- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:
while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:rand
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
while generating HAB4 PKI Tree,hab4_pki_tree script giving error 140453821149632:error:2406F079:rand
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to install Softhsm for ubuntu18.4 . when I generate tree structure for HAB4 by the hab4_pki_tree.sh script it gives error random number generator:RAND_load_file:Cannot open file.
here is full log.
sudo ./hab4_pki_tree.sh
[sudo] password for acclivis:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for Freescale's
High Assurance Boot. It generates a basic PKI tree. The PKI
tree consists of one or more Super Root Keys (SRK), with each
SRK having two subordinate keys:
+ a Command Sequence File (CSF) key
+ Image key.
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
+++++++++++++++++++++++++++++++++++++
+ Generating CA key and certificate +
+++++++++++++++++++++++++++++++++++++
Generating a RSA private key
.....................................................................................................................................................................................+++++
...........................+++++
writing new private key to 'temp_ca.pem'
-----
++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................................................................+++++
........................................+++++
e is 65537 (0x010001)
Can't load /home/acclivis/.rnd into RNG
140080975962560:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/acclivis/.rnd
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'
Certificate is to be certified until Nov 20 11:08:48 2031 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................+++++
...........................................................+++++
e is 65537 (0x010001)
Can't load /home/acclivis/.rnd into RNG
140207436272064:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/acclivis/.rnd
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Nov 20 11:08:48 2031 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Please guide me on this.Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I have checked link you share.
my updated u-boot.cfg file is as follows.
[Header]
Version = 4.1
#Security Configuration = Open
Hash Algorithm = SHA256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = Any
[Install SRK]
File ="../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
Hash Algorithm = SHA256
[Install CSFK]
File ="../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Certificate Format = X509
[Authenticate CSF]
Engine = DCP
Engine Configuration = 0
Signature Format = CMS
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
file ="../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
Certificate Format = X509
[Authenticate Data]
Verification index = 2
Engine = DCP
Blocks = 0x01000000 0x0 0x10000 “flash.bin”
#0xf8000000 0x0 0x10000 “flash.bin”
#0xf801000 0x0 0x1000 “xyz.bin”
Engine Configuration = 0
Signature Format = CMS
here i am getting error on "Blocks = 0x01000000 0x0 0x10000 “flash.bin" " line num 35.
1) I am using ubuntu machine for sign image.which offset i need to you here?
2)To generate out.bin from input hab4.csf and public key certificate to encrypt symmetric
key(s)
cst -o out.bin --cert dek_protection_crt.pem -i example.csf
what is dek_protection_crt.pem here.
Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please help me with error. I am trying to generate the CSF binary signature. using " cst -i imx-boot.csf -o imx-boot.csf.bin" command.
following is log of command
PKCS#11: Initializing the engine
Found 1 slot
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
Format not recognized!
The certificate ID is not a valid PKCS#11 URI
The PKCS#11 URI format is defined by RFC7512
The legacy ENGINE_pkcs11 ID format is also still accepted for now
139987367705472:error:80064064:pkcs11 engine:ctx_load_cert:invalid id:eng_back.c:425:
Public key certificate is invalid in file ./CSF1_1_sha256_2048_65537_v3_usr_crt.pem
imx_boot.csf file is as follows
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "./SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "./CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = MID
[Unlock]
Engine = CAAM
Features = MFG
[Install Key]
Verification index = 0
Target index = 2
File = "./IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x7e0fc0 0x0 0x2bc00 "flash.bin"
Zhiming_Liu
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please follow https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=lf-...
There will be no error.
Zhiming_Liu
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this ,and you will also need this https://community.nxp.com/t5/i-MX-Processors/Patch-for-u-boot-imx-Using-FIT-and-HAB-in-bootm-command...
cd ~ && openssl rand -writerand .rnd
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
