- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
Dear NXP community,
I have a board with an imx6 processor set in closed configuration (for secure boot).
Signing an image (or more) works perfectly fine.
Now I want to encrypt an image. That's where all the trouble begins.
First of all, I have to mention, that I don't want to encrypt the first image loaded after the ROM boot loader, but that shouldn't be a problem (or am I wrong?).
In order to use the encryption with the Code Signing Tool provided by nxp, I linked the tool with following commands:
cd ~/cst-2.3.2
gcc -o cst_encrypt -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
There were no errors reported.
Now the tool is able to encrypt my image.
After this I created a command sequence file with following content:
----- Beginn file.csf -----
[Header]
Version = 4.1
Hash Algorithm = sha256
Certificate Format = X509
Signature Format = CMS
Engine = ANY
Engine Configuration = 0
[Install SRK]
File = "./crts/SRK_Table.bin"
Source index = 0
[Install CSFK]
File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification index = 0
Target index = 2
[Authenticate Data]
Verification index = 2
Blocks = 0x10100000 0x0 0x1000 "image_to_be_encrypted"
[Install Secret Key]
Verification index = 0
Target index = 0
Key = "dek.bin"
Key Length = 256
Blob address = 0x1017FFA0
[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 0x10101000 0x1000 0xF000 "image_to_be_encrypted"
----- end file.csf -----
Now I am running:
./linux64/cst_encrypt --o encrypted.bin --i file.csf --cert ./crts/dek_protection_key.pem
The output is my signed and encrypted image. After this, I transfer the generated dek.bin to the imx6 board and create the key using the dek_blob function provided by uboot.
This output is attached to the image at the address 0x1017FFA0 and then padded to 0x80000.
When I transfer the image to my board, I have a little check function which checks whether the image is signed or not.
For this function I use the HAB function hab_status_t(* hab_rvt::run_csf)(const uint8_t *csf, uint8_t cid).
Using this function, I get no errors, but when I want to save the image I get this HAB event:
HAB Configuration: 0xcc HAB State: 0x99
---------- HAB EVENT 1 ----------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x1d
0xca 0x00 0x14 0x00 0x00 0xa3 0x00 0x00
0x00 0x00 0x0f 0x64 0x10 0x10 0x10 0x00
0x00 0x00 0xf0 0x00
I am pretty lost right now, I don't have any more ideas what I can do.
The image has a length of 0x80000 and is loaded to 0x10100000 in the boards RAM.
I have to mention, everything works smootly when I only use signed images.
I hope someone can help me.
Best wishes,
Frieder
已解决! 转到解答。
Hello,
Please create request to get more details about the issue.
https://community.nxp.com/docs/DOC-329745
Regards,
Yuri.
So for all of those in need, I share my solution to given problem:
First of all I checked the IVT if all the entries are correct.
Then I switched from using the function run_csf to authenticate_image.
Last but not least it is important to know, that (when using encryption) once the image is authentcated it is decrypted. So my error was that I checked the encrypted image bevor saving to NAND flash.
So I always saved an decrypted image to my flash and during boot there was an other function call of authenticate image.
This gave me HAB events, because the image which was loaded from nand flash was already decrypted.
Solution:
bevor testing the transmitted image I copied the image to an other address in RAM and tested the image. When there were no errers detected I copied the original (encrypted) image back to my loadaddress and saved this image.
=> Problem solved.
I hope this helps someone.
Regards Frieder
Hello,
The following may be helpful :
Encrypted boot loader on SabreSD i.MX6q board
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Please use Appendix A (Interpreting HAB Event Data from Report_Event() API) of the
“HAB4_API.pdf” in the CST package to define the HAB event reason.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hello YuriMuhin_ng,
I worked all of your information through and I still get this HAB event mentioned eralier.
With the help of "HAB4_API.pdf" I identificated the error.
So most likely my error says that I use a "Proprietary AEAD MAC format"...
Can you please explain, what this means?
Thanks in advance and have a grat day,
Frieder
Hello,
unfortunately the error still occurs....
The only thing that changed is the engine in the engine field (from 0x00 = ANY to 0x1d =CAAM)
I do have an other question:
Is i possible to encrypt more than one image or is the encryption limited to the first image after the ROM bootloader?
Regards,
Frieder
Hello Yuri,
I already saw these examples and read them carefully.
What I forgot to mention earlier,
encrypting the first image after the ROM boot loader works perfectly fine. My only problem is encrypting a second image.
Have a great day,
Frieder
