imx8mp HAB

splkwill · ‎10-31-2022

Hello,

I am trying to integrate HAB with our iMX8MP SoM. I have followed instructions using:

- https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=imx...

and

- https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

However, I am seeing HAB events:

Verdin iMX8MP #  hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
	0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
	0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
	0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
	0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
	0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
	0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
	0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
	0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
	0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
	0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
	0x00 0x0c 0x02 0xc8 0x40 0x2c 0x02 0xc8
	0x00 0x00 0x79 0xa8 0x00 0x97 0x00 0x00
	0x00 0x00 0xb2 0xa0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
	0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
	0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
	0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
	0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
	0x00 0x0c 0x02 0xc8 0x40 0x2c 0x02 0xc8
	0x00 0x00 0x79 0xa8 0x00 0x97 0x00 0x00
	0x00 0x00 0xb2 0xa0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

For troubleshooting, I decided to sign each binary one step at a time:

signing SPL only -> no HAB events
+ signing FIT IVT -> no HAB events
+ signing u-boot (u-boot-nodtb.bin) -> start getting HAB events

So it looks like the FIT image is having troubles being authenticated. Since SPL and first part of FIT (IVT) passes shows no issues, I assume my fuses are programmed correctly. My guess is the Authenticate Data block portion for u-boot and beyond is incorrect. Could there be an issue with the values generated from print_fit_hab?

This is my build log:

# make SOC=iMX8MP  dtbs=imx8mp-verdin.dtb flash_evk_emmc_fastboot
....
========= OFFSET dump =========
Loader IMAGE:
 header_image_off       0x0
 dcd_off                0x0
 image_off              0x40
 csf_off                0x25200
 spl hab block:         0x91ffc0 0x0 0x25200

Second Loader IMAGE:
 sld_header_off         0x60000
 sld_csf_off            0x61020
 sld hab block:         0x401fcdc0 0x60000 0x1020

# make SOC=iMX8MP  dtbs=imx8mp-verdin.dtb print_fit_hab
./../scripts/pad_image.sh tee.bin
Pad file tee.bin NOT found
./../scripts/pad_image.sh bl31.bin
./../scripts/pad_image.sh u-boot-nodtb.bin imx8mp-verdin.dtb
u-boot-nodtb.bin + imx8mp-verdin.dtb are padded to 818288
TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 VERSION=v2 ./print_fit_hab.sh 0x60000 imx8mp-verdin.dtb
0x40200000 0x5B000 0xC02C8
0x402C02C8 0x11B2C8 0x79A8
0x970000 0x122C70 0xB2A0

Corresponding CSF authenticate blocks:

CSF SPL:
[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file
    Blocks = 0x91ffc0 0x0 0x25200 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot"

CSF FIT:
[Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Authenticate Start Address, Offset, Length and file
    Blocks = 0x401fcdc0 0x60000 0x1020 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
             0x40200000 0x5B000 0xC02C8 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
             0x402C02C8 0x11B2C8 0x79A8 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot", \
             0x970000 0x122C70 0xB2A0 "/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot"

and commands to write to final binary:

SPL:
dd if=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/flash_evk_emmc_fastboot-csf-spl.bin of=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot-signed seek=152064 bs=1 conv=notrun

FIT
dd if=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/flash_evk_emmc_fastboot-csf-fit.bin of=/home/dfedgebuild/repos/lc-edge/yocto-torizon2/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot-signed seek=397344 bs=1 conv=notrunc

I'm wondering if there is an issue with the print_fit_hab that could result in incorrect CSF for fit image?

Any help is appreciated.

Thanks

EDIT: update logs

splkwill · ‎11-01-2022

I changed make target to flash_evk instead of flash_evk_emmc_fastboot and no there's no HAB events when I check via hab_status.

However, once I closed the device, I fail to boot/load kernel?:

Authenticate image from DDR location 0x401fcdc0...
NOTICE:  BL31: v2.2(release):toradex_imx_5.4.70_2.3.0-g2fa8c6349e
NOTICE:  BL31: Built : 00:00:00, Jan  1 1970


U-Boot 2020.04-5.7.0-devel+git.33bb8e968332 (Jan 01 1970 - 00:00:00 +0000)

CPU:   i.MX8MP[8] rev1.1 1600 MHz (running at 1200 MHz)
CPU:   Industrial temperature grade (-40C to 105C) at 60C
Reset cause: POR
DRAM:  8 GiB
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... OK
In:    serial
Out:   serial
Err:   serial
Model: Toradex Verdin iMX8M Plus Quad 8GB Wi-Fi / BT V1.0A, Serial# 06900814
Carrier: Toradex Dahlia V1.0C, Serial# 00000000

