I am using u-boot 2014.04 on a i.MX6 board (based on a nitrogen6x), I read documentation and posts here on the forum, I took multiple guides
i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf, How-to enable HAB in i.MX6.pdf, AN4581.pdf, secure_boot_on_imx6.pdf, HAB4_API.pdf, HABCST_UG.pdf, etc
Then the BLN_CST_MAIN_02.01.01.tar.gz package, I was not able to find the secureboot_scripts.tar.gz package, according to the doc I need it because my uboot is bigger than 0x2F000 so I cannot statically allocate HAB data.
I found the secure script utilities in imx-linux-test.git in /test/mxc_secureboot/V2012, there is no 2014 version but after looking at the script they look ok and automatize the job instead of doing it by hand.
I followed the guide from i.MX_6_Linux_High_Assurance_Boot_(HAB)_User's_Guide.pdf and installed the script according to the README from test/mxc_secureboot/V2012/README.
I generated the keys with hab4_pki_tree.sh then the SRK file with srktool utility, it created a SRK_1_2_3_4_fuse.bin (32 bytes) and SRK_1_2_3_4_table.bin file (1088 bytes).
I enabled CONFIG_SECURE_BOOT in u-boot and compiled it, it complained about a missing authenticate_image() but I ported a patch from
I then followed the README, copied u-boot.imx in BLN/u-boot, run ./mk_secure_uboot, it generated this u-boot.csf
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x5B000
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
Verification index = 2
Blocks = 0x177FF400 0x0 0x5B000 "u-boot-pad.imx"
The script generated a u-boot_csf.bin which is 3896 bytes long, doing a hexdump on it I can see it contain various strings like "OpenSSL Generated Certificate" or "SRK1_sha256_2048_65537_v3_ca"
It also generated the habimagegen script as follow:
echo "extend u-boot to 0x5B000..."
objcopy -I binary -O binary --pad-to 0x5B000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx
echo "generate csf data..."
../linux/cst --o u-boot_csf.bin < u-boot.csf
echo "merge image and csf data..."
cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx
echo "extend final image to 0x5D000..."
objcopy -I binary -O binary --pad-to 0x5D000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx
echo "u-boot-signed-pad.imx is ready"
When I boot my u-boot, I have an event for invalid address
U-Boot > hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
If I understand the IVT, it seems the CSF/hab_data is populated
00000000 d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17 |.. @........,...|
00000010 20 f4 7f 17 00 f4 7f 17 00 a0 85 17 00 00 00 00 | ...............|
00000020 00 f0 7f 17 00 d0 05 00 00 00 00 00 d2 03 18 40 |...............@|
00000030 cc 03 14 04 02 0e 05 a8 00 00 00 30 02 0e 05 b0 |...........0....|
Also mkimage shows the same as before, I thought it would show "HAB Blocks: XXXXXXX" at the end
./mkimage -l u-boot-signed-pad.imx
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 372736 Bytes = 364.00 kB = 0.36 MB
Load Address: 177ff420
Entry Point: 17800000
In a lot of doc there is change to be made to either flash_header.S or to u-boot.lds to insert the CSF or hab_data, I cannot find any info about __hab_data in my u-boot sources, nor changes in lds script.
I checked the u-boot sources from u-boot-fslc.git and u-boot-imx.git and there is no reference to hab_data anywhere.
EDIT : just saw that the CSF pointer is at 1785a000 but I think it should be at 1785b000
If I change the CSF pointer to 1785b000 however, the HAB event report 0x11 invalid CSF, so not sure if value is right or not...
Any help would be appreciated!