CST v3.0.1 known issues

Update October 16th 2018

i.MX High Assurance Boot Reference Code Signing Tool (REV 3.1.0) is now available and addresses all issues discussed in this thread.

Users are requested to download this latest version instead.

_________________________________________________________________________________________________________________________________

The purpose of this document is to provide workarounds for issues found in the previous CST release, v3.0.1.

- Compilation issues when using OpenSSL v.1.1.x

OpenSSL v1.1.x users may see the following error when building the CST binary. Rebuilding is usually needed to relink the executable with support for generating encrypted boot images:

$ gcc -o cst -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
adapt_layer_openssl.c: In function ‘gen_sig_data_ecdsa’:
adapt_layer_openssl.c:551:36: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
         sign_bytes = ECDSA_size(key->pkey.ec);
                                    ^
adapt_layer_openssl.c:580:28: error: dereferencing pointer to incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
         r = get_bn(sign_dec->r, &bn_bytes);
                            ^

This issue affects OpenSSL v1.1.x users on both Windows and Linux. The installed OpenSSL version can be checked with the following command:

$ openssl version

We recommend waiting for the next CST release. Alternatively, it is possible to downgrade to OpenSSL v1.0.2; for details, see the link below:

GitHub - openssl/openssl at OpenSSL_1_0_2g 

- Encrypted boot images cannot boot up if generated with CST v3.0.1

Due to an issue in the latest CST, the protocol tag of the Decrypt Data command is written incorrectly into the CSF binary.

CSF Example:

[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 0x67800000 0xc00 0x74000 "u-boot-dtb.imx"

CSF binary generated with CST v3.0.1:

CA 00 14 00 00 21 1D 00 00 00 0F 60 67 80 00 00 00 07 40 00

CSF binary generated with CST v2.3.3:

CA 00 14 00 00 A3 1D 00 00 00 0F 60 67 80 00 00 00 07 40 00

The HAB code expects a HAB_PCL_AEAD (0xA3) tag in this command; receiving an unknown (0x21) tag instead causes the boot to fail.

From High Assurance Boot Version 4 API Document:

Definition      Value   Description
HAB_PCL_SRK     0x03    SRK certificate format
HAB_PCL_X509    0x03    X.509v3 certificate format
HAB_PCL_CMS     0xC5    CMS/PKCS#7 signature format
HAB_PCL_BLOB    0xBB    SHW-specific wrapped key format
HAB_PCL_AEAD    0xA3    Proprietary AEAD MAC format

This issue was introduced in CST v3.0.1. As a workaround, we recommend using CST v2.3.3 until the next CST release.
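As an added check before flashing an encrypted image, the Python below decodes the two Decrypt Data command dumps quoted above and reports whether the protocol tag is one HAB accepts. This is example code written for this page, not CST or NXP HAB code. It assumes the HAB4 Authenticate Data command layout (tag, 2-byte big-endian length, flags, key index, protocol, engine, configuration, 4-byte authentication data start, then start/length block pairs); the protocol tag values come from the table above, and the function names are this example's own.

```python
"""Decode HAB4 Decrypt Data commands from a CSF and check the protocol tag.

Assumed field layout (HAB4 Authenticate Data command, tag 0xCA):
  tag(1) len(2, big-endian) flags(1) key(1) pcl(1) eng(1) cfg(1)
  aut_start(4) then (start(4), bytes(4)) block pairs.
Confirm the offsets against the HAB4 API document for your device.
"""
import struct

HAB_CMD_AUT_DAT = 0xCA   # Decrypt Data is encoded as an Authenticate Data command
HAB_PCL_AEAD = 0xA3      # protocol tag HAB expects for Decrypt Data

# Protocol tag values exactly as listed in the table on this page
PCL_NAMES = {
    0x03: "HAB_PCL_SRK / HAB_PCL_X509 (both listed as 0x03 above)",
    0xC5: "HAB_PCL_CMS",
    0xBB: "HAB_PCL_BLOB",
    0xA3: "HAB_PCL_AEAD",
}

# The two command dumps quoted on this page (CST v3.0.1 and CST v2.3.3)
CMD_CST_301 = bytes.fromhex("CA 00 14 00 00 21 1D 00 00 00 0F 60 67 80 00 00 00 07 40 00")
CMD_CST_233 = bytes.fromhex("CA 00 14 00 00 A3 1D 00 00 00 0F 60 67 80 00 00 00 07 40 00")


def parse_aut_dat(cmd):
    """Decode one Authenticate/Decrypt Data command into its fields."""
    if len(cmd) < 12 or cmd[0] != HAB_CMD_AUT_DAT:
        raise ValueError("not an Authenticate Data command")
    length = struct.unpack(">H", cmd[1:3])[0]
    if length != len(cmd) or (length - 12) % 8:
        raise ValueError("length field does not match a header plus whole block pairs")
    flags, key, pcl, eng, cfg = cmd[3:8]
    aut_start = struct.unpack(">I", cmd[8:12])[0]
    blocks = [struct.unpack(">II", cmd[i:i + 8]) for i in range(12, length, 8)]
    return {"flags": flags, "key": key, "pcl": pcl, "eng": eng, "cfg": cfg,
            "aut_start": aut_start, "blocks": blocks}


def check_protocol_tag(cmd):
    """Return (ok, message); ok is False when the pcl byte is not a tag HAB knows."""
    pcl = parse_aut_dat(cmd)["pcl"]
    if pcl in PCL_NAMES:
        return True, f"protocol tag 0x{pcl:02X} ({PCL_NAMES[pcl]})"
    return False, (f"protocol tag 0x{pcl:02X} is unknown to HAB; a Decrypt Data command "
                   f"must carry 0x{HAB_PCL_AEAD:02X} (HAB_PCL_AEAD), regenerate with CST v2.3.3")


def scan_commands(body):
    """Walk a stream of concatenated CSF commands by tag/length and check every 0xCA one.

    `body` holds the command stream only (no CSF header). Returns one
    (offset, ok, message) tuple per Authenticate/Decrypt Data command found.
    """
    results, pos = [], 0
    while pos + 3 <= len(body):
        tag, length = body[pos], struct.unpack(">H", body[pos + 1:pos + 3])[0]
        if length < 4 or pos + length > len(body):
            raise ValueError(f"bad command length {length} at offset {pos}")
        if tag == HAB_CMD_AUT_DAT:
            ok, msg = check_protocol_tag(body[pos:pos + length])
            results.append((pos, ok, msg))
        pos += length
    return results


if __name__ == "__main__":
    for label, cmd in (("CST v3.0.1", CMD_CST_301), ("CST v2.3.3", CMD_CST_233)):
        ok, msg = check_protocol_tag(cmd)
        print(f"{label}: {'OK' if ok else 'BROKEN'} - {msg}")
    # Constructed stream: the good command followed by the broken one
    for offset, ok, msg in scan_commands(CMD_CST_233 + CMD_CST_301):
        print(f"offset {offset}: {'OK' if ok else 'BROKEN'} - {msg}")
```

Running the script flags the v3.0.1 command (pcl 0x21) and accepts the v2.3.3 one (pcl 0xA3); the decoded block pair (0x67800000, 0x74000) matches the Blocks line of the CSF example, since the file offset 0xc00 is not encoded in the command.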

NOTE: The issues mentioned above do not compromise i.MX security.

Please let me know any suggestions/changes to this document.
Last update: 07/31/2018
