i.mx6ull vs i.mx6ul HAB issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.mx6ull vs i.mx6ul HAB issues

Jump to solution
2,463 Views
courk
Contributor II

Hi,

I'm trying to implement HAB on a i.mx6ull target.

I followed the instructions of AN4581 (http://www.nxp.com/assets/documents/data/en/application-notes/AN4581.pdf).

I'm using the following CSF file, the HAB Blocks being from the output of the mkimage command.

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
#        Address    Offset  Length    Data File Path
Blocks = 0x877ff400 0x0 0x60c00   "u-boot.imx"

The signed uboot is then generated using commands like:

./cst --o /tmp/csf-uboot.bin --i /tmp/csf-uboot
cat u-boot.imx /tmp/csf-uboot.bin > u-boot-signed.imx

This u-boot is next flashed on the eMMC of my target device.

The resulting u-boot-signed.imx doesn't work. The following events are generated:

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x0c 0x00 0x01 0xc5 0x00 0x00
        0x00 0x00 0x07 0xdc

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
        0x00 0x00 0x02 0x08

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

By reading the "High Assurance Boot Version 4 Application Programming Interface Reference Manual", I can understand there is probably something wrong with the CSF validation. Can you confirm this ?

What is weird is that the way I'm signing my u-boot seems to work when I'm using the imx_usb_loader tool (GitHub - boundarydevices/imx_usb_loader: Usb loader for imx51/53/6x). No HAB events are generated. The only difference is that I need to clear the DCD pointer from the IVT before running ./cst as imx_usb_loader will clear it. Maybe my issue is related to the way the code in the on-chip ROM is reading data from the eMMC ?

Finally, it's interesting to notice this u-boot signing procedure was working on an older revision of our hardware which was using a i.mx6ul instead of the i.mx6ull. Can it be related to a HAB update between the two ICs ?

What I tried (without success) so far:

  • Padding the CSF file to 0x2000 bytes using (my imximage.cfg does contain CSF 0x2000):

    objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 /tmp/csf-uboot.bin /tmp/csf-uboot-padded.bin

  • Following the procedure described here: https://community.nxp.com/thread/428505#comment-805847 which highlights an potential issue linked with block devices (which may explain why I can make my u-boot to work by booting from the Serial Download Mode and not from the eMMC ?)

Thanks for you help !

Labels (1)
Tags (2)
1 Solution
1,496 Views
Yuri
NXP Employee
NXP Employee

Hello,

   Please try to set Engine to SW in CSF file as below and test again.

 
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine = SW
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

  According to app note AN5350 (i.MX 6ULL Migration Guide), the i.MX6ULL does not have CAAM.

< http://www.nxp.com/assets/documents/data/en/application-notes/AN5350.pdf >

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

4 Replies
1,497 Views
Yuri
NXP Employee
NXP Employee

Hello,

   Please try to set Engine to SW in CSF file as below and test again.

 
[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Engine = SW
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

  According to app note AN5350 (i.MX 6ULL Migration Guide), the i.MX6ULL does not have CAAM.

< http://www.nxp.com/assets/documents/data/en/application-notes/AN5350.pdf >

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

1,496 Views
huzaifi
Contributor II

Hey Yuri,

I'm getting the same problem. However, the solution you have mentioned above does not work for me. Furthermore, if I use the CAAM or SW engines, my u-boot doesn't boot at all. 

The only difference I have form the example above is that I use a 4K key (4096) instead of a 2K key (2048). 

Other than that, I am using the same IMX6ULL and signed the u-boot using the instructions from AN4581. 

Thank you for the help!

0 Kudos
Reply
1,496 Views
Yuri
NXP Employee
NXP Employee

Hello,

  i.MX 6ULL HAB supports 4K key (in software).

Regards,

Yuri.

0 Kudos
Reply
1,496 Views
courk
Contributor II

Thanks ! It does work fine now.

0 Kudos
Reply