secure boot issue on imx93 platform

meng_li · ‎11-28-2024

I am working on secure boot feature on imx93 platform, and my steps as below:

1. cst-3.4.1 download

https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW&appType=license

tar zxvf IMX_CST_TOOL_NEW.tgz

2. //Generating a PKI tree including a subordinate SGK key

cd cst-3.4.1/keys

./ahab_pki_tree.sh

Do you want to use an existing CA key (y/n)?: n

Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: ecc
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 5
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

//Generating SRK Table and SRK Hash
cd cst-3.4.1/crts/
../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -f 1 -c SRK1_sha384_secp384r1_v3_ca_crt.pem,SRK2_sha384_secp384r1_v3_ca_crt.pem,SRK3_sha384_secp384r1_v3_ca_crt.pem,SRK4_sha384_secp384r1_v3_ca_crt.pem
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRK HASH[0] = 0xB3E92A59
SRK HASH[1] = 0xA91F3763
SRK HASH[2] = 0xD92AE6E9
SRK HASH[3] = 0xB23C81A9
SRK HASH[4] = 0x4582BFC3
SRK HASH[5] = 0x290673E9
SRK HASH[6] = 0x9FDDE87B
SRK HASH[7] = 0xCAC12EFC

3. Programming SRK Hash with u-boot command line

=> fuse prog 16 0 0xb3e92a59
=> fuse prog 16 1 0xa91f3763
=> fuse prog 16 2 0xd92ae6e9
=> fuse prog 16 3 0xb23c81a9
=> fuse prog 16 4 0x4582bfc3
=> fuse prog 16 5 0x290673e9
=> fuse prog 16 6 0x9fdde87b
=> fuse prog 16 7 0xcac12efc

4. build secure boot yocto project

repo init -u https://github.com/nxp-imx/imx-manifest -b imx-linux-mickledore -m imx-6.1.55-2.2.0_security-reference-design.xml

repo sync DISTRO=fsl-imx-xwayland MACHINE=imx93evk source imx-setup-release.sh -b build-xwayland-imx93evk-secureboot

bitbake-layers add-layer ../sources/meta-nxp-security-reference-design/meta-secure-boot

//add CST_PATH in local.conf CST_PATH = "/buildssd/mli1/wr1023-build-test/sdk-nxp-yocto-mickledore-secureboot/imx93_cst/cst-3.4.1"

//change the meta-secure-boot/recipes-secure-boot/cst-signer/cst-signer.bb to use my srk and sgk

--- a/meta-secure-boot/recipes-secure-boot/cst-signer/cst-signer.bb
+++ b/meta-secure-boot/recipes-secure-boot/cst-signer/cst-signer.bb
@@ -18,6 +18,9 @@ BOOT_TOOLS = "imx-boot-tools"
do_deploy () {
install -d ${DEPLOYDIR}/${BOOT_TOOLS}
install -m 0755 ${S}/cst_signer ${DEPLOYDIR}/${BOOT_TOOLS}
+ sed -e 's/SRK1_sha256_prime256v1_v3_ca_crt/SRK1_sha384_secp384r1_v3_ca_crt/' -i ${S}/csf_ahab.cfg.sample
+ sed -e 's/sgk_file=/sgk_file=SGK1_1_sha384_secp384r1_v3_usr_crt.pem/' -i ${S}/csf_ahab.cfg.sample
+ sed -e 's/sgk_permissions=/sgk_permissions=0x1/' -i ${S}/csf_ahab.cfg.sample
install -m 0755 ${S}/csf_ahab.cfg.sample ${DEPLOYDIR}/${BOOT_TOOLS}
install -m 0755 ${S}/csf_hab4.cfg.sample ${DEPLOYDIR}/${BOOT_TOOLS}
}

bitbake imx-boot-signature

after building bootloader image, I get the signed-imx-boot-imx93evk-sd.bin-flash_singleboot, and burn into sd card with below command

sudo dd if=xxx/signed-imx-boot-imx93evk-sd.bin-flash_singleboot of=/dev/sdd bs=1k seek=32 conv=fsync,notrunc and and then power board and run below ahab_status in u-boot, there is below error event

u-boot=> ahab_status

Lifecycle: 0x00000008, OEM Open

0x0287f0d6

IPC = MU APD (0x2)

CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)

IND = ELE_BAD_SIGNATURE_FAILURE_IND (0xF0)

STA = ELE_SUCCESS_IND (0xD6) 0x0287f0d6

IPC = MU APD (0x2)

CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)

IND = ELE_BAD_SIGNATURE_FAILURE_IND (0xF0)

STA = ELE_SUCCESS_IND (0xD6)

BUT if I don't use the SGK key, there is not error event.

during building bootloader, my csf.cfg as below

#Header
header_version=1.0
#Install SRK
srktable_file=SRK_1_2_3_4_table.bin
srk_source=SRK1_sha384_secp384r1_v3_ca_crt.pem
srk_source_index=0
srk_source_set=OEM
srk_revocations=0x0
#Install Certificate
sgk_file=SGK1_1_sha384_secp384r1_v3_usr_crt.pem
sgk_permissions=0x1

and generate container_2.csf and container_3.csf, the reason of secure boot failure is the #Install Certificate section.

Could you please to check whether there are something with my #Install Certificate configure?

How should I set the parameters in section #Install Certificate ?

thanks,

Limeng

Harvey021 · ‎12-08-2024

Hi @meng_li

Sorry to reply to you with delay, as I've just got confirmation that i.MX91/i.MX93/i.MX8ULP products do not support for SGK and as a result, the change on SRM and related documents will be reflected in next release.

So, to your question about

"Could you please to check whether there are something with my #Install Certificate configure?

How should I set the parameters in section #Install Certificate ?"

The command block for #Install Certificate won't be applicable for these products, such as, i.MX91/i.MX93/i.MX8ULP. Instead of that, please refer to the csf_boot_image.txt and csf_uboot_atf.txt

Please feel free to let know if your question has not been answered yet.

Regards

Harvey