i.MX6 Recovery Mode with HAB and MFG tool

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX6 Recovery Mode with HAB and MFG tool

7,349 Views
MickeyI
Contributor III

Hi,

I'm trying to boot a i.MX6 with a signed u-boot and I'm getting HAB events.

I followed the guide (AN4581 6.2) and looked at two related posts here but I still can't get to a clean events status (https://community.freescale.com/message/332405#332405, https://community.freescale.com/docs/DOC-96451).

The first HAB event reported is HAB_INV_IVT.

U-Boot > hab_status

iMX6 HAB status Information :

=============================

Checking HAB_status

HAB Configuration: 0xf0 HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

   0xdb 0x00 0x08 0x41 0x33 0x05 0x0a 0x00

--------- HAB Event 2 -----------------

event data:

   0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 3 -----------------

event data:

   0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 4 -----------------

event data:

   0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 5 -----------------

event data:

   0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

   0x00 0x00 0x00 0x00 0x27 0x80 0x04 0x00

   0x00 0x00 0x00 0x20

--------- HAB Event 6 -----------------

event data:

   0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

   0x00 0x00 0x00 0x00 0x27 0x80 0x08 0x20

   0x00 0x00 0x00 0x04

Here are the steps I took and their outputs. I'd appreciate any ideas to resolve this:

I'm using two files:

* image-pad.bin                 - padded u-boot.bin

* image-pad-no-dcdptr.bin  - a copy of image-pad.bin with the DCD pointer zeroed out.

CSF file:

[Header]

        Version = 4.0

        Security Configuration = Open

        Hash Algorithm = sha256

        Engine Configuration = 0

        Certificate Format = X509

        Signature Format = CMS

[Install SRK]

        File = "../crts/SRK_1_2_3_4_table.bin"

        Source index = 0

[Install CSFK]

        File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

        Verification index = 0

        Target index = 2

        File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]

        Verification index = 2

        Blocks = 0x27800400 0x400 0x32c00 "/home/plomba/temp/debug_mfg/image-pad-no-dcdptr.bin", \

                 0x00910000 0x42C 0x3F0 "/home/plomba/temp/debug_mfg/image-pad-no-dcdptr.bin"

image-pad-no-dcdptr.bin - IVT to DCD ptr binary:

0x00000400: D1002040 20088027 00000000 00000000     .. @ ..'........

0x00000410: 20048027 00048027 00308327 00000000      ..'...'.0.'....

0x00000420: 00008027 00500300 00000000 D203F040     ...'.P.........@

u-boot.bin (signed) - IVT to DCD ptr binary:

0x00000400: D1002040 20088027 00000000 2C048027     .. @ ..'....,..'

0x00000410: 20048027 00048027 00308327 00000000      ..'...'.0.'....

0x00000420: 00008027 00500300 00000000 D203F040     ...'.P.........@

Running Linux MFG tool:

# ./imx_usb u-boot.bin

config file <./imx_usb.conf>

config file <./mx6_usb_work.conf>

parse mx6_usb_work.conf

15a2:0054(mx6_qsb) bConfigurationValue =1

Interface 0 claimed

report 1, wrote 16 bytes, err=0

report 3, read 4 bytes, err=0

read=56 78 78 56

u-boot.bin 0 0 1 0 1 2

main dcd length 3f0

sub dcd length 3ec

dcd_ptr=0x2780042c

loading binary file(u-boot.bin) to 27800000, skip=0, fsize=35000 type=aa

<<<217088, 217088 bytes>>>

jumping to 0x27800400

Thanks,

Mickey.

Labels (2)
Tags (3)
0 Kudos
13 Replies

3,372 Views
bba
Contributor III

Hello,

I am using the mfgtool on iMX6ul and have the same issue.

If you take the signed u-boot image and download it through USB, you will get HAB events.

However, if you take the same signed u-boot image and write it to flash, NO HAB events.

