Can we use HAB to decrypt a Linux image from u-boot?
I have an i.MX6DL device with secure boot enabled and I can successfully boot using HAB a signed and encrypted u-boot image. And from that u-boot image, I can then load a signed (but NOT encrypted) app image, use hab_auth_img to authenticate the image, and then launch it.
NOW I want to encrypt that app image and have hab_auth_img authenticate and decrypt it. I have modified the CSF script, made sure to select a new key slot (different than the one I use to auth u-boot) for the app's key, made sure to create a new dek_blob just for the app and append the blob to the app. But when I call the HAB authentication API (which should call run_csf to authenticate, install secret key, and decrypt), I get the following HAB error:
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
0xdb 0x00 0x14 0x41 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x01
0x16 0x00 0x6f 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Note that this is saying the "install secret key" command is an invalid command.
Am I getting HAB_INV_COMMAND because HAB won't allow me to install a secret key via API? Or can I be getting this error because something isn't configured properly in my CSF?
Have you had much luck with this? I am trying to encrypt the Linux image and have uboot decrypt and authenticate it before booting Linux but I'm struggling to find instructions. I've already implemented encrypting and authenticating the uboot image so it is just the Linux image. I'm working on a custom imx6 solo board.
I just finished doing this myself and I know it can be very stressful to find information on encrypted boot, so let me help here.
Since you already did encrypted u-boot you probably are familiar with the CST already (and have it built with encryption support).
Can you share further details about exactly what you are doing and where the issue is? if you share your CSF maybe it will be helpful as well.
Are you getting the same HAB events that Allenivester was getting?
It is nice to hear that you can have uboot to load a kernel image. Would you like to share the the steps? Thanks...
Thanks for the reply, Yuri, but those posts are about getting encrypted boot working for u-boot. I already can boot encrypted u-boot. The problem I have is that I'm trying to have u-boot load a second image from flash that is also encrypted using cst and I want to use the HAB APIs (via ROM vector table) to decrypt and authenticate that other image. This will let me easily and securely extend chain of trust to the app using the same HW security features used for secure boot. I am already signing and authenticating the app image, so I just want to add encryption to the process, similar to what I did with u-boot.
As for encrypted boot issue - it is not considered as public one.
Please create request \ ticket.
Code Signing Tool should be built for encryption mode. Is it so for Your case?
Yes, I built cst for encryption. I am successfully encrypting u-boot and my device successfully decrypts and runs u-boot, so I know the cst tool works at least for IMX images loaded by the i.MX6 ROM Loader. Obviously the cst process is different for signing and encrypting a non-IMX image (the app is a legacy uimage), but the error I get is in loading the secret key, so obviously run_csf is executing which means the IVT is valid, HAB can find the CSF, it authenticates the signed regions, and it executes far enough to get to the private key loading command.
Anyway, I opened a private case. Hopefully I'm not the first one to try this. :-)
please use the following:
Have a great day,
Note: If this post answers your question, please click the Correct Answer
button. Thank you!