Hello,
I am trying to authenticate an encrypted image with 'hab_auth_image'.
This is working perfectly when I have the IVT in memory behind the encrypted binary. Now I want to have it at offset 0, so I don't need to change anything in the u-boot configuration when the image changes.
Is this generally possible?
My csf:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/done/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "/done/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "/done/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x12000000 0 0x20 "zImage_ivt"
[Install Secret Key]
Verification index = 0
Target index = 0
Key = "./zImage_dek.bin"
Key Length = 128
Blob address = 0x12671000
[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 0x12001000 0x1000 0x0066d930 "zImage_ivt"
Layout of my encrypted image:
Offset 0: IVT
0000 0000: D1 00 20 41 00 10 00 12 00 00 00 00 00 00 00 00 .. A.... ........
0000 0010: 00 00 00 00 00 00 00 12 00 F0 66 12 00 00 00 00 ........ ..f.....
Offset 0x1000: encrypted binary
Offset 0x66f000: signature
0066 F000: D4 00 70 41 BE 00 0C 00 03 17 00 00 00 00 00 70 ..pA.... .......p
0066 F010: BE 00 0C 02 09 00 00 01 00 00 08 B0 CA 00 0C 00 ........ ........
...
Offset 0x671000: keyblob
0067 1000: 81 00 48 41 66 55 10 00 C8 D7 50 C7 A1 01 8E 3D ..HAfU.. ..P....=
0067 1010: 8A DA C1 87 E0 A7 D2 B8 32 88 C7 1C E3 C1 3B F2 ........ 2.....;.
0067 1020: FA 6F 4A 4B 97 76 EB D1 23 AC 4E 01 69 88 A0 6F .oJK.v.. #.N.i..o
0067 1030: C5 A0 CC 52 42 B7 04 1B 34 78 2A 61 29 D9 79 5D ...RB... 4x*a).y]
0067 1040: 14 38 F2 A7 B5 E6 65 4D .8....eM
0067 1050:
When I try to authenticate the image I get:
=> ext4load usb 0:1 0x12000000 zImage_encblob
6754376 bytes read in 271 ms (23.8 MiB/s)
=> hab_auth_img 0x12000000 0
Authenticate image from DDR location 0x12000000...
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
Is there any need for a new DCD when I have the IVT before the encrypted image?
I have no problems with the other layout, so it can't be a problem of keys or hardware configuration.
My device is closed and the u-boot is signed correctly.
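The IVT hexdump and CSF block lists above can be cross-checked offline before loading the image on the target. The following is an added example, not part of the original post: it decodes the 32-byte IVT using the field layout of U-Boot's `struct ivt` and compares its pointers with the load address, file size and block entries quoted in the post. The checks are basic consistency tests chosen for this layout (including the assumption that the key blob follows the CSF, as it does here); they do not reproduce HAB's own address validation.

```python
import struct

# Constructed from the post: IVT hexdump at file offset 0, CSF block lists,
# load address and file size from the ext4load output.
IVT_RAW = bytes.fromhex("d1002041 00100012 00000000 00000000"
                        "00000000 00000012 00f06612 00000000")
LOAD_ADDR, FILE_SIZE = 0x12000000, 6754376
BLOCKS = [(0x12000000, 0x0, 0x20),            # [Authenticate Data]
          (0x12001000, 0x1000, 0x0066D930)]   # [Decrypt Data]
BLOB_ADDR = 0x12671000                        # [Install Secret Key]

FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(raw):
    """Decode a 32-byte HAB4 IVT: big-endian header, little-endian pointers."""
    if len(raw) < 32:
        raise ValueError("IVT needs 32 bytes")
    tag, length, version = struct.unpack_from(">BHB", raw, 0)
    ivt = dict(zip(FIELDS, struct.unpack_from("<7I", raw, 4)))
    ivt.update(tag=tag, length=length, version=version)
    return ivt

def check_layout(ivt, load_addr, ivt_offset, file_size, blocks, blob_addr):
    """Return a list of inconsistencies between IVT, CSF blocks and the file."""
    findings = []
    if (ivt["tag"], ivt["length"]) != (0xD1, 0x20):
        findings.append("IVT header tag/length is not D1/0x20")
    if ivt["self"] != load_addr + ivt_offset:
        findings.append("IVT self pointer != load address + IVT offset")
    csf_off = ivt["csf"] - load_addr
    if not 0 < csf_off < file_size:
        findings.append("CSF pointer is outside the loaded file")
    # Assumption: key blob sits after the CSF, as in the post's layout.
    if not csf_off < blob_addr - load_addr < file_size:
        findings.append("key blob is not after the CSF inside the file")
    for addr, off, size in blocks:
        if addr != load_addr + off:
            findings.append(f"block {addr:#x}: address does not match offset")
        if off + size > csf_off:
            findings.append(f"block {addr:#x}: runs into the CSF")
    if not any(a <= ivt["entry"] < a + s for a, _, s in blocks):
        findings.append("entry point is not inside a covered block")
    return findings

if __name__ == "__main__":
    ivt = parse_ivt(IVT_RAW)
    print({k: hex(v) for k, v in ivt.items()})
    print(check_layout(ivt, LOAD_ADDR, 0, FILE_SIZE, BLOCKS, BLOB_ADDR) or "consistent")
```

The second argument to `check_layout` after the load address is the IVT offset, the same value passed as the second argument of `hab_auth_img` in the post.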
Hello,
You may look at Figure 1 (Typical memory layout of a signed image) of app note AN4581, Rev. 1, 10/2015.
All shown data structures, from the free region (partition table, for instance) to the
Command Sequence File (commands + SRK table + signatures + certificates),
must be signed with a digital signature. Image Vector Table has 0x400 offset.
As for encrypted boot: sorry, but this information is treated as confidential info at this time
and requires a signed NDA (Non-Disclosure Agreement). We cannot discuss this with you in public anyway;
this needs to be handled as a Service Request (SR). Be aware that to give you remote support through an SR,
we will still need the confirmation that the NDA is in place.
Have a great day,
Yuri