i.mx53 HABv4


620 Views
alexeym
Contributor III

Strange things are happening to me while trying to get HAB working on the mx53loco board.

I couldn't find any ready-made tutorials for mx53 boards. So I used https://boundarydevices.com/high-assurance-boot-hab-dummies/ as fulcrum.

What I did:

0. I followed the HAB for dummies manual until step 2 (Flashing the keys). As SRK_HASH differs between imx6 and imx5, I generated the fuse prog sequence by hand using SRK_1_2_3_4_fuse.bin (attached):

fuse prog -y 1 0x1 0x5a;
fuse prog -y 3 0x1 0x71;
fuse prog -y 3 0x2 0x26;
fuse prog -y 3 0x3 0x4;
fuse prog -y 3 0x4 0x22;
fuse prog -y 3 0x5 0x40;
fuse prog -y 3 0x6 0xf;
fuse prog -y 3 0x7 0x26;
fuse prog -y 3 0x8 0x49;
fuse prog -y 3 0x9 0xa2;
fuse prog -y 3 0xa 0x74;
fuse prog -y 3 0xb 0x29;
fuse prog -y 3 0xc 0xc2;
fuse prog -y 3 0xd 0xe8;
fuse prog -y 3 0xe 0x97;
fuse prog -y 3 0xf 0x64;
fuse prog -y 3 0x10 0xeb;
fuse prog -y 3 0x11 0xb6;
fuse prog -y 3 0x12 0xb6;
fuse prog -y 3 0x13 0xc7;
fuse prog -y 3 0x14 0x43;
fuse prog -y 3 0x15 0x8;
fuse prog -y 3 0x16 0x2f;
fuse prog -y 3 0x17 0x56;
fuse prog -y 3 0x18 0x8e;
fuse prog -y 3 0x19 0x77;
fuse prog -y 3 0x1a 0x18;
fuse prog -y 3 0x1b 0x93;
fuse prog -y 3 0x1c 0xd7;
fuse prog -y 3 0x1d 0xd5;
fuse prog -y 3 0x1e 0xdf;
fuse prog -y 3 0x1f 0x43;

1. I took mainline u-boot (tag v2020.10)

2. patched it to support secure boot on mx53loco. (patch attached)

3. added to config:

CONFIG_CMD_FUSE=y
CONFIG_IMX_HAB=y

4. make V=1 gives me this output:

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 421984 Bytes = 412.09 KiB = 0.40 MiB
Load Address: 777ff420
Entry Point: 77800000
HAB Blocks: 0x777ff400 0x00000000 0x00064c00
DCD Blocks: 0x00910000 0x0000002c 0x000001a8

5. used attached u-boot.csf to make u-boot_csf.bin

./cst --o u-boot_csf.bin --i u-boot.csf
cat u-boot.imx u-boot_csf.bin > u-boot_signed.imx
sudo dd if=u-boot_signed.imx of=$DISK seek=2 bs=512

6. now where I am:

The board starts, but the hab_status command returns:

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x2d 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x08 0x88

STS = HAB_FAILURE (0x33)
RSN = HAB_OVR_STORAGE (0x2D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x77 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x77 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xa8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x77 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x77 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

Please point out what I am doing wrong. I found only one topic with the HAB_OVR_STORAGE event reason, and it was an mx28 board where somebody tried to use a 4096-bit key where mx28 boards only support 2048-bit keys. But it's not my case...

0 Kudos
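A decoder for the `hab_status` event dumps quoted in the post above, as an added example that is not part of the original thread or of U-Boot. It assumes the standard HAB4 record header (tag 0xdb, 16-bit big-endian length, version byte) and, for assertion events, a payload of three big-endian words (type, address, length); the function names are hypothetical.

```python
import struct

# Names for the code values are taken from the hab_status output in the post.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x2D: "HAB_OVR_STORAGE", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}
# "HAB Blocks" line from the mkimage output: start address, image offset, length.
HAB_BLOCK = (0x777FF400, 0x00000000, 0x00064C00)
# Event data copied from the post (events 1, 3 and 5).
EVENT_1 = "0xdb 0x00 0x14 0x40 0x33 0x2d 0xc0 0x00 0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01 0x00 0x00 0x08 0x88"
EVENT_3 = "0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x77 0x7f 0xf4 0x2c 0x00 0x00 0x01 0xa8"
EVENT_5 = "0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x77 0x80 0x00 0x00 0x00 0x00 0x00 0x04"

def parse_event(dump):
    """Decode one 'event data' dump into named fields."""
    raw = bytes(int(tok, 16) for tok in dump.split())
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != 0xDB or length != len(raw):
        raise ValueError("truncated or non-event record")
    sts, rsn, ctx, eng = raw[4:8]
    event = {
        "version": version, "engine": eng, "payload": raw[8:],
        "status": STATUS.get(sts, hex(sts)),
        "reason": REASON.get(rsn, hex(rsn)),
        "context": CONTEXT.get(ctx, hex(ctx)),
    }
    # Assumption: assertion payload is (type, address, length), which matches
    # the IVT, DCD and entry-point addresses that mkimage printed.
    if ctx == 0xA0 and len(raw) == 20:
        _kind, addr, size = struct.unpack(">III", raw[8:])
        event["region"] = (addr, size)
    return event

def inside_signed_block(region, block=HAB_BLOCK):
    """True if the region lies entirely inside the mkimage HAB block."""
    start, _offset, length = block
    addr, size = region
    return start <= addr and addr + size <= start + length

if __name__ == "__main__":
    for dump in (EVENT_1, EVENT_3, EVENT_5):
        ev = parse_event(dump)
        region = ev.get("region")
        where = (f"region {region[0]:#x}+{region[1]:#x} in block: "
                 f"{inside_signed_block(region)}") if region else ev["payload"].hex()
        print(ev["status"], ev["reason"], ev["context"], where)
```

Every failed assertion region here falls inside the HAB block that mkimage reported, so the assertion events are not explained by a region missing from that range; the command-context event 1 is the one that differs.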
3 Replies

600 Views
alexeym
Contributor III

Changing key length to 2048 fixed the problem

0 Kudos

612 Views
igorpadykov
NXP TechSupport
0 Kudos

603 Views
alexeym
Contributor III

Thank you for the reply!

I've done:
1. applied the same patch to imx_v2020.04_5.4.47_2.2.0 branch
2. signed/padded u-boot.imx with mk_secure_uboot script from imx-test/test/mxc_secureboot/V2012/u-boot/ and I still have the same result.

Maybe something with CST version, or key length?
I see that the example scripts use slightly different syntax for the cst tool, and for some reason all keys are of 2048 length.

0 Kudos