I am trying to finalize setting up secure boot on our custom board with i.MX6.
Now, hab_status returned events (failure) but I don't know why it returned failure message.
This is sequnce and log about my work.
1)
./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
2)
./srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \
./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,\
./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1
3)
hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
get 8 keys
4) in uboot prompt
fuse prog 3 0 key00
~
fuse prog 3 7 key07
5) add CONFIG_SECURE_BOOT
imx6q_uboot/include/configs$ vi xxx_config.h
/* uncomment for SECURE mode support */
#define CONFIG_SECURE_BOOT
#ifdef CONFIG_SECURE_BOOT
#ifndef CONFIG_CSF_SIZE
#define CONFIG_CSF_SIZE 0x4000
#endif
#endif
6) make u-boot.imx
dd if=./u-boot.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'
0000: 402000D1
0004: 17800000
0008: 00000000
000c: 177FF42C
0010: 177FF420
0014: 177FF400
0018: 00000000
001c: 00000000
0020: 177FF000
0024: 00070000
0028: 00000000
002c: 401803D2
7)
cat csf-uboot
=====================================================
#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177FF400 0x000 0x6fc00 "./bin/u-boot.imx"
======================================================
0x6fc00 is size of u-boot.imx
8)
./cst -o csf-uboot.bin -i csf-uboot
9)
cat ./bin/u-boot.imx csf-uboot.bin > u-boot-signed.imx
10)
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x03 0x18
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
What is the reason of issue ?
已解决! 转到解答。
Hey brian.kim, what part of the solution in that URL helped you fix your problem? I'm having the exact same HAB Events as you showed above, and I can't find a definitive answer as to how to fix this "HAB_INV_ADDRESS" (0x22) error.