- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
i.MX6Q - Problem with secure boot
Dear NXP community,
I am developing a custom board based on the imx6qsabresd board.
I tried to apply a secure boot, but a problem has occurred.
I referred to the following documents and URLs.
AN4581,IMX6HABUG
https://boundarydevices.com/high-assurance-boot-hab-dummies/
The operations and results I did are as follows.
1. Generate PKI tree and SRK table
...
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
...
~/cst-2.3.2/crts$ ../linux32/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./
2. Write SRK table to Fuse
3. Build secure boot supported u-boot
4. Sign a u-boot image
objcopy -I binary -O binary --pad-to 0x51C00 --gap-fill=0x5A u-boot.imx u-boot-pad.imx
../linux32/cst --o u-boot_csf.bin --i u-boot.csf
cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to 0x53C00 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx
5. Create an image and start board
6. Display authentication status
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
I got the results as expected.
Then, I tried it with an incorrect image.
Pattern1 Without signature
As a result, an error occurred as follows
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x11 0xcf 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0xf8
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
Pattern2 Corrupted image
Use the binary editor and edit parts that are not signatures
Pattern3 Different keys
Generate key using different passphrase
Patterns 2 and 3 were the same result
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
The result was different from what I expected.
I found the following description.
https://community.nxp.com/message/937925
From the description, I thought SRK authentication was skipped for open setting.
However, I do not know why Pattern 2 does not cause an error.
What does the pattern 1 error indicate?
Why does not error occur in pattern 2?
Is something wrong with my operation?
The board remains at the OPEN setting.
Best regard,
Tasuku.
igorpadykov
Hi Tasuku
>What does the pattern 1 error indicate?
please look at description of events in sect.6.7 Audit Events document HAB4_API.pdf
included in CST Tool package
>Why does not error occur in pattern 2?
as you correctly noted SRK authentication was skipped for open setting.
Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
