ahab_status error from imx93 secure boot

4,003 Views
Jacky-Cheng
Contributor II

Hi, professionals!

I'm doing the secure boot on imx93. I use Yocto with the meta-nxp-security-reference-design/meta-secure-boot meta layer, which supports i.MX boot image signing automation to compile the signed uboot and kernel container.

The first time, I referred to the ahab document and generated the ecc sha384 keys, and got the signed uboot and kernel container. I flashed it to the first board and ran ahab_status, and it succeeded.

The second time, I generated the rsa-2048 sha256 keys, and every other step was the same as the first time. I flashed the signed uboot and kernel to the second board and ran ahab_status. It failed and showed:

0x0287f7d6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_CONTAINER_FAILURE_IND (0xF7)
STA = ELE_SUCCESS_IND (0xD6)

I'm really confused about why it can't work with the rsa keys, and what does the failure indication mean? I think the imx93 and ahab support both ECC and RSA, and I really followed the same steps; just the key types are different.

I am very eager to get your support and help! Thanks in advance!

0 Kudos
1 Solution
3,875 Views
Jacky-Cheng
Contributor II

This issue has been resolved. As the IMX93 Reference Manual says, it supports rsa-pss and ecc keys, but not rsa keys, so it is clear that imx93 doesn't support rsa type keys.

8 Replies
2,918 Views
brati_7
Contributor I

Hi @Jacky-Cheng, actually I am also using imx93 with Yocto and I want a secure boot i.MX 93 signed and encrypted AHAB image, but as I am totally new to this I was unable to do it after many attempts. What I did was add the layer to my source, and then I am confused about how the keys are generated, what conf I need to add in local.conf, and so on. Can you please help me with this and provide the steps?


Thanks & regards 
Brati

0 Kudos
3,876 Views
Jacky-Cheng
Contributor II

This issue has been resolved. As the IMX93 Reference Manual says, it supports rsa-pss and ecc keys, but not rsa keys, so it is clear that imx93 doesn't support rsa type keys.

2,127 Views
Migli0
Contributor III

I ended up with the same errors as Jacky-Cheng...
Where is this statement located? I could not find it in the IMX93RM and SRM.
Are you referring to the table 4 in UG10106?

0 Kudos
3,848 Views
Harvey021
NXP TechSupport

That is correct, no RSA with ele device.

0 Kudos
2,856 Views
brati_7
Contributor I

Hi @Harvey021, I have compiled the image including meta-secure-boot by following the document, but previously I was using "core-image-selinux-imx93-11x11-lpddr4x-curiosity.rootfs.wic.zst" to flash. Now can you please tell me which images I can use to flash, and how I can flash them?

Thank you in advance
Brati

0 Kudos
3,972 Views
Harvey021
NXP TechSupport

Hi,

Probably the cause is something like "By default, the NXP CST Signer Tool uses standard keys of type ECC P256-SHA256 for i.MX 8/8x/8ULP/9 Family", as stated in "10.9.2 Prerequisites for preparing a signed image".

Regards

Harvey

0 Kudos
3,962 Views
Jacky-Cheng
Contributor II
Hi Harvey, thanks for your reply first! But it just said "by default"; it did not explicitly state that other key types can't be used. So I wonder, can the RSA key type work? And if not, what's the reason? Thanks again!
0 Kudos
3,947 Views
Harvey021
NXP TechSupport

Hi

AHAB should support RSA keys. Having checked the whole statement in the section "10.9.2 Prerequisites for preparing a signed image", my understanding is that the Signer Tool, by default, will use ECC type keys for the i.MX93 device for signing. Sorry, I am not able to run a test for now.

Can you run a test on your side using RSA keys? As stated here: “Note: (Optional) Create and populate csf_hab4.cfg and/or csf_ahab.cfg with the preferred key type at the CST location to use your preferred PKI tree. The default configuration files are located at the CST Signer work directory in Yocto build.”

Regards

Harvey

0 Kudos