AnsweredAssumed Answered

HAB problem with u-boot-2014 on nitrogen6x

Question asked by Aymen Boudguiga on Jan 22, 2015
Latest reply on Jan 27, 2015 by SergioSolis



I am using a Nitrogen6x and I am trying HAB authentication of u-boot and kernel images in open config.


I have activated HAB in u-boot-2009. I used HAB API to authenticate: u-boot,  6x_bootscript, a device tree and a kernel image. In fact, I added a command called authimg to u-boot. authimg takes as input the load address and verifies an image signature. authimg is based on authenticate_image() function which is provided by default in u-boot. I am using authimg command to authenticate 6x_bootscript in bootcmd and to authenticate separately .dtb and uImage in 6x_bootscript. All the authentications were successful.


Then, I tried the last u-boot version which is provided by Freescale on github (u-boot-2014). I activated secure boot option in u-boot-2014 and I tried the same 6x_bootscript, device file and kernel image authentications. I did 2 tests:

1) I put u-boot.bin with Jtag directly at address 0x17800000 and launch it. Authentications of 6x_bootscript, device tree and uImage succeed.

2) However when I copy the corresponding u-boot.imx to NOR with "sf write 12000000(=my load address) 400 $filesize" and make a reset, I get HAB errors  for the same signed 6x_bootscript, device tree and kernel image that have been successfully authenticated in test 1.

I get 5 events. Event1 is a HAB_FAILURE with a reason=HAB_INVALID_ADDRESS in HAB_AUTH_CTX. Meanwhile, the 4 other events are INVALID_ASSERTION events corresponding respectively to the following addresses: 0x177FF400 (IVT), 0x177FF42C (DCD), 0x177FF420 (boot_data) and 0x17800000 (entry). Note that when I load with Jtag u-boot.imx to 0x177ff400 and start executing instructions at the entry point 0x17800000,  6x_bootscript, device tree and kernel image authentications were successful.

Question1: Have you any idea about the origin of the problem? I don't understand why the authentication is working fine with u-boot.bin when loaded with Jtag and it is not working when u-boot.imx is copied to NOR.


Question2:  is about u-boot.imx authentication. In u-boot-2009, we can enter CSF offset directly in ./board/freescale/mx6q_sabresd/flash_header.S. However, we can not do it in u-boot-2014 (as there is no more flash_header.S). In fact, a hexdump of u-boot.imx gives:

00000000  d1 00 20 40 00 00 80 17  00 00 00 00 2c f4 7f 17 

00000010  20 f4 7f 17 00 f4 7f 17  00 00 00 00 00 00 00 00


That is, header=402000D1, entry addr=17800000, reserved1=0, dcd addr=177f4f2c, boot_data addr=177f4f20, self=177ff400, csf=0 and reserved2=0. Do we have to set manually csf pointer in set_imx_hdr_v2() function in ./tools/imximage.c?


Thank you in advance for your help,

Best regards