FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HAB problem with u-boot-2014 on nitrogen6x

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

HAB problem with u-boot-2014 on nitrogen6x

Jump to solution
‎01-22-2015 08:29 AM
4,304 Views
Aymen_IRT
Contributor III

Hi,

I am using a Nitrogen6x and I am trying HAB authentication of u-boot and kernel images in open config.

I have activated HAB in u-boot-2009. I used HAB API to authenticate: u-boot,  6x_bootscript, a device tree and a kernel image. In fact, I added a command called authimg to u-boot. authimg takes as input the load address and verifies an image signature. authimg is based on authenticate_image() function which is provided by default in u-boot. I am using authimg command to authenticate 6x_bootscript in bootcmd and to authenticate separately .dtb and uImage in 6x_bootscript. All the authentications were successful.

Then, I tried the last u-boot version which is provided by Freescale on github (u-boot-2014). I activated secure boot option in u-boot-2014 and I tried the same 6x_bootscript, device file and kernel image authentications. I did 2 tests:

1) I put u-boot.bin with Jtag directly at address 0x17800000 and launch it. Authentications of 6x_bootscript, device tree and uImage succeed.

2) However when I copy the corresponding u-boot.imx to NOR with "sf write 12000000(=my load address) 400 $filesize" and make a reset, I get HAB errors  for the same signed 6x_bootscript, device tree and kernel image that have been successfully authenticated in test 1.

I get 5 events. Event1 is a HAB_FAILURE with a reason=HAB_INVALID_ADDRESS in HAB_AUTH_CTX. Meanwhile, the 4 other events are INVALID_ASSERTION events corresponding respectively to the following addresses: 0x177FF400 (IVT), 0x177FF42C (DCD), 0x177FF420 (boot_data) and 0x17800000 (entry). Note that when I load with Jtag u-boot.imx to 0x177ff400 and start executing instructions at the entry point 0x17800000,  6x_bootscript, device tree and kernel image authentications were successful.

Question1: Have you any idea about the origin of the problem? I don't understand why the authentication is working fine with u-boot.bin when loaded with Jtag and it is not working when u-boot.imx is copied to NOR.

Question2:  is about u-boot.imx authentication. In u-boot-2009, we can enter CSF offset directly in ./board/freescale/mx6q_sabresd/flash_header.S. However, we can not do it in u-boot-2014 (as there is no more flash_header.S). In fact, a hexdump of u-boot.imx gives:

00000000  d1 00 20 40 00 00 80 17  00 00 00 00 2c f4 7f 17 

00000010  20 f4 7f 17 00 f4 7f 17  00 00 00 00 00 00 00 00

That is, header=402000D1, entry addr=17800000, reserved1=0, dcd addr=177f4f2c, boot_data addr=177f4f20, self=177ff400, csf=0 and reserved2=0. Do we have to set manually csf pointer in set_imx_hdr_v2() function in ./tools/imximage.c?

Thank you in advance for your help,

Best regards

0 Kudos
Reply
1 Solution

Jump to solution
‎01-26-2015 03:36 AM
695 Views
Aymen_IRT
Contributor III

Hi again,

I was able to solve my 2 issues: I had just to add BOOT_OFFSET FLASH_OFFSET_STANDARD and CSF 0x2000 to boards/boundary/nitrogen6x/nitrogen6q.cfg to get a valid CSF offset in my u-boot.imx (this step is documented at ./doc/README.imximage). I have also signed my u-boot.imx and now everything is working fine. That is, u-boot, 6x_bootscript, .dtb and uImage signatures are all successful.

Regards,

Aymen

View solution in original post

0 Kudos
Reply
4 Replies

Jump to solution
‎01-23-2015 12:52 AM
695 Views
Yuri
NXP Employee
NXP Employee

Please look at my comments below.

1.

  If the reason of a HAB event is HAB_INV_ADDRESS (0x22)

[Invalid address: access denied] -  please check if initialization

via DCD table meet allowed addresses.

Please take a look at Table 8-37 (Valid DCD Address Ranges) of the

i.MX6 DQ Reference Manual.

2.

Please check if  the tools/mkimage utility is from the Freescale.

"Secure boot problem on i.MX6"

https://community.freescale.com/message/449201#449201


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Reply

Jump to solution
‎01-23-2015 07:39 AM
695 Views
Aymen_IRT
Contributor III

Hi Yuri,

Thank you for your answers.

1) It is table 8-35 :smileywink: , I have checked that all addresses are good. Any other idea?

2) I have already seen the "Secure boot problem on i.MX6" discussion and that is why I used  using u-boot-fslc that I got from freescale github. I am using the last version of u-boot-fslc  (2014.10-01193-gcfca0f7).

Best regards,

Aymen

0 Kudos
Reply

Jump to solution
‎01-26-2015 03:36 AM
696 Views
Aymen_IRT
Contributor III

Hi again,

I was able to solve my 2 issues: I had just to add BOOT_OFFSET FLASH_OFFSET_STANDARD and CSF 0x2000 to boards/boundary/nitrogen6x/nitrogen6q.cfg to get a valid CSF offset in my u-boot.imx (this step is documented at ./doc/README.imximage). I have also signed my u-boot.imx and now everything is working fine. That is, u-boot, 6x_bootscript, .dtb and uImage signatures are all successful.

Regards,

Aymen

0 Kudos
Reply

Jump to solution
‎01-27-2015 11:21 AM
695 Views
SergioSolis
NXP Employee
NXP Employee

Thank you for posting the answer Aymen, it will surely help the community!

0 Kudos
Reply