i.mx6SoloX HAB development steps

Hi everyone~

After I implemented HAB according to the steps of HAB implementation on the Internet, there were no HAB events, but after changing to Closed mode, U-boot could not be started and MFgTool could not start.

I have a question: Mfgtool uses the u-boot.imx file, while HAB steps talks about the u-boot.bin file. Is it the wrong step I find? 

So I would like to ask if there is the latest dedicated HAB step for I.M x6Solox?

Here are the steps:

1. IMX_CST_TOOL
The CST tool can be downloaded from www.freescale.com. It provides software code signing support designed for use with Freescale processors that integrate the HAB library in the internal boot ROM.
The version in this example is 2.0, it can only run in Linux PC, the package name is “BLN_CST_MAIN_02.00.00.zip”.

2. Generate HAB4 Keys and Certificates
2.1. Unpack the CST package, there are six folders: ca, code, crts, docs, keys, linux. Create "serial" file and "key_pass.txt" file in the "keys" folder.
In this example, the content in "serial" file is
12345684
The content in "key_pass.txt" file is
freescale_mx6
freescale_mx6

2.2 Prior to running the hab4_pki_tree.sh ensure that OpenSSL is included in your search path by running
$ openssl version
OpenSSL 1.0.1 14 Mar 2012

2.3 Run the hab4_pki_tree.sh script to generate hab4 keys and certificates.
$ cd keys
$ ./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 15
How many Super Root Keys should be generated? 4
If you meet “unable to write 'random state' error”, change the ownership of ~/.rnd by command "sudo chown adam.adam ~/.rnd" and re-run step 2.2. adam is your user name.
Please note there should be no error during the keys/certificates generation.

2.4 Generating HAB4 SRK tables and efuse Hash
$ cd ../crts
$ ../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_4096_65537_v3_ca_crt.pem,SRK2_sha256_4096_65537_v3_ca_crt.pem,SRK3_sha256_4096_65537_v3_ca_crt.pem,SRK4_sha256_4096_65537_v3_ca_crt.pem
SRK table binary file SRK_1_2_3_4_table.bin and SRK efuse binary file SRK_1_2_3_4_fuse.bin are generated in crts folder.

3. Modify u-boot for HAB and sign u-boot image
3.1 0001-u-boot-enable-mx6-hab.patch is the hab patch based on Android 4.2.2_1.1.0 uboot-imx. Apply the patch and build u-boot.bin. Create u-boot folder in BLN_CST_MAIN_02.00.00, copy u-boot.bin to u-boot folder.
In this example, the u-boot.bin size is 0x70320. Since in u-boot.lds, __hab_data is placed to the end of u-boot.bin and aligned to 0x1000, pad u-boot.bin to 0x71000.
$ cd ../u-boot
$ objcopy -I binary -O binary --pad-to 0x71000 --gap-fill=0xff u-boot.bin u-boot-pad.bin

3.2 Create CSF description file csf_u-boot.txt in u-boot folder, and then sign the boot image.
You need to modify the [Authenticate Data] field according to your u-boot-pad.bin size.
$ ../linux/cst --output csf_u-boot.bin < csf_u-boot.txt

3.3 Assemble CSF data with boot image.
$ cat u-boot-pad.bin csf_u-boot.bin > u-boot-signed.bin

4. Blow SRK_HASH fuse
4.1 Get the SRK HASH value.
The SRK HASH value is generated by srkroot in step 2.4. Can dump the value by command
$ od -t x4 ../crts/SRK_1_2_3_4_fuse.bin
0000000 d7dd02f7 596a91bd b7fb2ec3 09525b17
0000020 6fe30579 0bb67f9e 7e53c7e4 44f06a93

