Hi,
we are trying to add secureboot to our i.MX6UL-Board. The verification of the linux-image and u-boot seems to work just fine, but loading the SPL from SPI-Flash still generates 2 HAB-Events:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x90 0x68 0xe8
0x10 0x00 0x00 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x90 0x68 0xe8
0x00 0x01 0x10 0x60
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
However, loading SPL + u-boot to RAM using SDP works fine (Secureboot-Fuse still disabled):
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
The address in the HAB-Events (0x00, 0x90, 0x68, 0xe8) looks like the first data of SPL:
hexdump -C SPL.signed | head -n 4
00000000 d1 00 20 40 00 80 90 00 00 00 00 00 00 00 00 00 |.. @............|
00000010 08 79 90 00 e8 78 90 00 e8 58 91 00 00 00 00 00 |.y...x...X......|
00000020 e8 68 90 00 60 10 01 00 00 00 00 00 d2 00 04 40 |.h..`..........@|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...
The corresponding CSF:
[Header]
Version = 4.1
Hash Algorithm = sha256
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0
[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File= "IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x009078e8 0x00000000 0x0000e000 "SPL"
[Unlock]
Engine = CAAM
Features = RNG
Any idea why the HAB-Events occur?
Thanks
Try this address and range, and then align the entry address to make sure it is in a valid ocram area.
Which boot media do you use, SPI? - the signed SDP SPL-image (created the same way, only other configuration) does not generate any HAB-Events when booting over serial.
Regards
Harvey
The boot media is QSPI-Flash.
After changing the location and size:
hab fuse not enabled
Authenticate image from DDR location 0x90000000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x22 0x33 0x00
0x00 0x00 0x00 0x0f 0x00 0x90 0x70 0x00
0x10 0x00 0x00 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_TARGET (0x33)
ENG = HAB_ENG_ANY (0x00)
## Loading kernel from FIT Image at 90000000 ...
Still one message, which says (if I'm right): Invalid size of 256Mb at location 0x907000? Why 256Mb?
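
An added example, not part of the thread and not NXP code: a small decoder that splits the first post's two HAB event records into fields, reads the IVT and boot data from the quoted hexdump, and compares the reported address and length with the boot data and with the CSF `Blocks` entry. The function names are hypothetical, the byte strings are retyped from the output above, and treating the last two event words as address and length follows the poster's reading rather than a documented layout.

```python
import struct

# Constructed from the hab_status output, hexdump and CSF quoted in the thread.
EVENT_1 = bytes.fromhex("db001442 33223300 0000000f 009068e8 10000000")
EVENT_2 = bytes.fromhex("db001442 33223300 0000000f 009068e8 00011060")
SPL_HEAD = bytes.fromhex("d1002040 00809000 00000000 00000000"
                         "08799000 e8789000 e8589100 00000000"
                         "e8689000 60100100 00000000")
CSF_BLOCK = (0x009078E8, 0x0000E000)  # address, length from [Authenticate Data]

def parse_event(rec):
    """Split a HAB event record into its header, status bytes and data words."""
    tag, length, version, sts, rsn, ctx, eng = struct.unpack(">BHBBBBB", rec[:8])
    if tag != 0xDB or length != len(rec):
        raise ValueError("not a complete HAB event record")
    # Assumption (the poster's reading): the data words are big-endian and
    # the last two are the rejected address and length.
    words = struct.unpack(">%dI" % ((length - 8) // 4), rec[8:])
    return {"sts": sts, "rsn": rsn, "ctx": ctx, "eng": eng,
            "addr": words[-2], "len": words[-1]}

def parse_ivt(image):
    """Read the IVT at offset 0 and the boot data it points to."""
    tag, length, _ = struct.unpack(">BHB", image[:4])
    if tag != 0xD1 or length != 0x20:
        raise ValueError("no IVT header at offset 0")
    entry, _, dcd, boot_data, self_addr, csf, _ = struct.unpack("<7I", image[4:32])
    off = boot_data - self_addr          # boot data offset inside the file
    start, size, _ = struct.unpack("<3I", image[off:off + 12])
    return {"entry": entry, "self": self_addr, "csf": csf,
            "boot_start": start, "boot_len": size}

def inside(addr, length, block):
    """True if [addr, addr+length) lies within the signed CSF block."""
    base, size = block
    return base <= addr and addr + length <= base + size

def report():
    ivt = parse_ivt(SPL_HEAD)
    rows = []
    for ev in map(parse_event, (EVENT_1, EVENT_2)):
        rows.append({"addr": hex(ev["addr"]), "len": hex(ev["len"]),
                     "is_boot_data": (ev["addr"], ev["len"]) == (ivt["boot_start"], ivt["boot_len"]),
                     "in_csf_block": inside(ev["addr"], ev["len"], CSF_BLOCK)})
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

On the thread's data, event 2 carries exactly the boot data start and length stored in the image header, and event 1's length word is 0x10000000, which is the 256 MiB figure asked about in the last post.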