Hello,
I am trying to integrate HAB with our iMX8MP SoM. I have followed instructions using:
and
However, I am seeing HAB events:
Verdin iMX8MP # hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x02 0xc8 0x40 0x2c 0x02 0xc8
0x00 0x00 0x79 0xa8 0x00 0x97 0x00 0x00
0x00 0x00 0xb2 0xa0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x02 0xc8 0x40 0x2c 0x02 0xc8
0x00 0x00 0x79 0xa8 0x00 0x97 0x00 0x00
0x00 0x00 0xb2 0xa0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
For troubleshooting, I decided to sign each binary one step at a time:
So it looks like the FIT image is having trouble being authenticated. Since SPL and the first part of FIT (IVT) show no issues, I assume my fuses are programmed correctly. My guess is the Authenticate Data block portion for u-boot and beyond is incorrect. Could there be an issue with the values generated from print_fit_hab?
This is my build log:
# make SOC=iMX8MP dtbs=imx8mp-verdin.dtb flash_evk_emmc_fastboot
....
========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x25200
spl hab block: 0x91ffc0 0x0 0x25200
Second Loader IMAGE:
sld_header_off 0x60000
sld_csf_off 0x61020
sld hab block: 0x401fcdc0 0x60000 0x1020
# make SOC=iMX8MP dtbs=imx8mp-verdin.dtb print_fit_hab
./../scripts/pad_image.sh tee.bin
Pad file tee.bin NOT found
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin imx8mp-verdin.dtb
u-boot-nodtb.bin + imx8mp-verdin.dtb are padded to 818288
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ./print_fit_hab.sh 0x60000 imx8mp-verdin.dtb
0x40200000 0x5B000 0xC02C8
0x402C02C8 0x11B2C8 0x79A8
0x970000 0x122C70 0xB2A0
Corresponding CSF authenticate blocks:
CSF SPL:
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x91ffc0 0x0 0x25200 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot"
CSF FIT:
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fcdc0 0x60000 0x1020 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
0x40200000 0x5B000 0xC02C8 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
0x402C02C8 0x11B2C8 0x79A8 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
0x970000 0x122C70 0xB2A0 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot"
and commands to write to final binary:
SPL:
dd if=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/flash_evk_emmc_fastboot-csf-spl.bin of=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot-signed seek=152064 bs=1 conv=notrunc
FIT:
dd if=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/flash_evk_emmc_fastboot-csf-fit.bin of=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot-signed seek=397344 bs=1 conv=notrunc
I'm wondering if there is an issue with the print_fit_hab that could result in incorrect CSF for fit image?
Any help is appreciated.
Thanks
EDIT: update logs
I changed the make target to flash_evk instead of flash_evk_emmc_fastboot and now there are no HAB events when I check via hab_status.
However, once I closed the device, I fail to boot/load the kernel:
Authenticate image from DDR location 0x401fcdc0...
NOTICE: BL31: v2.2(release):toradex_imx_5.4.70_2.3.0-g2fa8c6349e
NOTICE: BL31: Built : 00:00:00, Jan 1 1970
U-Boot 2020.04-5.7.0-devel+git.33bb8e968332 (Jan 01 1970 - 00:00:00 +0000)
CPU: i.MX8MP[8] rev1.1 1600 MHz (running at 1200 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 60C
Reset cause: POR
DRAM: 8 GiB
MMC: FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... OK
In: serial
Out: serial
Err: serial
Model: Toradex Verdin iMX8M Plus Quad 8GB Wi-Fi / BT V1.0A, Serial# 06900814
Carrier: Toradex Dahlia V1.0C, Serial# 00000000
BuildInfo:
- ATF 2fa8c63
- U-Boot 2020.04-5.7.0-devel+git.33bb8e968332
flash target is MMC:2
Net: eth1: ethernet@30be0000, eth0: ethernet@30bf0000 [PRIME]
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc2(part 0) is current device
Scanning mmc 2:1...
Found U-Boot script /boot.scr
973 bytes read in 6 ms (158.2 KiB/s)
## Executing script at 47000000
4541 bytes read in 12 ms (369.1 KiB/s)
89209 bytes read in 15 ms (5.7 MiB/s)
323 bytes read in 13 ms (23.4 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bmi270.dtbo
878 bytes read in 16 ms (52.7 KiB/s)
Applying Overlay: verdin-imx8mp-enable-pca9533.dtbo
792 bytes read in 18 ms (43 KiB/s)
Applying Overlay: verdin-imx8mp-enable-tsl2591.dtbo
588 bytes read in 19 ms (29.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-gpio.dtbo
2315 bytes read in 19 ms (118.2 KiB/s)
Applying Overlay: verdin-imx8mp-enable-user-button-key.dtbo
1039 bytes read in 20 ms (49.8 KiB/s)
Applying Overlay: verdin-imx8mp-enable-touchscreen.dtbo
2770 bytes read in 19 ms (141.6 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bme688.dtbo
466 bytes read in 15 ms (30.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-sht3x.dtbo
486 bytes read in 17 ms (27.3 KiB/s)
Applying Overlay: verdin-imx8mp-disable-uart1.dtbo
403 bytes read in 16 ms (24.4 KiB/s)
12231950 bytes read in 54 ms (216 MiB/s)
Uncompressed size: 30726656 = 0x1D4DA00
11843304 bytes read in 51 ms (221.5 MiB/s)
Authenticate image from DDR location 0x40000000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check
Does enabling CONFIG_IMX_HAB require the kernel to be signed as well?
Hi @splkwill
Yes, but you can disable its authentication in u-boot.
diff --git a/cmd/booti.c b/cmd/booti.c
index a132949091..b66dfbff0e 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (ret != 0)
return 1;
-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {
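Review bot: Replacing the guard with #if 0 in booti_start() compiles out the authenticate_image(ld, image_size) call in every build, so with CONFIG_IMX_HAB enabled on a closed device the kernel loaded by booti runs without any HAB check and the chain of trust ends at U-Boot. Keep the original #if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT) condition and sign the kernel image instead; if skipping the check is a deliberate bring-up choice, gate it behind a dedicated config option that is off by default and document the reason, rather than hard-coding #if 0.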
Best regards
Harvey
I'm digging through the Hab4_API document to understand the hab events.
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45
0x33 0x0c 0xa0 0x00 (hab_rvt.assert() API, Engine ANY)
0x00 0x00 0x00 0x00
0x40 0x1f 0xdd 0xc0 (Address 0x401fddc0)
0x00 0x00 0x00 0x20 (Length 0x20 = 32 bytes)
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45
0x33 0x0c 0xa0 0x00 (hab_rvt.assert() API, Engine ANY)
0x00 0x00 0x00 0x00
0x40 0x1f 0xcd 0xc0 (Address 0x401fcdc0)
0x00 0x00 0x00 0x04 (Length 0x04 = 4 bytes)
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x45
0x33 0x18 0xc0 0x00 (Invalid Signature, CTX command, Engine ANY)
0xca 0x00 0x2c 0x00 (Authenticate Data command, Engine ANY?)
0x02 0xc5 0x1d 0x00 (Image Key, Engine CAAM)
0x00 0x00 0x16 0x54 (Signature start addr)
0x40 0x1f 0xcd 0xc0 (Starting addr data block)
0x00 0x00 0x10 0x20 (length of data block)
0x40 0x20 0x00 0x00 (Starting addr data block)
0x00 0x0c 0x02 0xc8 (length of data block)
0x40 0x2c 0x02 0xc8 (Starting addr data block)
0x00 0x00 0x79 0xa8 (length of data block)
0x00 0x97 0x00 0x00 (Starting addr data block)
0x00 0x00 0xb2 0xa0 (length of data block)
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x34 0x45
0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00
0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54
0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20
0x40 0x20 0x00 0x00
0x00 0x0c 0x02 0xc8
0x40 0x2c 0x02 0xc8
0x00 0x00 0x79 0xa8
0x00 0x97 0x00 0x00
0x00 0x00 0xb2 0xa0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
This HAB event 1 is interesting to me because it's saying region 0x401fddc0 with length 0x20 is not signed. I don't recall seeing this address in any of the make logs. What is this region?
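The manual decode in the post above, done programmatically, as an added example (not part of the thread and not NXP tooling): it parses the Event 1 and Event 3 bytes from this page, compares the blocks in the failing Authenticate Data command with the CSF FIT Blocks entries, and locates the asserted region within them. The field layout follows the post's own annotations; the function names are hypothetical.

```python
import struct

# Constructed from the page: raw bytes of HAB Event 1 and Event 3 as printed by hab_status.
EVENT1 = bytes.fromhex("db001445 330ca000 00000000 401fddc0 00000020")
EVENT3 = bytes.fromhex(
    "db003445 3318c000 ca002c00 02c51d00 00001654 401fcdc0 00001020"
    "40200000 000c02c8 402c02c8 000079a8 00970000 0000b2a0")
# (load address, length) pairs from the page's "CSF FIT" Blocks lines.
CSF_FIT = [(0x401FCDC0, 0x1020), (0x40200000, 0xC02C8),
           (0x402C02C8, 0x79A8), (0x970000, 0xB2A0)]

def parse_event(raw):
    """Decode one HAB event record into a dict (all fields are big-endian)."""
    tag, length, _version = struct.unpack(">BHB", raw[:4])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    ev = {"sts": sts, "rsn": rsn, "ctx": ctx, "eng": eng, "blocks": []}
    body = raw[8:]
    if ctx == 0xA0:                              # HAB_CTX_ASSERT: type, address, length
        _type, addr, size = struct.unpack(">III", body[:12])
        ev["blocks"] = [(addr, size)]
    elif ctx == 0xC0 and body[:1] == b"\xca":    # failing Authenticate Data command
        cmd_len = struct.unpack(">H", body[1:3])[0]
        ev["key_index"] = body[4]                # CSF "Verification index"
        ev["sig_offset"] = struct.unpack(">I", body[8:12])[0]  # "Signature start" in the post
        words = struct.unpack(f">{(cmd_len - 12) // 4}I", body[12:cmd_len])
        ev["blocks"] = list(zip(words[0::2], words[1::2]))
    return ev

def locate(addr, size, blocks):
    """Return (block index, offset) of the block that fully contains the region, else None."""
    for i, (start, length) in enumerate(blocks):
        if start <= addr and addr + size <= start + length:
            return i, addr - start
    return None

if __name__ == "__main__":
    ev3 = parse_event(EVENT3)
    print("event blocks match CSF FIT:", ev3["blocks"] == CSF_FIT)
    for addr, size in parse_event(EVENT1)["blocks"]:
        print(f"assert region {addr:#x}+{size:#x} ->", locate(addr, size, CSF_FIT))
```

On the page's data the event blocks equal the CSF FIT blocks, and the Event 1 region sits at offset 0x1000 in the first block. The event records only load addresses and lengths, so the file offsets in the CSF cannot be checked from it.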