i.MX8M Secure Boot not booting to U-Boot

vilsal · ‎11-05-2024

Hello!

I am trying to use the Secure boot feature on i.MX8M. I've followed the documentation guide and programmed the SEC_CONFIG[1] fuse bit to close the device but now the device seems to be bricked. This seems rather odd, as the device was booting correctly before and created no HAB-events. Now it get stuck on: "Authenticate image from DDR location 0x401fcdc0...".
And according to the documentation: "After the device successfully boots a signed image without generating any HAB events, it is safe to secure, or
close, the device".

How do I fix this?

Harvey021 · ‎11-06-2024

Hi,

Do you happen to have a chance to test the signed image for an open device?

Regards

Harvey

vilsal · ‎11-11-2024

Hi,

Yes. Trying to boot the signed image on a device (with the SRK table hash value programmed to the fuses) works correctly. Calling the HAB "hab_status" from U-Boot shell prompts the following:

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

Which is exactly the same which was printed on the now possibly bricked device, when I was confirming the authentication before closing it.

Br,

Ville

vilsal · ‎11-13-2024

Here's the full boot prompt after which I can't access for example U-Boot shell:

U-Boot SPL 2021.04-iot-gate-imx8-3.2-compulab+g263b27e076a (Oct 09 2024 - 08:11:02 +0000)
power_bd71837_init
DDRINFO(D): Samsung 2048G @ 3000 MHz
DDRINFO: start DRAM init
DDRINFO: DRAM rate 3000MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
DDRINFO(M): mr5-8 [ 0x1061010 ]
DDRINFO(E): mr5-8 [ 0x1061010 ]
Normal Boot
Trying to boot from MMC2
Authenticate image from DDR location 0x401fcdc0...
NOTICE: BL31: v2.4(release):lf-5.15.5-1.0.0-10-gcb51a0faa-dirty
NOTICE: BL31: Built : 07:55:25, Mar 15 2022

Harvey021 · ‎11-14-2024

What is your spl.csf? Please try to add the section under [Authenticate CSF] as below if not.

[Unlock]
Engine = CAAM
Features = MID, RNG

Regards

Harvey

vilsal · ‎11-18-2024

Hi,

Unfortunately there doesn't seem to be a way to add anything/modify to the device's eMMC, because we can't access the U-Boot shell. Any tips for that? (The device is IOT-GATE-IMX8)

Nonetheless, here's the csf that we used for the SPL (U-Boot) secure boot:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MFG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = \

Br,

Ville

Harvey021 · ‎11-19-2024

Try to add these features that I mentioned to command [Unlock] of your csf file.

Have you included optee in your signed image? if so, check if you have included a proper one.

By the way, please raise a case to compulab for assistance.

Regards

Harvey

vilsal · ‎11-19-2024

We're currently unable to add any features to the csf file, as we can't access the eMMC memory.

I'll contact Compulab tech support and see if they have some solution to this.

Thanks Harvey!

br,

Ville

i.MX8M Secure Boot not booting to U-Boot

i.MX8M Secure Boot not booting to U-Boot

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Security