Any idea what we can do? The board is not bootable with the mfgtool after closing the device with

fuse prog 0 6 0x2

Regards,

Birger

0 Kudos

3,372 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Please use Appendix E (Freescale manufacturing tool) of  app note AN4581
"Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4",
Rev. 1, 10/2015

http://www.nxp.com/assets/documents/data/en/application-notes/AN4581.pdf 

Regards,

Yuri.

0 Kudos

3,372 Views
bba
Contributor III

Hello Yuri, thanks for reply. I am still working together with my FAE on this problem. I will provide some comments if it is working.

Regards,

Birger

0 Kudos

3,372 Views
bba
Contributor III

Okey, now it works!

We erased the first address ot the DCD table instead of the dcd pointer. Please find behind some parts of the used signing script.

Regards,

Birger

uboot.csf

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x2c 0x1e8 "u-boot-padded.imx", 0x877ff400 0x00 0x046c00 "u-boot-padded.imx"

sign.sh

temp="/tmp"

# $1 padded filename
# $2 dcd_offset (dezimal)
func_clear_dcd_addr()
{
    if [ -e $1 ]; then
        # store the DCD address
        dd if=$1 of=$temp/dcd_addr.bin bs=1 count=4 skip=$2
        # generate a NULL address for the DCD
        dd if=/dev/zero of=$temp/zero.bin bs=1 count=4
        # replace the DCD address with the NULL address
        dd if=$temp/zero.bin of=$1 seek=$2 bs=1 conv=notrunc
    else
        echo "missing $1"
        exit 1
    fi
}

# $1 padded filename
# $2 dcd_offset (dezimal)
func_set_dcd_addr()
{
    if [ -e $1 ]; then
        # restore the DCD address with the original address
        if [ -e $temp/dcd_addr.bin ]; then
            dd if=$temp/dcd_addr.bin of=$1 seek=$2 bs=1 conv=notrunc
        else
            echo "missing $temp/dcd_addr.bin"
            exit 1
        fi
    else
        echo "missing $1"
        exit 1
    fi
}

    objcopy -I binary -O binary $2/u-boot.imx $2/u-boot-padded.imx

    # DCD pointer must be cleared for signature, as mfgtool will clear it.
    func_clear_dcd_addr $2/u-boot-padded.imx 12

    echo "Run Code Signing Tool with zero DCD address"
    $1/linux64/cst -o $2/csf-uboot.bin -i $2/uboot.csf

    # DCD pointer must be set for mfgtool to localize the DCD table.
    func_set_dcd_addr $2/u-boot-padded.imx 12

    echo "Append csf Binary to the uboot image"
    cat $2/u-boot-padded.imx $2/csf-uboot.bin > $2/u-boot-signed.imx

0 Kudos

3,372 Views
bba
Contributor III

Some additional notes about the header structure of the used u-boot.imx binary:

hexdump u-boot.imx -n 48

0000000 00d1 4020 0000 8780 0000 0000 f42c 877f

0000010 f420 877f f400 877f 6000 8784 0000 0000

0000020 f000 877f 9000 0004 0000 0000 01d2 40e8

0000030

header = 0x402000d1

entry = 0x87800000

reserved = 0x00000000

dcd_ptr = 0x877ff42c

boot_data_ptr = 0x877ff420

self = 0x877ff400

csf = 0x87846000

reserved = 0x00000000

size = 0x046c00

dcd = 0x2c

hexdump u-boot-padded.imx -n 48

0000000 00d1 4020 0000 8780 0000 0000 0000 0000

0000010 f420 877f f400 877f 6000 8784 0000 0000

0000020 f000 877f 9000 0004 0000 0000 01d2 40e8

0000030

0 Kudos

3,372 Views
emptyfridge
Contributor III

Hi there,

I'm facing the same issue... I tried a lot of different ways to get my u-boot_signed.imx working over SDP load...

Here are the important parts:

Image details:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 274432 Bytes = 268.00 KiB = 0.26 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 00040c00
DCD Blocks: 00910000 0000002c 00000210

CSF:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = ANY

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"


[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x0 0x00040c00 "u-boot.imx", \
0x00910000 0x0000002c 0x00000210 "u-boot.imx"

#HAB Blocks: 877ff400 00000000 00040c00
#DCD Blocks: 00910000 0000002c 00000210

for the signing process i've done it like it is described here:

High Assurance Boot (HAB) for dummies - Boundary Devices 

so, remove the DCD pointer-> do the cst -> write back the pointer -> attache the signature.

