iMX8MM HAB errors

cancel
Showing results for 
Search instead for 
Did you mean: 

iMX8MM HAB errors

197 Views
Contributor I

Dear all,

Trying to validate HAB signatures on the i.MX8MM EVK board I am getting these errors

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00
        0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
        0x00 0x00 0x0d 0x54 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
        0x00 0x0a 0x25 0x40 0x00 0x92 0x00 0x00
        0x00 0x00 0xb1 0x70 0xbe 0x00 0x00 0x00
        0x00 0x04 0xf4 0xb8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

They come from this development environment

U-Boot 2018.03-imx_v2018.03_4.14.98_2.0.0_ga+g87a19df5e4 (Oct 23 2020 - 10:57:37 +0000)
CPU:   Freescale i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)

P.D.: On SUMO I have no HAB events if I only sign the SPL image section

Also, I get similar errors when I use a more recent BSP

U-Boot 2020.04-5.4.24-2.1.0+g4979a99482 (Oct 23 2020 - 11:10:40 +0000)
CPU:   i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)

P.D.: On ZEUS I also have HAB events if I only sign the SPL image section, which differs from the previous SUMO behavior

This topic has already been treated in https://community.nxp.com/t5/i-MX-Processors/i-MX8M-secure-boot-HAB-FIT-image/m-p/1062078 and https://freescale.jiveon.com/message/1309301 threads, and some others, but with a no public solution

Can someone give me an advice on this topic ?

Thanks in advance

0 Kudos
9 Replies

187 Views
NXP TechSupport
NXP TechSupport

@jorge_rebollo 
Hello,

  I've sent You some information directly.

Regards,
Yuri.

0 Kudos

171 Views
Contributor I

Dear Yuri,

Having studied the information supplied in detail it seams to me it does not apply to the problem I have

That information talks about the CPU entering into SDP, but I do not have that behavior actually

More details on my environment are:

  • iMX8MM EVK with eMMC programmed with factory Android version
  • iMX8MM EVK configured to boot from uSD
  • Development SRK table flashed into OTP
  • iMX8MM EVK remain in open mode
  • The system boots up with Uboot (signed) and Kernel (not signed yet) and works as expected

P.D.: All the steps I am trying to put in operation work pretty well in a iMX7DSABRE board, but know with the differences introduced in the new iMX8MM architecture

Could you please give me some more feedback ?

Regards

Jorge R.

0 Kudos

162 Views
NXP TechSupport
NXP TechSupport

@jorge_rebollo 
Hello,

  please check if You follow the U-boot example:

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_mx8mm_secure_boo...

 

Regards,
Yuri.

 

Regards,
Yuri.

0 Kudos

139 Views
Contributor I

Yuri,

Following with this topic, I went forward now extending the root of trust for the Linux kernel image

Only SPL is signed in the chain of trust, no FIT signature, just to avoid those HAB errors I presented before

On this new testing I get the same HAB errors between both BSP releases, as well

But, only in automatic power-on boot. If I do check the kernel signature by hand, from UBoot command line, everything is fine and no HAB errors are reported

Also, comparing the open imx8mmevk board to my closed imx7dsabre board behavior, the former works as it was running a non-signed kernel image, which is actually not true

Please, find attached new archives for this kernel signature testing

Thanks

0 Kudos

154 Views
Contributor I

Yuri,

I did follow all that information and also the newer present in https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

Latest https://www.nxp.com/docs/en/application-note/AN4581.pdf release document was revised as well

Please, find attached archives with scripts, CSF and logs files I created to sign images generated by Sumo and Zeus BSP releases

In both cases I get the same HAB errors and only when I comment the FIT section signature seams to be fine (without considering Error: CSF header command not found in Uboot log)

Could be extending the root of trust to check FIT structures signatures the cause of the problem ?

P.D.: I highlighted in my first message there were HAB errors in Zeus also while only signing SPL section, but not now after a new BSP installation !

Thanks

0 Kudos

81 Views
Contributor I

Yuri,

Just following my previous answer I would like to add some more new testing results

If I only sign FDT+IVT sections in the FIT image I get NO hab_status errors

Zeus BSP FIT CSF file:

[Authenticate Data]
Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_zeus/flash.bin"
Verification Index = 2

 Sumo BSP FIT CSF file:

[Authenticate Data]
Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_sumo/flash.bin"
Verification Index = 2

Only when I add signature for the U-Boot, TEE and/or ATF sections in the FIT image I DO GET hab_status errors (whether I add one, two or three of them)

Same results come from both Sudo and Zeus BSPs

Thanks

0 Kudos

58 Views
NXP TechSupport
NXP TechSupport

@jorge_rebollo 
Hello,

  please double check if parameters Authenticate Start Address, Offset, Length in 
[Authenticate Data] of CSF file are correct.

Regards,
Yuri.

 

0 Kudos

50 Views
Contributor I

Yuri,

Those parameter values come from print_fit_hab.sh shell script called on this way

bitbake imx-boot -c devshell
cd iMX8M/
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 ./print_fit_hab.sh 0x8400

so I presume they are correct

I did double check on the translation to CSF file not to make a mistake

Thanks

0 Kudos

22 Views
NXP TechSupport
NXP TechSupport

@jorge_rebollo 
Hello,

  I've sent You more comments.

Regards,
Yuri.

0 Kudos