HAB on iMX6


2,764 Views
saisuryanarayan
Contributor I

Hello,

     Currently I am working on HAB support in imx6 for u-boot, and my u-boot version is 2014.04. I have enabled HAB by defining CONFIG_SECURE_BOOT in my u-boot configuration file. I followed the document provided by Freescale (AN4581.pdf). That document mentions that to enable HAB we need to change u-boot.lds and flash_header.S for specifying IVT details, etc. But my u-boot doesn't have a flash_header.S file, and when I added "TEXT_BASE" details to u-boot.lds it gives an error.

     So what are the changes I need to make to have HAB in the 2014.04 version of u-boot?

I hope you guys could help me, thanks a lot !

     SaiSurya

0 Kudos
12 Replies

1,776 Views
kapilruchandani
Contributor I

I am also facing the same issue with an exactly similar log. I tried the cache flush but it didn't work. saisuryanarayan: did you figure out the resolution?

Here is my u-boot.csf:

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

#[Unlock]
# Engine = CAAM
# Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with
# length = 0x70C00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0x0 0x70C00 "u-boot-pad.imx"

and hab_status:

Secure boot disabled

HAB Configuration: 0x00, HAB State: 0x00

--------- HAB Event 1 -----------------

STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------

STS = HAB_SUCCESS (0xF0)
RSN = HAB_RSN_ANY (0x00)
CTX = HAB_CTX_ANY(0x00)
ENG = HAB_ENG_ANY (0x00)

Any help would be appreciated. Thanks.

0 Kudos

1,776 Views
Yuri
NXP Employee

Hello,

  U-boot should be signed for HAB.

Regards,

Yuri.

0 Kudos

1,776 Views
kapilruchandani
Contributor I

Hi Yuri,

My u-boot was signed and it worked well for the imx6Solo rev 1.1 chip. However, it wasn't working for the imx6Solo rev 1.2 chip.

I made the following changes for all HAB function pointers in my hab.c and it worked for the imx6Solo rev 1.2 chip without any events.

/* Select the HAB RVT report_event entry by SoC type and silicon revision */
#define hab_rvt_report_event_p					\
(								\
	((is_cpu_type(MXC_CPU_MX6Q) ||				\
	  is_cpu_type(MXC_CPU_MX6D)) &&				\
	  (soc_rev() >= CHIP_REV_1_5)) ?			\
	((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) :	\
	((is_cpu_type(MXC_CPU_MX6DL) ||				\
	  is_cpu_type(MXC_CPU_MX6SOLO)) &&			\
	  (soc_rev() >= CHIP_REV_1_2)) ?			\
	((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT_NEW) :	\
	((hab_rvt_report_event_t *)HAB_RVT_REPORT_EVENT)	\
)

I think there have been changes in the rev 1.2 chip and the new HAB pointers should be used.

0 Kudos

1,776 Views
Yuri
NXP Employee

Hello,

  Please look at EB804 (i.MX 6Solo/6DualLite Application Processor Silicon Revision 1.1 to 1.2/1.3 Comparison)

http://www.nxp.com/docs/pcn_attachments/16558A_EB804.pdf 

Regards,

Yuri.

0 Kudos

1,776 Views
vivek_kaushik
Contributor II

Hello Yuri,

We have developed a product based on i.MX6 Solo with the Android 6.0 release from NXP.

Our customer would like to have secure HAB booting on that. Do we have HAB implemented and available in Android 6.0?

Kind Regards

Vivek

0 Kudos

1,776 Views
Yuri
NXP Employee

Hello,

  I do not know of an example specifically for Android 6.

Note that an NDA is needed to get more details about the implementation for other versions.

Regards,

Yuri.

0 Kudos

1,776 Views
saisuryanarayan
Contributor I

Hi Kapil Ruchandani,

That issue was not solved for us either; we are using unsigned u-boot only.

0 Kudos

1,776 Views
Yuri
NXP Employee

   The recent instructions on how to work with HAB can be found in the following Community thread:

"Mx6 HAB (High Assurance Boot)"

https://community.freescale.com/docs/DOC-96451

Please use U-boot from Freescale BSP.


Have a great day,
Yuri


0 Kudos

1,776 Views
saisuryanarayan
Contributor I

Hi Yuri,

     Thanks for your reply.

     I followed all the steps mentioned in that thread. I didn't make SEC_CONFIG closed; when I try hab_status from u-boot it gives continuous HAB events.

Here is my CSF file:

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
Engine Configuration = 0

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded U-Boot starting at the IVT through to the end with
# length = 0x59C00 (padded U-Boot length) - 0x0 (IVT offset) = 0x59C00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x00 0x59c00 "U-Boot-pad.bin"

Here my u-boot size is 0x59c00 and I am not using any padding.

Here is hab_status command log:

HAB Configuration: 0x00, HAB State: 0x00

I did a hexdump on the U-Boot binary; it gives:

00000000  d1 00 20 40 00 00 80 17  00 00 00 00 2c f4 7f 17  |.. @........,...|
00000010  20 f4 7f 17 00 f4 7f 17  00 90 85 17 00 00 00 00  | ...............|
00000020  00 f0 7f 17 00 b0 05 00  00 00 00 00 d2 03 18 40  |...............@|
00000030  cc 03 14 04 02 0e 05 a8  00 00 00 30 02 0e 05 b0  |...........0....|

From this I understood that the IVT is at 0x00000000 and the values are as follows:

header: 0x402000D1
Pointer to absolute Entry address: 0x17800000
Reserved: 0x00000000
Pointer to absolute address of DCD: 0x177F2C00
Pointer to absolute address of boot data: 0x177ff400
Start of CSF data: 0x17859000

Can you explain what's wrong?

So can you please help me to resolve this problem?

          Thank You

0 Kudos
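For checking a CSF `Blocks` line against the image header, the following added example (not part of any post in this thread, and not NXP tooling) decodes the IVT and boot data from the hexdump bytes posted above and sanity-checks the `Blocks = 0x177ff400 0x00 0x59c00` entry. It assumes the standard i.MX6 IVT layout (header, entry, reserved, DCD, boot data, self, CSF, reserved), the IVT at file offset 0, and a single signed block as in the thread; the function names are hypothetical.

```python
import struct

# Constructed input: the first 0x2C bytes of the U-Boot image, copied from the
# hexdump in the post above (IVT at file offset 0, boot data right after it).
IMAGE_HEAD = bytes.fromhex(
    "d1002040 00008017 00000000 2cf47f17 "
    "20f47f17 00f47f17 00908517 00000000 "
    "00f07f17 00b00500 00000000"
)
IVT_FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(data):
    """Decode the 32-byte IVT: big-endian header, then seven little-endian words."""
    tag, length, version = struct.unpack_from(">BHB", data, 0)
    if tag != 0xD1 or length != 0x20:
        raise ValueError("not an IVT: tag=%#x length=%#x" % (tag, length))
    ivt = dict(zip(IVT_FIELDS, struct.unpack_from("<7I", data, 4)))
    ivt["version"] = version
    return ivt

def parse_boot_data(data, ivt):
    """Boot data (image start, image length, plugin flag), located via the IVT."""
    off = ivt["boot_data"] - ivt["self"]   # file offset, given IVT at offset 0
    start, length, plugin = struct.unpack_from("<3I", data, off)
    return {"start": start, "length": length, "plugin": plugin}

def check_block(ivt, boot, blk_addr, blk_off, blk_len):
    """Sanity-check one CSF 'Blocks' entry against the IVT; returns problems found."""
    problems = []
    end = blk_addr + blk_len
    if blk_addr - blk_off != ivt["self"]:
        problems.append("block address/offset does not match the IVT self pointer")
    for name in ("self", "dcd", "boot_data", "entry"):
        if ivt[name] and not blk_addr <= ivt[name] < end:
            problems.append("%s pointer %#x is outside the signed block" % (name, ivt[name]))
    if end > ivt["csf"]:
        problems.append("signed block overlaps the CSF at %#x" % ivt["csf"])
    if not boot["start"] <= ivt["csf"] < boot["start"] + boot["length"]:
        problems.append("CSF lies outside the image range given in boot data")
    return problems

if __name__ == "__main__":
    ivt = parse_ivt(IMAGE_HEAD)
    boot = parse_boot_data(IMAGE_HEAD, ivt)
    for name in IVT_FIELDS:
        print("%-10s 0x%08X" % (name, ivt[name]))
    print("boot data  start=0x%(start)08X length=0x%(length)08X" % boot)
    print(check_block(ivt, boot, 0x177FF400, 0x00, 0x59C00) or "Blocks entry is consistent")
```

On these bytes the self pointer decodes to 0x177FF400, the DCD pointer to 0x177FF42C and the boot data pointer to 0x177FF420, and the posted `Blocks` entry ends exactly where the CSF begins at 0x17859000.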

1,776 Views
Yuri
NXP Employee

Do you use U-Boot from the Freescale distro?

~Yuri.

0 Kudos

1,776 Views
saisuryanarayan
Contributor I

Thanks for the quick reply,

     Yes Yuri, we are using Freescale u-boot (version 2014.04).

0 Kudos

1,776 Views
KursadOney
NXP Employee

Can you flush the cache (enable CONFIG_CMD_CACHE, use the dcache flush and icache flush commands) before you use the hab_status command? The implementation of some interfaces in u-boot does not flush the cache and might cause false positive HAB events to be displayed.

0 Kudos