 BuildInfo:
  - ATF 2fa8c63
  - U-Boot 2020.04-5.7.0-devel+git.33bb8e968332

flash target is MMC:2
Net:   eth1: ethernet@30be0000, eth0: ethernet@30bf0000 [PRIME]
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc2(part 0) is current device
Scanning mmc 2:1...
Found U-Boot script /boot.scr
973 bytes read in 6 ms (158.2 KiB/s)
## Executing script at 47000000
4541 bytes read in 12 ms (369.1 KiB/s)
89209 bytes read in 15 ms (5.7 MiB/s)
323 bytes read in 13 ms (23.4 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bmi270.dtbo
878 bytes read in 16 ms (52.7 KiB/s)
Applying Overlay: verdin-imx8mp-enable-pca9533.dtbo
792 bytes read in 18 ms (43 KiB/s)
Applying Overlay: verdin-imx8mp-enable-tsl2591.dtbo
588 bytes read in 19 ms (29.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-gpio.dtbo
2315 bytes read in 19 ms (118.2 KiB/s)
Applying Overlay: verdin-imx8mp-enable-user-button-key.dtbo
1039 bytes read in 20 ms (49.8 KiB/s)
Applying Overlay: verdin-imx8mp-enable-touchscreen.dtbo
2770 bytes read in 19 ms (141.6 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bme688.dtbo
466 bytes read in 15 ms (30.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-sht3x.dtbo
486 bytes read in 17 ms (27.3 KiB/s)
Applying Overlay: verdin-imx8mp-disable-uart1.dtbo
403 bytes read in 16 ms (24.4 KiB/s)
12231950 bytes read in 54 ms (216 MiB/s)
Uncompressed size: 30726656 = 0x1D4DA00
11843304 bytes read in 51 ms (221.5 MiB/s)

Authenticate image from DDR location 0x40000000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
Authenticate Image Fail, Please check

Does enabling CONFIG_IMX_HAB require the kernel to be signed as well?

元の投稿で解決策を見る

atbnoei · ‎12-27-2024

I am working on a project which based on iMX8MP. Your solution help me save much time.

Thanks

Harvey021 · ‎11-02-2022

Hi @splkwill

Yes, but you can disable its authentication in u-boot.

diff --git a/cmd/booti.c b/cmd/booti.c
index a132949091..b66dfbff0e 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (ret != 0)
return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {

Best regards

Harvey

splkwill · ‎11-01-2022

I'm digging through the Hab4_API document to understand the hab events.

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
  0xdb 0x00 0x14 0x45 
  0x33 0x0c 0xa0 0x00 (hab_rvt.assert() API, Engine ANY)
  0x00 0x00 0x00 0x00 
  0x40 0x1f 0xdd 0xc0 (Address 0x401fddc0)
  0x00 0x00 0x00 0x20 (Length 0x20 = 32 bytes)

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
  0xdb 0x00 0x14 0x45 
  0x33 0x0c 0xa0 0x00 (hab_rvt.assert() API, Engine ANY)
  0x00 0x00 0x00 0x00
  0x40 0x1f 0xcd 0xc0 (Address 0x401fcdc0)
  0x00 0x00 0x00 0x04 (Length 0x04 = 4 bytes)

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
  0xdb 0x00 0x34 0x45
  0x33 0x18 0xc0 0x00 (Invalid Signature, CTX command, Engine ANY)
  0xca 0x00 0x2c 0x00 (Authenticate Data command, Engine ANY?)
  0x02 0xc5 0x1d 0x00 (Image Key, Engine CAAM)
  0x00 0x00 0x16 0x54 (Signature start addr)
  0x40 0x1f 0xcd 0xc0 (Starting addr data block)
  0x00 0x00 0x10 0x20 (length of data block)
  0x40 0x20 0x00 0x00 (Starting addr data block)
  0x00 0x0c 0x02 0xc8 (length of data block)
  0x40 0x2c 0x02 0xc8 (Starting addr data block)
  0x00 0x00 0x79 0xa8 (length of data block)
  0x00 0x97 0x00 0x00 (Starting addr data block)
  0x00 0x00 0xb2 0xa0 (length of data block)

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
  0xdb 0x00 0x34 0x45
  0x33 0x18 0xc0 0x00
  0xca 0x00 0x2c 0x00
  0x02 0xc5 0x1d 0x00
  0x00 0x00 0x16 0x54
  0x40 0x1f 0xcd 0xc0
  0x00 0x00 0x10 0x20
  0x40 0x20 0x00 0x00
  0x00 0x0c 0x02 0xc8
  0x40 0x2c 0x02 0xc8
  0x00 0x00 0x79 0xa8
  0x00 0x97 0x00 0x00
  0x00 0x00 0xb2 0xa0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

This HAB event 1 is interesting to me because it's saying region 0x401fddc0 with length 0x20 is not signed. I don't recall seeing this address in any of the make logs. What is this region?

splkwill · ‎11-01-2022

I changed make target to flash_evk instead of flash_evk_emmc_fastboot and no there's no HAB events when I check via hab_status.

