Hi team,
I am using the imx6q board and trying to use the secure boot so i signed u-boot(2021) and checking the hab_status.
i am below CSF file.
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x177ff400 0x00000000 0x00092c00 "u-boot-dtb.imx"
and i am getting below hab_status o/p.
U-Boot > hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
Could someone please help me to resolve this warning.
Regards,
Rk
Hi
Yes, it won't impact the system boot.
Best regards
Harvey
Thanks Harvey for quick reply,
Could you please lookinto kernel signing issue which i am facing. I have stuck at this step.
https://community.nxp.com/t5/i-MX-Processors/Invalid-IVT-structure/m-p/1618489#M202981
Till now i have not fused the SRK fuse, Do i need to fuse the key before the checking the kernel secure boot.
==> hab_auth_img <load_addres> <img_size> <ivt_offset>
Regards,
Rk
Hi Harvey,
Now i am not getting any hab error events.
Below is my hab status of kernel.
MX6 HORIZON U-Boot > hab_auth_img 0x12000000 009342a8 00933348
hab fuse not enabled
Authenticate image from DDR location 0x12000000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
below is my hab status of checking the signed dtb.
U-Boot > hab_auth_img 0x18000000 0000e258 0000d2f8
hab fuse not enabled
Authenticate image from DDR location 0x18000000...
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
MX6 HORIZON U-Boot >
So in all i am not getting any hab error but still getting warning in all hab status checking.
1) how can we remove these warning and get no events.
2) I am still getting below logs while booting the kernel which should not get.
Authenticate image from DDR location 0x12000000...
bad magic magic=0x0 length=0xa000 version=0xe1
bad length magic=0x0 length=0xa000 version=0xe1
bad version magic=0x0 length=0xa000 version=0xe1
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0 IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
On checking the signed kernel hab status i am not getting any error but on booting its showing above logs.
Please help me to find the issue.
Regards,
Rk
Hi Harvey,
Could you please conclude anything from below link.
But we are using the uboot(2021), So we can go ahead and close the device with this warning, will it be fine.
Regards,
Rk