i.MX6UL w/2017.03 HAB generating events after writing eMMC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX6UL w/2017.03 HAB generating events after writing eMMC

931 Views
alexmovitz
Contributor II

After following the AN4581 instructions, we've hit a blocking issue that we can't seem to diagnose. We do not generate events until the fuses are blown for booting from eMMC and our image has been loaded. It's important to note that the image does boot like normal and the Linux system works. We are not currently attempting to diagnose the Linux kernel signing, just the u-boot signing process.

We have generated the u-boot-mfg-signed.imx by removing the DCD address, signed with CST, and replaced the DCD block. When booting the u-boot-mfg-signed.imx we get no events before flashing.

Before flashing, imx_usb loading u-boot-mfg-signed.imx

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!


After flashing our .SDIMG that's generated in Yocto to eMMC and flashing u-boot to mmcblk1boot0, we get HAB events. There are two sets of fuses that are burned for booting from fuses to go with our resistor configuration.

Fuses we burn to boot from eMMC:

echo "0x0000486c" > /sys/fsl_otp/HW_OCOTP_CFG4
echo "0x00000010" > /sys/fsl_otp/HW_OCOTP_CFG5

Normal boot interrupted:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

Booting with imx_usb again with the same u-boot-mfg-signed.imx after flashing:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

I've attached our scripts, CSF configurations and the generated keys in hopes that someone will see what we are missing here. The event messages are fairly cryptic, but the following is a list of things we have tried.

- Signing without removing DCD
- Removing DCD entirely as was suggested in another post
- Padding/not padding u-boot/CSF and combinations of the two
- Adding a script to rewrite u-boot IVT with the updated, padded CSF Pointer
- Burning/not burning fuses for signature

- Loading u-boot-mfg-signed.imx and u-boot-signed.imx (DCD not replaced)
- Modifying CSF in a number of ways to test different options and engines

- Using different versions of CST (2.3.3, 3.2.0, 3.3.0)

And for what it's worth, the header information of u-boot looks like this:

$ od -X -N 0x20 ../output/u-boot-signed.imx
0000000 402000d1 87800000 00000000 877ff42c
0000020 877ff420 877ff400 87870400 00000000
0000040

And our CSF looks like this:

[Header]
Target = HAB
Version = 4.2
Hash Algorithm = sha256
Certificate Format = X509
Engine = CAAM
Engine Configuration = 0
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]
Engine = CAAM
Engine Configuration = 0
Signature Format = CMS

[Install Key]
Verification index = 0
Target Index = 2
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x71000 "../input/u-boot.imx"

[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x0000002c 0x000001e8 "../input/u-boot.imx"

[Unlock]
Engine = CAAM
Features = RNG

Labels (2)
0 Kudos
Reply
1 Reply

890 Views
igorpadykov
NXP Employee
NXP Employee

Hi Alex

2017.03 is very old version and not more supported, may be suggested try

more new like 2018.03 and follow guidelines provided on

habv4\imx\doc - uboot-imx - i.MX U-Boot 

use nxp uboot from source.codeaurora.org/external/imx/uboot-imx repository

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply