- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
Why I am getting these HAB events? Dealing with QSPI FLASH offset.
I am using the following tools:
- Flash tool: uuu (GitHub - NXPmicro/mfgtools: Freescale/NXP I.MX Chip image deploy tools. )
- UBOOT: uboot source code (uboot-imx - i.MX U-Boot )
- CST 3.2.0
- Openssl v1.1.1 September 2018
- Ubuntu 18.04 x64 (kernel 5.0.0)
- NXP iMX6ULEVK_14x14
- Built-in QSPI NOR FLASH 256Mbit
- Connected by USB OTG and USB Serial debug
After generating u-boot.imx with HAB features enabled, the output is as follows:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 638976 Bytes = 624.00 KiB = 0.61 MiB
Load Address: 877ff908
Entry Point: 87800000
HAB Blocks: 877ff8e8 00000000 00097000
DCD Blocks: 00910000 0000002c 000001e8
Therefore, my csf file is:
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"[Authenticate Data]
Verification index = 2
Blocks = 0x877ff8e8 0x0000 0x97000 "u-boot.imx"[Authenticate Data]
Verification index = 2
Blocks = 0x910000 0x2c 0x1e8 "u-boot.imx"
Then, I compile the csf binary:
./cst --o csf-uboot.bin --i csf-uboot
CSF Processed successfully and signed data available in csf-uboot.bin
Afterwards, I concatenate it to the uboot.imx and flash it to the target:
cat u-boot.imx csf-uboot.bin > u-boot-signed.imx
uuu -b qspi u-boot-signed.imx
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.3.63-0-gea1d1ee
Success 0 Failure 0
2:12 1/ 0 [ ]
Success 0 Failure 0
2:12 1/ 8 [ ] FB: ucmd setenv fastboot_buffer ${loadaddr}
Success 0 Failure 0
2:12 1/ 8 [ ] FB: ucmd setenv fastboot_buffer ${loadaddr}
Success 0 Failure 0
2:12 1/ 8 [ ] FB: ucmd setenv fastboot_buffer ${loadaddr}
Success 0 Failure 0
2:12 2/ 8 [ ] FB: download -f u-boot-signed.imx
Success 0 Failure 0
2:12 2/ 8 [ ] FB: download -f u-boot-signed.imx
Success 0 Failure 0
2:12 2/ 8 [ ] FB: download -f u-boot-signed.imx
Success 0 Failure 0
2:12 3/ 8 [ ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0 Failure 0
2:12 3/ 8 [ ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0 Failure 0
2:12 3/ 8 [ ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0 Failure 0
2:12 4/ 8 [ ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0 Failure 0
2:12 4/ 8 [ ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0 Failure 0
2:12 4/ 8 [ ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0 Failure 0
2:12 5/ 8 [ ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;
Success 0 Failure 0
2:12 5/ 8 [ ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;
Success 0 Failure 0
2:12 5/ 8 [ ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;
Success 0 Failure 0
2:12 6/ 8 [ ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0 Failure 0
2:12 6/ 8 [ ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0 Failure 0
2:12 6/ 8 [ ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0 Failure 0
2:12 7/ 8 [ ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0 Failure 0
2:12 7/ 8 [ ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0 Failure 0
2:12 7/ 8 [ ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0 Failure 0
2:12 8/ 8 [ ] FB: done
Success 1 Failure 0
2:12 8/ 8 [Done ] FB: done
Success 1 Failure 0
2:12 8/ 8 [Done ] FB: done
Success 1 Failure 0
2:12 8/ 8 [Done ] FB: done
Then, I change the target Boot Mode, to Internal boot QSPI FLASH, and exectute hab_status:
U-Boot 2018.03-01209-gb9dc0acc7a (Sep 16 2019 - 13:20:31 -0300)
CPU: Freescale i.MX6UL rev1.1 528 MHz (running at 396 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 41C
Reset cause: POR
Model: Freescale i.MX6 UltraLite 14x14 EVK Board
Board: MX6UL 14x14 EVK
DRAM: 512 MiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from SPI Flash... SF: Detected n25q256 with page size 256 Bytes, erase size 64 KiB, total 32 MiB
*** Warning - bad CRC, using default environment
Failed (-5)
Display: TFT43AB (480x272)
Video: 480x272x24
In: serial
Out: serial
Err: serial
Net:
Warning: ethernet@020b4000 using MAC address from ROM
eth1: ethernet@020b4000 [PRIME]
Warning: ethernet@02188000 using MAC address from ROM
, eth0: ethernet@02188000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 2 0
=> hab_status
hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf8 0xe8
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf9 0x14
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf9 0x08
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
=>
Analyzing the HAB Events, this is what I get:
- Event 1: Means either IVT self/entry point is NULL or IVT, DCD, Boot Data, CSF outside image bounds
- Event 2: ADDR: 0x877FF8E8 (ivt self), LENGTH: 0x20 -> HAB_INV_ASSERTION (same error for following events)
- Event 3: ADDR: 0x877FF914 (ivt dcd), LENGTH: 0x1E8
- Event 4: ADDR: 0x877FF908 (ivt boot data), LENGTH: 0x1
- Event 5: ADDR: 0x87800000 (ivt entry), LENGTH: 0x4
Performed Tests:
- QSPI NOR Flash needs an offset of 0x1000. However, if I put that offset in the Authorization Data, it throws the following error:
CSF FILE:Invalid Block arguments, Blocks start offset and length together exceed file size in command AuthenticateData
[Authenticate Data]
Verification index = 2
Blocks = 0x877ff8e8 0x1000 0x97000 "u-boot.imx"
[Authenticate Data]
Verification index = 2
Blocks = 0x910000 0x2c 0x1e8 "u-boot.imx" - If I keep the offset in 0x0 and change the offset of the DCD block, from 0x2c to 0x102c (where it actually is), it compiles but throws HAB events too.
