajesh
The HAB API checks that all of the following data have been authenticated
(using their final locations):
IVT;
DCD (if provided);
Boot Data (initial byte if provided);
Entry point (initial word).
Please check if each of the above data components is covered by a valid signature.
Also, the following links may be useful:
https://community.freescale.com/docs/DOC-94864
https://community.freescale.com/docs/DOC-96451
Have a great day,
Yuri
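Added example, not part of either post and not NXP code: one way to run the check suggested above on the dump from the question, by decoding each event and testing the asserted regions against the CSF Blocks range. The code names are those of the HAB4 API; reading the last 8 bytes of each event as a big-endian start address and length is an assumption that matches the question's reading of event 1, and the function names are hypothetical.

```python
import re
import struct

# Code names from the HAB4 API; only the values seen in this dump are listed.
REASON = {0x18: "HAB_INV_SIGNATURE", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}

# Event bytes copied from the question and re-wrapped; banner lines dropped.
DUMP = """
event data: 0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00 0xca 0x00 0x14 0x00 0x02 0xc5
 0x00 0x00 0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00 0x00 0x02 0xbc 0x00
event data: 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00
 0x87 0x80 0x04 0x00 0x00 0x00 0x00 0x20
event data: 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00
 0x87 0x80 0x04 0x20 0x00 0x00 0x00 0x01
event data: 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00
 0x87 0x80 0x06 0x80 0x00 0x00 0x00 0x04
event data: 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00
 0x00 0x91 0x00 0x00 0x00 0x00 0x02 0x48
"""

def parse_events(dump):
    """Decode each 'event data:' record into reason, context and region."""
    events = []
    for chunk in dump.split("event data:")[1:]:
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", chunk))
        # Header: tag 0xdb, 16-bit big-endian record length, HAB version byte.
        declared = int.from_bytes(raw[1:3], "big")
        if len(raw) < 16 or raw[0] != 0xDB or declared != len(raw):
            raise ValueError("truncated or malformed HAB event record")
        # Assumption: the last 8 bytes are the region's start and length.
        start, length = struct.unpack(">II", raw[-8:])
        events.append({"reason": REASON.get(raw[5], hex(raw[5])), "start": start,
                       "context": CONTEXT.get(raw[6], hex(raw[6])), "length": length})
    return events

def outside_signed_blocks(events, blocks):
    """Return asserted regions not fully inside any (start, length) CSF block."""
    def covered(e):
        return any(b <= e["start"] and e["start"] + e["length"] <= b + n
                   for b, n in blocks)
    return [e for e in events if e["context"] == "HAB_CTX_ASSERT" and not covered(e)]

if __name__ == "__main__":
    events = parse_events(DUMP)
    for e in events:
        print(f'{e["reason"]:18} {e["context"]:16} {e["start"]:#010x} +{e["length"]:#x}')
    signed = [(0x87800400, 0x2BC00)]  # Blocks line of the CSF in the question
    print("outside signed blocks:", outside_signed_blocks(events, signed))
```

On this dump, events 2 to 4 assert regions inside the signed block (so they follow from the failed signature in event 1), while the 0x248 bytes at 0x00910000 in event 5 fall outside the range listed in Blocks.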