Signature Failure in HAB for u-boot on imx6

koperapune
Contributor II

Hi,

I am trying to boot U-Boot securely by implementing HAB. I have some documentation on the process.

The problem is that after booting U-Boot, when I check the HAB status, I see that I have a "Signature Failure" situation.

Here are the HAB events being reported:

HAB Configuration: 0x00 HAB State: 0x55

*--------- HAB Event 1 -----------------*
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
0x00 0x02 0xbc 0x00

*--------- HAB Event 2 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x04 0x00
0x00 0x00 0x00 0x20

*--------- HAB Event 3 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x04 0x20
0x00 0x00 0x00 0x01

*--------- HAB Event 4 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x06 0x80
0x00 0x00 0x00 0x04

*--------- HAB Event 5 -----------------*
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x02 0x48

I know that there is another post on this website regarding the exact same issue: HAB signature failure on i.MX6.
The reply to that post points to another post related to HAB events, Re: HAB secure serial boot on mx6, but that post talks about a situation where you have a wrong syntax in the CSF config file and not a signature failure.

I have a simple CSF file:

[Header]
        Version = 4.0
        Security Configuration = Open
        Hash Algorithm = sha256
        Engine Configuration = 0
        Certificate Format = X509
        Signature Format = CMS

[Install SRK]
        File = "../crts/SRK_1_2_3_4_table.bin"
        Source index = 0

[Install CSFK]
        File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
        Verification index = 0
        Target index = 2
        File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
        Verification index = 2
        Blocks = 0x87800400 0x400 0x2BC00 "U-Boot-pad.bin"

Please note that my TEXT_BASE = 0x87800000.

My IVT starts from TEXT_BASE + 0x400,

and my CSF region starts at TEXT_BASE + 0x2C000 and the max length of the CSF region is 0x2000.

The first event says that a signature failure occurs when it tries to authenticate the part of the image that starts from 0x87800400 and has a length of 0x2bc00.
This is the area that includes my IVT + U-Boot image. But I am not sure why I am getting the signature failure.
I have tried regenerating all the certificates as described in AN4581.

I generate the signed images in the following manner:

# This step extends the U-Boot image to address 0x2C000
objcopy -I binary -O binary --pad-to 0x2C000 --gap-fill=0xff U-Boot.bin U-Boot-pad.bin

# Then I generate the CSF data using the above-mentioned CSF file
../linux/cst --output U-Boot_CSF.bin < U-Boot.CSF

# Then I merge the CSF binary and the U-Boot image as follows
cat U-Boot-pad.bin U-Boot_CSF.bin > U-Boot-signed.bin

Can anybody suggest something here?

regards

Rajesh

Yuri
NXP Employee

The HAB API checks that all of the following data have been authenticated (using their final locations):

IVT;
DCD (if provided);
Boot Data (initial byte if provided);
Entry point (initial word).

Please check if each of the above data components is covered by a valid signature.

Also, the following links may be useful:

https://community.freescale.com/docs/DOC-94864

https://community.freescale.com/docs/DOC-96451


Have a great day,
Yuri

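The event records pasted in the question can be decoded field by field. The following Python sketch is an added example, not code from either poster or from NXP: it parses the console bytes into status, reason and context using a subset of the HAB4 code values, and reads the region each record refers to. The function names are made up for this example, and the position of the address/length fields is an assumption that holds for the record shapes shown on this page.

```python
import re
import struct

# Subset of the HAB4 status / reason / context codes.
STATUS = {0x00: "HAB_STS_ANY", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x05: "HAB_INV_IVT", 0x06: "HAB_INV_COMMAND", 0x0C: "HAB_INV_ASSERTION",
          0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE", 0x1D: "HAB_INV_KEY",
          0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS", 0x27: "HAB_INV_DCD"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT", 0xDD: "HAB_CTX_DCD"}
HAB_TAG_EVT = 0xDB

def parse_events(text):
    """Split pasted console output into raw event records (bytes)."""
    chunks = re.split(r"HAB Event \d+", text)[1:]
    return [bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", c)) for c in chunks]

def decode(rec):
    """Decode one record: 4-byte header, status/reason/context/engine, then data."""
    tag, length, _version = struct.unpack(">BHB", rec[:4])
    if tag != HAB_TAG_EVT or length != len(rec):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, _eng = rec[4:8]
    # Assumption: in both record shapes on this page the last 8 bytes are a
    # big-endian start address and byte count of the region concerned.
    addr, size = struct.unpack(">II", rec[-8:])
    return {"status": STATUS.get(sts, hex(sts)), "reason": REASON.get(rsn, hex(rsn)),
            "context": CONTEXT.get(ctx, hex(ctx)), "addr": addr, "size": size}

# Events 1 and 2 copied from the question above.
SAMPLE = """
*--------- HAB Event 1 -----------------*
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
0x00 0x02 0xbc 0x00
*--------- HAB Event 2 -----------------*
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x04 0x00
0x00 0x00 0x00 0x20
"""

if __name__ == "__main__":
    for n, rec in enumerate(parse_events(SAMPLE), 1):
        e = decode(rec)
        print(f"event {n}: {e['status']} {e['reason']} {e['context']} "
              f"addr=0x{e['addr']:08x} len=0x{e['size']:x}")
```

Event 1 decodes to HAB_INV_SIGNATURE in command context for the 0x87800400 / 0x2bc00 block, and event 2 to HAB_INV_ASSERTION for a 0x20-byte region at 0x87800400, the address the question gives for the IVT.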