i.MX8MP HABv4 hangs when trying to run hab_auth_img on a Linux kernel image

Hi!

I'm having a problem trying to setup HABv4 authentication for additional boot images. Right now, I have the bootloader authentication setup and working up to U-boot proper. After booting to U-boot proper using a signed image, hab_status reports no errors, so everything is ok up to that point. I have also tested that authentication works up to U-boot proper on both open and closed devices.

The next step I'm trying to do is to extend the root of trust to the Kernel image. What I have done so far:

- I enabled HABv4 support in U-boot according to uboot-imx/doc/imx/habv4/mx8m_secure_boot.txt, ie. CONFIG_IMX_HAB is enabled.

- I created a signed Kernel image according to uboot-imx/doc/imx/habv4/mx8m_secure_boot.txt

- I booted the system and loaded the signed Kernel image into RAM with

fatload mmc 2:1 0x40400000 Image

- I attempted to authenticate the image with

hab_auth_img 0x40400000 0x12F2020 0x12F0000

At this point I would expect hab_auth_img to either report some HAB events or tell me that no HAB events exist. However, the problem I have is that hab_auth_img simply hangs and I'm forced to perform a hard reset on the system. Oddly, if I try to boot the image using booti instead, the HABv4 authentication built into the booti command also hangs most of the time, but sometimes it seems to succeed randomly.

The contents of my signed image are as documented in uboot-imx/doc/imx/habv4/mx8m_secure_boot.txt, ie. the signed image contains a Kernel image, an IVT and a CSF binary.

- I'm using an uncompressed Kernel image for the Kernel.

- The contents of the IVT binary are (as a hexdump):

0000000: 00d1 4120 0000 4040 0000 0000 0000 0000
0000010: 0000 0000 0000 416f 0020 416f 0000 0000

- The contents of the CSF source file are:

[Header]
Version = 4.5
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Install Super Root Key (SRK).
File = "[Path to SRK_1_2_3_4_table.bin]"
Source index = 0

[Install CSFK]
# Install Command Sequence File Key (CSFK).
File = "[Path to IMG1_1_sha256_2048_65537_v3_usr_crt.pem]"

[Authenticate CSF]
# Authenticate the Command Sequence File
# Use all defaults.

[Install Key]
# Install Image Key.
File = "[Path to CSF1_1_sha256_2048_65537_v3_usr_crt.pem]"
Verification index = 0
Target Index = 2

[Authenticate Data]
# Authenticate Image data
Blocks = 0x40400000 0x0 0x12f0020 "Image_ivt.bin"
Verification index = 2

I have also tried signing the Kernel image with a CSF file containing the contents above and this [Unlock] directive, but it did not solve the problem.

[Unlock]
Engine = CAAM
Features = MFG,MID,RNG

The SPL and FIT images for the bootloader are signed with the same CSF as above, including the [Unlock] addition, and with a different Blocks= value in [Authenticate Data]. The HABv4 authentication works just fine for the bootloader.

I have also tried to trace where exactly U-boot hangs after running hab_auth_img. It seems that the image authentication function in ROM code is called, but the function never returns.

Any help is appreciated!

Best regards,

Eero