Hi everyone!
I am faced with strange behavior of HAB and can't figure out where the mistake is.
So, here I have an already pre-generated key infrastructure and a signed u-boot image (legacy) which is left from the previous development (let's call it IMAGE 1). This image is designed to be uploaded via Serial Downloader (USB). After burning the fuses and checking the hab_status function in u-boot IMAGE 1, I have only one hab event (a warning) which, I believe, doesn't relate to the problem.
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
So HAB verification seems to pass smoothly here with IMAGE 1.
I don't know how exactly IMAGE 1 was signed, so I reversed this image with the csf_parser tool from the cst 3.4.0 packet.
Based on the parsed output from csf_parser I've created a .csf file and signed my own u-boot image using it (let's call it IMAGE 2).
The contents of the .csf are below:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "/home/faa/Workspace/nxp/secure_boot/cst-dev/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "/home/faa/Workspace/nxp/secure_boot/cst-dev/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "/home/faa/Workspace/nxp/secure_boot/cst-dev/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177ff400 0x000000 0x67c00 "/home/faa/Workspace/nxp/secure_boot/test_signing/u-boot.imx", \
0x910000 0x00002c 0x318 "/home/faa/Workspace/nxp/secure_boot/test_signing/u-boot.imx"
[Unlock]
Engine = CAAM
Features = RNG
After calling hab_status in u-boot IMAGE 2 I see plenty of HAB_FAILUREs.
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x24 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x1c 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x13 0x40 0x17 0x7f 0xf4 0x00
0x00 0x06 0x7c 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x03 0x18
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x03 0x18
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
I reversed IMAGE 2 using the csf_parser tool and compared the cert0.der, cert1.der and SRKTable.bin files with the IMAGE 1 output. There are no differences.
faa@anton:~/Workspace/nxp/secure_boot/csf_parser_dir$ diff ./work/SRKTable.bin ./not_work/SRKTable.bin
faa@anton:~/Workspace/nxp/secure_boot/csf_parser_dir$ diff ./work/cert0.der ./not_work/cert0.der
faa@anton:~/Workspace/nxp/secure_boot/csf_parser_dir$ diff ./work/cert1.der ./not_work/cert1.der
So I'm sure that I used exactly the same set of keys to sign IMAGE 2 that IMAGE 1 was signed with.
In the debug_log.txt file for both images the only difference is in the signatures themselves, but it's OK for digital signatures, as far as I know.
I checked the Fuses table too after manually generating it via srktool using the SRK certificates and it matches the fuses value.
So my question is where did I go wrong and how is it possible?
Hi
Since it is your custom U-Boot, I guess the binary size doesn't match the size of your former U-Boot. The size of the DCD may also be a little different. Both size mismatches would break authentication. Make sure the whole "Blocks = " record matches your image.
I've already checked this and for my case binary size and DCD size are similar. And even more: DCDs are equal for IMAGE 1 and IMAGE 2 (they are running on the same board).
So this is not the key to this problem (
Looking at this HAB Event 2, I figured out that the problem is with the key with index 2.
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x24 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x1c 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x13 0x40 0x17 0x7f 0xf4 0x00
0x00 0x06 0x7c 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x03 0x18
Because according to the HAB4 RM, the first byte of the 4th word contains the key index.
That's why I assume that here we have successfully passed SRK table verification, CSF key installation, IMG key installation, CSF verification and failed during [Authenticate Data] command.
But I still can't understand where the mistake is :(
P.S
Answering your question: I use uuu to upload the u-boot image
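
Added example, not part of the thread: a small decoder for the HAB Event 2 record quoted above, which pulls out the embedded Authenticate Data command and compares its key index and block list with the `Blocks =` line of the posted .csf. The field names and the `csf_mismatches` helper are this example's own; the byte layout assumed (4-byte event header, STS/RSN/CTX/ENG, then the failing command with key index, signature format, signature offset and address/length pairs) is the one the thread reads from the HAB4 RM.

```python
import struct

# Constructed input: the 36 bytes of "HAB Event 2" from the hab_status output above.
EVENT2 = bytes.fromhex("db002442 3318c000 ca001c00 02c50000 00001340"
                       "177ff400 00067c00 00910000 00000318")
# Blocks from the posted .csf as (address, length); file offsets are not part of the event.
CSF_BLOCKS = [(0x177FF400, 0x67C00), (0x910000, 0x318)]

STS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING"}
RSN = {0x18: "HAB_INV_SIGNATURE", 0x0C: "HAB_INV_ASSERTION", 0x30: "HAB_ENG_FAIL"}
CTX = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT", 0xE1: "HAB_CTX_ENTRY"}

def parse_aut_dat(cmd):
    """Decode an Authenticate Data command (tag 0xCA) carried in an event."""
    tag, length, _flags = struct.unpack_from(">BHB", cmd, 0)
    if tag != 0xCA or length != len(cmd) or (length - 12) % 8:
        raise ValueError("not a well-formed Authenticate Data command")
    key, sig_fmt, _eng, _cfg, sig_off = struct.unpack_from(">BBBBI", cmd, 4)
    # Remaining bytes are (start address, byte count) pairs, big-endian.
    blocks = [struct.unpack_from(">II", cmd, o) for o in range(12, length, 8)]
    return {"key_index": key, "sig_format": sig_fmt,
            "sig_offset": sig_off, "blocks": blocks}

def parse_event(raw):
    """Decode one HAB event record: header, status bytes, optional command."""
    tag, length, _version = struct.unpack_from(">BHB", raw, 0)
    if tag != 0xDB or length != len(raw):
        raise ValueError("truncated or malformed HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    event = {"status": STS.get(sts, hex(sts)), "reason": RSN.get(rsn, hex(rsn)),
             "context": CTX.get(ctx, hex(ctx)), "engine": eng, "command": None}
    if ctx == 0xC0 and raw[8:9] == b"\xca":
        event["command"] = parse_aut_dat(raw[8:])
    return event

def csf_mismatches(event, csf_blocks):
    """List differences between the blocks HAB reported and the .csf blocks."""
    cmd = event["command"]
    if cmd is None:
        return ["event carries no Authenticate Data command"]
    diffs = [f"block {i}: event {seen} != csf {want}"
             for i, (seen, want) in enumerate(zip(cmd["blocks"], csf_blocks))
             if seen != want]
    if len(cmd["blocks"]) != len(csf_blocks):
        diffs.append("block count differs")
    return diffs

if __name__ == "__main__":
    ev = parse_event(EVENT2)
    print(ev)
    print(csf_mismatches(ev, CSF_BLOCKS) or "event blocks match the .csf")
```
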