Use HAB API from u-boot to decrypt Linux image

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use HAB API from u-boot to decrypt Linux image

5,177 Views
allenivester
Contributor III

Can we use HAB to decrypt a Linux image from u-boot?

More specifically:

I have an i.MX6DL device with secure boot enabled and I can successfully boot using HAB a signed and encrypted u-boot image.  And from that u-boot image, I can then load a signed (but NOT encrypted) app image, use hab_auth_img to authenticate the image, and then launch it.

NOW I want to encrypt that app image and have hab_auth_img authenticate and decrypt it.  I have modified the CSF script, made sure to select a new key slot (different than the one I use to auth u-boot) for the app's key, made sure to create a new dek_blob just for the app and append the blob to the app.  But when I call the HAB authentication API (which should call run_csf to authenticate, install secret key, and decrypt), I get the following HAB error:

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x01
0x16 0x00 0x6f 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Note that this is saying the "install secret key" command is an invalid command.

Am I getting HAB_INV_COMMAND because HAB won't allow me to install a secret key via API?  Or can I be getting this error because something isn't configured properly in my CSF?

Tags (1)
0 Kudos
9 Replies

3,395 Views
danielberhe
Contributor IV

Hi Allenivester,

Have you had much luck with this? I am trying to encrypt the Linux image and have uboot decrypt and authenticate it before booting Linux but I'm struggling to find instructions. I've already implemented encrypting and authenticating the uboot image so it is just the Linux image. I'm working on a custom imx6 solo board.

0 Kudos

3,386 Views
noorahmadshinwa
Contributor III

Hi Daniel.

I just finished doing this myself and I know it can be very stressful to find information on encrypted boot, so let me help here.

Since you already did encrypted u-boot you probably are familiar with the CST already (and have it built with encryption support).

Can you share further details about exactly what you are doing and where the issue is? if you share your CSF maybe it will be helpful as well.

Are you getting the same HAB events that Allenivester was getting?

0 Kudos

2,524 Views
yanghongsing1
Contributor III

Dear Noorahmadshinwa,

It is nice to hear that you can have uboot to load a kernel image. Would you like to share the the steps? Thanks...

0 Kudos

3,485 Views
allenivester
Contributor III

Thanks for the reply, Yuri, but those posts are about getting encrypted boot working for u-boot. I already can boot encrypted u-boot. The problem I have is that I'm trying to have u-boot load a second image from flash that is also encrypted using cst and I want to use the HAB APIs (via ROM vector table) to decrypt and authenticate that other image. This will let me easily and securely extend chain of trust to the app using the same HW security features used for secure boot. I am already signing and authenticating the app image, so I just want to add encryption to the process, similar to what I did with u-boot. 

0 Kudos

3,485 Views
Yuri
NXP Employee
NXP Employee

  As for encrypted boot issue - it is not considered as public one.

Please create request \ ticket.

 Support|NXP 

0 Kudos

3,485 Views
Yuri
NXP Employee
NXP Employee

The following may be helpful:

High Assurance Boot (HAB) for dummies - Boundary Devices 

~Yuri.

0 Kudos

3,485 Views
Yuri
NXP Employee
NXP Employee

Hello,

Code Signing Tool should be built for encryption mode. Is it so for Your case?

Regards,

Yuri.

0 Kudos

3,485 Views
allenivester
Contributor III

Yes, I built cst for encryption.  I am successfully encrypting u-boot and my device successfully decrypts and runs u-boot, so I know the cst tool works at least for IMX images loaded by the i.MX6 ROM Loader.  Obviously the cst process is different for signing and encrypting a non-IMX image (the app is a legacy uimage), but the error I get is in loading the secret key, so obviously run_csf is executing which means the IVT is valid, HAB can find the CSF, it authenticates the signed regions, and it executes far enough to get to the private key loading command.

Anyway, I opened a private case.  Hopefully I'm not the first one to try this.  :-)

0 Kudos

3,485 Views
Yuri
NXP Employee
NXP Employee

 

Hello,

 

 please use the following:

Encrypted U-boot Example 

 

https://community.nxp.com/docs/DOC-330622 

Have a great day,

Yuri

 

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

0 Kudos