secure boot on sabrelite with u-boot v2013.04

ajaybande · ‎07-12-2015

Hi

I am working on secure boot with sabrelite board.(Freescale i.MX6Q rev1.0 at 792 MHz)

I am using code base "uboot-imx-imx_v2013.04_3.10.17_1.0.0_beta"

I am facing hab event issue when we issue hab_status command , Please provide your inputs.

I have provided the image, signing and event detail info below.

Image Detail:-

tools/mkimage -l u-boot.imx

Image Type: Freescale IMX Boot Image

Image Ver: 2 (i.MX53/6 compatible)

Mode: DCD

Secure Boot Mode: ON

CSF Data Address: 17850000

U-Boot Data Size: 357376 Bytes = 349.00 kB = 0.34 MB

U-Boot Load Address: 177fac00

U-Boot Entry Point: 17800000

signing Detail:-

we are using following referance link sign the image.

“https://community.freescale.com/docs/DOC-96451"

csf_u-boot_yocto.txt file:-

[Header]

Version = 4.1

Hash Algorithm = sha256

Engine Configuration = 0

Certificate Format = X509

Signature Format = CMS

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install CSFK]

File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]

Engine = CAAM

Features = RNG

[Install Key]

Verification index = 0

Target index = 2

File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with

# length = 0x5D000 (padded u-boot length)

# This covers the essential parts: IVT, boot data and DCD.

# Blocks have the following definition:

# Image block start address on i.MX, Offset from start of image file,

# Length of block in bytes, image data file

[Authenticate Data]

Verification index = 2

Blocks = 0x177FB000 0x0 0x55000 "u-boot-pad.bin"

Command :-

/opt/tooling/codesourcery/MGC-2013.11-73-gcc-4.8.1/Sourcery_CodeBench_for_ARM_GNU_Linux/bin/arm-none-linux-gnueabi-objcopy -I binary -O binary --pad-to 0x55000 --gap-fill=0xff u-boot.imx u-boot-pad.bin

../linux/cst --output csf_u-boot.bin < csf_u-boot_yocto.txt

cat u-boot-pad.bin csf_u-boot.bin > u-boot-signed.bin

Event Detail:-

If we issue hab_status command we are getting following events:-

MX6QSABRELITE U-Boot > hab_status

iMX6 HAB status Information :

=============================

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x00

0x00 0x00 0x00 0x20

--------- HAB Event 2 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x2c

0x00 0x00 0x02 0xf0

--------- HAB Event 3 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x20

0x00 0x00 0x00 0x01

--------- HAB Event 4 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00

0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00

0x00 0x00 0x00 0x04

--------- HAB Event 5 -----------------

event data:

0xdb 0x00 0x14 0x41 0x33 0x21 0xc0 0x00

0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00

0x00 0x00 0x00 0x50

raulcardenas-b4 · ‎07-14-2015

Hi Ajay,

Your log indicates that your certificate is invalid:

------------+----+------+----+-------------------------------------------------

Event |0xdb|0x0014|0x41| SRCE Field: 33 21 c0 00

| | | | STS = HAB_FAILURE (0x33)

| | | | RSN = HAB_INV_CERTIFICATE (0x21)

| | | | CTX = HAB_CTX_COMMAND (0xC0)

| | | | ENG = HAB_ENG_ANY (0x00)

| | | | Cmd Field: 0xbe000c00

| | | | CMD: HAB_CMD_INS_KEY (0xbe)

| | | | LEN: 0x000c

| | | | FLG: 0x03

| | | | FLAGS: NOTHING YET

| | | | PAST Field: 0x03170000

| | | | Crt. addr: 0x00000050

------------+----+------+----+-------------------------------------------------

Since you are doing normal secure boot, your SRK need to have th CA flag set. In the questions made by the hab4_pki_tree, you need to answer : 'n',4096,'10',4,'y'.

If the last anser is 'n', then the pki will be generated for fast authentication.

You can check this using:

openssl x509 -in SRK1_sha256_4096_65537_v3_ca_crt.pem -text -noout | less

Then look for CA: True.

if its false then you will need to change your CSF to:

[Header]

Version = 4.1

[Install SRK]

File = "../crts/SRK_1_2_3_4_table.bin"

Source index = 0

[Install NOCAK]

File = "../crts/SRK1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Authenticate Data]

Verification index = 0

Blocks = %load_addr% 0x00000000 %ivt_dcd_size% "u-boot.imx"

Also, it looks that your blocks are a little bit off.

"Blocks = 0x177FB000 0x0 0x55000 "u-boot-pad.bin""

I believe the first block is wrong, this should be the address of the IVT, which looks to me that it might be at 177FA000.

Regards,

Ulises

ajaybande · ‎07-15-2015

Hi Ulises,

Thanks for reply.

