Recover from incorrectly signed FIT image in i.MX8M devices


Description

The secure boot process on an i.MX8M device requires the initial boot image (SPL) to be signed. The SPL in turn authenticates a signed FIT image by calling the HAB API. For more details on i.MX8M secure boot, refer to application note AN4581 and the U-Boot documentation. When FIT image authentication fails on a closed device, the SPL hangs in an infinite loop, and a system reset is required. Instead, the chip can be made to enter serial download mode (SDP) so that a correctly signed FIT image can be downloaded again and the boot process can continue. The SPL can put the chip into SDP mode using its built-in SDP support.

Patch

This patch adds the capability to move the chip into Serial Download Mode so that a new FIT image can be downloaded.

diff --git a/arch/arm/mach-imx/spl.c b/arch/arm/mach-imx/spl.c

index 2320ac9..ecfed9e 100644

--- a/arch/arm/mach-imx/spl.c

+++ b/arch/arm/mach-imx/spl.c

@@ -298,11 +298,15 @@ ulong board_spl_fit_size_align(ulong size)

void board_spl_fit_post_load(ulong load_addr, size_t length)

{

 uint32_t offset = length - CONFIG_CSF_SIZE;

 if (imx_hab_authenticate_image(load_addr,

 offset + IVT_SIZE + CSF_PAD_SIZE,

 offset)) {

 puts("spl: ERROR: image authentication unsuccessful\n");

- hang();

+ g_dnl_unregister();

+ //goto SDP mode from SPL

+ spl_sdp_load_image(NULL, NULL);

 }

}
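Review bot: the return value of spl_sdp_load_image(NULL, NULL) in the failure branch of board_spl_fit_post_load() is ignored, and with hang() removed nothing stops execution after it. If the SDP call returns for any reason, for example on an error, the function returns to its caller with the image that just failed imx_hab_authenticate_image() still loaded. Keep a hang() after the call so the failure path can never fall through, and print the SDP return code before hanging. Both arguments are NULL while the callee is declared with struct spl_image_info * and struct spl_boot_device * parameters, so confirm that neither pointer is dereferenced on this path. Style: use a /* ... */ comment instead of the // comment.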



 diff --git a/common/spl/spl_sdp.c b/common/spl/spl_sdp.c

index d59ddc8..b1cdad0 100644

--- a/common/spl/spl_sdp.c

+++ b/common/spl/spl_sdp.c

@@ -18,7 +18,7 @@ void board_sdp_cleanup(void)

 board_usb_cleanup(CONFIG_SPL_SDP_USB_DEV, USB_INIT_DEVICE);

}



 -static int spl_sdp_load_image(struct spl_image_info *spl_image,

+int spl_sdp_load_image(struct spl_image_info *spl_image,

 struct spl_boot_device *bootdev)

{

 int ret;
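Review bot: dropping static from spl_sdp_load_image() exports it for the unconditional call added in arch/arm/mach-imx/spl.c, but this file is written against SDP-specific configuration (CONFIG_SPL_SDP_USB_DEV in the context line above). If a board builds the i.MX SPL without this file, the new call will not link; guard the call site with the matching config option or provide a stub that falls back to hang(). The function also declares int ret, so it reports errors to its caller, which is one more reason the caller should not discard the result.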



 diff --git a/include/spl.h b/include/spl.h

index efb5833..f07e1b5 100644

--- a/include/spl.h

+++ b/include/spl.h

@@ -314,4 +314,8 @@ void spl_invoke_atf(struct spl_image_info *spl_image);

 * can implement 'board_return_to_bootrom'.

 */

void board_return_to_bootrom(void);

+

+int spl_sdp_load_image(struct spl_image_info *spl_image,

+ struct spl_boot_device *bootdev);

#endif‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍
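Review bot: the new spl_sdp_load_image() prototype in include/spl.h has no comment, unlike board_return_to_bootrom() directly above it. Add a comment block that says the function is now also called from the HAB authentication failure path, whether NULL is acceptable for spl_image and bootdev, and what the int return value means. If the definition is only built when SDP support is enabled, wrap the prototype in the same config guard so misuse is caught at compile time rather than at link time.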

 

Recovery image download steps 

Once the patch is applied to the SPL, the chip goes directly into SDP mode when FIT image authentication fails. The following steps download a new FIT image using UUU.

UUU command to download new signed FIT:

uuu SDPV: write -f flash.bin -skipspl

UUU command to jump to the new FIT:

uuu SDPV: jump

Once done, the new FIT image is downloaded, the SPL authenticates it, and the boot process continues.

Output log

 

U-Boot SPL 2018.03-01236-g73af2fc-dirty (Nov 19 2019 - 14:01:)

power_bd71837_init

DDRINFO: start DRAM init

DRAM PHY training for 3000MTS

check ddr_pmu_train_imem code

check ddr_pmu_train_imem code pass

check ddr_pmu_train_dmem code

check ddr_pmu_train_dmem code pass

Training PASS

DRAM PHY training for 400MTS

check ddr_pmu_train_imem code

check ddr_pmu_train_imem code pass

check ddr_pmu_train_dmem code

check ddr_pmu_train_dmem code pass

Training PASS

DRAM PHY training for 100MTS

check ddr_pmu_train_imem code

check ddr_pmu_train_imem code pass

check ddr_pmu_train_dmem code

check ddr_pmu_train_dmem code pass

Training PASS

DRAM PHY training for 3000MTS

check ddr_pmu_train_imem code

check ddr_pmu_train_imem code pass

check ddr_pmu_train_dmem code

check ddr_pmu_train_dmem code pass

Training PASS

DDRINFO:ddrphy calibration done

DDRINFO: ddrmix config done

Normal Boot

Trying to boot from MMC1

 

Authenticate image from DDR location 0x401fcdc0...

Error: CSF header command not found

spl: ERROR:  image authentication unsuccessful <---------- FIT authentication fails

SDP: initialize... <---------- SPL pushes chip in SDP mode

SDP: handle requests...

Downloading file of size 912688 to 0x40400000... done <---------- UUU command to download new signed FIT: “./uuu SDPV: write -f flash.bin -skipspl”

Jumping to header at 0x40400000 <---------- UUU command to jump to  new FIT: “./uuu SDPV: jump”

Header Tag is not an IMX image

Found header at 0x4042a200

 

Authenticate image from DDR location 0x401fcdc0...

 

 

U-Boot 2018.03-01236-g73af2fc-dirty (Nov 19 2019 - 14:01:23 -)

 

CPU:   Freescale i.MX8MMQL rev1.0 1800 MHz (running at 1200 M)

CPU:   Commercial temperature grade (0C to 95C) at 44C

Reset cause: POR

Model: FSL i.MX8MM EVK board

DRAM:  2 GiB

TCPC:  Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x]

Power supply on USB2

TCPC:  Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x]

MMC:   FSL_SDHC: 0, FSL_SDHC: 1

Loading Environment from MMC... *** Warning - bad CRC, using t

 

Failed (-5)

No panel detected: default to MIPI2HDMI

adv7535_init: Can't find device id=0x3d, on bus 1

Display: MIPI2HDMI (1920x1080)

Video: 1920x1080x24

In:    serial

Out:   serial

Err:   serial

 

BuildInfo:

  - ATF 1355c5d

  - U-Boot 2018.03-01236-g73af2fc-dirty

 

switch to partitions #0, OK

mmc0 is current device

flash target is MMC:0

Net:  

Error: ethernet@30be0000 address not set.

No ethernet found.

Fastboot: Normal

Normal Boot

Hit any key to stop autoboot:  0

u-boot=> hab_status

 

Secure boot disabled

 

HAB Configuration: 0xf0, HAB State: 0x66

 

--------- HAB Event 1 -----------------  <----------- HAB events created from initial FIT image auth failure and cannot be removed  

event data:

        0xdb 0x00 0x08 0x43 0x33 0x11 0xcf 0x00

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_CSF (0x11)

CTX = HAB_CTX_CSF (0xCF)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 2 -----------------

event data:

        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0

        0x00 0x00 0x00 0x20

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 3 -----------------

event data:

        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xe0

        0x00 0x00 0x00 0x01

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

 

--------- HAB Event 4 -----------------

event data:

        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00

        0x00 0x00 0x00 0x00 0x00 0x7e 0x10 0x00

        0x00 0x00 0x00 0x04

 

STS = HAB_FAILURE (0x33)

RSN = HAB_INV_ASSERTION (0x0C)

CTX = HAB_CTX_ASSERT (0xA0)

ENG = HAB_ENG_ANY (0x00)

 

u-boot=>

Final Remarks

  • Please note that the HAB events from the initial FIT image authentication failure still exist in the HAB persistent memory. They are therefore still visible when the hab_status command is called from U-Boot or when the HAB persistent memory is parsed using hab_log_parser. The reason is that the HAB persistent memory is only initialized/cleaned during a system reset. The HAB events from the initial authentication failure can be ignored.
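The event dumps in the log above can be decoded offline from a captured console log as a cross-check on what hab_status prints. The following Python is an added example, not part of the original document or of U-Boot; parse_hab_events and SAMPLE_LOG are names made up for it, the sample is copied from two events in the log above, and the name tables cover only the codes that appear in that log.

```python
import re
# Names limited to the codes that appear in the log on this page;
# any other code is reported as "unknown" with its hex value.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x11: "HAB_INV_CSF", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xCF: "HAB_CTX_CSF", 0xA0: "HAB_CTX_ASSERT"}
ENGINE = {0x00: "HAB_ENG_ANY"}
HAB_TAG_EVT = 0xDB  # first byte of every event record in the log

# Constructed sample: two events copied from the hab_status output above.
SAMPLE_LOG = """\
--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x43 0x33 0x11 0xcf 0x00
STS = HAB_FAILURE (0x33)
--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x43 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
        0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
"""

def name(table, code):
    return table.get(code, "unknown(0x%02x)" % code)

def parse_hab_events(log_text):
    """Return one dict per 'HAB Event N' block found in console text."""
    events = []
    # Split on the event banner; chunk 0 is whatever precedes event 1.
    chunks = re.split(r"-+ HAB Event (\d+) -+", log_text)
    for idx, body in zip(chunks[1::2], chunks[2::2]):
        # Only lines made up purely of 0xNN tokens belong to the dump, so
        # "STS = HAB_FAILURE (0x33)" is not mistaken for event data.
        raw = bytes(int(tok, 16)
                    for line in body.splitlines()
                    if re.fullmatch(r"\s*(0x[0-9a-fA-F]{2}\s*)+", line)
                    for tok in line.split())
        if len(raw) < 8 or raw[0] != HAB_TAG_EVT:
            raise ValueError("event %s: not a HAB event record" % idx)
        # Bytes 1-2 hold the big-endian record length, header included.
        length = int.from_bytes(raw[1:3], "big")
        if length != len(raw):
            raise ValueError("event %s: truncated dump" % idx)
        events.append({"index": int(idx), "version": raw[3],
                       "status": name(STATUS, raw[4]), "reason": name(REASON, raw[5]),
                       "context": name(CONTEXT, raw[6]), "engine": name(ENGINE, raw[7]),
                       "payload": raw[8:]})
    return events
```

A length mismatch raises ValueError, which catches console captures where part of an event dump was lost.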

P.S - This doc is updated as of 01/21/2020

Version history
Last update:
‎09-10-2020 01:37 AM