[URGENT] What prints could possibly come when HAB closed mode is triggered?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[URGENT] What prints could possibly come when HAB closed mode is triggered?

685 Views
ajithpv
Contributor V

Hi all,

As part of my current task, I have enabled HAB(OPEN mode) and make my images signed. I have followed the below document.

1) i.MX 6 Linux High Assurance Boot (HAB) User's Guide, Rev L3.10.17_1.0.0-ga, 05/2014

NOTE: The steps and reference that I have followed is mentioned earlier in the following thread.

Need to know how to implement HAB with Yocto BSP (Kernel 3.10.17)

I have followed all the steps that are given in the document till 18th step and in 18th step, I fused the SRK values. I didn't perform OTPMK, RNG_TRIM and SEC_CONFIG settings here.

In OPEN mode configuration I can able to get the below prints while booting.

HAB Configuration: 0xf0, HAB State: 0x66

No HAB Events Found!

Once, I got the above message (this means no error), I started proceeding with the further pending steps in 18th. Since, OTPMK is factory burned, I didn't do this one.

I have Turn on RNG_TRIM by echo 0x00040000 > HW_OCOTP_MEM0 and Put SEC_CONFIG to close (turn on chip security) by echo 0x2 > HW_OCOTP_CFG5.

After that, when I reboot my system, nothing(no prints) is coming on the console! As from the document if something happened, then HAB events should come. Then why I'm not getting nothing on the console (is my processor bricked)? According to the document, these 2 steps can be done once we get "No HAB Events Found!" message in OPEN mode.

Could anyone help me to understand what exactly happened here from OPEN mode working case to CLOSE mode non working?

Thank you in advance,
Ajith P V

0 Kudos
2 Replies

437 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The print messages are provided by U-boot ; it is running

in open configuration. In closed one, if some security check

has not been passed U-boot does not start and there are no

messages.  Please take a look at section 7.1 (SRK Authentication

for i.MX 6 Series in Open Configuration) of the app note AN4581.

It makes sense to check the fuses.

AN4581 "Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4".

http://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos

437 Views
ajithpv
Contributor V

Hi,

Thank you for your response. I have gone through the AN4581 document.

According to the AN4581 :

“However, for i.MX 6 Series in Open configuration, the HAB always skips the verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.”

Whether this statement means that, even though "no HAB event" came in open configuration, I couldn't able to confirm it is OK?

How should I make sure everything is perfect in Open configuration and can go to close configuration then?

How I can check the SRK fuses? Using "ls | grep "SRK.$" | xargs cat  " command?

I would like to tell you that, I already perform close mode and now what I can do on that?

Thank you in advance,

Ajith P V

0 Kudos