imx6q HAB_EVENT

rakesh3 · ‎03-19-2023

Hi team,

I am using the imx6q board and trying to use the secure boot so i signed u-boot(2021) and checking the hab_status.

i am below CSF file.

[Header]
Version = 4.2
Hash Algorithm = sha256

Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x177ff400 0x00000000 0x00092c00 "u-boot-dtb.imx"

and i am getting below hab_status o/p.

U-Boot > hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

Could someone please help me to resolve this warning.

Regards,

Rk

Harvey021 · ‎03-21-2023

Hi

Yes, it won't impact the system boot.

Best regards

Harvey

rakesh3 · ‎03-21-2023

Thanks Harvey for quick reply,

Could you please lookinto kernel signing issue which i am facing. I have stuck at this step.

https://community.nxp.com/t5/i-MX-Processors/Invalid-IVT-structure/m-p/1618489#M202981

Till now i have not fused the SRK fuse, Do i need to fuse the key before the checking the kernel secure boot.

==> hab_auth_img <load_addres> <img_size> <ivt_offset>

Regards,

Rk

Harvey021 · ‎03-20-2023

Hi @rakesh3

About the warning, u-boot(2022) won't be with this warning.

Best regards

Harvey

rakesh3 · ‎03-22-2023

Hi Harvey,

Now i am not getting any hab error events.

Below is my hab status of kernel.

MX6 HORIZON U-Boot > hab_auth_img 0x12000000 009342a8 00933348
hab fuse not enabled

Authenticate image from DDR location 0x12000000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
        0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
        0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

below is my hab status of checking the signed dtb.

U-Boot > hab_auth_img 0x18000000 0000e258 0000d2f8
hab fuse not enabled

Authenticate image from DDR location 0x18000000...

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
        0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
        0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

MX6 HORIZON U-Boot >

So in all i am not getting any hab error but still getting warning in all hab status checking.

1) how can we remove these warning and get no events.

2) I am still getting below logs while booting the kernel which should not get.

Authenticate image from DDR location 0x12000000...

bad magic magic=0x0 length=0xa000 version=0xe1

bad length magic=0x0 length=0xa000 version=0xe1

bad version magic=0x0 length=0xa000 version=0xe1

Error: Invalid IVT structure

Allowed IVT structure:

IVT HDR = 0x4X2000D1

IVT ENTRY = 0xXXXXXXXX

IVT RSV1 = 0x0 IVT DCD = 0x0

IVT BOOT_DATA = 0xXXXXXXXX

IVT SELF = 0xXXXXXXXX

IVT CSF = 0xXXXXXXXX

IVT RSV2 = 0x0

On checking the signed kernel hab status i am not getting any error but on booting its showing above logs.

Please help me to find the issue.

Regards,

Rk

rakesh3 · ‎03-20-2023

Hi Harvey,

Could you please conclude anything from below link.

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/i-MXRT117x-6x-CAAM-manufacturing-protection-not-...

But we are using the uboot(2021), So we can go ahead and close the device with this warning, will it be fine.

Regards,

Rk