Using `dek_blob` command in i.MX6UL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using `dek_blob` command in i.MX6UL

3,603 Views
jdepedro
Contributor IV


I am trying to use the dek_command in the i.MX6UL, but I am getting some errors:

=> dek_blob 0x80800000 0x80801000 80

RNG: Instantiation failed with error ffffffff

RNG: Instantiation failed with error ffffffff

RNG: Instantiation failed with error ffffffff

RNG: Instantiation failed with error fffffffd

RNG: Failed to instantiate RNG

RNG instantiation failed

Encapsulating provided DEK to form blob

Allocation of page 0 in partition 1 failed 0x1

=>

I add the following U-Boot configuration options:

#define CONFIG_SYS_FSL_SEC-COMPAT 4

#define CONFIG_FSL_CAAM

#define CONFIG_CMD_DEKBLOB

#define CONFIG_SYS_FSL_SEC_LE

Is the configuration correct? How could I debug/fix those errors?

Labels (1)
Tags (2)
0 Kudos
19 Replies

2,387 Views
jdepedro
Contributor IV

I cannot help you further then, maybe you are using a different i.MX6UL (I am usnig i.MX6UL-2). You should probably open a Service Request with NXP, as they don't usually discuss this security related topics on the community forums.

0 Kudos

2,387 Views
jiriluznicky
Contributor III

I finally made it to work. The core of the problem was function sec_init(). Which is re-entrant unless it fails. And it fails if it has caches on. And if you forget this function in your board init from time, when you were trying to get hw accelerated hashing function to work, then you're doomed.

0 Kudos

2,387 Views
jdepedro
Contributor IV

I though you were using the NXP branch of U-Boot  (which does not use hw accelerated hashing functions).

Glad to hear it is working now.

0 Kudos

2,387 Views
jiriluznicky
Contributor III

FYI: In upstream U-Boot there is badly defined CAAM_BASE_ADDR in /arch/arm/include/asm/arch-mx6/imx-regs.h. It's fixed in imx-2015.04 branch with MLK-10808-3 commit. But never merged into upstream.

0 Kudos

2,387 Views
Yuri
NXP Employee
NXP Employee

Hello,

IMX6 should be booted using the signed U-boot.

Also, please look at the following

Encrypted boot loader on SabreSD i.MX6q board

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos

2,387 Views
jdepedro
Contributor IV

Hi Yuri,

thanks for your answer. I am already using a signed U-Boot image. Can you comment on the configuration for the header? Specifically should I use

#define CONFIG_SYS_FSL_SEC_LE

or

#define CONFIG_SYS_FSL_SEC_BE?

Also, I have this working on the i.MX6Q. So I expect this to some specific configuration for the i.MX6UL. The only thing I can think is the HAB version, which is 4.1.2 in i.MX6UL. Not sure if this would somehow affect to the dek_blob command.

0 Kudos

2,387 Views
robertlubas
Contributor II

Hello,

I have singed u-boot with no hab_events and with #define CONFIG_SYS_FSL_SEC_LE. I'm getting the same errors in dek_blob.

Do you have anything new?

Regards,

Robert

0 Kudos

2,387 Views
jiriluznicky
Contributor III

Hello,

do you have any progress on this?

Regards,

Jiri

0 Kudos

2,387 Views
jdepedro
Contributor IV

Yes, to make it work you need to fix two problems:

  • The secure memory register map is not correctly defined. I cannot provide the details as they come from the i.MX6UL Security Reference Manual, which is a document under NDA. I think you have to contact your local NXP FAE to get that.
  • The memory invalidation ranges are not correct, which leads to problems when using caches and DMA for the CAAM. As a workaround, you can just disable the intruction and data caches during DEK blob generation.

I hope that helps.

2,387 Views
jiriluznicky
Contributor III

Ok, my happiness was a bit premature. I did both steps (I expect both are described also in https://community.nxp.com/thread/395507#comment-819340). And I got the same error.

