- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- imx8mq-evk secure boot not verifying image signature
imx8mq-evk secure boot not verifying image signature
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
imx8mq-evk secure boot not verifying image signature
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am basically following the document (mx8m_secure_boot) to enable secure boot in imx8mq-evk board. I also follow the application note AN4581.
It seems I am missing some steps since the authentication does not seem to succeed irrespective of what certificates are used to sign them.
The message that i see is :
U-Boot SPL 2022.04 (Sep 25 2023 - 22:43:00 -0400)
PMIC: PFUZE100 ID=0x10
DDRINFO: start DRAM init
DDRINFO: DRAM rate 3200MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1
hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0...
and then the board proceeds to boot the TEE and subsequently u-boot starts.
The hab status command also does not show any thing interesting.
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0x00, HAB State: 0x00
The board is not locked since i am waiting for some hab events to show up before i lock it.
The values from fuse.bin are properly programmed in the fuse. I verified them by reading then over using the fuse command in uboot.
eg:
u-boot=> fuse read 6 0
Reading bank 6:
Word 0x00000000: 03d20485
Please let me know if there is any additional steps to be performed. Thanks.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rameshd82
HAB 4.1.2 and newer, if SRK FUSE is not burned, HAB EVENT will not be reported. It is recommended that before closing, burn SRK FUSE first, then restart, then verify HAB EVENT, and then close.
Best regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Harvey021
I have already programmed the SRK hashes as instructed in the guide.
I can confirm their values from u-boot also.
fuse read 6 0
Reading bank 6:
Word 0x00000000: 03d20485
u-boot=> fuse read 6 1
Reading bank 6:
Word 0x00000001: 1502e2f9
u-boot=> fuse read 6 2
Reading bank 6:
Word 0x00000002: 48b8b761
u-boot=> fuse read 6 3
Reading bank 6:
Word 0x00000003: 07fd4dae
u-boot=> fuse read 7 0
Reading bank 7:
Word 0x00000000: e60b3aca
u-boot=> fuse read 7 01
Reading bank 7:
Word 0x00000001: 964b590b
u-boot=> fuse read 7 1
Reading bank 7:
Word 0x00000001: 964b590b
u-boot=> fuse read 7 2
Reading bank 7:
Word 0x00000002: ffcfda4a
u-boot=> fuse read 7 3
Reading bank 7:
Word 0x00000003: cbcee424
I still do not see any information whether the HAB authentication has succeeded or failed with images. Also in u-boot hab status i can see that both the HAB configuration and the status are 0x0
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rameshd82
If Evk Board and follow up the uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub, then such issue makes confusion.
Please double check Generating a PKI tree referring to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub
and secure boot guide (uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub), like the very step: 1.2 Enabling the secure boot support in U-Boot to by adding CONFIG_IMX_HAB=y to build.
Here is link for reference: i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community
Best regards,
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enclosing the csf files for reference.
cat csf_spl.txt
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x34600 "flash.bin"and the fit csf
csf_fit.txt
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fcdc0 0x057c00 0x01020 "flash.bin", \
0x40200000 0x05AC00 0x00050 "flash.bin", \
0x40200050 0x05AC50 0x0CDA0 "flash.bin", \
0x00910000 0x0679F0 0x00054 "flash.bin", \
0xFE000000 0x067A44 0x00044 "flash.bin"\