i.MX6 HAB, getting HAB_INV_SIZE event

jdepedro · ‎04-26-2016

I am trying to make HAB work on my i.MX6Q based platform using a custom uboot based on v2015.04. This is my progress so far:

I have generated the keys, add secure boot support to uboot, also added the CSF section to uboot:

CONFIG_CSF_SIZE 0x4000

When compiling uboot, I get the following output (I manually added a printf for the ivt_offset):

Image Type: Freescale IMX Boot Image

Image Ver: 2 (i.MX53/6 compatible)

Mode: DCD

Data Size: 393216 Bytes = 384.00 kB = 0.38 MB

Load Address: 177ff420

Entry Point: 17800000

HAB Blocks: 177ff400 00000000 0005bc00

ivt_offset: 00000400

I save the compiled image in /tftpboot/sboot/uboot-compiled.imx

Then I use the following CSF file (/tftpboot/sboot/CSF.text):

#Illustrative Command Sequence File Description

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine = ANY

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]

# Key used to authenticate the CSF data

File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

# Key slot index used to authenticate the key to be installed

Verification index = 0

# Target key slot in HAB key store where key will be installed

Target Index = 2

# Key to install

File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]

# Key slot index used to authenticate the image data

Verification index = 2

# Address Offset Length Data File Path

Blocks = 0x177ff400 0x000000 0x5bc00 "/tftpboot/sboot/uboot-compiled.imx"

# Defer RNG Instantiation for Post HAB Software (3.3.2.2)

[Unlock]

Engine = CAAM

Features = RNG

And use it to generate the CSF binary which contains the uboot image sign and other information:

./cst --o /tftpboot/sboot/CSF.bin < /tftpboot/sboot/CSF.text

Then, according to AN4581, I just need to concatenate the CSF to the uboot file, and that should work:

cat /tftpboot/sboot/uboot-compiled.imx /tftpboot/sboot/CSF.bin > /tftpboot/sboot/uboot+CSF.imx

But when I try to boot with that uboot+CSF.imx image, I get the following HAB event:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x08 0x41 0x33 0x17 0xdd 0x00

Interpreting this event:

First confirm that the data is an event consisting of a header, an SRCE (Status, Reason, Context, Engine) word and context dependent data. The first byte is the tag field which indicates an event when set to HAB_TAG_EVENT. The next two bytes the length and the last byte is the HAB version.
- 0xdb: Tag: Event (0xDB = Event)
- 0x00, 0x08: Data length in bytes: 8 bytes
- 0x41: HAB version: 4.1
The next word is the SRCE (Status|Reason|Context|Engine) which indicates the type of event that occurred.
- 0x33: 0x33 = HAB_FAILURE: Operation failed
- 0x17: 0x17 = HAB_INV_SIZE: Invalid data size
- 0xdd: 0xDD = HAB_CTX_DCD: Event logged in hab_rvt.run_dcd()
- 0x00: 0x00 = HAB_ENG_ANY: First compatible engine will be selected automatically (no engine configuration parameters are allowed)

So basically, HAB_INV_SIZE, which I interpret as there is something wrong with the binary layout.

I then though that the CSF file size is less than the CONFIG_CSF_SIZE (0x4000) so I try padding it with FF to that length:

objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0xff /tftpboot/sboot/CSF.bin /tftpboot/sboot/CSF-padded.bin

cat /tftpboot/sboot/uboot-compiled.imx /tftpboot/sboot/CSF-padded.bin > /tftpboot/sboot/uboot+CSF-padded.imx

That does not work and outputs exactly the same HAB event.

Can anyone provide more information about how to fix that HAB_INV_SIZE error?

jdepedro · ‎04-29-2016

Hi Yuri,

I was able to solve the problem, I was using the CSF_SIZE directive after all the DATA 4, commands. Moving it to the start of the file solved the problem.

Thanks for your answer and for that detailed document anyway.

View solution in original post

Yuri · ‎04-29-2016

Hello,

Please look at my comments below.

1.

Is CONFIG_SECURE_BOOT defined in U-boot ?

2.
U-boot.imx size should be aligned ( with value of 0x1000) ; that is

U-boot.imx need to be properly padded.

3.

