- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: iMX6SoloX - fast authentication - uImage signing.
iMX6SoloX - fast authentication - uImage signing.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
iMX6SoloX - fast authentication - uImage signing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
O have a question regarding secure boot on iMX6SoloX processor, in fast authentication mode.
I have manage to boot successfully signed u-boot image in fast authentication mode.
I have generated 4 SRK keys for HAB, as described in MX6UL HAB (High Assurance Boot) https://community.nxp.com/docs/DOC-275249.
For signing u-boot I use following file:
#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
# Key slot index 0 used to authenticate the image data
Verification index = 0
Blocks = 0x8bfff7d0 0x00000000 0x00058000 "u-boot-pad.imx"Now, I want also to check signature for uImage, but I want to use different key for that.
I tried with following configuration first:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
Verification index = 0
Blocks = 0x80810000 0x0 0x385020 "uImage.pad.ivt"
It works properly with "SRK1_sha256_2048_65537_v3_usr_crt.pem" key, but if I try to use different certificate (i.e. SRK2_sha256_2048_65537_v3_usr_crt.pem) I always got signature check failure.
So my question is - is it possible to sign uImage with different key than u-boot in case of fast authentication mode ?
Regards
Arek Karaś
b36401
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please create a technical case regarding to HAB issues.
Please refer this document regarding to case creation:
https://community.nxp.com/thread/381898
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Arek,
Have you tried with Source Index = 1 (for SRK2)? I think this is the reason.
Greets,
Satya
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Satya,
I have tried it already, it does not work, here are logs from u-boot:
Authenticate image from DDR location 0x80810000...
ivt_offset = 0x385000, ivt addr = 0x80b95000
Dumping IVT
80b95000: 412000d1 80810000 00000000 00000000 .. A............
80b95010: 00000000 80b95000 80b95020 00000000 .....P.. P......
Dumping CSF Header
80b95020: 413800d4 000c00be 00011703 38000000 ..8A...........8
80b95030: 000c00ca 0000c501 c8070000 1d0800b2 ................
80b95040: 02000000 001400ca 0000c500 c8090000 ................
80b95050: 00008180 20503800 404004d7 210f01e1 .....8P ..@@...!
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
Calling authenticate_image in ROM
ivt_offset = 0x385000
start = 0x80810000
bytes = 0x387020
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0f 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x38
Authenticate uImage Fail, Please check
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to analyse the error: SRCE - Status Reason Context Engine
0x33 - HAB_FAILURE
0x0F - Invalid Index
0xC0 - CSF or DCD problem. I think it is CSF here
0x00 - Any Engine
So, I can only imagine a Index Error.
"src is the source key index within the Super-Root Key Table (with 0 denoting the first key in the table)," (Pg 31, HAB4_API.pdf). This should indicate which SRK has to be used.
Unfortunately, I dont have time to check fast authentication.
Anyway Good Luck,
Satya
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Satya,
should I report this through support request ?
Regards
Arek
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Arek,
I wouls suggest you to wait for a day or two and then perhaps do that. There are people like Yuri and Igor who usually reply. They are the experts.
Cheers,
Satya
PS: I hope your Verfication Index is always 0 (zero) for Fast Authentication in spite of your Source index which should be the SRK key you want to use. 0 indicates SRK based authentication, 1 for CSF and 2 for Image key.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Satya,
thanks for answer.
Yes, verification index is 0.
Regards
Arek
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a solution to this? I have the same problem with an i.MX8MM and HAB fast authentication enabled.
