Why I am getting these HAB events? Dealing with QSPI FLASH offset.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why I am getting these HAB events? Dealing with QSPI FLASH offset.

1,814 Views
gbassi1
Contributor II

I am using the following tools:

After generating u-boot.imx with HAB features enabled, the output is as follows:

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    638976 Bytes = 624.00 KiB = 0.61 MiB
Load Address: 877ff908
Entry Point:  87800000
HAB Blocks:   877ff8e8 00000000 00097000
DCD Blocks:   00910000 0000002c 000001e8

Therefore, my csf file is:

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff8e8    0x0000    0x97000    "u-boot.imx"

[Authenticate Data]
Verification index = 2
Blocks = 0x910000    0x2c    0x1e8    "u-boot.imx"

Then, I compile the csf binary:

./cst --o csf-uboot.bin --i csf-uboot
CSF Processed successfully and signed data available in csf-uboot.bin

Afterwards, I concatenate it to the uboot.imx and flash it to the target:

cat u-boot.imx csf-uboot.bin > u-boot-signed.imx

uuu -b qspi u-boot-signed.imx   
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.3.63-0-gea1d1ee

Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     1/ 0 [                                      ]                                                                                               
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     1/ 8 [                                      ] FB: ucmd setenv fastboot_buffer ${loadaddr}                                                   
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     1/ 8 [                                      ] FB: ucmd setenv fastboot_buffer ${loadaddr}                                                   
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     1/ 8 [                                      ] FB: ucmd setenv fastboot_buffer ${loadaddr}                                                   
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     2/ 8 [                                      ] FB: download -f u-boot-signed.imx                                                             
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     2/ 8 [                                      ] FB: download -f u-boot-signed.imx                                                             
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     2/ 8 [                                      ] FB: download -f u-boot-signed.imx                                                             
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     3/ 8 [                                      ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     3/ 8 [                                      ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     3/ 8 [                                      ] FB: ucmd if qspihdr dump ${fastboot_buffer}; then setenv qspihdr_exist yes; else setenv qspihd
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     4/ 8 [                                      ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     4/ 8 [                                      ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     4/ 8 [                                      ] FB[-t 60000]: ucmd if test ${qspihdr_exist} = yes; then qspihdr init ${fastboot_buffer} ${fast
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     5/ 8 [                                      ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;                         
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     5/ 8 [                                      ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;                         
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     5/ 8 [                                      ] FB: ucmd if test ${qspihdr_exist} = no; then sf probe; else true; fi;                         
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     6/ 8 [                                      ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     6/ 8 [                                      ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     6/ 8 [                                      ] FB[-t 40000]: ucmd if test ${qspihdr_exist} = no; then sf erase 0 +${fastboot_bytes}; else tru
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     7/ 8 [                                      ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     7/ 8 [                                      ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     7/ 8 [                                      ] FB[-t 20000]: ucmd if test ${qspihdr_exist} = no; then sf write ${fastboot_buffer} 0 ${fastboo
Success 0    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     8/ 8 [                                      ] FB: done                                                                                      
Success 1    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     8/ 8 [Done                                  ] FB: done                                                                                      
Success 1    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     8/ 8 [Done                                  ] FB: done                                                                                      
Success 1    Failure 0                                                                                                                              
                                                                                                                                                     
2:12     8/ 8 [Done                                  ] FB: done  

Then, I change the target Boot Mode, to Internal boot QSPI FLASH, and exectute hab_status:

U-Boot 2018.03-01209-gb9dc0acc7a (Sep 16 2019 - 13:20:31 -0300)

CPU:   Freescale i.MX6UL rev1.1 528 MHz (running at 396 MHz)
CPU:   Industrial temperature grade (-40C to 105C) at 41C
Reset cause: POR
Model: Freescale i.MX6 UltraLite 14x14 EVK Board
Board: MX6UL 14x14 EVK
DRAM:  512 MiB
MMC:   FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from SPI Flash... SF: Detected n25q256 with page size 256 Bytes, erase size 64 KiB, total 32 MiB
*** Warning - bad CRC, using default environment

Failed (-5)
Display: TFT43AB (480x272)
Video: 480x272x24
In:    serial
Out:   serial
Err:   serial
Net:
Warning: ethernet@020b4000 using MAC address from ROM
eth1: ethernet@020b4000 [PRIME]
Warning: ethernet@02188000 using MAC address from ROM
, eth0: ethernet@02188000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot:  2                                                                  0
=> hab_status
hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf8 0xe8
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf9 0x14
        0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf9 0x08
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

=>

Analyzing the HAB Events, this is what I get:

  • Event 1: Means either IVT self/entry point is NULL or IVT, DCD, Boot Data, CSF outside image bounds
  • Event 2: ADDR: 0x877FF8E8 (ivt self), LENGTH: 0x20 -> HAB_INV_ASSERTION (same error for following events)
  • Event 3: ADDR: 0x877FF914 (ivt dcd), LENGTH: 0x1E8
  • Event 4: ADDR: 0x877FF908 (ivt boot data), LENGTH: 0x1
  • Event 5: ADDR: 0x87800000 (ivt entry), LENGTH: 0x4

Performed Tests:

  1. QSPI NOR Flash needs an offset of 0x1000. However, if I put that offset in the Authorization Data, it throws the following error:

