i.MX6UL Secureboot SPL Verification

pirors
Contributor I

Hi,

 

We are trying to add secureboot to our i.MX6UL-Board. The verification of the linux-image and u-boot seems to work just fine, but loading the SPL from SPI-Flash still generates 2 HAB-Events:

=> hab_status 

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
       0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
       0x00 0x00 0x00 0x0f 0x00 0x90 0x68 0xe8
       0x10 0x00 0x00 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
       0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
       0x00 0x00 0x00 0x0f 0x00 0x90 0x68 0xe8
       0x00 0x01 0x10 0x60

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)

However, loading SPL + u-boot to RAM using SDP works fine (Secureboot-Fuse still disabled):

=> hab_status 

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 

The address in the HAB-Events (0x00, 0x90, 0x68, 0xe8) looks like the first data of SPL:

hexdump -C SPL.signed | head -n 4

00000000  d1 00 20 40 00 80 90 00  00 00 00 00 00 00 00 00  |.. @............|
00000010  08 79 90 00 e8 78 90 00  e8 58 91 00 00 00 00 00  |.y...x...X......|
00000020  e8 68 90 00 60 10 01 00  00 00 00 00 d2 00 04 40  |.h..`..........@|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
...

The corresponding CSF:

[Header]
Version = 4.1
Hash Algorithm = sha256
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0

[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target Index = 2
File= "IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x009078e8 0x00000000 0x0000e000 "SPL"

[Unlock]
Engine = CAAM
Features = RNG

 

Any idea why the HAB-Events occur?

 

Thanks

Harvey021
NXP TechSupport

Hi @pirors 

Can you provide your image, both signed and non-signed?

 

Regards

Harvey

pirors
Contributor I

Hi @Harvey021 ,

 

I've sent you the SPL as a message.

 

Thanks

Robin

Harvey021
NXP TechSupport

Try this address and range, and then align the entry address to make sure it is in a valid ocram area.

Harvey021_0-1700820503618.png

Which boot media do you use, SPI? - the signed SDP SPL-image (created the same way, only other configuration) does not generate any HAB-Events when booting over serial.

 

Regards

Harvey

pirors1
Contributor I

The boot media is QSPI-Flash.

 

After changing the location and size:

hab fuse not enabled 

Authenticate image from DDR location 0x90000000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
       0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
       0x00 0x00 0x00 0x0f 0x00 0x90 0x70 0x00
       0x10 0x00 0x00 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)

## Loading kernel from FIT Image at 90000000 ...

Still one message, which says (if I'm right): Invalid size of 256Mb at location 0x907000? Why 256Mb?
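
Added example, not part of the thread and not NXP or U-Boot code: a small decoder that reads the IVT and boot data from the `SPL.signed` hexdump in the first post and compares the address/length carried in the HAB events with the boot data region and with the CSF `Blocks` line. The function names are hypothetical, and the layout of the event data (three big-endian words: target type, start, length) is an assumption that follows the reading of the record in the last post.

```python
import struct

# Constructed from the thread: first 0x2c bytes of the SPL.signed hexdump and
# two HAB event records (first post, event 2; last post, event 1).
SPL_HEAD = bytes.fromhex("d1002040 00809000 00000000 00000000 08799000 e8789000"
                         " e8589100 00000000 e8689000 60100100 00000000")
EVENT_SPI = bytes.fromhex("db001442 33223300 0000000f 009068e8 00011060")
EVENT_RETRY = bytes.fromhex("db001442 33223300 0000000f 00907000 10000000")
# CSF "Blocks" line from the first post: load address, file offset, length.
CSF_BLOCK = (0x009078E8, 0x00000000, 0x0000E000)

def parse_ivt(blob):
    """Decode the IVT at file offset 0 and the boot data it points to."""
    tag, length, _version = struct.unpack_from(">BHB", blob, 0)
    if tag != 0xD1 or length != 0x20:
        raise ValueError("no IVT header at offset 0")
    entry, _, dcd, boot, self_, csf, _ = struct.unpack_from("<7I", blob, 4)
    off = boot - self_                      # boot data position inside the file
    if off < 0x20 or off + 12 > len(blob):
        raise ValueError("boot data pointer outside the supplied bytes")
    start, size, plugin = struct.unpack_from("<3I", blob, off)
    return dict(entry=entry, dcd=dcd, boot=boot, self=self_, csf=csf,
                start=start, length=size, plugin=plugin)

def parse_event(rec):
    """Split a HAB event record into its status bytes and 32-bit data words."""
    tag, length, _version = struct.unpack_from(">BHB", rec, 0)
    if tag != 0xDB or length != len(rec) or (length - 8) % 4:
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = rec[4:8]
    words = struct.unpack_from(">%dI" % ((length - 8) // 4), rec, 8)
    return dict(sts=sts, rsn=rsn, ctx=ctx, eng=eng, words=words)

def classify(rec, ivt, csf_block=CSF_BLOCK):
    """Say which known region, if any, a target-check event refers to."""
    ev = parse_event(rec)
    if len(ev["words"]) != 3:
        return ("unknown", None, None)
    _kind, addr, size = ev["words"]   # assumed layout: target type, start, length
    if (addr, size) == (ivt["start"], ivt["length"]):
        return ("boot_data", addr, size)
    if (addr, size) == (csf_block[0], csf_block[2]):
        return ("csf_block", addr, size)
    return ("other", addr, size)
```

With the bytes from the thread, event 2 of the SPI boot classifies as `boot_data` (start 0x009068e8, length 0x11060), and the CSF `Blocks` length 0xe000 equals `csf - self` from the IVT.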

 
