AnsweredAssumed Answered

HAB4 CSF Fast Authentication

Question asked by Krishnan P on Nov 27, 2014
Latest reply on Dec 1, 2014 by Yuri Muhin

Has anyone tried HAB4 Fast authentication?  Does this option lowers the authentication time?

 

I want to improve the boot time with a signed u-boot image. Below are the "csf" files prepared for without and with fast authentication.

 

1) u-boot.csf (normal authentication)

 

----------------file content start----------------

[Header]

  # CSF header and default values

  Version = 4.1

  Security Configuration = Open

  Hash Algorithm = sha256

  Engine Configuration = 0

  Certificate Format = X509

  Signature Format = CMS

[Install SRK]

  # Authenticate and install root public key

  File = "../crts/SRK_1_2_3_4_table.bin"

  Source index = 0 # Select SRK1

[Install CSFK]

  # Authenticate and install public key for use in "Authenticate CSF"

  File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

  # Authenticate the CSF (this file)

[Unlock]

  Engine = CAAM

  Features = RNG

[Install Key]

  # Authenticate and install public key for use in "Authenticate Data"

  Verification index = 0

  Target index = 2

  File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"


# Sign padded U-boot starting at the IVT through to the end with

# Blocks have the following definition:

#   Image block start address on i.MX, Offset from start of image file,

#   Length of block in bytes, image data file

[Authenticate Data]

  # Verify authenticity of pre-loaded data in memory

  Verification index = 2

  Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"

-------file content  end------------------

 

2)1) u-boot_fast.csf (For fast authentication)

-------file content start--------------------

[Header]

  # CSF header and default values

  Version = 4.1

  Security Configuration = Open

  Hash Algorithm = sha256

  Engine Configuration = 0

  Certificate Format = X509

  Signature Format = CMS

[Install SRK]

  File = "../crts/SRK_1_2_3_4_table.bin"

  Source index = 0

[Install NOCAK]

  File = "../crts/SRK1_sha256_2048_65537_v3_ca_crt.pem"

[Authenticate CSF]

  # whole line comment

[Unlock]

  Engine = CAAM

  Features = RNG

# Sign padded U-boot starting at the IVT through to the end with

# Blocks have the following definition:

#   Image block start address on i.MX, Offset from start of image file,

#   Length of block in bytes, image data file

[Authenticate Data]

  # Verify authenticity of pre-loaded data in memory

  Verification index = 0

  Blocks = 0x177FF400 0x0 0x48C00 "u-boot.imx"

-------file content  end------------------

 

Is the u-boot_fast.csf is correct? I am getting hab failure  with Fast authentication.  In HAB CST UG  i have seen

below example  which confuses me.

[Authenticate Data] # part line comment

Verification index = 0

Blocks = 0x877fb000 0x000 0x48000 “signed-uboot.bin”

 

What is that signed-uboot.bin means?. Is it like we need to generate signed uboot using normal authentication and then  use this to create fast authentication image?

 

Any pointers will be highly appreciated.

 

thanks in advance.

Outcomes