However, once I closed the device, I fail to boot/load kernel?:

Authenticate image from DDR location 0x401fcdc0...
NOTICE:  BL31: v2.2(release):toradex_imx_5.4.70_2.3.0-g2fa8c6349e
NOTICE:  BL31: Built : 00:00:00, Jan  1 1970


U-Boot 2020.04-5.7.0-devel+git.33bb8e968332 (Jan 01 1970 - 00:00:00 +0000)

CPU:   i.MX8MP[8] rev1.1 1600 MHz (running at 1200 MHz)
CPU:   Industrial temperature grade (-40C to 105C) at 60C
Reset cause: POR
DRAM:  8 GiB
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... OK
In:    serial
Out:   serial
Err:   serial
Model: Toradex Verdin iMX8M Plus Quad 8GB Wi-Fi / BT V1.0A, Serial# 06900814
Carrier: Toradex Dahlia V1.0C, Serial# 00000000

 BuildInfo:
  - ATF 2fa8c63
  - U-Boot 2020.04-5.7.0-devel+git.33bb8e968332

flash target is MMC:2
Net:   eth1: ethernet@30be0000, eth0: ethernet@30bf0000 [PRIME]
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc2(part 0) is current device
Scanning mmc 2:1...
Found U-Boot script /boot.scr
973 bytes read in 6 ms (158.2 KiB/s)
## Executing script at 47000000
4541 bytes read in 12 ms (369.1 KiB/s)
89209 bytes read in 15 ms (5.7 MiB/s)
323 bytes read in 13 ms (23.4 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bmi270.dtbo
878 bytes read in 16 ms (52.7 KiB/s)
Applying Overlay: verdin-imx8mp-enable-pca9533.dtbo
792 bytes read in 18 ms (43 KiB/s)
Applying Overlay: verdin-imx8mp-enable-tsl2591.dtbo
588 bytes read in 19 ms (29.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-gpio.dtbo
2315 bytes read in 19 ms (118.2 KiB/s)
Applying Overlay: verdin-imx8mp-enable-user-button-key.dtbo
1039 bytes read in 20 ms (49.8 KiB/s)
Applying Overlay: verdin-imx8mp-enable-touchscreen.dtbo
2770 bytes read in 19 ms (141.6 KiB/s)
Applying Overlay: verdin-imx8mp-enable-bme688.dtbo
466 bytes read in 15 ms (30.3 KiB/s)
Applying Overlay: verdin-imx8mp-enable-sht3x.dtbo
486 bytes read in 17 ms (27.3 KiB/s)
Applying Overlay: verdin-imx8mp-disable-uart1.dtbo
403 bytes read in 16 ms (24.4 KiB/s)
12231950 bytes read in 54 ms (216 MiB/s)
Uncompressed size: 30726656 = 0x1D4DA00
11843304 bytes read in 51 ms (221.5 MiB/s)

Authenticate image from DDR location 0x40000000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
Authenticate Image Fail, Please check

Does enabling CONFIG_IMX_HAB require the kernel to be signed as well?

jfs17 · ‎12-06-2024

Hi

I am having same error right now and eventually show kernel panic. I am working with i.MX8MP device, what was your solutions to boot up the kernel correctly?

Thanks.

KadirY · ‎12-23-2024

Hello,

Could you fix the issue? I'm having similar problems here

chen-wust1 · ‎12-23-2024

If you are FitImage, you need to modify the verification code of U-Boot. By default, only the verification of Image is supported.

KadirY · ‎12-23-2024

Yes, I do have a fit image. What is the modification for the u-boot verification code? Can you please explain a little bit?
So far, I could only get the SPL to run, u-boot won't start from my fitImage. Ty

chen-wust1 · ‎12-23-2024

https://community.nxp.com/t5/i-MX-Processors/Patch-for-u-boot-imx-Using-FIT-and-HAB-in-bootm-command...

Check out this post

imx8mp HAB

imx8mp HAB

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano