- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: imx6ull zImage authentication with hab_auth_img
imx6ull zImage authentication with hab_auth_img
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm developing on a custom board with imx6ull and we are implementing HAB secure boot. I've managed to successfully sign the u-boot binary, but I have problems with signing the kernel zImage and DTB file.
I've followed instructions in mx6_mx7_secure_boot.txt and "AN4581 - i.MX Secure Boot on HABv4 Supported Devices.pdf" and padded my zImage file to next 0x1000 boundary, appended IVT data and CSF binary.
Unfortunately, when I try to use hab_auth_img to test the signature the board resets
Colibri iMX6ULL # ubifsmount ubi0:rootfsb
Colibri iMX6ULL # ubifsload ${kernel_addr_r} /boot/zImage
Loading file '/boot/zImage' to addr 0x81000000...
Done
Colibri iMX6ULL # hab_auth_img ${kernel_addr_r} ${filesize}
Authenticate image from DDR location 0x81000000...
bad magic magic=0x0 length=0xa000 version=0xe1
bad length magic=0x0 length=0xa000 version=0xe1
bad version magic=0x0 length=0xa000 version=0xe1
Colibri iMX6ULL # md 0x81691000 8
81691000: 402000d1 81000000 00000000 00000000 .. @............
81691010: 00000000 81691000 81691020 00000000 ......i. .i.....
Colibri iMX6ULL # hab_auth_img ${kernel_addr_r} ${filesize} 0x691000
Authenticate image from DDR location 0x81000000...
data abort
pc : [<0000a8a2>] lr : [<0000ab1f>]
reloc pc : [<e78b58a2>] lr : [<e78b5b1f>]
sp : 9df2c2a8 ip : 0000e7ed fp : 00690fe0
r10: 04d3f640 r9 : 9df2c584 r8 : 00000000
r7 : 00000000 r6 : 00904cb4 r5 : 04d3f640 r4 : 00000000
r3 : 5be0cd19 r2 : 00000008 r1 : 00904cb4 r0 : 04d3f640
Flags: nZCv IRQs off FIQs off Mode SVC_32 (T)
Code: 2a08 d1ea 4605 2400 (f810) 7024
Resetting CPU ...
resetting ...In above example I first tried to use hab_auth_img without specifying IVT offset, but as you see, it didn't work. I checked offset from the binary and checked the memory with
Colibri iMX6ULL # md 0x81691000 8
81691000: 402000d1 81000000 00000000 00000000 .. @............
81691010: 00000000 81691000 81691020 00000000 ......i. .i.....To me the IVT looks correct, but perhaps I'm missing something, or the location of the IVT is somehow incorrect.
My CSF Text:
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/srk_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 81000000 0x00000000 0x00691020 "/tmp/cst_CODE_SIGN/kernel_image.bin"
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out the CSF Blocks had missing '0x' in the address. Image authentication does work now.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is ${filesize} including csf size?
Best regards
Harvey
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is kernel_image.bin including ivt?
Best regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, kernel_image.bin is zImage padded to next 0x1000 boundary + ivt, (hence the length in csf is 0x691020).
IVT:
0 = 0x402000d1
1 = 0x81000000
2 = 0x00000000
3 = 0x00000000
4 = 0x00000000
5 = 0x81691000
6 = 0x81691020
7 = 0x00000000
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out the CSF Blocks had missing '0x' in the address. Image authentication does work now.