The following may be helpful (here only part of U-boot is signed):

“Encrypted boot loader on SabreSD i.MX6q board”

< https://community.freescale.com/docs/DOC-330622 >

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

jdepedro · ‎04-29-2016

Hi Yuri,

I was able to solve the problem, I was using the CSF_SIZE directive after all the DATA 4, commands. Moving it to the start of the file solved the problem.

Thanks for your answer and for that detailed document anyway.

kevin_silbereis · ‎07-06-2020

So was the padding, meaning objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0xff /tftpboot/sboot/CSF.bin /tftpboot/sboot/CSF-padded.bin, necessary at all?

jingyangxie · ‎08-21-2018

Hi,Jose

Could you give me the details for the solution?as you say,"using the CSF_SIZE directive after all the DATA 4, commands. Moving it to the start of the file solved the problem",how can I do this ?

jdepedro · ‎10-26-2018

Check the .cfg file that you are using to create the DCD, and verify that the CSF_SIZE directive is before all DATA 4.

jdepedro · ‎04-27-2016

I have tried with the nxp mksecureboot tool included in imx-test-linux, this is the output (I added debug):

jdiaz:~/secure_boot/cst-2.3.1/mksecureboot$ ./mk_secure_uboot

+ '[' 0 '!=' 0 ']'

+ '[' '!' -f u-boot.imx ']'

+ printf 'Make Sure Your "u-boot.imx" is up to date...\n'

Make Sure Your "u-boot.imx" is up to date...

++ hexdump -n 4 -s 32 -e '/4 "0x%08x\t" "\n"' u-boot.imx

+ let ddr_addr=0x177ff000

++ hexdump -n 4 -s 20 -e '/4 "0x%08x\t" "\n"' u-boot.imx

+ let ivt_self=0x177ff400

++ hexdump -n 4 -s 24 -e '/4 "0x%08x\t" "\n"' u-boot.imx

+ let ivt_csf=0x1785b000

++ ls -lct u-boot.imx

++ awk '{print $5}'

+ let uboot_size=375808

+ let pad_len=375808

+ let sig_len=384000

+ let ivt_offset=0x0

+ let auth_len=375808

+ let ivt_start=394261504

++ printf 0x%X 375808

+ pad_len=0x5BC00

++ printf 0x%X 384000

+ sig_len=0x5DC00

++ printf 0x%X 375808

+ auth_len=0x5BC00

++ printf 0x%X 0

+ ivt_offset=0x0

++ printf 0x%X 394261504

+ ivt_start=0x177FF400

+ sed -e s/%pad_len%/0x5BC00/g -e s/%sig_len%/0x5DC00/g ../templates/habimagegen_template

+ chmod +x habimagegen

+ sed -e s/%ram_start%/0x177FF400/g -e s/%image_offset%/0x0/g -e s/%auth_len%/0x5BC00/g ../templates/ubootcsf_template

+ ./habimagegen

+ echo 'extend u-boot to 0x5BC00...'

extend u-boot to 0x5BC00...

+ objcopy -I binary -O binary --pad-to 0x5BC00 --gap-fill=0x5A u-boot.imx u-boot-pad.imx

+ echo 'generate csf data...'

generate csf data...

+ ../linux64/cst --o u-boot_csf.bin

CSF Processed successfully and signed data available in u-boot_csf.bin

+ echo 'merge image and csf data...'

merge image and csf data...

+ cat u-boot-pad.imx u-boot_csf.bin

+ echo 'extend final image to 0x5DC00...'

extend final image to 0x5DC00...

+ objcopy -I binary -O binary --pad-to 0x5DC00 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx

+ echo 'u-boot-signed-pad.imx is ready'

u-boot-signed-pad.imx is ready

+ rm -f habimagegen u-boot.csf u-boot_csf.bin u-boot-pad.imx u-boot-signed.imx

+ printf 'U-Boot image with Signature "u-boot-signed-pad.imx" is ready to use\n'

U-Boot image with Signature "u-boot-signed-pad.imx" is ready to use

When testing this u-boot image, I get the same HAB event (invalid data size)

Could a big uboot image be the cause for that error? Is there any limitation on the size of the memory region to be verified?

i.MX6 HAB, getting HAB_INV_SIZE event

i.MX6 HAB, getting HAB_INV_SIZE event

i.MX6Quad