I am using u-boot 2014.04 on an i.MX6 board (based on a nitrogen6x). I read the documentation and posts here on the forum, and I took multiple guides:
i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf, How-to enable HAB in i.MX6.pdf, AN4581.pdf, secure_boot_on_imx6.pdf, HAB4_API.pdf, HABCST_UG.pdf, etc
Then the BLN_CST_MAIN_02.01.01.tar.gz package, I was not able to find the secureboot_scripts.tar.gz package, according to the doc I need it because my uboot is bigger than 0x2F000 so I cannot statically allocate HAB data.
I found the secure script utilities in imx-linux-test.git in /test/mxc_secureboot/V2012. There is no 2014 version, but after looking at the scripts they look OK and automate the job instead of doing it by hand.
I followed the guide from i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf and installed the script according to the README from test/mxc_secureboot/V2012/README.
I generated the keys with hab4_pki_tree.sh then the SRK file with srktool utility, it created a SRK_1_2_3_4_fuse.bin (32 bytes) and SRK_1_2_3_4_table.bin file (1088 bytes).
I enabled CONFIG_SECURE_BOOT in u-boot and compiled it, it complained about a missing authenticate_image() but I ported a patch from
I then followed the README, copied u-boot.imx into BLN/u-boot and ran ./mk_secure_uboot. It generated this u-boot.csf:
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x5B000
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x5B000 "u-boot-pad.imx"
The script generated a u-boot_csf.bin which is 3896 bytes long. Doing a hexdump on it, I can see it contains various strings like "OpenSSL Generated Certificate" or "SRK1_sha256_2048_65537_v3_ca".
It also generated the habimagegen script as follows:
#! /bin/bash
echo "extend u-boot to 0x5B000..."
objcopy -I binary -O binary --pad-to 0x5B000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx
echo "generate csf data..."
../linux/cst --o u-boot_csf.bin < u-boot.csf
echo "merge image and csf data..."
cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx
echo "extend final image to 0x5D000..."
objcopy -I binary -O binary --pad-to 0x5D000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx
echo "u-boot-signed-pad.imx is ready"
When I boot my u-boot, I have an event for invalid address
U-Boot > hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
If I understand the IVT, it seems the CSF/hab_data is populated
00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 |.. @........,...|
00000010 20 f4 7f 17 00 f4 7f 17 00 a0 85 17 00 00 00 00 | ...............|
00000020 00 f0 7f 17 00 d0 05 00 00 00 00 00 d2 03 18 40 |...............@|
00000030 cc 03 14 04 02 0e 05 a8 00 00 00 30 02 0e 05 b0 |...........0....|
Also mkimage shows the same as before, I thought it would show "HAB Blocks: XXXXXXX" at the end
./mkimage -l u-boot-signed-pad.imx
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 372736 Bytes = 364.00 kB = 0.36 MB
Load Address: 177ff420
Entry Point: 17800000
In a lot of docs there are changes to be made to either flash_header.S or to u-boot.lds to insert the CSF or hab_data. I cannot find any info about __hab_data in my u-boot sources, nor changes in the lds script.
I checked the u-boot sources from u-boot-fslc.git and u-boot-imx.git and there is no reference to hab_data anywhere.
EDIT : just saw that the CSF pointer is at 1785a000 but I think it should be at 1785b000
If I change the CSF pointer to 1785b000, however, the HAB event reports 0x11 invalid CSF, so I am not sure if the value is right or not...
Any help would be appreciated!
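An added example, not part of the original post or of the Freescale scripts: a Python check that decodes the IVT bytes from the hexdump above and compares the IVT's CSF pointer with the offset at which habimagegen appended the CSF. It assumes the image file starts at the IVT (the dump shows it at offset 0), so the CSF file offset is csf minus self; the function names are hypothetical.

```python
import struct

# Constructed input: the first 0x2c bytes of the image, transcribed from the
# hexdump in the post (IVT followed by the boot data structure).
IMAGE_HEAD = bytes.fromhex(
    "d1002040" "00008017" "00000000" "2cf47f17"
    "20f47f17" "00f47f17" "00a08517" "00000000"
    "00f07f17" "00d00500" "00000000"
)
IVT_FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")


def parse_ivt(head):
    """Decode the 32-byte HAB4 IVT and the boot data structure it points to."""
    tag, length, version = struct.unpack_from(">BHB", head, 0)  # header is big-endian
    if tag != 0xD1 or length != 0x20 or version & 0xF0 != 0x40:
        raise ValueError("not a HAB4 IVT header")
    ivt = dict(zip(IVT_FIELDS, struct.unpack_from("<7I", head, 4)))
    bd_off = ivt["boot_data"] - ivt["self"]      # boot data offset inside the file
    ivt["start"], ivt["size"], ivt["plugin"] = struct.unpack_from("<3I", head, bd_off)
    return ivt


def check_csf_layout(ivt, signed_len, csf_len):
    """Compare the IVT's CSF pointer with where a CSF appended after
    signed_len bytes of image (file starts at the IVT) would be loaded."""
    findings = []
    csf_off = ivt["csf"] - ivt["self"]           # file offset implied by the IVT
    if csf_off != signed_len:
        findings.append("IVT csf pointer is file offset 0x%X, CSF was appended at 0x%X "
                        "(address 0x%08X)" % (csf_off, signed_len, ivt["self"] + signed_len))
    if ivt["self"] + signed_len + csf_len > ivt["start"] + ivt["size"]:
        findings.append("appended CSF extends past boot data start + size")
    return findings


if __name__ == "__main__":
    ivt = parse_ivt(IMAGE_HEAD)
    for name in ("self", "csf", "start", "size"):
        print("%-5s = 0x%08X" % (name, ivt[name]))
    # 0x5B000 and 3896 come from the posted u-boot.csf and u-boot_csf.bin size.
    for finding in check_csf_layout(ivt, signed_len=0x5B000, csf_len=3896):
        print("MISMATCH:", finding)
```

Running the same check on every signed image before closing the device catches a pointer/layout disagreement while the board is still in Open configuration.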
Answer to myself, I needed the tools/mkimage utility from the freescale git (I used the one from imx_v2013.04_3.10.17_1.0.0_ga), I had the one from boundary git...
Now it works, closed mode, secure boot enabled!
Hello,
I am trying secure boot on SabreSD (Uboot-2015.07). I am also getting the same issue as yours.
Could you please be more specific on how to use mkimage utility for getting "secure boot enabled"?
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
Thank you in advance
-Supriya