After following the AN4581 instructions, we've hit a blocking issue that we can't seem to diagnose. We do not generate events until the fuses are blown for booting from eMMC and our image has been loaded. It's important to note that the image does boot like normal and the Linux system works. We are not currently attempting to diagnose the Linux kernel signing, just the u-boot signing process.
We have generated the u-boot-mfg-signed.imx by removing the DCD address, signed with CST, and replaced the DCD block. When booting the u-boot-mfg-signed.imx we get no events before flashing.
Before flashing, imx_usb loading u-boot-mfg-signed.imx:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
After flashing our .SDIMG that's generated in Yocto to eMMC and flashing u-boot to mmcblk1boot0, we get HAB events. There are two sets of fuses that are burned for booting from fuses to go with our resistor configuration.
Fuses we burn to boot from eMMC:
echo "0x0000486c" > /sys/fsl_otp/HW_OCOTP_CFG4
echo "0x00000010" > /sys/fsl_otp/HW_OCOTP_CFG5
Normal boot interrupted:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x11 0xcf 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
Booting with imx_usb again with the same u-boot-mfg-signed.imx after flashing:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
I've attached our scripts, CSF configurations and the generated keys in hopes that someone will see what we are missing here. The event messages are fairly cryptic, but the following is a list of things we have tried.
- Signing without removing DCD
- Removing DCD entirely as was suggested in another post
- Padding/not padding u-boot/CSF and combinations of the two
- Adding a script to rewrite u-boot IVT with the updated, padded CSF Pointer
- Burning/not burning fuses for signature
- Loading u-boot-mfg-signed.imx and u-boot-signed.imx (DCD not replaced)
- Modifying CSF in a number of ways to test different options and engines
- Using different versions of CST (2.3.3, 3.2.0, 3.3.0)
And for what it's worth, the header information of u-boot looks like this:
$ od -X -N 0x20 ../output/u-boot-signed.imx
0000000 402000d1 87800000 00000000 877ff42c
0000020 877ff420 877ff400 87870400 00000000
0000040
And our CSF looks like this:
[Header]
Target = HAB
Version = 4.2
Hash Algorithm = sha256
Certificate Format = X509
Engine = CAAM
Engine Configuration = 0
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
Engine = CAAM
Engine Configuration = 0
Signature Format = CMS
[Install Key]
Verification index = 0
Target Index = 2
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x71000 "../input/u-boot.imx"
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x0000002c 0x000001e8 "../input/u-boot.imx"
[Unlock]
Engine = CAAM
Features = RNG
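
Added example, not part of the original post or of NXP's tooling: a Python sketch that takes the IVT words, the four HAB_INV_ASSERTION records and the first [Authenticate Data] block exactly as posted, and checks whether each region named in an event lies inside the signed block. It assumes the 12 data bytes after the 8-byte event header are a 4-byte assertion type followed by a big-endian address and length; all function names are illustrative.

```python
import struct

# Values copied from the post: od -X words of the IVT, the HAB_INV_ASSERTION
# event records, and the first [Authenticate Data] block (address, length).
IVT_WORDS = [0x402000d1, 0x87800000, 0x00000000, 0x877ff42c,
             0x877ff420, 0x877ff400, 0x87870400, 0x00000000]
EVENTS = [
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 2c 00 00 01 e8",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 80 00 00 00 00 00 04",
]
CSF_BLOCKS = [(0x877ff400, 0x71000)]

def parse_ivt(words):
    """Name the eight little-endian IVT words printed by od -X."""
    names = ("header", "entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    ivt = dict(zip(names, words))
    # Header bytes on disk are d1 00 20 40: tag, big-endian length, version.
    tag, length, version = struct.unpack(">BHB", struct.pack("<I", ivt["header"]))
    if tag != 0xD1 or length != 0x20:
        raise ValueError("not an IVT header")
    ivt["hab_version"] = version
    return ivt

def parse_assertion(hex_line):
    """Return (address, length) from one HAB_INV_ASSERTION event record."""
    raw = bytes.fromhex(hex_line)
    tag, length, _ver, _sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw) or (rsn, ctx) != (0x0C, 0xA0):
        raise ValueError("not an assertion event")
    # Assumed data layout: assertion type, address, length (all big-endian).
    _kind, addr, size = struct.unpack(">III", raw[8:20])
    return addr, size

def covered(addr, size, blocks):
    """True if [addr, addr+size) lies inside one authenticated block."""
    return any(s <= addr and addr + size <= s + n for s, n in blocks)

def report():
    ivt = parse_ivt(IVT_WORDS)
    label = {ivt["self"]: "IVT", ivt["dcd"]: "DCD",
             ivt["boot_data"]: "boot data", ivt["entry"]: "entry point"}
    regions = [parse_assertion(ev) for ev in EVENTS]
    return ivt, [(label.get(a, "unknown"), hex(a), n, covered(a, n, CSF_BLOCKS))
                 for a, n in regions]

if __name__ == "__main__":
    print(report())
```

On the posted values every asserted region (IVT, DCD, boot data, entry point) falls inside the 0x71000-byte block and the CSF pointer sits at self + 0x71000, so a gap in the Blocks line does not explain events 2 to 5.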
Hi Alex
2017.03 is a very old version and is no longer supported. You could try
a newer one, like 2018.03, and follow the guidelines provided in
habv4\imx\doc - uboot-imx - i.MX U-Boot
Use the NXP U-Boot from the source.codeaurora.org/external/imx/uboot-imx repository.
Best regards
igor