I have checked openssl x509 -in SRK1_sha256_4096_65537_v3_ca_crt.pem -text -noout | less . Its value is "true"

I believe the first block is correct only.

$ od -x -N 64 u-boot-signed.bin

0000000 00d1 4020 0000 1780 0000 0000 b02c 177f

0000020 b020 177f b000 177f 0000 1785 0000 0000

0000040 ac00 177f 7400 0005 0000 0000 02d2 40f0

0000060 02cc 04ec 0e02 9807 0c00 0000 0e02 5807

0000100

IVT.Self is 0x177fb000.

Best Regards

Ajay

raulcardenas-b4 · ‎07-15-2015

ok, Great.

The address is correct.

Which version of CST are you using? CST 2.3.1 was released last week and fixes some issue with the signature.

That might solve the problem

ajaybande · ‎07-15-2015

Hi Ulises,

I am using CST2.0.

I have tried with CST 2.3.1, but no luck!!

I am getting same events!!!!:smileysad:

Best Regards

Ajay

igorpadykov · ‎07-14-2015

Hi Ajay

i.MX6Q rev1.0 (preproduction parts) were not tested with

BSPs and may not work properly, refer to part of Release Notes

also on these parts OTPMK are not burned, from attached

i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf

In general recommended to use latest GA release, not beta

L3.14.28_1.0.0_iMX6QDLS_BUNDLE

Best regards

igor

-----------------------------------------------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!

-----------------------------------------------------------------------------------------------------------------------

ajaybande · ‎07-14-2015

Hi Igor,

Thank you for Reply.

I have flashed OTPMK register, Still I am getting same events.

I have checked SNVS_HP Status Register, but I am not bale to interpret is it correct or some thing is wrong?

SNVS_HP Status Register log:-

MX6QSABRELITE U-Boot > md.l 0x20CC014

020cc014: 80000b00 00000000 00000000 00000000 ................

020cc024: 00000000 00000000 00000000 00000000 ................

020cc034: 00000000 00000000 00000000 00000000 ................

020cc044: 00000000 00000000 00000008 00000000 ................

020cc054: 00000000 00000000 00000000 00000000 ................

020cc064: 00000000 00000000 00000000 00000000 ................

Please find OTPMK flash success log:-

MX6Q SABRELITE U-Boot > imxotp blow --force 0x10 0x975b69a7

Current fuse at (index: 0x10) value: 0x0

Blowing fuse at index: 0x10, value: 0x975B69A7

Reloading shadow registers...

Operation succeeded fuse at (index: 0x10) value: 0x975B69A7

MX6Q SABRELITE U-Boot > imxotp blow --force 0x11 0xafae0b5d

Current fuse at (index: 0x11) value: 0x0

Blowing fuse at index: 0x11, value: 0xAFAE0B5D

Reloading shadow registers...

Operation succeeded fuse at (index: 0x11) value: 0xAFAE0B5D

MX6Q SABRELITE U-Boot > imxotp blow --force 0x12 0x6f780499

Current fuse at (index: 0x12) value: 0x0

Blowing fuse at index: 0x12, value: 0x6F780499

Reloading shadow registers...

Operation succeeded fuse at (index: 0x12) value: 0x6F780499

MX6Q SABRELITE U-Boot > imxotp blow --force 0x13 0x3dda7a47

Current fuse at (index: 0x13) value: 0x0

Blowing fuse at index: 0x13, value: 0x3DDA7A47

Reloading shadow registers...

Operation succeeded fuse at (index: 0x13) value: 0x3DDA7A47

MX6Q SABRELITE U-Boot > imxotp blow --force 0x14 0x76fcba3c

Current fuse at (index: 0x14) value: 0x0

Blowing fuse at index: 0x14, value: 0x76FCBA3C

Reloading shadow registers...

Operation succeeded fuse at (index: 0x14) value: 0x76FCBA3C

MX6Q SABRELITE U-Boot > imxotp blow --force 0x15 0x6d5c9ef6

Current fuse at (index: 0x15) value: 0x0

Blowing fuse at index: 0x15, value: 0x6D5C9EF6

Reloading shadow registers...

Operation succeeded fuse at (index: 0x15) value: 0x6D5C9EF6

MX6Q SABRELITE U-Boot > imxotp blow --force 0x16 0xb166b40a

Current fuse at (index: 0x16) value: 0x0

Blowing fuse at index: 0x16, value: 0xB166B40A

Reloading shadow registers...

Operation succeeded fuse at (index: 0x16) value: 0xB166B40A

MX6Q SABRELITE U-Boot > imxotp blow --force 0x17 0x8f449c5d

Current fuse at (index: 0x17) value: 0x0

Blowing fuse at index: 0x17, value: 0x8F449C5D

Reloading shadow registers...

Operation succeeded fuse at (index: 0x17) value: 0x8F449C5D

SNVS_HP Detail:-

Best Regards

Ajay