4.2 Program SRK_HASH fuse by mfgtool.
Modify ucl2.xml of mfgtool to program the SRK_HASH fuse, here is the example
<LIST name="MX6Q-SabreSD-SRK-Hash" desc="SRK hash fuse programming">
<CMD state="BootStrap" type="boot" body="BootStrap" file ="u-boot-mx6q-sabresd.bin" >Loading U-boot</CMD>
<CMD state="BootStrap" type="load" file="uImage" address="0x10800000"
loadSection="OTH" setSection="OTH" HasFlashHeader="FALSE" >Loading Kernel.</CMD>
<CMD state="BootStrap" type="load" file="initramfs.cpio.gz.uboot" address="0x10C00000"
loadSection="OTH" setSection="OTH" HasFlashHeader="FALSE" >Loading Initramfs.</CMD>
<CMD state="BootStrap" type="jump" > Jumping to OS image. </CMD>
<!-- Begin to burn SRK_HASH fuse -->
<CMD state="Updater" type="push" body="$ echo 0xd7dd02f7 > /sys/fsl_otp/HW_OCOTP_SRK0">Burn Word 0 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x596a91bd > /sys/fsl_otp/HW_OCOTP_SRK1">Burn Word 1 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0xb7fb2ec3 > /sys/fsl_otp/HW_OCOTP_SRK2">Burn Word 2 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x09525b17 > /sys/fsl_otp/HW_OCOTP_SRK3">Burn Word 3 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x6fe30579 > /sys/fsl_otp/HW_OCOTP_SRK4">Burn Word 4 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x0bb67f9e > /sys/fsl_otp/HW_OCOTP_SRK5">Burn Word 5 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x7e53c7e4 > /sys/fsl_otp/HW_OCOTP_SRK6">Burn Word 6 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo 0x44f06a93 > /sys/fsl_otp/HW_OCOTP_SRK7">Burn Word 7 of SRK hash field in OTP </CMD>
<CMD state="Updater" type="push" body="$ echo Update Complete!">Done</CMD>
</LIST>

5. Verify the signed image
During development phase, do not program the SEC_CONFIG fuse to close mode except you have verified all the HAB function. In open configuration, If there is error event, you can see the event log after the signed image bootup. If see the log of "No HAB Events Found!”, the signature are verified successfully.
If see the log of "--------- HAB Event 1 -----------------", something wrong during the signature, please go back and check your step.

6. Download and execute signed image with mfgtool
6.1 Section 6.2 in AN4581.pdf describe the behavior when mfgtool download and execute code, here is the copy.
Parse the file to load in order to find the IVT and its DCD table pointer.
If there is a DCD table, it is loaded to the address, 0x00910000, in the OCRAM with the SDP command, DCD_WRITE. The DCD table must always be signed, which implies that this area in OCRAM must be signed.
The pointer to the DCD table is cleared in the IVT, in order to prevent the HAB library from processing the DCD table again during the authentication process. There is no need to re-initialize some memory, such as DDR3, when it already contains valid data.
The code is loaded to the boot_data address defined in the boot image structure.

6.2 Build uboot.bin with mfg config, create u-boot-mfg folder in BLN_CST_MAIN_02.00.00, copy u-boot.bin to u-boot-mfg folder. The u-boot.bin size in this example is 0x26F50, pad it to 0x27000. The CSF description file is similar to the one in step 3, except [Authenticate Data] field since the special mfgtool behavior in step 6.1. The example in AN4581 has one typo error, the correct example is
[Authenticate Data]
Verification index = 2
Blocks = 0x27800400 0x400 0x26C00 "u-boot-pad.bin", \
0x00910000 0x42c 0x2a0 "u-boot-pad.bin"
0x42c is the pointer of DCD table, 0x2a0 is the size of DCD table, you can get it in dcd_hdr in flash_header.S. You need to modify 0x26C00 and 0x2a0 according to your uboot.bin size and DCD table size.

6.3 Sign uboot.bin for mfgtool
$ objcopy -I binary -O binary --pad-to 0x27000 --gap-fill=0xff u-boot.bin u-boot-pad.bin
$ ./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.bin
$ ../linux/cst --output csf_u-boot.bin < csf_u-boot_mfg.txt
$ ./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.bin
$ cat u-boot-pad.bin csf_u-boot.bin > u-boot-signed.bin

6.4 Boot mode setting
When verify the signed image with mfgtool, BOOT_MODE[1:0] should be set to 01 to Serial Downloader mode, otherwise, you may meet one HAB event, the event data is “0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00”.
In Mx6 SDP board, if follow android user guide to set the boot switch SW6 to 00001100, you will get above HAB event. The correct setting is rework the BOOT MODE pin to serial download mode, or set SW6 to boot from SD card and do not insert SD card when power on.

7 After verify all the HAB function, blow SEC_CONFIG fuse to close mode.
$ echo 0x2 > /sys/fsl_otp/HW_OCOTP_CFG5

8 If there is no HAB event in open mode, but your board cannot bootup after program SEC_CONFIG to close mode, please check if you have unlocked RNG in CSF script.
[Unlock]
Engine = CAAM
Features = RNG
For the reason to unlock RNG, pleases refer to Q&A: HAB on i.MX6