i.MX6ULL hab_failsafe is not failsafe

JohnKlug
Senior Contributor I

After patching U-Boot, and testing hab_failsafe, it does not matter if the image used for serial download is signed or not, despite the fact that the device is closed and has a key.

 

After bringing up USB in hab_failsafe, I booted through USB serial download without any signature. For a sanity check, signed images have the string OpenSSL Generated Certificate in them:



$ strings u-boot-nand-signed-pad.imx | grep Certificate
OpenSSL Generated Certificate0
OpenSSL Generated Certificate0
$ strings u-boot.imx | grep Certificate


When using u-boot.imx, which is unsigned, and with U-Boot having called hab_failsafe, I get the following result in U-Boot (which should not have booted at all):

=> hab_status

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!



For the preparation that led to this, see:
i.MX6ULL and uboot-imx 2020.04 Does not work with hab_failsafe 

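A stronger sanity check than grepping for the certificate string, added here as an example (it is not code from the post, from U-Boot or from mkimage): read the IVT at the start of the .imx file and check whether the CSF it points to is physically present in the file. Assumptions: the HAB4 header layout (tag 0xd1 for the IVT, 0xd4 for the CSF, big-endian length), the IVT at file offset 0 as mkimage writes it, and the i.MX6ULL addresses from this thread (load address 0x877ff400, signed length 0x86c00) for the constructed sample images; the function names and the samples are invented for the example.

```python
"""Check whether an i.MX6 .imx boot image actually carries a CSF.

Added example, not from the forum post. Layout assumed (HAB4): IVT
header tag 0xd1, 32-byte IVT with little-endian pointer fields, CSF
header tag 0xd4. An image built with HAB support can already have a
non-zero csf pointer reserved by mkimage; the CSF bytes only exist
once the image has been padded and signed.
"""
import struct

HAB_TAG_IVT = 0xD1
HAB_TAG_CSF = 0xD4
IVT_SIZE = 0x20


def parse_ivt(blob):
    """Return the IVT fields found at offset 0 of an .imx file."""
    if len(blob) < IVT_SIZE:
        raise ValueError("file shorter than an IVT")
    tag, length, version = struct.unpack(">BHB", blob[:4])
    if tag != HAB_TAG_IVT or length != IVT_SIZE:
        raise ValueError("no IVT header at offset 0 (tag 0x%02x, len 0x%x)" % (tag, length))
    entry, _res1, dcd, boot_data, self_addr, csf, _res2 = struct.unpack("<7I", blob[4:IVT_SIZE])
    return {"version": version, "entry": entry, "dcd": dcd,
            "boot_data": boot_data, "self": self_addr, "csf": csf}


def csf_status(blob):
    """Classify an image as 'unsigned', 'csf-reserved-but-absent' or 'signed'.

    'signed' means a CSF header is present at the offset the IVT points
    to; it says nothing about whose key signed it or whether the SRK
    matches the fuses, which only hab_status on the target can tell.
    """
    ivt = parse_ivt(blob)
    if ivt["csf"] == 0:
        return "unsigned"
    offset = ivt["csf"] - ivt["self"]          # csf pointer is a DDR address, self is the load address
    if offset < 0 or offset + 4 > len(blob):
        return "csf-reserved-but-absent"        # pointer set, but the bytes are not in the file
    tag, length, _ver = struct.unpack(">BHB", blob[offset:offset + 4])
    if tag != HAB_TAG_CSF or offset + length > len(blob):
        return "csf-reserved-but-absent"        # padding or garbage where the CSF should be
    return "signed"


def build_sample(kind):
    """Constructed toy image; addresses are the i.MX6ULL U-Boot ones from the thread."""
    self_addr, signed_len = 0x877FF400, 0x86C00          # load address and signed length from the HAB log
    csf_addr = 0 if kind == "plain" else self_addr + signed_len   # 0x87886000 when reserved
    ivt = struct.pack(">BHB", HAB_TAG_IVT, IVT_SIZE, 0x40)
    ivt += struct.pack("<7I", 0x87800000, 0, self_addr + 0x2C, self_addr + 0x20, self_addr, csf_addr, 0)
    body = ivt + b"U-Boot 2020.04 (constructed sample)\0"
    if kind != "signed":
        return body                                      # mkimage output: no CSF bytes in the file
    padded = body.ljust(signed_len, b"\0")               # the pad step before the CSF is appended
    csf = struct.pack(">BHB", HAB_TAG_CSF, 0x10, 0x40) + b"\0" * 12   # CSF header + placeholder commands
    return padded + csf


if __name__ == "__main__":
    for kind in ("plain", "reserved", "signed"):
        sample = build_sample(kind)
        print("%-9s csf=0x%08x -> %s" % (kind, parse_ivt(sample)["csf"], csf_status(sample)))
```

The distinction the tool draws matters for this thread: an unsigned u-boot.imx from a HAB-enabled build can carry a csf pointer to 0x87886000 while containing no CSF bytes at all, which is exactly the image layout that lets a leftover CSF in DDR be picked up.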
1 Solution
igorpadykov
NXP Employee

answer from team:

-------------------

When we run the "uuu.exe SDP: write -f u-boot-dtb.imx_unsigned -ivt 0" command with an unsigned image, UUU just downloads the unsigned image to memory at 0x877ff400, and because our unsigned image doesn't have the CSF part, the CSF data in DDR is still the data copied from the signed SD card image during the first boot. The scenario is:

1) Generate one uboot-dtb.imx (image A) and correctly sign it to get a signed image B.

2) Use a closed device.

3) Boot a correctly signed image B from the SD card <- note that image + CSF (which may start from 0x87886000) is downloaded to DDR.

4) Go into fail-safe mode.

5) Use UUU to download unsigned image A (note that this image has to be A). <- UUU just downloads A and won't update the CSF part of image B in DDR. The command is: uuu.exe SDP: write -f A -ivt 0

6) Run the command "uuu.exe -v SDP: jump -f A -ivt" and we can see that A boots up.

The reason is that A and B match, and we don't change anything in A, so the CSF of B can still pass the authentication of image A.

The above scenario will fail in the cases below.

1) In step 3, in the U-Boot console, clear the CSF data with "mw 0x87886000 0 128"; then in step 6, the user can't boot image A (HAB_INV_CSF issue) in the closed state. The HAB log on an open device is shown below.

=> hab_status
 
Secure boot disabled
 
HAB Configuration: 0xf0, HAB State: 0x66
 
--------- HAB Event 1 -----------------
event data:
    0xdb 0x00 0x08 0x42 0x33 0x11 0xcf 0x00
 
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)
 
 
--------- HAB Event 2 -----------------
event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
    0x00 0x00 0x00 0x20
 
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
 
 
--------- HAB Event 3 -----------------
event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
    0x00 0x00 0x01 0xe8
 
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
 
 
--------- HAB Event 4 -----------------
event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
    0x00 0x00 0x00 0x01
 
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
 
 
--------- HAB Event 5 -----------------
event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
    0x00 0x00 0x00 0x04
 
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

2) In step 5, the customer doesn't download image A but a newly compiled unsigned U-Boot image C; then in step 6, the customer won't see the image boot up in the closed state (invalid signature issue). The HAB log in the open state is shown below.

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0xff 0x00
0x00 0x00 0x0a 0x10 0x87 0x7f 0xf4 0x00
0x00 0x08 0x6c 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

=>

 

-------------------

Best regards
igor

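To read the two logs above without the U-Boot source open, here is a decoder for the raw event bytes, added as an example for this page rather than taken from the thread or from U-Boot. It assumes the HAB4 event record layout (tag 0xdb, big-endian 16-bit length, version byte, then STS/RSN/CTX/ENG and context data), that an assertion event carries a type, an address and a length, and that a command-context event embeds the failing CSF command, here Authenticate Data (tag 0xca) followed by the (address, length) blocks it covers. The name tables cover the codes that appear in this thread plus a few common ones; the sample input is copied from the hab_status dumps above.

```python
"""Decoder for the raw HAB4 event records printed by U-Boot's hab_status.

Added example, not code from the thread or from U-Boot. Assumed layout:
tag 0xdb, big-endian 16-bit length, version, then STS/RSN/CTX/ENG,
then context data. Assertion events carry (type, address, length);
command-context events embed the failing CSF command, here Authenticate
Data (tag 0xca) followed by the (address, length) blocks it covers.
"""
import struct

HAB_TAG_EVT, HAB_CMD_AUT_DAT = 0xDB, 0xCA
HAB_CTX_ASSERT, HAB_CTX_COMMAND = 0xA0, 0xC0

STS = {0x00: "HAB_STS_ANY", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
RSN = {0x00: "HAB_RSN_ANY", 0x05: "HAB_INV_IVT", 0x06: "HAB_INV_COMMAND",
       0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF", 0x17: "HAB_INV_SIZE",
       0x18: "HAB_INV_SIGNATURE", 0x1D: "HAB_INV_KEY", 0x21: "HAB_INV_CERTIFICATE",
       0x22: "HAB_INV_ADDRESS", 0x27: "HAB_INV_DCD"}
CTX = {0x00: "HAB_CTX_ANY", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
       0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_TARGET", 0xDD: "HAB_CTX_DCD",
       0xDE: "HAB_CTX_AUTHENTICATE", 0xE1: "HAB_CTX_ENTRY", 0xEE: "HAB_CTX_EXIT"}
ENG = {0x00: "HAB_ENG_ANY", 0x1B: "HAB_ENG_DCP", 0x1D: "HAB_ENG_CAAM", 0x1E: "HAB_ENG_SNVS",
       0x21: "HAB_ENG_OCOTP", 0x36: "HAB_ENG_ROM", 0xFF: "HAB_ENG_SW"}


def _name(table, code):
    return table.get(code, "UNKNOWN(0x%02x)" % code)


def parse_dump(text):
    """Turn the '0xdb 0x00 ...' lines printed by hab_status into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_events(raw):
    """Split a byte string into event records and decode each one."""
    events, off = [], 0
    while off + 4 <= len(raw):
        tag, length, version = struct.unpack(">BHB", raw[off:off + 4])
        if tag != HAB_TAG_EVT or length < 8 or off + length > len(raw):
            raise ValueError("bad event header at offset %d" % off)
        sts, rsn, ctx, eng = raw[off + 4:off + 8]
        ev = {"version": version, "sts": _name(STS, sts), "rsn": _name(RSN, rsn),
              "ctx": _name(CTX, ctx), "eng": _name(ENG, eng), "blocks": []}
        data = raw[off + 8:off + length]
        if ctx == HAB_CTX_ASSERT and len(data) >= 12:
            atype, addr, size = struct.unpack(">III", data[:12])
            ev["assert_type"] = atype                    # 0 = HAB_ASSERT_BLOCK: block must be in a hash
            ev["blocks"].append((addr, size))
        elif ctx == HAB_CTX_COMMAND and data[:1] == bytes([HAB_CMD_AUT_DAT]):
            # hdr(4) key, sig_format, engine, cfg(4) sig_offset(4) then (addr, len) pairs
            ev["key_index"], ev["sig_format"] = data[4], data[5]   # 0xc5 = CMS signature
            ev["sig_offset"] = struct.unpack(">I", data[8:12])[0]  # offset of the signature in the CSF
            for i in range(12, len(data) - 7, 8):
                ev["blocks"].append(struct.unpack(">II", data[i:i + 8]))
        events.append(ev)
        off += length
    return events


def describe(events):
    """One line per event, with the address ranges HAB was checking."""
    lines = []
    for n, ev in enumerate(events, 1):
        line = "Event %d: %s %s %s %s" % (n, ev["sts"], ev["rsn"], ev["ctx"], ev["eng"])
        for addr, size in ev["blocks"]:
            line += "  block 0x%08x..0x%08x" % (addr, addr + size)
        lines.append(line)
    return lines


# Sample input copied from the first hab_status log in the reply (CSF cleared with mw).
CSF_CLEARED_LOG = """
0xdb 0x00 0x08 0x42 0x33 0x11 0xcf 0x00
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00 0x00 0x00 0x00 0x20
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c 0x00 0x00 0x01 0xe8
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20 0x00 0x00 0x00 0x01
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00 0x00 0x00 0x00 0x04
"""
# Event 1 of the second log (rebuilt image C against the stale CSF); its events 2-5 repeat the assertions above.
BAD_SIGNATURE_EVENT = """
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0xff 0x00
0x00 0x00 0x0a 0x10 0x87 0x7f 0xf4 0x00
0x00 0x08 0x6c 0x00
"""

if __name__ == "__main__":
    for dump in (CSF_CLEARED_LOG, BAD_SIGNATURE_EVENT):
        print("\n".join(describe(decode_events(parse_dump(dump)))))
```

What the decoded output adds to the log: events 2 to 5 in both cases are the blocks HAB insists must have been covered by a valid signature, in the standard mkimage layout the 32-byte IVT at 0x877ff400, the DCD at 0x877ff42c, the boot data at 0x877ff420 and the first word at the entry point 0x87800000, and they fail only because no signature verified at all. The INV_SIGNATURE event embeds the Authenticate Data command that failed: key slot 2, CMS signature at CSF offset 0xa10, covering 0x877ff400 for 0x86c00 bytes, so the signed region ends at 0x87886000, which is where the CSF itself sits and the address the "mw" command in the reply clears.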

JohnKlug
Senior Contributor I

I corrupted the U-Boot image (changed the banner), and it would no longer boot the unsigned image.  It did not occur to me that the same signature would still be in memory.

Thanks for your clarification.

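A small model of the mechanism the reply describes and the banner experiment confirms, written for this page rather than taken from NXP or U-Boot: a simulated DDR, an image loaded at 0x877ff400 with its CSF at 0x87886000, and an authenticate step that follows the IVT's csf pointer and checks the bytes in memory. HMAC-SHA256 under a constructed key stands in for the RSA/CMS signature and SRK chain a real CSF carries, and the assertion step is reduced to "IVT and entry point inside the signed block"; the addresses and the 0x86c00 length are the ones in the HAB log above. Running the steps shows why an unmodified image A still authenticates against B's leftover CSF while a rebuilt image or a cleared CSF does not.

```python
"""Why a leftover CSF in DDR still authenticates a re-downloaded image.

Added example for this page, not code from NXP or U-Boot. Constructed
model: a fake DDR, an image at 0x877ff400 with its CSF at 0x87886000
(addresses and lengths from the HAB log in the thread), and an
authenticate step that follows the IVT's csf pointer and checks the
bytes in memory. HMAC-SHA256 under a constructed key stands in for
the RSA/CMS signature and SRK chain of a real CSF.
"""
import hashlib
import hmac
import struct

DDR_BASE, DDR_SIZE = 0x87000000, 0x01000000   # 16 MiB window is enough for the model
LOAD_ADDR = 0x877FF400                        # IVT / image load address (from the log)
SIGNED_LEN = 0x86C00                          # authenticated block length (from the log)
CSF_ADDR = LOAD_ADDR + SIGNED_LEN             # 0x87886000, directly after the signed block
ENTRY = 0x87800000                            # U-Boot entry point asserted in the log
OEM_KEY = b"constructed-oem-key-stand-in"     # stands in for the OEM's RSA private key
HAB_TAG_IVT, HAB_TAG_CSF = 0xD1, 0xD4


class DDR:
    """Flat byte-addressable memory window."""
    def __init__(self):
        self.mem = bytearray(DDR_SIZE)

    def write(self, addr, data):
        off = addr - DDR_BASE
        self.mem[off:off + len(data)] = data

    def read(self, addr, n):
        off = addr - DDR_BASE
        return bytes(self.mem[off:off + n])


def make_image(banner):
    """Unsigned image (A or C): IVT with the csf pointer reserved, payload, zero pad to SIGNED_LEN."""
    ivt = struct.pack(">BHB", HAB_TAG_IVT, 0x20, 0x40)
    ivt += struct.pack("<7I", ENTRY, 0, LOAD_ADDR + 0x2C, LOAD_ADDR + 0x20, LOAD_ADDR, CSF_ADDR, 0)
    return (ivt + banner.encode() + b"\0").ljust(SIGNED_LEN, b"\0")


def sign(image, key):
    """Signed image B = image + CSF; the CSF names the block it covers and carries the MAC."""
    mac = hmac.new(key, image, hashlib.sha256).digest()
    body = struct.pack(">II", LOAD_ADDR, len(image)) + mac
    return image + struct.pack(">BHB", HAB_TAG_CSF, 4 + len(body), 0x40) + body


def hab_authenticate(ddr, key):
    """What the ROM does on boot or SDP jump: read the IVT, follow csf, verify the block in DDR."""
    if ddr.read(LOAD_ADDR, 1)[0] != HAB_TAG_IVT:
        return "HAB_INV_IVT"
    entry, _r1, _dcd, _bd, _self, csf_ptr, _r2 = struct.unpack("<7I", ddr.read(LOAD_ADDR + 4, 28))
    if ddr.read(csf_ptr, 1)[0] != HAB_TAG_CSF:
        return "HAB_INV_CSF"                     # what "mw 0x87886000 0 128" produces
    start, size = struct.unpack(">II", ddr.read(csf_ptr + 4, 8))
    mac = ddr.read(csf_ptr + 12, 32)
    expected = hmac.new(key, ddr.read(start, size), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "HAB_INV_SIGNATURE"               # bytes in DDR differ from what was signed
    if not (start <= LOAD_ADDR < start + size and start <= entry < start + size):
        return "HAB_INV_ASSERTION"               # IVT or entry point not covered by the signature
    return "HAB_SUCCESS"


def run_scenario():
    """Steps 3, 5 and 6 of the reply, then the two failure cases."""
    ddr = DDR()
    image_a = make_image("U-Boot 2020.04 (image A)")
    image_b = sign(image_a, OEM_KEY)
    results = {}
    ddr.write(LOAD_ADDR, image_b)                           # step 3: signed B booted from SD card
    results["boot_B"] = hab_authenticate(ddr, OEM_KEY)
    ddr.write(LOAD_ADDR, image_a)                           # step 5: SDP write of unsigned A; CSF untouched
    results["sdp_A_stale_csf"] = hab_authenticate(ddr, OEM_KEY)
    ddr.write(LOAD_ADDR, make_image("U-Boot 2020.04 (image C)"))   # case 2: rebuilt or edited image
    results["sdp_C_stale_csf"] = hab_authenticate(ddr, OEM_KEY)
    ddr.write(LOAD_ADDR, image_b)                           # case 1: B again, then clear the CSF
    ddr.write(CSF_ADDR, bytes(128 * 4))                     # mw 0x87886000 0 128 writes 128 32-bit words
    results["B_csf_cleared"] = hab_authenticate(ddr, OEM_KEY)
    return results


if __name__ == "__main__":
    for step, status in run_scenario().items():
        print("%-18s %s" % (step, status))
```

The practical rule for anyone validating hab_failsafe follows from the model: either clear the CSF region as in the reply or download an image that differs from the one that was signed; otherwise the test only proves that B's CSF still covers A's bytes, not that the closed device rejects unsigned code.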