I have the same problem: signing an image with the second key, SRK1, does not work for me, while the first key, SRK0, works fine.
Here are my CSF files used to sign the image.
#### For SRK0 (which works) ####
[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"
#### CSF file for SRK1 (it does not work) ####
[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 1 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.pem"
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"
Is anything missing or incorrect in the CSF file for SRK1? Thanks.
Here is the HAB events report returned by "hab_status".
U-Boot > hab_status
Secure boot disabled
Reporting HAB events HAB_STS_ANY
HAB Configuration[0xf0]: HAB_CFG_OPEN
HAB State[0x66]: HAB_STATE_NONSECURE
0: hStatus 0xf0 bytes 20
--------- HAB Event 1 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
 Cmd[0xbe]: HAB_CMD_INS_KEY
 KeyIdx[0x03]
 Protocol[0x17]: Unknown
 Engine[0x01]: Unknown, Cfg[0x00]: Unknown
 authentication data address relative to CSF start
 0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
 0x00 0x00 0x00 0x50
1: hStatus 0xf0 bytes 20
--------- HAB Event 2 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
 Cmd[0xbe]: HAB_CMD_INS_KEY
 KeyIdx[0x03]
 Protocol[0x17]: Unknown
 Engine[0x01]: Unknown, Cfg[0x00]: Unknown
 authentication data address relative to CSF start
 0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
 0x00 0x00 0x00 0x50
2: hStatus 0xf0 bytes 20
--------- HAB Event 3 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907400
 Length: 0x00000020
3: hStatus 0xf0 bytes 20
--------- HAB Event 4 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x0090742c
 Length: 0x00000060
4: hStatus 0xf0 bytes 20
--------- HAB Event 5 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907420
 Length: 0x00000001
5: hStatus 0xf0 bytes 20
--------- HAB Event 6 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00908000
 Length: 0x00000004
6: hStatus 0xf0 bytes 20
--------- HAB Event 7 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80841000
 Length: 0x00000020
7: hStatus 0xf0 bytes 20
--------- HAB Event 8 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80800000
 Length: 0x00000004
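
The twelve raw bytes under "HAB Event 1" can be read field by field. The decoder below is an added example, not part of the original post or of U-Boot; the field order and the constant names are assumptions taken from the HAB4 Install Key command layout (tag, 16-bit length, flags, protocol, hash algorithm, source index, target index, 32-bit key offset).

```python
import struct

# Command bytes copied from "HAB Event 1" in the report above.
EVENT_1_CMD = bytes([0xbe, 0x00, 0x0c, 0x00, 0x03, 0x17, 0x01, 0x00,
                     0x00, 0x00, 0x00, 0x50])

# Assumed HAB4 constants (from the HAB4 API reference, not from this thread).
TAG_INSTALL_KEY = 0xBE
PROTOCOLS = {0x03: "SRK", 0x09: "X509", 0xC5: "CMS"}
HASHES = {0x17: "SHA256"}


def decode_install_key(cmd: bytes) -> dict:
    """Decode the fixed 12-byte part of a HAB4 Install Key command."""
    if len(cmd) < 12:
        raise ValueError("Install Key command needs at least 12 bytes")
    # Big-endian: tag, 16-bit length, flags, protocol, hash algorithm,
    # source index, target index, 32-bit key offset from the CSF start.
    tag, length, flags, pcl, alg, src, tgt, key_off = struct.unpack(
        ">BHBBBBBI", cmd[:12])
    if tag != TAG_INSTALL_KEY:
        raise ValueError(f"tag 0x{tag:02x} is not Install Key")
    if length != len(cmd):
        raise ValueError(f"length field {length} != {len(cmd)} bytes given")
    return {
        "flags": flags,
        "protocol": PROTOCOLS.get(pcl, f"0x{pcl:02x}"),
        "hash": HASHES.get(alg, f"0x{alg:02x}"),
        "source_index": src,
        "target_index": tgt,
        "key_offset": key_off,
    }


if __name__ == "__main__":
    for name, value in decode_install_key(EVENT_1_CMD).items():
        print(f"{name:13} {value}")
```

Read this way, the failing command is the [Install SRK] step asking for SRK table entry 1 (the CSF's "Source index = 1") into HAB key slot 0, so HAB_INV_INDEX refers to that table entry. The labels hab_status prints beside the same bytes do not line up with this layout.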

Yuri
Hello,
What is the part number of the i.MX device used in this case?
Regards,
Yuri.
Thank you for the quick response.
I used an IMX6Q-based SolidRun HummingBoard2, and the following is /proc/cpuinfo:
processor : 0
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10
processor : 1
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10
processor : 2
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10
processor : 3
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10
Hardware : Freescale i.MX6 Quad/DualLite (Device Tree)
Revision : 63015
Serial : 0000000000000000

Yuri
Hello,
The issue was checked with a 6Q Sabresd board with CST3.1 and L4.14.78_1.0.0_GA uboot. SRK2 works.
Please try using an NXP SDP/B board with NXP U-boot.
Regards,
Yuri.
Thank you, Yuri. The other keys SRK1-3 also work for me now.
The problem was that only the first key, SRK0, was present in my SRK_1_2_3_4_table.bin file. The reason was spaces between the SRK certificate file names after the "," in the srktool command line used to generate SRK_1_2_3_4_table.bin.
One must pay attention to the instruction in srktool --help that mentions
"Certificate filenames must be separated by a ','with no spaces"

Yuri
Hello,
Please double check SRK_1_2_3_4_table.bin's size; are all 4 SRK keys in the SRK table?
What is the key length (maybe 2048 bit)?
Regards,
Yuri.
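
The check asked for above, and the truncated table described in the solution, can be caught before signing by walking the SRK table and counting its key entries. This is an added example, not code from the thread or from the CST; it assumes the HAB4 SRK table layout (a tag 0xD7 header followed by one tag 0xE1 RSA key entry per SRK), and `build_table` produces a constructed table with dummy key bytes.

```python
import struct

# Assumed HAB4 tags: 0xD7 = SRK table header, 0xE1 = public key entry.
TAG_TABLE, TAG_KEY = 0xD7, 0xE1


def parse_srk_table(blob: bytes) -> list:
    """Return the RSA modulus size in bits of each key entry in the table."""
    if len(blob) < 4:
        raise ValueError("file too short for an SRK table header")
    tag, total, _version = struct.unpack(">BHB", blob[:4])
    if tag != TAG_TABLE or total != len(blob):
        raise ValueError("bad table tag, or length field != file size")
    sizes, pos = [], 4
    while pos < total:
        if pos + 12 > total:
            raise ValueError(f"truncated key entry at offset {pos}")
        # Entry: tag, 16-bit length, algorithm, 3 reserved bytes, flags,
        # 16-bit modulus length, 16-bit exponent length, modulus, exponent.
        etag, elen, _alg = struct.unpack(">BHB", blob[pos:pos + 4])
        mod_len, exp_len = struct.unpack(">HH", blob[pos + 8:pos + 12])
        if etag != TAG_KEY or elen != 12 + mod_len + exp_len or pos + elen > total:
            raise ValueError(f"corrupt key entry at offset {pos}")
        sizes.append(mod_len * 8)
        pos += elen
    return sizes


def source_index_ok(blob: bytes, source_index: int) -> bool:
    """True if the CSF [Install SRK] 'Source index' exists in this table."""
    return 0 <= source_index < len(parse_srk_table(blob))


def build_table(n_keys: int, bits: int = 4096) -> bytes:
    """Constructed sample table: dummy modulus bytes, exponent 65537."""
    key = (bytes([0, 0, 0, 0x80]) + struct.pack(">HH", bits // 8, 3)
           + b"\xAA" * (bits // 8) + b"\x01\x00\x01")
    entry = struct.pack(">BHB", TAG_KEY, 4 + len(key), 0x21) + key
    body = entry * n_keys
    return struct.pack(">BHB", TAG_TABLE, 4 + len(body), 0x40) + body


if __name__ == "__main__":
    for n in (4, 1):  # full table vs. the one-key table from this thread
        table = build_table(n)
        print(n, len(table), parse_srk_table(table), source_index_ok(table, 1))
```

Under this layout a table of four 4096-bit keys with exponent 65537 is 2112 bytes and a one-key table is 531 bytes, so the file size alone already shows whether srktool picked up every certificate.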