If I follow this point UUU default support protocol list · NXPmicro/mfgtools Wiki · GitHub
(HABv4 closed chip support). I need to change the skip from 12 to 4108 due to the 4096 offset (0x1000) to make it work properly. However, the result is HAB events too.
Further questions:
- Where does the Address of DCD block comes from? (0x910000)
- How should I deal with the 0x1000 offset in order to get right auth?
Important note:
I didn't flash the fuses of SRK table since I didn't want to preset my SoC with that unchangeable fuses. I don't know if that is stricticly needed or the error is happenning despite that.
Fuses are:
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0x96832B1F
0xE12277B4
0x8E497D81
0x7983AB8F
0xFA699F3C
0x8AA5A4E5
0xBC4A85F7
0xC56A7837
Thanks in advance,
Hello,
the first HAB event means "Event 1: Means either IVT self/entry point is NULL or IVT, DCD, Boot Data,
CSF outside image bounds". This issue may take place when using MFG / UUU. Look at Appendix F
(i.MX manufacturing tool) of "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using HABv4"
application note, Rev. 2, 05/2018 for more details.
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Regards,
Yuri.
Hello Yuri,
I tried several things around that, no good results unfortunately.
Please take a look, I am attaching my u-boot.imx compiled before signing.
In my u-boot.imx you can see with hexdump that IVT header starts at
0x1000, since it is aimed for QSPI NOR FLASH
cat u-boot.imx.log |
Image Type: Freescale IMX Boot Image Image Ver: 2 (i.MX53/6/7 compatible) Mode: DCD Data Size: 638976 Bytes = 624.00 KiB = 0.61 MiB Load Address: 877ff908 Entry Point: 87800000 HAB Blocks: 877ff8e8 00000000 00097000 DCD Blocks: 00910000 0000002c 000001e8 |
TEST 1
/(in csf file)/
Verification index = 2 Blocks = 0x877ff8e8 0x0000 0x97000 "u-boot.imx" Verification index = 2 Blocks = 0x910000 0x002c 0x01e8 "u-boot.imx" |
TEST 2
/(in csf file)/
Verification index = 2 # Actual length of file (0x97718) - IVT start offset (0x1000) = 0x96718 Blocks = 0x877ff8e8 0x1000 0x96718 "u-boot.imx" Verification index = 2 Blocks = 0x910000 0x102c 0x01e8 "u-boot.imx" |
TEST 3
/(in csf file)/
Verification index = 2 Blocks = 0x877ff8e8 0x1000 0x96000 "u-boot.imx" Verification index = 2 Blocks = 0x910000 0x102c 0x01e8 "u-boot.imx" |
Edit mod_4_mfgtool.sh to match correct DCD pointer ADDR
#!/bin/bash if | ; then echo You must provide an action and a valid u-boot file as parameters echo Example: $0 clear_dcd_addr u-boot.imx exit 1 fi # DCD address must be cleared for signature, as mfgtool will clear it. if [ "$1" == "clear_dcd_addr" ]; then # store the DCD address dd if=$2 of=dcd_addr.bin bs=1 count=4 skip=4108 # generate a NULL address for the DCD dd if=/dev/zero of=zero.bin bs=1 count=4 # replace the DCD address with the NULL address dd if=zero.bin of=$2 seek=4108 bs=1 conv=notrunc rm zero.bin fi # DCD address must be set for mfgtool to localize the DCD table. if [ "$1" == "set_dcd_addr" ]; then # restore the DCD address with the original address dd if=dcd_addr.bin of=$2 seek=4108 bs=1 conv=notrunc rm dcd_addr.bin fi |
|---|
Steps (same for each test)
./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx ./cst --o csf-uboot.bin --i csf-uboot ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx cat u-boot.imx csf-uboot.bin > u-boot-signed.imx uuu -v -b qspi u-boot-signed.imx |
Serial console output (same for every test)
|HAB Configuration: 0xf0, HAB State: 0x66
Hello,
I've sent You some comments directly.
Have a great day,
Yuri
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
