i.MX6 HAB secure boot fuse problem

spacemanspiff
Contributor II

I am trying to finalize setting up secure boot on our custom board with i.MX6.

I have generated certificates with hab4_pki_tree.sh and built a signed U-boot. Attached the CSF source.

Programmed the SRK hash fuses from U-boot, hab_status returned "No HAB events".

Tried to modify a single byte in the U-boot image, hab_status returned events (failure).

Reverted to good U-boot image, and closed the configuration (burn SEC_CONFIG[1] fuse):

=> fuse prog 0 6 0x02

Then I tried to reset, and board does not boot now.

 

And just to ensure the signed U-boot has the CSF pointer set:

$ dd if=./u-boot_csf.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'

0000: 402000D1
0004: 17800000
0008: 00000000
000c: 177FF42C
0010: 177FF420
0014: 177FF400
0018: 1784F000
001c: 00000000
0020: 177FF000
0024: 00052000
0028: 00000000
002c: 401003D2

This is the second board I "brick", the first one I burned a lot of different fuses regarding disabling JTAG etc. at the same time, so I was not sure what caused the board not to boot. I write "brick" in quotes because I hope by making a new signed U-boot I will be able to resurrect the boards. However, since U-boot is in SPI flash, I need to use a programmer to change U-boot, so not as easy as changing an SD-card.

I welcome any suggestions for how to proceed.

 

Best regards,

Mikkel Holm Olsen

Original Attachment has been moved to: u-boot.csf.zip
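
The check done by eye on the dump in the post above, as an added example that is not part of the original post: it decodes the 12 dumped words as an i.MX6 IVT plus boot data and confirms the CSF pointer is non-zero and falls inside the region described by the boot data. The function names are hypothetical, and the file-offset calculation assumes the .imx file begins at the IVT (the "self" address).

```python
import struct

# Words copied from the dump in the post above (hexdump printed each 4-byte
# little-endian word as %08X), repacked here into the original byte stream.
DUMP_WORDS = [0x402000D1, 0x17800000, 0x00000000, 0x177FF42C,
              0x177FF420, 0x177FF400, 0x1784F000, 0x00000000,
              0x177FF000, 0x00052000, 0x00000000, 0x401003D2]
IMAGE_HEAD = struct.pack("<12I", *DUMP_WORDS)

IVT_TAG = 0xD1  # HABv4 Image Vector Table tag


def parse_ivt(blob):
    """Decode the IVT and the boot data it points to (hypothetical helper)."""
    # Header is tag (1 byte), big-endian length (2 bytes), version (1 byte).
    tag, length, version = struct.unpack_from(">BHB", blob, 0)
    if tag != IVT_TAG or length != 0x20:
        raise ValueError("no IVT header at offset 0")
    entry, _r1, dcd, boot_data, self_addr, csf, _r2 = struct.unpack_from("<7I", blob, 4)
    # boot_data is an absolute load address; 'self' converts it to a file offset
    # (assumption: the file starts at the IVT).
    bd_off = boot_data - self_addr
    start, size, plugin = struct.unpack_from("<3I", blob, bd_off)
    return {"version": version, "entry": entry, "dcd": dcd, "self": self_addr,
            "csf": csf, "start": start, "size": size, "plugin": plugin}


def check_csf_pointer(ivt):
    """Return (file_offset, room) for the CSF, or raise if the pointer is unusable."""
    if ivt["csf"] == 0:
        raise ValueError("CSF pointer is zero: image carries no CSF")
    end = ivt["start"] + ivt["size"]
    if not (ivt["self"] < ivt["csf"] < end):
        raise ValueError("CSF pointer lies outside the image region in boot data")
    return ivt["csf"] - ivt["self"], end - ivt["csf"]


if __name__ == "__main__":
    ivt = parse_ivt(IMAGE_HEAD)
    off, room = check_csf_pointer(ivt)
    print(f"IVT v{ivt['version']:#x} entry={ivt['entry']:#010x} csf={ivt['csf']:#010x}")
    print(f"CSF at file offset {off:#x}, {room:#x} bytes before end of image")
```

This only shows that the pointer is set and in range; whether HAB accepts the CSF contents is still reported by hab_status.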

Yuri
NXP Employee

Hello,

First, please check carefully if all actions for HAB boot are implemented in Your case, using documentation in the following thread

https://community.freescale.com/servlet/JiveServlet/download/325535-1-259256/secure_boot_on_imx6.pdf

HAB on Nitrogen_6X IMX6Q board

In particular - if SRK fuses are burned correctly.

Also, You may try to load the signed U-boot (in order to check fuses, environment) via the MFG. Please take a look at Appendix E (Freescale manufacturing tool) of the recent release of app note AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4).

https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf

Have a great day,
Yuri

spacemanspiff
Contributor II

Hi Yuri,

Yes, I have been very thorough regarding the SRK fuses, ensuring the correct byte order. Also, after burning the SRK fuses, before closing configuration, I get no HAB events when using signed U-boot. Modifying a single byte in U-boot image created HAB events. Then reverted back to good U-boot (checked no HAB events), before closing the configuration.

On a third board I made a new attempt, this time with 2048-bit certificates, and following the exact same procedure I was able to make it work.

Are there any reports of HAB4 on i.MX6 not working correctly with 4096-bit certificates? Is there anything I could change in my CSF, that would make this work (maybe the "Engine = Any")?

Yuri
NXP Employee

Hello,

Key length in bits for PKI tree of 4096 is supported.

Engine = CAAM

Regards,

Yuri.

gary_bisson
Senior Contributor III

Hi YuriMuhin_ng​,

Thanks, it does fix the issue, but this information should appear in the documentation! Nowhere is it written that you can have a different behavior between closed and open configuration. Also there's no mention of a different Engine parameter when using a 4096 key.

I consider it a bug that there's no HAB event reported when open and the closed configuration fails.

Regards,

Gary