Hi,
I'm currently trying to use HAB on a specific board using iMX6DL with u-boot 2014.04 (from Freescale).
I have the following lines in my board cfg file:
IMAGE_VERSION 2
BOOT_FROM sd
CSF 0x2000
When I compile u-boot I have the following output:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Mode: DCD
Data Size: 290816 Bytes = 284.00 kB = 0.28 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 00044c00
I've created the key using CST tools 2.2 (with my own serial and pass_key.txt files)
cd keys
./hab4_pki_tree.sh (n,2048,10,n)
cd ../crts
../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_usr_crt.pem,./SRK2_sha256_2048_65537_v3_usr_crt.pem,./SRK3_sha256_2048_65537_v3_usr_crt.pem,./SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1
My u-boot.csf is:
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "./crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x000 0x44c00 ".u-boot-pad.bin"
I generate the u-boot-signed file using the following commands:
./linux/cst --o u-boot_csf.bin < u-boot.csf
cat u-boot-pad.bin u-boot_csf.bin > u-boot-signed.bin
I burn the SRK fuse on the iMX
and copy my signed u-boot to the eMMC.
Everything is fine (no error), and when I boot up, hab_status gives me the following output:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x03 0x08
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x1d 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x48
Any ideas?
Thanks in advance
Hi Wee Do,
Looking at the log, it seems that the problem is an invalid key. And looking at your procedure, I believe the problem is here:
cd keys
./hab4_pki_tree.sh (n,2048,10,n)
cd ../crts
By answering 'n' to the last question, the PKI tree is built for "fast authentication". Your CSF file is for normal authentication.
An example of fast authentication is:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/TBL_1_sha256+tbl.bin"
Source index = 0
[Install NOCAK]
File = "../crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
#whole line comment
[Authenticate Data] # part line comment
Verification index = 0
Blocks = 0x877fb000 0x000 0x48000 "signed-u-boot.bin"
By the way, here is the parsing of your log:
------------+----+------+----+-------------------------------------------------
Persistent  | T  |  L   | P  | Contents
Memory      | a  |  e   | a  |
Record      | g  |  n   | r  |
Type        |    |  g   |    |
            |    |  t   |    |
            |    |  h   |    |
------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00
            |    |      |    |   STS = HAB_FAILURE (0x33)
            |    |      |    |   RSN = HAB_INV_ASSERTION (0x0C)
            |    |      |    |   CTX = HAB_CTX_ASSERT (0xA0)
            |    |      |    |   ENG = HAB_ENG_ANY (0x00)
            |    |      |    | Evt Data (hex):
            |    |      |    |   00 00 00 00 17 7f f4 00 00 00 00 20
------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00
            |    |      |    |   STS = HAB_FAILURE (0x33)
            |    |      |    |   RSN = HAB_INV_ASSERTION (0x0C)
            |    |      |    |   CTX = HAB_CTX_ASSERT (0xA0)
            |    |      |    |   ENG = HAB_ENG_ANY (0x00)
            |    |      |    | Evt Data (hex):
            |    |      |    |   00 00 00 00 17 7f f4 2c 00 00 03 08
------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00
            |    |      |    |   STS = HAB_FAILURE (0x33)
            |    |      |    |   RSN = HAB_INV_ASSERTION (0x0C)
            |    |      |    |   CTX = HAB_CTX_ASSERT (0xA0)
            |    |      |    |   ENG = HAB_ENG_ANY (0x00)
            |    |      |    | Evt Data (hex):
            |    |      |    |   00 00 00 00 17 7f f4 20 00 00 00 01
------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00
            |    |      |    |   STS = HAB_FAILURE (0x33)
            |    |      |    |   RSN = HAB_INV_ASSERTION (0x0C)
            |    |      |    |   CTX = HAB_CTX_ASSERT (0xA0)
            |    |      |    |   ENG = HAB_ENG_ANY (0x00)
            |    |      |    | Evt Data (hex):
            |    |      |    |   00 00 00 00 17 80 00 00 00 00 00 04
------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x0014|0x41| SRCE Field: 33 1d c0 00
            |    |      |    |   STS = HAB_FAILURE (0x33)
            |    |      |    |   RSN = HAB_INV_KEY (0x1D)
            |    |      |    |   CTX = HAB_CTX_COMMAND (0xC0)
            |    |      |    |   ENG = HAB_ENG_ANY (0x00)
            |    |      |    | Cmd Field: 0xbe000c00
            |    |      |    |   CMD: HAB_CMD_INS_KEY (0xbe)
            |    |      |    |   LEN: 0x000c
            |    |      |    |   FLG: 0x03
            |    |      |    |   FLAGS: NOTHING YET
            |    |      |    | PAST Field: 0x03170000
            |    |      |    |   Crt. addr: 0x00000048
------------+----+------+----+-------------------------------------------------
Regards,
Raul Cardenas
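Added example (not part of the original posts and not NXP or U-Boot code): a small Python decoder that turns raw hab_status output into the status/reason/context/engine fields shown in the parsed log above. The code tables hold only the values named in this thread; reading the assertion payload as 4 bytes followed by a big-endian address and length is an assumption, chosen because the first event then lines up with the "HAB Blocks: 177ff400" line from the build output.

```python
import re

# Codes named in the decoded log on this page; anything else is printed as hex.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x1D: "HAB_INV_KEY"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}
ENGINE = {0x00: "HAB_ENG_ANY"}

# Constructed sample: events 1 and 5 copied from the hab_status output in the question.
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x1d 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x48
"""

def name(table, code):
    return table.get(code, f"unknown (0x{code:02x})")

def parse_hab_events(text):
    """Split hab_status output into events and decode each record header."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", chunk))
        if len(raw) < 8 or raw[0] != 0xDB:
            raise ValueError("not a HAB event record")
        length = int.from_bytes(raw[1:3], "big")
        if length != len(raw):
            raise ValueError(f"length field {length} != {len(raw)} bytes captured")
        ev = {"status": name(STATUS, raw[4]), "reason": name(REASON, raw[5]),
              "context": name(CONTEXT, raw[6]), "engine": name(ENGINE, raw[7]),
              "data": raw[8:]}
        # Assumption: assertion payload = 4 bytes, then big-endian address and length.
        if raw[5] == 0x0C and len(raw) == 20:
            ev["address"] = int.from_bytes(raw[12:16], "big")
            ev["size"] = int.from_bytes(raw[16:20], "big")
        events.append(ev)
    return events

if __name__ == "__main__":
    for i, ev in enumerate(parse_hab_events(SAMPLE), 1):
        print(i, ev["reason"], ev["context"], ev["data"].hex(" "))
```

Feeding it the full five-event dump lets you compare each assertion address against the image layout and spot the one command-context event (here HAB_INV_KEY on an Install Key command) that the others follow from.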