bootm command when HAB boot is turned on causes unwanted authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

bootm command when HAB boot is turned on causes unwanted authentication

Jump to solution
1,219 Views
JohnKlug
Senior Contributor I

bootm seems to want to verify my zImage and optee image, and I don't want this, since they are not signed.

I put the kernel, device tree and optee into a static ubifs partition (read-only).  I signed the ubifs partition, and hab_auth_img apparently likes it  (hopefully it will work with hab_aut_img_or_fail after I close the device):

 

=> hab_auth_img_or_fail $loadaddr $filesize 0x4a1c000
hab fuse not enabled

Authenticate image from DDR location 0x80800000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!​


But now when I run bootm, I get a bunch of HAB errors, because none of my individual images are signed.

How can I turn off HAB authentication in bootm?  I suspect if I close the device it will stop booting.

=> bootm ${tee_addr} - ${fdt_addr}
hab fuse not enabled

Authenticate image from DDR location 0x84000000...
bad magic magic=0x1 length=0xcd33 version=0x1
bad length magic=0x1 length=0xcd33 version=0x1
bad version magic=0x1 length=0xcd33 version=0x1
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
Kernel image @ 0x80800000 [ 0x000000 - 0x7b4438 ]
hab fuse not enabled

Authenticate image from DDR location 0x80800000...
bad magic magic=0x7d length=0x25c0 version=0x5c
bad length magic=0x7d length=0x25c0 version=0x5c
bad version magic=0x7d length=0x25c0 version=0x5c
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
## Booting kernel from Legacy Image at 84000000 ...
   Image Name:   
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    333212 Bytes = 325.4 KiB
   Load Address: 84000000
   Entry Point:  84000000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 83000000
   Booting using the fdt blob at 0x83000000
   Loading Kernel Image
   Using Device Tree in place at 83000000, end 83009850
Modify /soc/aips-bus@2000000/tsc@2040000:status disabled
Modify /soc/aips-bus@2100000/pxp@21cc000:status disabled
ft_system_setup for mx6

Starting kernel ...

E/TC:0 0 plat_rng_init:354 Warning: seeding RNG with zeroes
[    0.000000] Booting Linux on physical CPU 0x0​

 

0 Kudos
1 Solution
1,201 Views
JohnKlug
Senior Contributor I

The CPU part is i.MX6 ULL.

The U-Boot is:
https://source.codeaurora.org/external/imx/uboot-imx.git 

rel_imx_5.4.24_2.1.0

This is 2020.04 U-Boot.

It was rather straightforward to remove the authenticate image code from bootm in U-Boot with a patch.  This solved my problem:

#
# In i.MX code they authenticate the U-Boot image and OPTEE.
# Note too that they only support zImage.  This patch
# removes authentication of images during bootm.
# Instead we will use hab_auth_img_or_fail.
# This command is supposed to start a USB boot
# if we fail to boot.
#
diff --git a/cmd/bootm.c b/cmd/bootm.c
index 03ea3b8998..bac2923a11 100644
--- a/cmd/bootm.c
+++ b/cmd/bootm.c
@@ -124,9 +124,6 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	}
 
 #ifdef CONFIG_IMX_HAB
-	extern int authenticate_image(
-			uint32_t ddr_start, uint32_t raw_image_size);
-
 #ifdef CONFIG_IMX_OPTEE
 	ulong tee_addr = 0;
 	int ret;
@@ -140,11 +137,6 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 
 	switch (genimg_get_format((const void *)tee_addr)) {
 	case IMAGE_FORMAT_LEGACY:
-		if (authenticate_image(tee_addr,
-		       image_get_image_size((image_header_t *)tee_addr)) != 0) {
-		       printf("Authenticate uImage Fail, Please check\n");
-		       return 1;
-		}
 		break;
 	default:
 		printf("Not valid image format for Authentication, Please check\n");
@@ -154,22 +146,11 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	ret = bootz_setup(image_load_addr, &zi_start, &zi_end);
 	if (ret != 0)
 		return 1;
-
-	if (authenticate_image(image_load_addr, zi_end - zi_start) != 0) {
-		printf("Authenticate zImage Fail, Please check\n");
-		return 1;
-	}
-
 #else
 
 	switch (genimg_get_format((const void *)image_load_addr)) {
 #if defined(CONFIG_LEGACY_IMAGE_FORMAT)
 	case IMAGE_FORMAT_LEGACY:
-		if (authenticate_image(image_load_addr,
-			image_get_image_size((image_header_t *)image_load_addr)) != 0) {
-			printf("Authenticate uImage Fail, Please check\n");
-			return 1;
-		}
 		break;
 #endif
 #ifdef CONFIG_ANDROID_BOOT_IMAGE

 
Of course my next problem is that USB hangs after the call to hab_auth_img_or_fail, but that is the subject of another post.

View solution in original post

3 Replies
1,200 Views
JohnKlug
Senior Contributor I

One more comment.  By putting rootfs, optee and device tree into a read-only rootfs and signing the whole thing and putting it into a static volume we get the advantage of fewer blocks used on the NAND, and a guard against read-disturb errors, as ubifs will do wear leveling from what I understand. My part has 256K erase blocks, and my NAND will be of minimal size, so this is more space efficient on the NAND as well, because ubifs can allocate space in smaller granules than the erase block size, which is required if we use an MTD partition for the kernel and optee.

0 Kudos
1,202 Views
JohnKlug
Senior Contributor I

The CPU part is i.MX6 ULL.

The U-Boot is:
https://source.codeaurora.org/external/imx/uboot-imx.git 

rel_imx_5.4.24_2.1.0

This is 2020.04 U-Boot.

It was rather straightforward to remove the authenticate image code from bootm in U-Boot with a patch.  This solved my problem:

#
# In i.MX code they authenticate the U-Boot image and OPTEE.
# Note too that they only support zImage.  This patch
# removes authentication of images during bootm.
# Instead we will use hab_auth_img_or_fail.
# This command is supposed to start a USB boot
# if we fail to boot.
#
diff --git a/cmd/bootm.c b/cmd/bootm.c
index 03ea3b8998..bac2923a11 100644
--- a/cmd/bootm.c
+++ b/cmd/bootm.c
@@ -124,9 +124,6 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	}
 
 #ifdef CONFIG_IMX_HAB
-	extern int authenticate_image(
-			uint32_t ddr_start, uint32_t raw_image_size);
-
 #ifdef CONFIG_IMX_OPTEE
 	ulong tee_addr = 0;
 	int ret;
@@ -140,11 +137,6 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 
 	switch (genimg_get_format((const void *)tee_addr)) {
 	case IMAGE_FORMAT_LEGACY:
-		if (authenticate_image(tee_addr,
-		       image_get_image_size((image_header_t *)tee_addr)) != 0) {
-		       printf("Authenticate uImage Fail, Please check\n");
-		       return 1;
-		}
 		break;
 	default:
 		printf("Not valid image format for Authentication, Please check\n");
@@ -154,22 +146,11 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	ret = bootz_setup(image_load_addr, &zi_start, &zi_end);
 	if (ret != 0)
 		return 1;
-
-	if (authenticate_image(image_load_addr, zi_end - zi_start) != 0) {
-		printf("Authenticate zImage Fail, Please check\n");
-		return 1;
-	}
-
 #else
 
 	switch (genimg_get_format((const void *)image_load_addr)) {
 #if defined(CONFIG_LEGACY_IMAGE_FORMAT)
 	case IMAGE_FORMAT_LEGACY:
-		if (authenticate_image(image_load_addr,
-			image_get_image_size((image_header_t *)image_load_addr)) != 0) {
-			printf("Authenticate uImage Fail, Please check\n");
-			return 1;
-		}
 		break;
 #endif
 #ifdef CONFIG_ANDROID_BOOT_IMAGE

 
Of course my next problem is that USB hangs after the call to hab_auth_img_or_fail, but that is the subject of another post.

1,212 Views
Yuri
NXP Employee
NXP Employee

@JohnKlug 
Hello,

   what OS release and what i.MX part is used in the case?

Regards,
Yuri.

0 Kudos