imx8mm secure boot enable

antonio_santagi · ‎01-13-2021

Hello,

I have followed document at

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_mx8mm_secure_boo...

I have programmed SRK hash table fuses and verified after programming the values were correct.

I have tried with an unsigned image on SD card and verified that u-boot hab_status command was reporting errors in hab status.

I have then put an SD card with signed image and verified that u-boot hab_status was reporting :

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

Then I have proceeded with next step in the document : 1.9 Closing the device :

=> fuse prog 1 3 0x2000000

after this now I can't boot the device anymore from the same SD card that was reported with hab no events found and HAB state 0x66.

the board gets stuck at boot with this message :

U-Boot SPL 2019.04-imx_v2019.04_4.19.35_1.0.0+g85bdcc7 (Jan 04 2021 - 11:15:40 )
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from MMC1

Authenticate image from DDR location 0x401fcdc0..

so HAB looks is working correctly as it launches what is signed correctly.

But u-boot for some reason gets stuck.

The same image, if processor is not locked to run only in secure mode, works.

what could be wrong or missing ?

thank you

antonio_santagi · ‎01-14-2021

Hello @Yuri

apparently my problem of u-boot stuck when locked secure boot mode is enabled is solved now that I added further command to unlock the CAAM module, as per your guide this should be added and I had not added because I did not know in our particular ( non standard ) condition that was to be applied.

With the CAAM unlock additional command I can get to a working u-boot console .Now the u-boot is not stuck and instead it stops on console prompt because Kernel image is not signed. So you were correct in saying the HAB automatically tries to check the Kernel image. Is this a quite recent feature ? I could not see the Kernel Image automatic verification happening when the processor was not in locked secure mode.

antonio_santagi · ‎01-14-2021

Now I have added to the SD card the full rootfs and kernel image but still u-boot hangs at that point.

I am using U-Boot SPL 2019.04-imx_v2019.04_4.19.35_1.0.0+g85bdcc7 and I have also OPTEE in the signed_flash.bin so I am missing patch for 1.1.0 at the moment.

I see the address that is trying to authenticate image from is 0x401fcdc0, this corresponds to sld_hab_block in my build log and I have added it as required to the csf_fit.txt

antonio_santagi · ‎01-14-2021

Hello,

this is very interesting.

is this mentioned somewhere in the docs ? I thought I should have manually extend the u-boot to achieve this Kernel checking.

I have now another SD card with different u-boot version ( the one v2019.04_4.19.35_1.1.0 ) and HAB does not do this automatic checking of the Kernel image. I can reach the u-boot prompt.

What does the HAB's choice of Kernel image checking or not checking depend upon ? Does it depend on the env variables ? Or the content of the Filesystem ?

thank you

Yuri · ‎01-15-2021

@antonio_santagi
Hello,

check Your U-Boot bootcmd - it can include hab_auth_img

Regards,
Yuri.

antonio_santagi · ‎01-13-2021

could it be now some memory addresses are not suitable because used by something else ?

I have not added HAB verification of Kernel image, I have not added a Kernel image to the SD card at all.

However the message "Authenticate image from DDR location 0x401fcdc0.." sounds like HAB is trying checking the Kernel image automatically, is this possible ?

I have not called the hab_auth_img API from u-boot.

Yuri · ‎01-13-2021

@antonio_santagi
Hello,

yes, HAB is trying checking the Kernel image automatically - please try to add it.

Regards,
Yuri.