I still got this HAB events:

U-Boot > hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

I have to say, I do no padding on the image file. But as far as I know, this is not necessary... or am I wrong?

I do not really understand this padding sizes that I've found in a example.

#!/bin/bash PROG_NAME=my_code

# ${PROG_NAME} padded up to 0x2C000 where the CSF will be added later

objcopy -I binary -O binary --pad-to 0x2C000 --gap-fill=0xff ${PROG_NAME}.bin ${PROG_NAME}_padded.bin

# DCD address must be cleared for signature, as mfgtool will clear it.

./mod_4_mfgtool.sh clear_dcd_addr ${PROG_NAME}_padded.bin

# generate the signatures, certificates, … in the CSF binary

../linux64/bin/cst --o ${PROG_NAME}_csf.bin --i ${PROG_NAME}.csf

# DCD address must be set for mfgtool to localize the DCD table.

./mod_4_mfgtool.sh set_dcd_addr ${PROG_NAME}_padded.bin

# gather ${PROG_NAME} + its CSF cat ${PROG_NAME}_padded.bin ${PROG_NAME}_csf.bin > ${PROG_NAME}_tmp.bin

# padding to get a file with size like specified in the IVT

objcopy -I binary -O binary --pad-to 0x22000 --gap-fill=0xff ${PROG_NAME}_tmp.bin ${PROG_NAME}_signed.bin

# remove temporary file

rm ${PROG_NAME}_tmp.bin

Where come this 0x2C00 and 0x22000 sizes from? How will this fit into my image?

Maybe this padding is the last point I have to fix.

And an other issue that I have. Since I have "closed" my device and flashed a signed u-boot (not over SDP).

the i.MX 6 Solo X boots not every time I do a reset or power off/on. It boots about every 3rd or 5th time up...

An other i.MX 6 Solo X board that is not "closed" boots up every time.

And I have also a i.MX 6 in "closed" mode, this one also boots normal and every time after reset.

It looks like the i.MX 6 Solo X has sometime problems to verify the signature of the u-boot and then it does not boot...

Anyone faced this problem before?

Thanks guys

0 Kudos

3,372 Views
bba
Contributor III

Made some tests with other configurations according to

https://community.nxp.com/message/600808

https://community.nxp.com/thread/307294

1.) Using:

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x2C 0x1F0 "u-boot.imx"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400     0x00 0x00046c00 "u-boot.imx"

I got 4 HAB events

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
        0x00 0x00 0x13 0x20 0x87 0x7f 0xf4 0x00
        0x00 0x04 0x6c 0x00

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

2.) Using:

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x2C 0x1F0 "u-boot.imx"

I got only 3 HAB events on RAM

3.) Using:

[Authenticate Data]

Verification index = 2
Blocks = 0x877ff400     0x00 0x00046c00 "u-boot.imx"

I got 5 HAB events, 3x RAM, 1x at 0x00910000

This is my u-boot.imx header layout:

  header        = 0x402000d1    
  entry         = 0x87800000    
  reserved      = 0x00000000    
  dcd_ptr       = 0x877ff42c    
  boot_data_ptr = 0x877ff420    
  self          = 0x877ff400    
  csf           = 0x87846000    
  reserved      = 0x00000000    

  size          = 0x00046c00

So the DCD signature at 0x00910000 seams to be ok, but why the HAB fails on RAM ?

0 Kudos

3,372 Views
Yuri
NXP Employee
NXP Employee

Hello,

Please look at my comments below.

1.
   Looks like the example in Appendix E (Freescale manufacturing tool) of AN4581 has a misprint.

Correct example is

[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x26C00 "u-boot-pad.bin", \
0x00910000 0x42c 0x2a0 "u-boot-pad.bin"

0x42c is the pointer of DCD table, 0x2a0 is the size of DCD table, you can get it in dcd_hdr in
flash_header.S. You need to modify 0x26C00 and 0x2a0 according to your uboot.bin size and DCD table
size.


