Hi all,
I have custom board with iMX6Q and I need to close it.
I generate all necessary files with cst-2.3.2 and burn SRK HASH to eFuses with MFGTools.
After signing u-boot(Android 4.4.3) I have checks what No HAB event occured:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
and I close device with command: fuse prog 0 6 0x00000002
after reset board starts and in console:
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
I am trying different boot devices: SD, eMMC and SPI. But sometimes board doesn't boot!!!
Here is my u-boot.csf:
[Header]
Version = 4.0
Hash Algorithm = SHA256
Engine = Any
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source Index = 0
Hash Algorithm = sha256
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Certificate Format = X509
[Authenticate CSF]
[Install Key]
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification Index = 0
Target Index = 2
Certificate Format = X509
[Authenticate Data]
Blocks = 0x177FF400 0x0 0xafc00 "u-boot-pad.imx"
Verification Index = 2
Here is u-boot.imx hexdump:
00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 |.. @........,...|
00000010 20 f4 7f 17 00 f4 7f 17 00 f0 8a 17 00 00 00 00 | ...............|
00000020 00 f0 7f 17 00 20 0b 00 00 00 00 00 d2 02 f8 40 |..... .........@|
00000030 cc 02 f4 04 02 0e 07 98 00 0c 00 00 02 0e 07 58 |...............X|
00000040
header: 40 20 00 d1
entry: 17 80 00 00
reserved1: 00 00 00 00
dcd: 17 7f f4 2c
boot_data: 17 7f f4 20 - start: 177ff000, length: b2000, plugin_flag: 00000000
self: 17 7f f4 00
csf: 17 8a f0 00
size of data to be signed = csf - self = 178af000 - 177ff400 = afc00
u-boot burned to device with seek = 0x400
0xafc00 + 0x400 = 0xB0000
and my signing script:
objcopy -I binary -O binary --pad-to 0xafc00 --gap-fill=0xFF $DIR/u-boot.imx u-boot-pad.imx
./cst -o u-boot-csf.bin -i u-boot.csf
#0xB0000 + 0x2000 = 0xB20000 = boot_data->length.
objcopy -I binary -O binary --pad-to=0x2000 --gap-fill=0x00 u-boot-csf.bin u-boot-csf-pad.bin
cat u-boot-pad.imx u-boot-csf-pad.bin > u-boot-signed.imx
So, what am I doing wrong?
Hello,
You mentioned, that "trying different boot devices: SD, eMMC and SPI. But sometimes board doesn't boot!!!"
Does it mean that sometimes the board boots correctly ?
Perhaps it makes sense to check memory ?
https://community.nxp.com/docs/DOC-105652
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hello,
Yes, board booting correctly sometimes. After fixing command sequence file, board booting every time. Thanks.