iMX6 HAB Problem

aureliencourrie · ‎03-04-2015

Hi,

I'm currently trying tu use HAB on a board specific using iMX6DL with u-boot 2014.04 ( from freescale.)

I've the following line in my board cfg file

IMAGE_VERSION 2

BOOT_FROM sd

CSF 0x2000

When I compile u-boot i've the following output

Image Type: Freescale IMX Boot Image

Image Ver: 2 (i.MX53/6 compatible)

Mode: DCD

Data Size: 290816 Bytes = 284.00 kB = 0.28 MB

Load Address: 177ff420

Entry Point: 17800000

HAB Blocks: 177ff400 00000000 00044c00

I've created the key using CST tools 2.2 (with my own serial and pass_key.txt files)

cd keys

./hab4_pki_tree.sh (n,2048,10,n)

cd ../crts

../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_usr_crt.pem,./SRK2_sha256_2048_65537_v3_usr_crt.pem,./SRK3_sha256_2048_65537_v3_usr_crt.pem,./SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1

My u-boot.csf is :

[Header]

Version = 4.0

Security Configuration = Open

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "./crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]

Verification index = 0

Target index = 2

File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# lenght 0x2F000 (padded u-boot lenght) - 0x400 (IVT offset) = 0x2EC00

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x177ff400 0x000 0x44c00 ".u-boot-pad.bin"

I generate the u-boot-signed file using following commands

./linux/cst --o u-boot_csf.bin < u-boot.csf

cat u-boot-pad.bin u-boot_csf.bin > u-boot-signed.bin

I burn the SRK fuse on the iMX

and copy my u-boot signed on the eMMC

Everything is fine (no error) and when I boot up the hab_status give me the following output

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c

0x00 0x00 0x03 0x08

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00

0x00 0x00 0x00 0x04

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x1d 0xc0 0x00

0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00

0x00 0x00 0x00 0x48

Any ideas ??

Thanks in advance

raulcardenas-b4 · ‎03-04-2015

Hi Wee Do,

Looking at the log, it seems that the problem is an invalid key. And looking at your procedure, I believe the problem is here:

cd keys

./hab4_pki_tree.sh (n,2048,10,n)

cd ../crts

By answering 'n' to the last question, the PKI tree is build for "fast authentication". Your CSF file is for normal authentication.

And example of fast authentication is:

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine = ANY

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = “../crts/TBL_1_sha256+tbl.bin”

Source index = 0

[Install NOCAK]

File = “../crts/SRK1_sha256_2048_65537_v3_usr_crt.pem”

[Authenticate CSF]

#whole line comment

[Authenticate Data] # part line comment

Verification index = 0

Blocks = 0x877fb000 0x000 0x48000 “signed-u-boot.bin"

By the way here is parsing of your log:

------------+----+------+----+-------------------------------------------------

Persistent | T | L | P | Contents

Memory | a | e | a |

Record | g | n | r |

Type | | g | |

| | t | |

| | h | |

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 00 00 00 00 20

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 2c 00 00 03 08

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 20 00 00 00 01

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 80 00 00 00 00 00 04

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 1d c0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_KEY (0x1D)

| | | | CTX = HAB_CTX_COMMAND (0xC0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Cmd Field: 0xbe000c00

| | | | CMD: HAB_CMD_INS_KEY (0xbe)

| | | | LEN: 0x000c

| | | | FLG: 0x03

| | | | FLAGS: NOTHING YET

| | | | PAST Field: 0x03170000

| | | | Crt. addr: 0x00000048

------------+----+------+----+-------------------------------------------------

Regards,

Raul Cardenas

元の投稿で解決策を見る

raulcardenas-b4 · ‎03-04-2015

Hi Wee Do,

Looking at the log, it seems that the problem is an invalid key. And looking at your procedure, I believe the problem is here:

cd keys

./hab4_pki_tree.sh (n,2048,10,n)

cd ../crts

By answering 'n' to the last question, the PKI tree is build for "fast authentication". Your CSF file is for normal authentication.

And example of fast authentication is:

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine = ANY

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = “../crts/TBL_1_sha256+tbl.bin”

Source index = 0

[Install NOCAK]

File = “../crts/SRK1_sha256_2048_65537_v3_usr_crt.pem”

[Authenticate CSF]

#whole line comment

[Authenticate Data] # part line comment

Verification index = 0

Blocks = 0x877fb000 0x000 0x48000 “signed-u-boot.bin"

By the way here is parsing of your log:

------------+----+------+----+-------------------------------------------------

Persistent | T | L | P | Contents

Memory | a | e | a |

Record | g | n | r |

Type | | g | |

| | t | |

| | h | |

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 00 00 00 00 20

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 2c 00 00 03 08

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 7f f4 20 00 00 00 01

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 0c a0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_ASSERTION (0x0C)

| | | | CTX = HAB_CTX_ASSERT (0xA0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Evt Data (hex):

| | | | 00 00 00 00 17 80 00 00 00 00 00 04

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 1d c0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_KEY (0x1D)

| | | | CTX = HAB_CTX_COMMAND (0xC0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Cmd Field: 0xbe000c00

| | | | CMD: HAB_CMD_INS_KEY (0xbe)

| | | | LEN: 0x000c

| | | | FLG: 0x03

| | | | FLAGS: NOTHING YET

| | | | PAST Field: 0x03170000

| | | | Crt. addr: 0x00000048

------------+----+------+----+-------------------------------------------------

Regards,

Raul Cardenas

aureliencourrie · ‎03-05-2015

Hi,

Answering 'y' to the last question and it's work now !!!

Thank you.You've made my day.

I owe you one ;-) !!