2.
   When verifying the signed image with mfgtool, BOOT_MODE[1:0] should be set to 01 to Serial
Downloader mode, otherwise, you may meet one HAB event. So, please try correct setting of the BOOT
MODE pins to serial download mode, or set them to boot from SD card and do not insert SD card when
power on.

Regards,

Yuri.

0 Kudos

3,372 Views
bba
Contributor III

Hi Yuri,

thanks but I still have the same error. I change the dcd length according to

[IMX6Q HAB issue]: Download signed images into a “close” device by using mfgtool. 

I used mfgtool source code and added some logs in the source code(MxHidDevice.cpp). So I got the SDPCmd.datacount in DCDWrite function as total DCD data count of my u-boot.imx is 0x1e8.

  1. Using

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x2c 0x1e8 "/home/dnt/build-imx6ulevk-mfgtool/tmp/deploy/images/imx6ulevk/u-boot.imx"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00 0x046c00 "/home/dnt/build-imx6ulevk-mfgtool/tmp/deploy/images/imx6ulevk/u-boot.imx"

we got

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
        0x00 0x00 0x13 0x20 0x87 0x7f 0xf4 0x00
        0x00 0x04 0x6c 0x00

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

  1. Using

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00 0x046c00 "/home/dnt/build-imx6ulevk-mfgtool/tmp/deploy/images/imx6ulevk/u-boot.imx", \

0x00910000 0x2c 0x1e8 "/home/dnt/build-imx6ulevk-mfgtool/tmp/deploy/images/imx6ulevk/u-boot.imx"

we got

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x1c 0x00 0x02 0xc5 0x00 0x00
        0x00 0x00 0x10 0x10 0x87 0x7f 0xf4 0x00
        0x00 0x04 0x6c 0x00 0x00 0x91 0x00 0x00
        0x00 0x00 0x01 0xe8

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
        0x00 0x00 0x01 0xe8

Any idea, what's wrong? We are using iMX6ul on NAND.

Regards,

Birger

0 Kudos

3,372 Views
Yuri
NXP Employee
NXP Employee

Hello,

  You may create request in order to get an example.

https://community.nxp.com/docs/DOC-329745 

Regards,

Yuri.

0 Kudos

3,372 Views
Yuri
NXP Employee
NXP Employee

  As for returning event data - how to interpret this data – please refer

to Appendix A of the HAB4 API Reference Manual included in the CST release.

The next is moderated link for CST tool :

http://www.freescale.com/webapp/sps/download/mod_download.jsp?colCode=IMX_CST__TOOL&location=null&ap...

Summary Page (section "Initialization/Boot/Device Driver Code Generation") :

http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=i.MX6DL&nodeId=018rH3ZrDRB24A&fpsp=1&...

0 Kudos

3,372 Views
MickeyI
Contributor III

Hi Yuri,

Thanks for your fast reply.

In the Appendix A of HAB4 API I see that the first event means HAB_INV_IVT. I've attached the IVT binary because it doesn't make any sense - the IVT looks just like an IVT which boots on a closed device, all of the pointers have the same values (DCD, CSF, etc..). This is where I could use your help.

As for the links, the second one contains a pointer to CST 2.0 which is the version in use. The first one is a 404 error.

I could really use a direction to tackling this issue. Any ideas?

Thanks,

Mickey.

0 Kudos

3,372 Views
fsquestion
Contributor II

Mickey,

Looks like we have continuously had the same problems.  I have also had this problem.

I think the MFG tool is the culprit.

Here is what you will notice:

If you take the signed u-boot image and download it through USB, you will get HAB events.

However, if you take the same signed u-boot image and write it to flash, NO HAB events.

The MFG tool must be changing things (DCD? IVT?) on the fly, however there are NO settings in the .xml file for this.

What if I am not using a development board and my addresses are different.  How would the MFG tool know where to locate the image if it is changing things and I have no settings to fiddle with?

I have setup the linux version, just haven't had time to look into this yet.

Thanks...

0 Kudos