Hi
I am trying to implement secure boot on an imx7dsabre and I am having a little trouble. I looked at the other posts on the forum and still couldn't resolve the issues.
Here is what I did:
- Built u-boot from this repository: https://github.com/u-boot/u-boot
I made sure the mx7dsabresd_defconfig file included CONFIG_IMX_HAB=y and built my u-boot.imx
- Generated a PKI using cst-3.3.1
I generated 4 keys of length 4096 as well as the two files fuse.bin and table.bin. But then I only fused values of the first key onto the board, as I wanted to make sure everything was working fine before fusing everything else.
- Generate csf file: I generated the csf file as follows:
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Unlock]
Engine = CAAM
Features = RNG
[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x00078c00 "u-boot.imx"
[Authenticate Data]
Verification index = 2
Blocks = 0x00910000 0x0000002c 0x000001b4 "u-boot.imx"
The log file u-boot-dtb.imb looks like this:
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 503904 Bytes = 492.09 KiB = 0.48 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00078c00
DCD Blocks: 0x00910000 0x0000002c 0x000001b4
- Signing the image: since I'll be using imx_usb to load the image onto the board, I made sure to clear the DCD table during the signing process using mod_4_mfgtool:
cst-3.3.1/linux64/bin$ ./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
cst-3.3.1/linux64/bin$ ./cst -i uboot.csf -o uboot_csf.bin
cst-3.3.1/linux64/bin$ ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx
cst-3.3.1/linux64/bin$ cat u-boot.imx uboot_csf.bin > signed_u-boot
After loading the image, I get the following hab events:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x01 0xb4
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x64
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Thank you for your help.
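
Added example, not part of the original post: a small Python decoder for the hab_status event records shown above. It names the status, reason and context bytes and, for HAB_INV_ASSERTION events, extracts the address and size and checks whether that region lies inside one of the two [Authenticate Data] blocks from the CSF. It assumes the record layout visible in the dump (tag 0xdb, 2-byte length, version byte, then STS/RSN/CTX/ENG) and that the assertion payload is a 4-byte type followed by a big-endian address and size; the function names are hypothetical.

```python
import re

# Code names limited to the values that appear in the hab_status output above.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CTX = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}
# (start address, length) of the two [Authenticate Data] blocks in the CSF above.
CSF_BLOCKS = [(0x877FF400, 0x00078C00), (0x00910000, 0x000001B4)]

# Constructed sample: events 1 and 5 copied from the output in the post.
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x64
RSN = HAB_INV_CERTIFICATE (0x21)
"""

def parse_events(text):
    """Return one bytes object per 'HAB Event N' section, from its hex lines only."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        events.append(bytes(int(tok, 16) for line in chunk.splitlines()
                            if line.strip().startswith("0x") for tok in line.split()))
    return events

def decode(ev):
    """Decode the 8-byte event header, plus address/size for assertion events."""
    if len(ev) < 8 or ev[0] != 0xDB or int.from_bytes(ev[1:3], "big") != len(ev):
        raise ValueError("truncated or malformed HAB event record")
    out = {"version": ev[3], "sts": STS.get(ev[4], hex(ev[4])),
           "rsn": RSN.get(ev[5], hex(ev[5])), "ctx": CTX.get(ev[6], hex(ev[6]))}
    if ev[5] == 0x0C and len(ev) == 20:
        # Assumed payload layout: 4-byte type, 4-byte address, 4-byte size.
        addr, size = (int.from_bytes(ev[i:i + 4], "big") for i in (12, 16))
        out.update(addr=addr, size=size, in_csf_block=any(
            a <= addr and addr + size <= a + n for a, n in CSF_BLOCKS))
    return out

if __name__ == "__main__":
    for event in parse_events(SAMPLE):
        print(decode(event))
```

Pasting the full hab_status output in place of SAMPLE decodes all five events; lines such as "STS = HAB_FAILURE (0x33)" are skipped because only lines beginning with 0x are read as event data.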