iMX8MM HAB errors

jorge_rebollo · ‎10-23-2020

Dear all,

Trying to validate HAB signatures on the i.MX8MM EVK board I am getting these errors

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x34 0x43 0x33 0x18 0xc0 0x00
        0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
        0x00 0x00 0x0d 0x54 0x40 0x1f 0xcd 0xc0
        0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
        0x00 0x0a 0x25 0x40 0x00 0x92 0x00 0x00
        0x00 0x00 0xb1 0x70 0xbe 0x00 0x00 0x00
        0x00 0x04 0xf4 0xb8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

They come from this development environment

U-Boot 2018.03-imx_v2018.03_4.14.98_2.0.0_ga+g87a19df5e4 (Oct 23 2020 - 10:57:37 +0000)
CPU:   Freescale i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)

P.D.: On SUMO I have no HAB events if I only sign the SPL image section

Also, I get similar errors when I use a more recent BSP

U-Boot 2020.04-5.4.24-2.1.0+g4979a99482 (Oct 23 2020 - 11:10:40 +0000)
CPU:   i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)

P.D.: On ZEUS I also have HAB events if I only sign the SPL image section, which differs from the previous SUMO behavior

This topic has already been treated in https://community.nxp.com/t5/i-MX-Processors/i-MX8M-secure-boot-HAB-FIT-image/m-p/1062078 and https://freescale.jiveon.com/message/1309301 threads, and some others, but with a no public solution

Can someone give me an advice on this topic ?

Thanks in advance

jorge_rebollo · ‎12-18-2020

Hi all,

After been in contact with my local NXP FAE, I would like to share the solution we found to my problem

Following my message dated on 11-13-2020 02:45 AM, the correct lines to sign the bootcontainer FIT part are

bitbake imx-boot -c devshell
cd iMX8M
../scripts/pad_image.sh u-boot-nodtb.bin imx8mm-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 imx8mm-evk.dtb

Padding and version information are required and offset value was wrong

That way, values reported by print_fit_hab.sh are now correct and I do not get HAB errors

元の投稿で解決策を見る

jorge_rebollo · ‎12-18-2020

Hi all,

After been in contact with my local NXP FAE, I would like to share the solution we found to my problem

Following my message dated on 11-13-2020 02:45 AM, the correct lines to sign the bootcontainer FIT part are

bitbake imx-boot -c devshell
cd iMX8M
../scripts/pad_image.sh u-boot-nodtb.bin imx8mm-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 ./print_fit_hab.sh 0x60000 imx8mm-evk.dtb

Padding and version information are required and offset value was wrong

That way, values reported by print_fit_hab.sh are now correct and I do not get HAB errors

Yuri · ‎10-27-2020

@jorge_rebollo
Hello,

I've sent You some information directly.

Regards,
Yuri.

jorge_rebollo · ‎11-02-2020

Dear Yuri,

Having studied the information supplied in detail it seams to me it does not apply to the problem I have

That information talks about the CPU entering into SDP, but I do not have that behavior actually

More details on my environment are:

iMX8MM EVK with eMMC programmed with factory Android version
iMX8MM EVK configured to boot from uSD
Development SRK table flashed into OTP
iMX8MM EVK remain in open mode
The system boots up with Uboot (signed) and Kernel (not signed yet) and works as expected

P.D.: All the steps I am trying to put in operation work pretty well in a iMX7DSABRE board, but know with the differences introduced in the new iMX8MM architecture

Could you please give me some more feedback ?

Regards

Jorge R.

Yuri · ‎11-03-2020

@jorge_rebollo
Hello,

please check if You follow the U-boot example:

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_mx8mm_secure_boo...

Regards,
Yuri.

jorge_rebollo · ‎11-05-2020

Yuri,

Following with this topic, I went forward now extending the root of trust for the Linux kernel image

Only SPL is signed in the chain of trust, no FIT signature, just to avoid those HAB errors I presented before

On this new testing I get the same HAB errors between both BSP releases, as well

But, only in automatic power-on boot. If I do check the kernel signature by hand, from UBoot command line, everything is fine and no HAB errors are reported

Also, comparing the open imx8mmevk board to my closed imx7dsabre board behavior, the former works as it was running a non-signed kernel image, which is actually not true

Please, find attached new archives for this kernel signature testing

Thanks

jorge_rebollo · ‎11-03-2020

Yuri,

I did follow all that information and also the newer present in https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

Latest https://www.nxp.com/docs/en/application-note/AN4581.pdf release document was revised as well

Please, find attached archives with scripts, CSF and logs files I created to sign images generated by Sumo and Zeus BSP releases

In both cases I get the same HAB errors and only when I comment the FIT section signature seams to be fine (without considering Error: CSF header command not found in Uboot log)

Could be extending the root of trust to check FIT structures signatures the cause of the problem ?

P.D.: I highlighted in my first message there were HAB errors in Zeus also while only signing SPL section, but not now after a new BSP installation !

Thanks

jorge_rebollo · ‎11-12-2020

Yuri,

Just following my previous answer I would like to add some more new testing results

If I only sign FDT+IVT sections in the FIT image I get NO hab_status errors

Zeus BSP FIT CSF file:

[Authenticate Data]
Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_zeus/flash.bin"
Verification Index = 2

Sumo BSP FIT CSF file:

[Authenticate Data]
Blocks = 0x401fcdc0 0x57c00 0x1020 "/opt/microsoft/vscode-workspace/HAB_imx8mmevk/fit-test_sumo/flash.bin"
Verification Index = 2

Only when I add signature for the U-Boot, TEE and/or ATF sections in the FIT image I DO GET hab_status errors (whether I add one, two or three of them)

Same results come from both Sudo and Zeus BSPs

Thanks

Yuri · ‎11-13-2020

@jorge_rebollo
Hello,

please double check if parameters Authenticate Start Address, Offset, Length in
[Authenticate Data] of CSF file are correct.

Regards,
Yuri.

jorge_rebollo · ‎11-13-2020

Yuri,

Those parameter values come from print_fit_hab.sh shell script called on this way

bitbake imx-boot -c devshell
cd iMX8M/
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 ./print_fit_hab.sh 0x8400

so I presume they are correct

I did double check on the translation to CSF file not to make a mistake

Thanks

Yuri · ‎11-24-2020

@jorge_rebollo
Hello,

I've sent You more comments.

Regards,
Yuri.