- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
-
I have a SEGGER j-Link Plus, and we have enabled J-Link debugging on the evaluation board, and it can set the shadow registers for the fuses. I then do serial boot from USB.
Is there any documentation on how to do secure boot with this board?
I am using CST-3.3.1 and u-boot 2020.04. I have chosen the following answers in the Code signing tool:
existing CA Key: n
Elliptic Curve Crypto: n
bits for PKI tree: 2048
PKI tree duration: 10
# of Super Root Keys: 4
SRK has CA flag set: y
The signing tool gives no errors.
If I ask U-Boot after booting for hab_status, I see:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x07 0xe4
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x69 0x0a 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x0d 0x3c 0x87 0x7f 0xf4 0x00
0x00 0x0a 0x1c 0x00
STS = HAB_WARNING (0x69)
RSN = HAB_UNS_ENGINE (0x0A)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
If I corrupt the image, (changed the date from 2021 to 9021), and I run hab_status in U-Boot, I see the first two warning events are the same, and event 3 I see two changes:
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
In addition, the corrupted image sees this error in events 4 through 8:
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
So I believe something must be right about my image.
So are there fuse settings I need to prevent HAB_UNS_ENGINE and HAB_INV_ASSERTION? Or is something wrong with my signing process?
已解决! 转到解答。
@JohnKlug
Hello,
i.MX 6ULL does not have CAAM, therefore Engine = SW should be applied.
You mentioned about shadow registers for the fuses.
Perhaps it makes sense to burn the SRK.
Regards,
Yuri.
I found a way to get rid of the warning about HAB_UNS_ENGINE.
I removed the following line from my u-boot.csf file:
Engine = CAAM
Note that Engine = CAAM is mentioned in many examples with the i.MX6. How does one know what to do?
That still leaves this error:
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
Looking at the HABV4 doc with 3.3.1 CST, I see the following:
In this case the context is the hab_rvt.assert()API. An assertion event means that one of
the following required areas is not signed as documented in the Operation section for
authenticate_image() API:
• IVT;
• DCD (if provided);
• Boot Data (initial byte - if provided);
• Entry point (initial word).
How do I fix this problem? Why would one of the above not be signed as documented? Is there a bug in the Code Signing Tool?
What is interesting to note is that if I set SEC_CONFIG[1], closed, USB (external) boot works with a corrupted image. So this device does not have enforceable security over external boot?
U-Boot results with corrupted image:
U-Boot 2020.04-5.4.24-2.1.0+g4979a99482 (May 11 9021 - 22:11:57 +0000)
=> hab_status
Secure boot enabled
...
RSN = HAB_INV_SIGNATURE (0x18)
SEC_CONFIG[1] is set:
=> fuse read 0 6
Reading bank 0:
Word 0x00000006: 00000002