hab_auth_img problem

antonio_santagi
Contributor IV

Hello,

I am using imx8mm-evk.

I am trying to sign a Kernel image and verify its signature from u-boot with command hab_auth_img.

I followed the instructions at mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot, chapter 2.

I am not sure I correctly interpreted what that page calls "load Address" in the genIVT.pl script. Does it mean the Image load address or the IVT load address?

I filled it in with my image load address. So my genIVT.pl is now:

#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # Signature
print $out pack("V", 0x40480000); # Load Address (*load_address)
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x41AF6000); # Self Pointer (*ivt)
print $out pack("V", 0x41AF6020); # CSF Pointer (*csf)
print $out pack("V", 0x0); # Reserved
close($out);

I set the self pointer to 0x41AF6000 because I calculated it as Load Address + Image size after padding (0x01676000).

+32 bit and I also get the CSF pointer.

Is this interpretation correct?

 

Now I have the csf_additional.txt:

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks =
0x40480000 0x00000000 0x01676000 "Image-imx8mmevk_pad_ivt.bin"

Is this correct? I put the length of the file excluding the IVT table but including padding. Or should I put the length including ivt.bin (the length of the full Image-imx8mmevk_pad_ivt.bin file) here? Or excluding both IVT and padding?

 

Then, at the u-boot prompt:

 

 u-boot=> fatload mmc 1:1 0x40480000 Image-imx8mmevk_signed.bin

23555936 bytes read in 275 ms (81.7 MiB/s)

u-boot=> hab_auth_img 0x40480000 0x1676000 0x41AF6000 

hab fuse not enabled

 

Authenticate image from DDR location 0x40480000...

bad magic magic=0x0 length=0x00 version=0x0

bad length magic=0x0 length=0x00 version=0x0

bad version magic=0x0 length=0x00 version=0x0

Error: Invalid IVT structure

 

Allowed IVT structure:

IVT HDR       = 0x4X2000D1

IVT ENTRY     = 0xXXXXXXXX

IVT RSV1      = 0x0

IVT DCD       = 0x0

IVT BOOT_DATA = 0xXXXXXXXX

IVT SELF      = 0xXXXXXXXX

IVT CSF       = 0xXXXXXXXX

IVT RSV2      = 0x0

I also tried with

u-boot=> hab_auth_img 0x40480000 0x1676F60 0x41AF6000 (0x1676F60 is the full file size including the ivt part).

But I got the same error.

Please also see the attachments.

7 Replies

gaurav_bankar
Contributor II

Hello,

    I am using a customized board of i.MX8MP and I am stuck at the same point

    The loadaddr for imx8mp is 0x40480000

    I have the following files generated   

gaurav_bankar_0-1697031603475.png

I am trying to authenticate the image with

hab_auth_img <kernel load address> <size image+ivt+csf> <ivt offset>

hab_auth_img 0x4048000 0x1471960 0x418f000

where

0x40480000 - loadaddr

0x1471960 - hex value of Image_signed ( Image + ivt + csf )

0x1470000 - hex value of ivt offset ( Image + pad ) 

But I am still getting error of invalid IVT structure.

Where am I going wrong?

mukunda9g
Contributor II

hab_auth_img <kernel load address> <size image+ivt+csf> <ivt offset>

u-boot=> hab_auth_img 0x40400000 0x1df0f68 0x1df0000

Authenticate image from DDR location 0x40400000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

Yuri
NXP Employee

Hello,

1. The "load Address" in the genIVT.pl is the Image load address.

2. The diagram below illustrates the Image layout:

            ------- +-----------------------------+ <-- *load_address
                ^   |                             |
                |   |                             |
                |   |                             |
                |   |            Image            |
         Signed |   |                             |
          Data  |   |                             |
                |   |                             |
                |   +-----------------------------+
                |   |    Padding to Image size    |
                |   |          in header          |
                |   +-----------------------------+ <-- *ivt
                v   |     Image Vector Table      |
            ------- +-----------------------------+ <-- *csf
                    |                             |
                    | Command Sequence File (CSF) |
                    |                             |
                    +-----------------------------+
                    |     Padding (optional)      |
                    +-----------------------------+
 
   Pay attention to the Signed Data: Image, Padding to Image size in header,
and IVT are included in the signed area.
   

Regards,

Yuri.
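
Added example (not part of any post in this thread, and not code from the U-Boot document): a Python sketch of the layout in the diagram above. It computes the IVT pointers, the signed-block length and the hab_auth_img arguments in the `<ivt offset>` form quoted earlier in the thread, then checks an IVT against the "Allowed IVT structure" output. The function names, the small sample buffer and the 0xF40 CSF size (the 23555936-byte file from the first post minus padded image and IVT) are assumptions.

```python
import struct

IVT_LEN = 0x20  # eight little-endian 32-bit words, as written by genIVT.pl

def build_ivt(load_addr, padded_size):
    """IVT for an image loaded at load_addr and padded to padded_size bytes."""
    ivt_addr = load_addr + padded_size          # *ivt follows the padding
    return struct.pack("<8I", 0x412000D1, load_addr, 0, 0, 0,
                       ivt_addr, ivt_addr + IVT_LEN, 0)

def signing_plan(padded_size, csf_size):
    """Lengths implied by the diagram: Image + padding + IVT are signed."""
    return {
        "blocks_length": padded_size + IVT_LEN,         # [Authenticate Data] length
        "auth_size": padded_size + IVT_LEN + csf_size,  # hab_auth_img 2nd argument
        "ivt_offset": padded_size,                      # hab_auth_img 3rd argument
    }

def check_ivt(loaded, load_addr, ivt_offset):
    """Problems with the IVT found ivt_offset bytes into the loaded file."""
    raw = loaded[ivt_offset:ivt_offset + IVT_LEN]
    if len(raw) < IVT_LEN:
        return ["ivt_offset is outside the loaded file"]
    hdr, _entry, rsv1, dcd, _boot, self_ptr, csf_ptr, rsv2 = struct.unpack("<8I", raw)
    problems = []
    if (hdr & 0xF0FFFFFF) != 0x402000D1:        # "IVT HDR = 0x4X2000D1"
        problems.append("bad IVT header 0x%08X" % hdr)
    if rsv1 or dcd or rsv2:
        problems.append("RSV1, DCD and RSV2 must be 0x0")
    if self_ptr != load_addr + ivt_offset:
        problems.append("self pointer does not match load address + offset")
    if csf_ptr != self_ptr + IVT_LEN:           # layout from the diagram
        problems.append("CSF pointer is not directly after the IVT")
    return problems

# Constructed sample: a 0x3000-byte padded "image", its IVT and a dummy 0x40-byte CSF.
LOAD, PAD = 0x40480000, 0x3000
SAMPLE = bytes(PAD) + build_ivt(LOAD, PAD) + bytes(0x40)

if __name__ == "__main__":
    print(check_ivt(SAMPLE, LOAD, PAD))          # offset form: no problems
    print(check_ivt(SAMPLE, LOAD, LOAD + PAD))   # absolute address used as offset
    plan = signing_plan(0x1676000, 0xF40)        # sizes from the first post
    print({k: hex(v) for k, v in plan.items()})
```

With the sizes from the first post, this gives an IVT offset of 0x1676000 and a signed-block length of 0x1676020.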

antonio_santagi
Contributor IV

OK, I got it working; I had missed the diagram.

wangzheng1
Contributor I

Hello, I have the same problem, could you tell me how you solved it?

manjunath_bentu
Contributor I

Hi, it would be helpful if you could let me know the solution. I followed the document exactly; secure boot is fine but I cannot get the signed kernel image working. Could you please share what you did to make it work (like the csf and genivt files)?

antonio_santagi
Contributor IV

Just correctly following the document at mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot, which has the same diagram that was posted above, should make it work. Follow it correctly both when signing and when verifying the signatures; I haven't modified anything in that document to make it work.
