Hi guys,
Regarding the HAB on i.MX8M.
I know that i.MX6 HAB does not check the validity of the certificate. -> good for my project.
What about the i.MX8 series, or especially the i.MX8M? Is there a validity check for the certificate?
Thanks in advance!
And may I ask here...
Are there any hints for setting up FIT + pubkey in uboot.dtb with the "new" u-boot layout?
So far I'm able to do the u-boot verification with HAB and it works fine.
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
u-boot=>
I'm also able to sign the FIT image with mkimage. The local check of the FIT image signature is working as well.
u-boot-imx8/tools/fit_check_sign
Verifying Hash Integrity ... sha1,rsa2048:dev+
## Loading kernel from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK
Trying 'kernel@1' kernel subimage
Description: Linux kernel
Created: Thu Jun 25 14:04:04 2020
Type: Kernel Image
Compression: lzo compressed
Data Size: 8942282 Bytes = 8732.70 KiB = 8.53 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x40480000
Entry Point: 0x40480000
Hash algo: sha256
Hash value: f2a2bb34afe08591f1c7bea8866741b1dfff21fc134e61d28e1f257d8998f0db
Verifying Hash Integrity ...
sha256+
OK
Uncompressing Kernel Image ... Unimplemented compression type 4
## Loading fdt from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK
Trying 'fdt@freescale_fsl-imx8mm-port-core-techshine.dtb' fdt subimage
Description: Flattened Device Tree blob
Created: Thu Jun 25 14:04:04 2020
Type: Flat Device Tree
Compression: uncompressed
Data Size: 36093 Bytes = 35.25 KiB = 0.03 MiB
Architecture: AArch64
Hash algo: sha256
Hash value: 759cd7596fde70a1ca5eb925f5e7180e5e813d33d38bbc12b4eac3de2459b9ae
Verifying Hash Integrity ...
sha256+
OK
Loading Flat Device Tree ... OK
## Loading ramdisk from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK
Could not find subimage node
Signature check OK
The problem now is when I create the flash.bin including the pubkey in the u-boot.dtb. I guess I am doing something wrong in this step. On the target, u-boot is not able to find the key to verify the signed FIT image. (dtb name removed because of policy)
u-boot=> ext2load mmc 2:1 0x50480000 image_signed_yocto_portkey_rsa.fit
8980546 bytes read in 140 ms (61.2 MiB/s)
u-boot=> bootm 0x50480000
## Loading kernel from FIT Image at 50480000 ...
Using 'conf@freescale_fsl-imx8mm-x-x-x.dtb' configuration
Verifying Hash Integrity ... sha1,rsa2048:portkey- Failed to verify required signature 'key-portkey'
Bad Data Hash
ERROR: can't get kernel image!
I'm working with the doc files from u-boot.
doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt
doc/uImage.FIT/signature.txt
doc/uImage.FIT/beaglebone_vboot.txt
Unfortunately I was not able to get it to work as it should...
It would be great if someone has a hint here.
Thanks
guys
Yes, I saw it... I sent you some questions back.
Unfortunately I have a new topic.
After I was able to sign the u-boot and verify the signature with hab_status,
I now have the problem that I cannot reproduce it. Unfortunately I get HAB events all the time...
No matter what I do... always the same HAB events. I've tried with OPTEE and without...
Maybe you can give me a hint about what is wrong with the CSF config.
HAB events:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x0d 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x09 0xbf 0xd0 0x40 0x29 0xbf 0xd0
0x00 0x00 0x82 0x32 0x00 0x92 0x00 0x00
0x00 0x00 0xa1 0x70
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Here is the CSF config:
FIT:
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fcdc0 0x60000 0x1020 "flash.bin", \
0x40200000 0x5AC00 0x9BFD0 "flash.bin", \
0x4029BFD0 0xF6BD0 0x8232 "flash.bin", \
0x920000 0xFEE04 0xA170 "flash.bin"
SPL:
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "/home/linderth/workspace/yocto-builder-warrior/meta-port/tools/cst-3.3.0/release/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e1fc0 0x1000 0x2ca00 "flash.bin" # spi nor
#Blocks = 0x7e0fc0 0x0 0x2ca00 "flash_sd.bin" # sd card
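An added example, not part of the posts above: a small decoder for the "event data" dumps printed by hab_status, run on Event 1 and Event 3 as posted and compared with the FIT CSF Blocks list. The record layout is an assumption taken from the HAB4 event format (0xDB header, then status/reason/context/engine; an assertion event carries type, address and length; a command event echoes the failing CSF command), and the function names are hypothetical.

```python
import re
import struct

# Event data (Event 1, Event 3) and FIT CSF Blocks copied from the post above.
EVENT1 = """0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00 0x00 0x00
0x00 0x00 0x40 0x1f 0xdd 0xc0 0x00 0x00 0x00 0x20"""
EVENT3 = """0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00 0xca 0x00 0x2c 0x00 0x02
0xc5 0x1d 0x00 0x00 0x00 0x0d 0x54 0x40 0x1f 0xcd 0xc0 0x00 0x00
0x10 0x20 0x40 0x20 0x00 0x00 0x00 0x09 0xbf 0xd0 0x40 0x29 0xbf
0xd0 0x00 0x00 0x82 0x32 0x00 0x92 0x00 0x00 0x00 0x00 0xa1 0x70"""
CSF_BLOCKS = r'''Blocks = 0x401fcdc0 0x60000 0x1020 "flash.bin", \
0x40200000 0x5AC00 0x9BFD0 "flash.bin", \
0x4029BFD0 0xF6BD0 0x8232 "flash.bin", \
0x920000 0xFEE04 0xA170 "flash.bin"'''

HAB_TAG_EVT, HAB_CMD_AUT_DAT = 0xDB, 0xCA      # event tag, Authenticate Data tag
HAB_CTX_ASSERT, HAB_CTX_COMMAND = 0xA0, 0xC0   # contexts shown in the dumps

def decode_event(text):
    """Decode one hab_status 'event data' dump into its fields."""
    raw = bytes(int(t, 16) for t in re.findall(r"0x[0-9a-fA-F]{2}\b", text))
    if len(raw) < 8 or raw[0] != HAB_TAG_EVT or int.from_bytes(raw[1:3], "big") != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, _eng = raw[4:8]
    out = {"status": sts, "reason": rsn, "context": ctx, "blocks": []}
    data = raw[8:]
    if ctx == HAB_CTX_ASSERT and len(data) == 12:
        # Assumed layout: assertion type, start address, length (big-endian)
        _type, addr, size = struct.unpack(">III", data)
        out["blocks"].append((addr, size))
    elif ctx == HAB_CTX_COMMAND and len(data) >= 12 and data[0] == HAB_CMD_AUT_DAT:
        # Assumed: tag/len/flags, key/pcl/eng/cfg, signature offset, (addr, len) pairs
        cmd_len = int.from_bytes(data[1:3], "big")
        out["key_index"] = data[4]
        body = data[12:cmd_len]
        for off in range(0, len(body) - 7, 8):
            out["blocks"].append(struct.unpack(">II", body[off:off + 8]))
    return out

def csf_blocks(text):
    """Return (load address, length) for each entry of a CSF Blocks list."""
    hexnum = r"(0x[0-9a-fA-F]+)"
    rows = re.findall(hexnum + r"\s+" + hexnum + r"\s+" + hexnum + r'\s+"', text)
    return [(int(addr, 16), int(size, 16)) for addr, _off, size in rows]

if __name__ == "__main__":
    d3 = decode_event(EVENT3)
    print([(hex(a), hex(n)) for a, n in decode_event(EVENT1)["blocks"]])
    print("key slot", d3["key_index"], "matches CSF:", d3["blocks"] == csf_blocks(CSF_BLOCKS))
```

Decoded this way, Event 3 is the [Authenticate Data] command with verification index 2 over exactly the four regions in the FIT CSF, and Events 1 and 2 name the regions 0x401fddc0 (0x20 bytes) and 0x401fcdc0 (0x4 bytes). The file offsets in the CSF are not part of the event record, so they have to be checked against flash.bin separately.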
Hi, I am facing the same issue on imx8mm. May I know how you were able to solve this issue? I ran many interactions with and without tee bin, and the configs did not help.
Was there a solution to this? I am seeing the exact same errors. Everything is signed but I get
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x3c 0x43 0x33 0x18 0xc0 0x00
0xca 0x00 0x34 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x5c 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x76 0x58 0x40 0x2c 0x76 0x58
0x00 0x00 0x8b 0x2e 0x00 0x92 0x00 0x00
0x00 0x00 0xb1 0xe0 0xbe 0x00 0x00 0x00
0x00 0x20 0x3e 0x60
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
What am I missing?
@tanner_oakes were you able to solve this issue?