So, I still have not burned SEC_CONFIG fuse, but I expect fake key is used in that case to encrypt DEK.

2,387 Views
jdepedro
Contributor IV

Not having the SEC_CONFIG fuse burned is not a problem, as you expect, the test key is used instead of the OTPMK, but the dek blob command should still work. 

Are you sure that the caches are disabled and that you have applied the patch for the registers? Provide the output with debug enabled and I may be able to help you.

0 Kudos

2,387 Views
jiriluznicky
Contributor III

So,

I followed Encrypted boot loader on SabreSD i.MX6q board  with little difference related to MX6UL and also took https://community.nxp.com/thread/395507#comment into account. The last difference is that we use U-Boot 2016.05 instead of U-Boot 2016.03 used in 1st link above. Thus I reverted commit f91e65a74eff93d5187a3b27e1badd80c2a35fed (imx: Refactoring CAAM Job Ring structure and Secure Memory for imx7) and used patch from 2nd link.

After enabling a little debugging in CAAM i got:

==> mw.b 0x83701000 0xff 0x1000
==> dek_blob 0x83700000 0x83701000 128

Encapsulating provided DEK to form blob
Allocation of page 0 in partition 1 failed 0x1
Error in Job Descriptor Construction: 1
Error in Encapsulation 1
==> md.b 0x83701000 0x48
83701000: 81 00 48 41 66 55 10 00 00 00 00 00 00 00 00 00 ..HAfU..........
83701010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
83701020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
83701030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
83701040: 00 00 00 00 00 00 00 00

And that is dead end for me.

0 Kudos

2,387 Views
jdepedro
Contributor IV

The i.MX6Q uses a different Secure Memory version than the i.MX6UL.

I would recommend to test in the NXP release of U-Boot 2015.04 applying the patch and disabling the caches. Verify that it works then and then check the differences (or git bisect).

0 Kudos

2,387 Views
jiriluznicky
Contributor III

Hello,

I get back to 2015.04, where is fortunately a bit easier to get debug outputs. So our problem is also with RNG.

01: operation
02: jump
03: load_imm_u32
05: operation
Error in SEC deq
RNG: Instantiation failed with error ffffffff
01: operation
02: jump
03: load_imm_u32
05: operation
Error in SEC deq
RNG: Instantiation failed with error ffffffff
01: operation
02: jump
03: load_imm_u32
05: operation
Error in SEC deq
RNG: Instantiation failed with error ffffffff
01: operation
02: jump
03: load_imm_u32
05: operation
Error in SEC enq
RNG: Instantiation failed with error fffffffd
RNG: Failed to instantiate RNG
RNG instantiation failed

0 Kudos

2,387 Views
jdepedro
Contributor IV

Are you completely sure that you applied the register map patch and recompiled and reflashed properly? Those are the exact same error messages that you would get without the patch applied.

0 Kudos

2,387 Views
jiriluznicky
Contributor III

I rather rechecked it. I got this RNG error despite the patch is applied or not.

0 Kudos

2,387 Views
jiriluznicky
Contributor III

I'm not absolutely sure about caches, but I expect dcache off and icache off commands to work in U-Boot. Providing debug output will be a bit problematic as we're using U-Boot 2016.05 instead of the older one from FSL.

Furthermore I tried whether at least hw accelerated hash functions works and they don't. So there are two options. CAAM is broken in upstream U-Boot, or (the more probable) I have some serious mistake in my board configuration. So I'll have to spend some time investigating and I'll eventually let you know.

0 Kudos

2,387 Views
jdepedro
Contributor IV

Could you provide a way to contact you? I have tried some things by myself and have some progress, but not working yet.

0 Kudos

2,387 Views
Yuri
NXP Employee
NXP Employee

Hello,

basically U-boot options for i.MX6 UL are the same as for other devices of i.MX6 series.

  perhaps the following helps.

Encrypted U-boot Example

Regards,

Yuri.

0 Kudos