Hi Freescale Team,
I am running into a problem trying to execute a HABv4 Signed U-Boot Image standalone from NAND Flash on a Closed Configuration i.MX6 SoC.
I can load and run Signed U-Boot Images via the USB Serial Downloader on this Closed Configuration i.MX6 SoC.
I am using the "imx_usb_loader/imx_usb" tool to download images via the USB Serial Downloader.
I am using the "cst-2.3.1" Code Signing Tool to create the Super Root Keys and to sign the U-Boot Images. The "cst" reports the following version.
Code Signing Tool release version BLN_CST_MAIN_02.03.00
Here are the fuse settings for the Closed Configuration i.MX6 SoC, dumped using U-Boot.
=> fuse read 0 0 8
Reading bank 0:
Word 0x00000000: 20220002 df668583 200b51d4 a6510081
Word 0x00000004: 00420702 00000280 00000012 00000000
=> fuse read 1 0 8
Reading bank 1:
Word 0x00000000: 00000000 00000040 00000033 00000000
Word 0x00000004: 00000000 00000000 5a451a5f 00000000
=> fuse read 2 0 8
Reading bank 2:
Word 0x00000000:mxc_ocotp fuse_read(): Access protect error
ERROR
=> fuse read 3 0 8
Reading bank 3:
Word 0x00000000: 943d1052 29e4cab4 b037569a d21bed29
Word 0x00000004: 2077e018 c002e52f 0205f92b 7894915b
=> fuse read 4 0 8
Reading bank 4:
Word 0x00000000: 00000000 00000000 00000000 00000000
Word 0x00000004: 00000000 00000000 00000000 00000000
=> fuse read 5 0 8
Reading bank 5:
Word 0x00000000: 00000000 00000000 00000000 00000000
Word 0x00000004: 00000000 00000000 00000000 00000000
After the i.MX6 fails to run the U-Boot from NAND Flash, I have been able to load a Signed U-Boot via the USB Serial Downloader and dump the HAB Events.
Here is the error I see when I run this U-Boot command.
=> hab_status
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x1e 0x0a 0x00
Here is the decoding for HAB Event 1.
Header Field:
0xdb HAB_TAG_EVENT
0x00 0x08 Length = 8 bytes
0x41 HAB Version 4.1
SRCE (Status,Reason,Context,Engine) Field:
0x33 HAB_FAILURE Operation failed
0x1e HAB_INV_RETURN Failed callback function
0x0a HAB_CTX_AUTHENTICATE Event logged in authenticate_image()
0x00 HAB_ENG_ANY
I can load the exact same Signed U-Boot Image into the NAND Flash for an Open Configuration i.MX6 SoC and the U-Boot Image runs standalone without any problems.
After the U-Boot starts running I see NO HAB Events when I run the hab_status U-Boot command.
Here are the decoded CSF Commands for the Signed U-Boot Image I am using.
This shows that the “Unlock of the CAAM RNG” is being done, even though I did not include this command in my CSF Script file.
d4 00 50 41
d4 CSF Tag
0050 Length = 80
41 HAB Version = 4.1
be 00 0c 00 03 17 00 00 00 00 00 50
be Install Key
000c Length = 12
00 parameter
03 pcl = SRK
17 alg = SHA256
00 Verification Key Index = 0
00 Target Key Index = 0
00000050 Key Offset from CSF Start
be 00 0c 02 09 00 00 01 00 00 04 90
be Install Key
000c Length = 12
02 parameter
09 pcl = X509
00 alg = ANY
00 Verification Key Index = 0
01 Target Key Index = 1
00000490 Key Offset from CSF Start
ca 00 0c 00 01 c5 00 00 00 00 07 e4
ca Authenticate Data
000c Length = 12
00 flag
01 Verification Key Index = 1
c5 pcl = CMS
00 eng = ANY
00 eng cfg flags
000007e4 Authentication Data Offset from CSF Start
be 00 0c 00 09 00 00 02 00 00 09 e8
be Install Key
000c Length = 12
00 parameter
09 pcl = X509
00 alg = ANY
00 Verification Key Index = 0
02 Target Key Index = 2
000009e8 Key Offset from CSF Start
ca 00 14 00 02 c5 00 00 00 00 0d 3c 17 7f f4 00 00 07 8c 00
ca Authenticate Data
0014 Length = 20
00 flag
02 Verification Key Index = 2
c5 pcl = CMS
00 eng = ANY
00 eng cfg flags
00000d3c Authentication Data Offset from CSF Start
177ff400 Absolute Address of Data Block to be authenticated
00078c00 Size in bytes of Data Block to be authenticated
b2 00 08 1d 00 00 00 02
b2 Unlock
0008 Length = 8
1d eng = CAAM
00000002 val = flg = 02 = Unlock RNG
d7 04 40 40 e1 01 0f 21 00 00 00 80 01 00 00 03
d7 Certificate Tag
0440 Length = 1088
40
I have also been able to dump the DDR3 Memory where the NAND Flash U-Boot Image gets copied by the ROM Boot. I compared the DDR3 Memory dumps for both the Closed Configuration i.MX6 SoC, that fails, and the Open Configuration i.MX6 SoC, that works. The DDR3 Memory dumps are identical; this shows that all of the U-Boot Image got copied from NAND Flash to DDR3 Memory on the Closed Configuration i.MX6, it just didn't get executed.
Does the ROM Boot not allow copying and executing a Signed U-Boot Image from NAND Flash to DDR3 Memory on a Closed Configuration i.MX6 SoC?
Best Regards,
Richard Milakovich
Hello,
The HAB event (0x1e, HAB_INV_RETURN, Failed callback function) means
that the secondary NAND bootloader - called in order to load the full image to
its final load address - failed. Please look at section 3.3 (Authenticate Image)
of “HAB4_API.pdf” in CST documentation for more details.
Have a great day,
Yuri
The information saying the "Failed callback function" error is caused by the full image not being loaded to its final load address got me to realize that the size of the Signed U-Boot Image I was loading does not match the Length field in the "Boot Data structure"; my Signed U-Boot Image was too small.
Since I allocated 0x2000 bytes for the CSF Data section when creating my U-Boot Image, the CSF Binary Data I appended to create the Signed U-Boot Image also has to be 0x2000 bytes in size.
I used the following commands to pad the CSF Binary Data file to 0x2000 bytes before appending it to the end of the built U-Boot Image. This created a Signed U-Boot Image that now works standalone from NAND Flash for my Closed Configuration i.MX6 SoC.
../linux64/cst --output u-boot-csf.bin < u-boot-csf.txt
objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a u-boot-csf.bin u-boot-csf-pad.bin
cat u-boot.imx u-boot-csf-pad.bin > u-boot-signed-pad.imx
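
A pre-flash check for the size mismatch described in this thread, as an added example that is not part of the original posts or of CST/U-Boot: it reads the IVT and Boot Data from a signed image and reports how many bytes of CSF padding are missing. It assumes the file starts at the IVT (as u-boot.imx does) and that the Boot Data length runs from its start address through the end of the CSF area; the function names, the sample image, its 0x400 IVT offset and its 0x1100-byte CSF are constructed for illustration.

```python
import struct

IVT_TAG = 0xD1  # HAB_TAG_IVT


def check_signed_image(image: bytes, csf_bin_len: int) -> dict:
    """Compare a signed .imx image with the sizes its IVT / Boot Data declare."""
    tag, ivt_len, _version = struct.unpack_from(">BHB", image, 0)
    if tag != IVT_TAG or ivt_len != 0x20:
        raise ValueError("no IVT header at offset 0")
    # IVT body: entry, reserved1, dcd, boot_data, self, csf, reserved2
    _entry, _r1, _dcd, boot_data, self_addr, csf, _r2 = struct.unpack_from("<7I", image, 4)
    if csf == 0:
        raise ValueError("IVT has no CSF pointer; image was not built for signing")
    bd_off = boot_data - self_addr  # Boot Data position inside the file
    if not 0 <= bd_off <= len(image) - 12:
        raise ValueError("Boot Data pointer lies outside the file")
    start, length, _plugin = struct.unpack_from("<3I", image, bd_off)
    expected_size = length - (self_addr - start)  # bytes the file must contain
    csf_offset = csf - self_addr                  # where the CSF starts in the file
    csf_slot = expected_size - csf_offset         # space reserved for the CSF
    return {
        "expected_size": expected_size,
        "csf_offset": csf_offset,
        "csf_slot": csf_slot,
        "missing_bytes": max(0, expected_size - len(image)),
        "csf_pad_needed": max(0, csf_slot - csf_bin_len),
    }


def build_sample(csf_bin_len: int, padded: bool) -> bytes:
    """Constructed image using the data-block address and size quoted above."""
    self_addr, body, slot = 0x177FF400, 0x78C00, 0x2000
    ivt = struct.pack(">BHB", IVT_TAG, 0x20, 0x40) + struct.pack(
        "<7I", 0x17800000, 0, self_addr + 0x2C, self_addr + 0x20,
        self_addr, self_addr + body, 0)
    boot = struct.pack("<3I", self_addr - 0x400, 0x400 + body + slot, 0)
    img = (ivt + boot).ljust(body, b"\x00") + b"\xd4" * csf_bin_len
    # Same fill byte as the objcopy --gap-fill command above
    return img.ljust(body + slot, b"\x5a") if padded else img


if __name__ == "__main__":
    for padded in (False, True):
        report = check_signed_image(build_sample(0x1100, padded), 0x1100)
        print("padded" if padded else "unpadded",
              {k: hex(v) for k, v in report.items()})
```

A non-zero `missing_bytes` means the image on flash is shorter than the Boot Data length tells the ROM to load, which is the condition that was fixed here by padding the CSF to the full 0x2000 bytes.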