imx6ULL HAB events

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

imx6ULL HAB events

4,646 Views
parthitce
Contributor III

I am currently trying to do secure boot in my imx6ULL based variscite development kit. But even after flashing the correct key and certificates, still I see HAB events. Please find the details about my system and software I am using now.

I see that the u-boot boots fine (enforced hab checking in arch/arm/mach-imx/hab.c) without any major errors and also boots the Linux Kernel fitImage without errors. But the hab_status reports the many HAB_EVENTS. Please assist in what I am missing here. Thanks in advance.

CST version : 3.1.0

SPL.csf:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "crts/CSF1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "crts/IMG1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x00907400 0x00000000 0x00008c00 "SPL"

[Unlock]
Engine = CAAM
Features = RNG

uboot.csf:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "crts/CSF1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "crts/IMG1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x85ffffc0 0x0000 0x00065020 "u-boot-ivt.img"

[Unlock]
Engine = CAAM
Features = RNG

HAB keys:

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < crts/SRK_1_2_3_4_fuse.bin
0x50D088B0
0x3925CD16
0xE2BBF511
0x4F701D7A
0x6E0D782F
0xE80F43E3
0xFB33850C
0x5FA332B8

Fusing keys in u-boot 2019.04:

=> fuse prog -y 3 0 0x50D088B0
Programming bank 3 word 0x00000000 to 0x50d088b0...
=> fuse prog -y 3 1 0x3925CD16
Programming bank 3 word 0x00000001 to 0x3925cd16...
=> fuse prog -y 3 2 0xE2BBF511
Programming bank 3 word 0x00000002 to 0xe2bbf511...
=> fuse prog -y 3 3 0x4F701D7A
Programming bank 3 word 0x00000003 to 0x4f701d7a...
=> fuse prog -y 3 4 0x6E0D782F
Programming bank 3 word 0x00000004 to 0x6e0d782f...
=> fuse prog -y 3 5 0xE80F43E3
Programming bank 3 word 0x00000005 to 0xe80f43e3...
=> fuse prog -y 3 6 0xFB33850C
Programming bank 3 word 0x00000006 to 0xfb33850c...
=> fuse prog -y 3 7 0x5FA332B8
Programming bank 3 word 0x00000007 to 0x5fa332b8...

HAB events:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x02 0x94

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x80 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x02 0x94

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x06 0x4f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x00 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

u-boot boot log:
Trying to boot from MMC1
hab fuse not enabled

Authenticate image from DDR location 0x85ffffc0...

ivt_offset = 0x65000, ivt addr = 0x86064fc0
ivt entry = 0x86000000, dcd = 0x00000000, csf = 0x86064fe0
Dumping IVT
86064fc0: 402000d1 86000000 0 0 .. @............
86064fd0: 0 86064fc0 86064fe0 0 .....O...O......
Dumping CSF Header
86064fe0: 415000d4 c00be 1703 50000000 ..PA...........P
86064ff0: 20c00be 1000009 94020000 c00ca ................
86065000: ffc501 e0040000 c00be 2000009 ................
86065010: 68060000 1400ca ffc502 b4080000 ...h............

Calling authenticate_image in ROM
ivt_offset = 0x65000
start = 0x85ffffc0
bytes = 0x67020

CPU: Freescale i.MX6ULL rev1.1 900 MHz (running at 396 MHz)
CPU: Commercial temperature grade (0C to 95C) at 40C
Reset cause: POR
Model: Variscite DART-6UL Evaluation Kit
Board: Variscite DART-6UL Evaluation Kit
DRAM: 512 MiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1
In: serial@02020000
Out: serial@02020000
Err: serial@02020000
Net:
Warning: ethernet@020b4000 using MAC address from ROM

Warning: ethernet@02188000 using MAC address from ROM
eth1: ethernet@020b4000, eth0: ethernet@02188000 [PRIME]
Hit any key to stop autoboot: 0

Tags (3)
0 Kudos
Reply
10 Replies

4,175 Views
Yuri
NXP Employee
NXP Employee

Hello,

 

  According to "HAB4_API.pdf" of the CST documentation, the message    HAB_INV_CERTIFICATE

means: other certificate or Super-Root Key Table verification failed (including mismatch with crt_hsh).

