Hello all.
I have now come across a problem with secure boot (HAB) on the i.MX6S.
I've followed AN4581 ("Signing Code Downloadable with Manufacturing Tool"), but unfortunately I ran into HAB events, which are as follows:
Out: serial
Err: serial
Checking HAB_status
HAB Configuration: 0xf0 HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x27 0x80 0x07 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x27 0x80 0x07 0x20
0x00 0x00 0x00 0x04
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0xe0
Net: got MAC address from IIM: 00:01:02:03:04:05
FEC0 [PRIME]
..main_loop
------------------------------------------------------------------------------------------------------
My u-boot.csf file is below:
-----------------------------------------------------------------------------------------------------
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_1024_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_1024_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00
# Note: 0x2F000 may be different depending on the size of U-Boot
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x2EC00 "u-boot-pad.bin",\
0x00910000 0x42C 0x2E0 "u-boot-pad.bin"
---------------------------------------------------------------------------------------------------
The picture above is the IVT taken from u-boot-signed-pad.bin.
--------------------------------------------------------------------------------------------------
Can anyone help me with this? Thanks.
Another question: how does the CST tool deal with [Authenticate Data]? What is the difference between the variants below?
[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x2EC00 "u-boot-pad.bin",\
0x00910000 0x42C 0x2E0 "u-boot-pad.bin"
------------------------------------------------------------------------------------------------
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x42C 0x2E0 "u-boot-pad.bin",\
0x27800400 0x400 0x2EC00 "u-boot-pad.bin"
------------------------------------------------------------------------------------------------
[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x2EC00 "u-boot-pad.bin"
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x42C 0x2E0 "u-boot-pad.bin"
------------------------------------------------------------------------------------------------
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x42C 0x2E0 "u-boot-pad.bin"
[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x2EC00 "u-boot-pad.bin"
------------------------------------------------------------------------------------------------
Is 0x00910000 the right address for i.MX6?
Thanks very much!
According to Appendix A of the HAB4 API Reference Manual, included in the CST release,
the HAB events occur because of an invalid address (access denied).
Also, the HAB API checks that all of the following data have been authenticated
(using their final locations):
IVT
DCD (if provided);
Boot Data (initial byte if provided);
Entry point (initial word).
Please check if each of the above data components is covered by a valid signature.
Next, the following links may be useful:
https://community.freescale.com/docs/DOC-94864
https://community.freescale.com/docs/DOC-96451
Have a great day,
Yuri
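
An added example, not part of either post: a Python decoder for the `hab_status` event records quoted in the question, using status, reason and context code names from the HAB4 API Reference Manual (a subset only), which then checks whether each asserted region lies inside the blocks of the poster's `[Authenticate Data]` command. The assertion payload layout (type, address, length as big-endian words) and the names `decode_event`, `parse_log` and `CSF_BLOCKS` are assumptions of this example.

```python
import re

# Subset of HAB4 codes, named as in the HAB4 API Reference Manual.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x1D: "HAB_INV_KEY", 0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT", 0xDD: "HAB_CTX_DCD"}
# (start, length) of the two blocks in the poster's [Authenticate Data] command.
CSF_BLOCKS = [(0x27800400, 0x2EC00), (0x00910000, 0x2E0)]
# Events 1, 4 and 6 copied from the console log in the question.
LOG = """
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x27 0x80 0x07 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0xe0
"""

def decode_event(raw):
    """Decode one record: tag, 16-bit length, version, status, reason, context, engine."""
    n = int.from_bytes(raw[1:3], "big")
    if len(raw) < 8 or raw[0] != 0xDB or not 8 <= n <= len(raw):
        raise ValueError("not a complete HAB event record")
    raw = raw[:n]  # ignore anything past the declared record length
    ev = {k: t.get(b, hex(b)) for k, t, b in
          (("status", STATUS, raw[4]), ("reason", REASON, raw[5]), ("context", CONTEXT, raw[6]))}
    if raw[6] == 0xA0 and len(raw) >= 20:
        # Assumed payload layout: assertion type, address, length (big-endian words).
        ev["addr"] = int.from_bytes(raw[12:16], "big")
        ev["size"] = int.from_bytes(raw[16:20], "big")
        ev["in_csf_block"] = any(s <= ev["addr"] and ev["addr"] + ev["size"] <= s + ln
                                 for s, ln in CSF_BLOCKS)
    return ev

def parse_log(text):
    """Split a hab_status dump on its event banners and decode each event."""
    parts = re.split(r"-+ HAB Event (\d+) -+", text)
    hexbytes = lambda body: bytes(int(b, 16) for b in re.findall(r"\b0x([0-9a-fA-F]{2})\b", body))
    return [{"event": int(n), **decode_event(hexbytes(b))} for n, b in zip(parts[1::2], parts[2::2])]
```

On the three events embedded above, event 1 decodes to HAB_INV_ADDRESS in the authenticate context, and the regions asserted in events 4 and 6 both fall inside the CSF blocks.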