i.MX6 HAB secure boot fuse problem

cancel
Showing results for 
Search instead for 
Did you mean: 

i.MX6 HAB secure boot fuse problem

3,929 Views
spacemanspiff
Contributor II

I am trying to finalize setting up secure boot on our custom board with i.MX6.

I have generated certificates with hab4_pki_tree.sh and built a signed U-boot. Attached the CSF source.

Programmed the SRK hash fuses from U-boot, hab_status returned "No HAB events".

Tried to modify a single byte in the U-boot image, hab_status returned events (failure).

Reverted to good U-boot image, and closed the configuration (burn SEC_CONFIG[1] fuse):

=> fuse prog 0 6 0x02

Then I tried to reset, and board does not boot now.

 

And just to ensure the signed U-boot has the CSF pointer set:

$ dd if=./u-boot_csf.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'

0000: 402000D1

0004: 17800000

0008: 00000000

000c: 177FF42C

0010: 177FF420

0014: 177FF400

0018: 1784F000

001c: 00000000

0020: 177FF000

0024: 00052000

0028: 00000000

002c: 401003D2

 

This is the second board i "brick", the first one I burned a lot of different fuses regarding disabling JTAG etc. at the same time, so I was not sure what caused the board not to boot. I write "brick" in quotes because I hope by making a new signed U-boot I will be able to resurrect the boards. However, since U-boot is in SPI flash, I need to use a programmer to change U-boot, so not as easy as changing an SD-card.

 

I welcome any suggestions for how to proceed.

 

Best regards,

Mikkel Holm Olsen

Original Attachment has been moved to: u-boot.csf.zip

Labels (3)
4 Replies

1,288 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

  First, please check carefully if all actions for HAB boot are implemented

in Your case, using documentation in the following thread

https://community.freescale.com/servlet/JiveServlet/download/325535-1-259256/secure_boot_on_imx6.pdf

HAB on Nitrogen_6X IMX6Q board

In particular - if SRK fuses are burned correctly.

Also, You may try to load the signed U-boot (in order to check fuses, environment) via

the MFG. Please take a look at Appendix E (Freescale manufacturing tool) of the recent

release of app note AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4).

https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos

1,288 Views
spacemanspiff
Contributor II

Hi Yuri,

Yes, I have been very thorough regarding the SRK fuses, ensuring the correct byte order. Also, after burning the SRK fuses, before closing configuration, I get no HAB events when using signed U-boot. Modifying a single byte in U-boot image created HAB events. Then reverted back to good U-boot (checked no HAB events), before closing the configuration.

On a third board I made a new attempt, this time with 2048-bit certificates, and following the exact same procedure I was able to make it work.

Are there any reports of HAB4 on i.MX6 not working correctly with 4096-bit certificates? Is there anything I could change in my CSF, that would make this work (maybe the "Engine = Any")?

0 Kudos

1,288 Views
Yuri
NXP TechSupport
NXP TechSupport

Hello,

Key length in bits for PKI tree of 4096 is supported.

Engine = CAAM

Regards,

Yuri.

1,288 Views
gary_bisson
Senior Contributor III

Hi YuriMuhin_ng​,

Thanks, it does fix the issue, but this information should appear in the documentation! Nowhere is written that you can have a different behavior between close and open configuration. Also there's no mention of a different Engine parameter when using 4096 key.

I consider it a bug that there's no HAB event reported when open and the close configuration fails.

Regards,

Gary