Do You use U-boot of NXP Linux BSP?

  Also, the srktool to generate SRK_1_2_3_4_table.bin requires:

"Certificate filenames must be separated by a ','with no spaces".

Have a great day,

Yuri

 

 

-------------------------------------------------------------------------------

Note:

- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

 

- We are following threads for 7 weeks after the last post, later replies are ignored

Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

0 Kudos
Reply

4,175 Views
parthitce
Contributor III

Dear Yuri,

Thanks for your response. Yes, I am using the srktool without spaces as below.

`../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_secp521r1_v3_ca_crt.pem,./SRK2_sha256_secp521r1_v3_ca_crt.pem,./SRK3_sha256_secp521r1_v3_ca_crt.pem,./SRK4_sha256_secp521r1_v3_ca_crt.pem`

Yes, I am using the NXP provided BSP for the board. I have also tried without elliptic curve option as also, but there isn't any differences.

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 25
How many Super Root Keys should be generated? 1
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

`../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_ca_crt.pem`

Please let me know if I am missing something.

Thanks,

Parthiban N

0 Kudos
Reply

4,175 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Please try the following:

How many Super Root Keys should be generated? 4 

Regards,

Yuri.

0 Kudos
Reply

4,175 Views
parthitce
Contributor III

Hello YuriMuhin_ng‌,

I have tried so many different attempts with different versions of CST as well. But the problem is still the same with imx6ULL. I have tried with Variscite SoM, Phytec SoM based on imx6ULL.

I have tried,

  1. 4 root key as suggested 
  2. Tried CST 3.1
  3. Tried CST version 2.3.3
  4. Different options with hab4 generation script
  5. Different key length

But no success yet. I have imx6UL based SoM's from same vendor and secure boot works fine without any HAB events. Are there any special configuration or option which needs to be used?

Thanks in advance,

Parthiban N

Error log:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x80 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x48

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x06 0x5f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x00 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

0 Kudos
Reply

4,175 Views
prabhunath_gupt
Contributor II

Hi parthitce

I am working on enabling secure boot in imx6ul custom board and i am facing hab events as below thread.

Secure Boot on imx6ul 

Please have a look into the above link and do let me know if i missed any steps.

0 Kudos
Reply

4,175 Views
parthitce
Contributor III

Hi,

I think I haven't padded or aligned in my case. But imx6UL should be straight forward with csf appending alone.

Note: Am not really active in this community. You can reach me pn@denx.de

0 Kudos
Reply

4,175 Views
Yuri
NXP Employee
NXP Employee

Hello,

  the following may be helpful.

High Assurance Boot - Variscite Wiki 

Regards,

Yuri.

0 Kudos
Reply

4,175 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Look at "ERR010449 System Boot: HAB HAL routine hab_hal_invalidate_cache should

invalidate L1/L2 D-cache, but did not in the ROM code".

  https://www.nxp.com/docs/en/errata/IMX6ULLCE.pdf 

Regards,

Yuri.

0 Kudos
Reply

3,990 Views
Rajashree
Contributor I

I am also seeing the same issue after providing the command

fuse override  0 7 0x2

However dcache off  command  comes to u-boot prompt without printing anything as output.

Please provide solution for it..

I have not seen solutions for this in forums as of now

0 Kudos
Reply

3,658 Views
JohnKlug
Senior Contributor I

Have you been able to fix this issue?  I am seeing the same thing.

I am using Engine = SW and also setting the fuse:

=> fuse read 0 7
Reading bank 0:

Word 0x00000007: 00000002

0 Kudos
Reply