Trying to validate HAB signatures on the i.MX8MM EVK board I am getting these errors
u-boot=> hab_status Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 --------- HAB Event 1 ----------------- event data: 0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0 0x00 0x00 0x00 0x20 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 2 ----------------- event data: 0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0 0x00 0x00 0x00 0x04 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 3 ----------------- event data: 0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00 0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00 0x00 0x00 0x0d 0x54 0x40 0x1f 0xcd 0xc0 0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00 0x00 0x0a 0x25 0x40 0x00 0x92 0x00 0x00 0x00 0x00 0xb1 0x70 0xbe 0x00 0x00 0x00 0x00 0x04 0xf4 0xb8 STS = HAB_FAILURE (0x33) RSN = HAB_INV_SIGNATURE (0x18) CTX = HAB_CTX_COMMAND (0xC0) ENG = HAB_ENG_ANY (0x00)
They come from this development environment
U-Boot 2018.03-imx_v2018.03_4.14.98_2.0.0_ga+g87a19df5e4 (Oct 23 2020 - 10:57:37 +0000) CPU: Freescale i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
P.D.: On SUMO I have no HAB events if I only sign the SPL image section
Also, I get similar errors when I use a more recent BSP
U-Boot 2020.04-5.4.24-2.1.0+g4979a99482 (Oct 23 2020 - 11:10:40 +0000) CPU: i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
P.D.: On ZEUS I also have HAB events if I only sign the SPL image section, which differs from the previous SUMO behavior
This topic has already been treated in https://community.nxp.com/t5/i-MX-Processors/i-MX8M-secure-boot-HAB-FIT-image/m-p/1062078 and https://freescale.jiveon.com/message/1309301 threads, and some others, but with a no public solution
Can someone give me an advice on this topic ?
Thanks in advance
Having studied the information supplied in detail it seams to me it does not apply to the problem I have
That information talks about the CPU entering into SDP, but I do not have that behavior actually
More details on my environment are:
P.D.: All the steps I am trying to put in operation work pretty well in a iMX7DSABRE board, but know with the differences introduced in the new iMX8MM architecture
Could you please give me some more feedback ?
please check if You follow the U-boot example:
Following with this topic, I went forward now extending the root of trust for the Linux kernel image
Only SPL is signed in the chain of trust, no FIT signature, just to avoid those HAB errors I presented before
On this new testing I get the same HAB errors between both BSP releases, as well
But, only in automatic power-on boot. If I do check the kernel signature by hand, from UBoot command line, everything is fine and no HAB errors are reported
Also, comparing the open imx8mmevk board to my closed imx7dsabre board behavior, the former works as it was running a non-signed kernel image, which is actually not true
Please, find attached new archives for this kernel signature testing
I did follow all that information and also the newer present in https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...
Latest https://www.nxp.com/docs/en/application-note/AN4581.pdf release document was revised as well
Please, find attached archives with scripts, CSF and logs files I created to sign images generated by Sumo and Zeus BSP releases
In both cases I get the same HAB errors and only when I comment the FIT section signature seams to be fine (without considering Error: CSF header command not found in Uboot log)
Could be extending the root of trust to check FIT structures signatures the cause of the problem ?
P.D.: I highlighted in my first message there were HAB errors in Zeus also while only signing SPL section, but not now after a new BSP installation !
Just following my previous answer I would like to add some more new testing results
If I only sign FDT+IVT sections in the FIT image I get NO hab_status errors
Zeus BSP FIT CSF file:
[Authenticate Data] Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_zeus/flash.bin" Verification Index = 2
Sumo BSP FIT CSF file:
[Authenticate Data] Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_sumo/flash.bin" Verification Index = 2
Only when I add signature for the U-Boot, TEE and/or ATF sections in the FIT image I DO GET hab_status errors (whether I add one, two or three of them)
Same results come from both Sudo and Zeus BSPs
Those parameter values come from print_fit_hab.sh shell script called on this way
bitbake imx-boot -c devshell cd iMX8M/ TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 ./print_fit_hab.sh 0x8400
so I presume they are correct
I did double check on the translation to CSF file not to make a mistake