[imx6] Cannot open key file when CST tool generate csf data.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[imx6] Cannot open key file when CST tool generate csf data.

2,760 Views
melchang
Contributor I

Hi,
I use CST tools 2.2 to generate HAB key and certificate. The following is my procedures.

cd keys
creat serial and key_pass.txt.
./hab4_pki_tree.sh  (n,2048,10,4,y)

cd ../crts
../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem

cd ../u-boot
objcopy -I binary -O binary --pad-to 0x6B000 --gap-fill=0x5A u-boot.bin u-boot-pad.bin
../linux/cst --o u-boot_csf.bin < u-boot.csf

When I generate csf data, cst tool return an error message as below.
Error: Cannot open key file ../keys/CSF1_1_sha256_2048_65537_v3_usr_key.pem
4149528200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:467:
4149528200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
4149528200:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
4149528200:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

Any suggestions on error message ?


My u-boot.csf,
[Header]
    Version = 4.1
    Security Configuration = Open
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    File = "../crts/SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    Verification index = 0
    Target index = 2
    File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with
# length = 0x6AC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
#    Image block start address on i.MX, Offset from start of image file,
#    Length of block in bytes, image data file
[Authenticate Data]
    Verification index = 2
    Blocks = 0x27800400 0x400 0x6AC00 "u-boot-pad.bin"

Thanks/Mel.

Labels (1)
0 Kudos
6 Replies

1,748 Views
melchang
Contributor I

Hi,

Thanks for your support.

I have fixed this issue. Root cause is a wrong format of "key_pass.txt".

Mel.

0 Kudos

1,748 Views
tuyennguyen
Contributor I

Hi, would you mind sharing me what is the correct format of key_pass.txt since I have the same problem even though with the same key_pass.txt the keys are generated well... Thanks a lot

0 Kudos

1,748 Views
melchang
Contributor I

Hi ,

My issue is because I use windows text editor to create "key_pass.txt" file. It can be fixed if I use Linux text editor to create file.

I'm not sure,but I think the root cause is the different line endings format between Windows and Linux text file.

/Mel.

0 Kudos

1,748 Views
Yuri
NXP Employee
NXP Employee

  If You use Yocto BSP, please check its specifics on the following :


"Mx6 HAB (High Assurance Boot)"

https://community.freescale.com/docs/DOC-96451


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

1,748 Views
raulcardenas-b4
Contributor III

Hi Mel,

CST works with relative paths to the path where the command was executed. And it is expecting to be called from the linux folder, like this:

./cst --o u-boot_csf.bin < u-boot.csf

In this case you will have to make a change to your csf:

[Authenticate Data]

    Verification index = 2

    Blocks = 0x27800400 0x400 0x6AC00 "<ABSOULTE PATH>/u-boot-pad.bin"

However, it is possible to execute it the way you want

../linux/cst --o u-boot_csf.bin < u-boot.csf

Then you will have to give absolute paths in the csf.

[Header]
    Version = 4.1
    Security Configuration = Open
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

[Install SRK]
    File = "<ABSOULTE PATH>/crts/SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    File = "<ABSOULTE PATH>/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    Verification index = 0
    Target index = 2
    File = "<ABSOULTE PATH>/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with
# length = 0x6AC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
#    Image block start address on i.MX, Offset from start of image file,
#    Length of block in bytes, image data file
[Authenticate Data]
    Verification index = 2
    Blocks = 0x27800400 0x400 0x6AC00 "u-boot-pad.bin"

Regards,

Raul

1,748 Views
melchang
Contributor I

Fix typos as below.


cd ../crts

../linux/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem,SRK2_sha256_2048_65537_v3_ca_crt.pem,SRK3_sha256_2048_65537_v3_ca_crt.pem,SRK4_sha256_2048_65537_v3_ca_crt.pem


Mel.

0 Kudos