    Invalid Block arguments, Blocks start offset and length together exceed file size in command AuthenticateData

    CSF FILE:

    [Authenticate Data]
    Verification index = 2
    Blocks = 0x877ff8e8    0x1000    0x97000    "u-boot.imx"

    [Authenticate Data]
    Verification index = 2
    Blocks = 0x910000    0x2c    0x1e8    "u-boot.imx"

  2. If I keep the offset in 0x0 and change the offset of the DCD block, from 0x2c to 0x102c (where it actually is), it compiles but throws HAB events too.
  3. If I follow this point UUU default support protocol list · NXPmicro/mfgtools Wiki · GitHub
    (HABv4 closed chip support). I need to change the skip from 12 to 4108 due to the 4096 offset (0x1000) to make it work properly. However, the result is HAB events too.

Further questions:

  1. Where does the Address of DCD block comes from? (0x910000)
  2. How should I deal with the 0x1000 offset in order to get right auth?

Important note:

I didn't flash the fuses of SRK table since I didn't want to preset my SoC with that unchangeable fuses. I don't know if that is stricticly needed or the error is happenning despite that.

Fuses are:

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0x96832B1F
0xE12277B4
0x8E497D81
0x7983AB8F
0xFA699F3C
0x8AA5A4E5
0xBC4A85F7
0xC56A7837

Thanks in advance,

Labels (1)
Tags (4)
0 Kudos
5 Replies

1,532 Views
Yuri
NXP Employee
NXP Employee

Hello,

  the first HAB event means "Event 1: Means either IVT self/entry point is NULL or IVT, DCD, Boot Data,

CSF outside image bounds".  This issue may take place when using MFG / UUU. Look at Appendix F
(i.MX manufacturing tool) of "Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using HABv4"

application note, Rev. 2, 05/2018 for more details.

https://www.nxp.com/docs/en/application-note/AN4581.pdf 

Regards,

Yuri.

0 Kudos

1,532 Views
gbassi1
Contributor II

Hello Yuri,

I tried several things around that, no good results unfortunately.

Please take a look, I am attaching my u-boot.imx compiled before signing.

In my u-boot.imx you can see with hexdump that IVT header starts at

0x1000, since it is aimed for QSPI NOR FLASH

cat u-boot.imx.log

Image Type: Freescale IMX Boot Image Image Ver: 2 (i.MX53/6/7

compatible) Mode: DCD Data Size: 638976 Bytes = 624.00 KiB = 0.61 MiB

Load Address: 877ff908 Entry Point: 87800000 HAB Blocks: 877ff8e8

00000000 00097000 DCD Blocks: 00910000 0000002c 000001e8

TEST 1

/(in csf file)/

Verification index = 2 Blocks = 0x877ff8e8 0x0000

0x97000 "u-boot.imx" Verification index = 2 Blocks =

0x910000 0x002c 0x01e8 "u-boot.imx"

TEST 2

/(in csf file)/

Verification index = 2 # Actual length of file

(0x97718) - IVT start offset (0x1000) = 0x96718 Blocks = 0x877ff8e8

0x1000 0x96718 "u-boot.imx" Verification index = 2

Blocks = 0x910000 0x102c 0x01e8 "u-boot.imx"

TEST 3

/(in csf file)/

Verification index = 2 Blocks = 0x877ff8e8 0x1000

0x96000 "u-boot.imx" Verification index = 2 Blocks =

0x910000 0x102c 0x01e8 "u-boot.imx"

Edit mod_4_mfgtool.sh to match correct DCD pointer ADDR

#!/bin/bash if

; then echo You must provide

an action and a valid u-boot file as parameters echo Example: $0

clear_dcd_addr u-boot.imx exit 1 fi # DCD address must be cleared for

signature, as mfgtool will clear it. if [ "$1" == "clear_dcd_addr" ];

then # store the DCD address dd if=$2 of=dcd_addr.bin bs=1 count=4

skip=4108 # generate a NULL address for the DCD dd if=/dev/zero

of=zero.bin bs=1 count=4 # replace the DCD address with the NULL address

dd if=zero.bin of=$2 seek=4108 bs=1 conv=notrunc rm zero.bin fi # DCD

address must be set for mfgtool to localize the DCD table. if [ "$1" ==

"set_dcd_addr" ]; then # restore the DCD address with the original

address dd if=dcd_addr.bin of=$2 seek=4108 bs=1 conv=notrunc rm

dcd_addr.bin fi

Steps (same for each test)

./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx ./cst --o csf-uboot.bin

--i csf-uboot ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx cat u-boot.imx

csf-uboot.bin > u-boot-signed.imx uuu -v -b qspi u-boot-signed.imx

Serial console output (same for every test)

|HAB Configuration: 0xf0, HAB State: 0x66

0 Kudos

1,533 Views
gbassi1
Contributor II

Hello, we need an update on this.

0 Kudos

1,533 Views
Yuri
NXP Employee
NXP Employee

Hello,

 

  I've sent You some comments directly.

 

Have a great day,

Yuri

 

 

-------------------------------------------------------------------------------

Note:

- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored

 

Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

0 Kudos

1,533 Views
gbassi1
Contributor II

I tried burning fuses and same result :smileysad:

0 Kudos