i.MX 6 HAB Operation With SDP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX 6 HAB Operation With SDP

Jump to solution
3,651 Views
toddgoodman
Contributor II

Hi,

I'm working on HAB (Secure Boot) and have managed to get it working successfully (so far) with the "regular" booting of the i.MX 6 from eMMC and the signed u-boot on eMMC.

However, our own manufacturing tool uses the Serial Download Protocol (SDP) of the i.MX 6 for initial programming (we don't use the Freescale mfgtool) and I'm running into problems with HAB and signing our manufacturing u-boot image.

Bootstrapping the i.MX 6 for our manufacturing is done quite similarly to the imx_usb Linux tool on this site.  It uses libusb to use SDP commands (mostly WRITE_REGISTER, WRITE_FILE, and JUMP_ADDRESS commands) to manually push the DCD settings from u-boot, load the Linux kernel and initramfs and then load u-boot and jump to the entry.

I think part of my problems with HAB are the processing of the DCD locally and using write_register to write out the required DCD values to the addresses.

I look at the mfgtool code and see that it uses the SDP DCD_WRITE to transfer the entire DCD table to OCRAM (0x00910000) and then have the ROM process it from there.

In the CSF examples I've seen for u-boot with mfgtool there needs to be a 0x00910000 block defined in the CSF.

What I'm trying to understand is what SDP commands cause something HAB related to run in the ROM and what that is.

In other words, what SDP commands cause the ROM to begin HAB processing?  JUMP_ADDRESS?  WRITE_FILE?  When using the SDP commands, how does the HAB ROM code find the IVT?

I haven't found this information in the HABv4 API manual or the i.MX 6 Reference Manual.  It looks like HAB can reject the address of a WRITE_FILE since the i.MX 6 Reference Manual text regarding the WRITE_FILE SDP command indicates the host sends an ERROR_STATUS command to query if HAB has rejected the address.

When using SDP, how does HAB find the IVT and when does it process the CSF?

Thank you,

Todd

Labels (1)
Tags (1)
0 Kudos
1 Solution
2,492 Views
toddgoodman
Contributor II

When trying to use HAB with SDP, HAB ROM runs authenticate_image() when you send the JUMP SDP command and the JUMP address is the address of the IVT (it calls authenticate_image() with start of the JUMP address and offset of 0.)

View solution in original post

0 Kudos
8 Replies
2,493 Views
toddgoodman
Contributor II

When trying to use HAB with SDP, HAB ROM runs authenticate_image() when you send the JUMP SDP command and the JUMP address is the address of the IVT (it calls authenticate_image() with start of the JUMP address and offset of 0.)

0 Kudos
2,492 Views
Yuri
NXP Employee
NXP Employee

Hello,

  Please refer to section 6.2 (Signing Code Downloadable with Manufacturing

Tool) of app note AN4581 "Secure Boot on i.MX50, i.MX53, and i.MX 6 Series

using HABv4".

http://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf

Also, the following may be helpful :

Mx6 HAB (High Assurance Boot) 

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
2,492 Views
toddgoodman
Contributor II

Hi Yuri,

I appreciate the reply and have looked at both of those previously.

AN4581 is why I believe I have to use DCD_WRITE to write the DCD to OCRAM and then add the block in the CSF.

But what triggers HAB with SDP?

How does the HAB ROM code find the IVT if one uses an SDP WRITE_FILE command?  The HAB ROM needs the IVT to find the CSF does it not?

When does the HAB ROM code run?

What triggers it when the chip is in SDP mode?

Thank you,

Todd

0 Kudos
2,492 Views
Yuri
NXP Employee
NXP Employee

Hi,

  Generally the HAB is always working, please take a look at Figure 8-1

(Boot Flow) of the i.MX6 RM (“Authenticate Image” block).

  Another way, that if SEC_CONFIG (fuse) is the Open (default) configuration,

the boot ROM/HAB performs image authentication, but all authentication errors
are ignored and the image is still allowed to execute.

  Also, for SDP, the IVT should be sent first. It is provided by MFG.

Regards,
Yuri.

0 Kudos
2,492 Views
toddgoodman
Contributor II

Thank you again for your quick reply.

I'm sorry, but I'm just not understanding it.

I know that in Open mode of the SEC_CONFIG fuse it reports errors but ignores them.  I'm looking at the reported errors once my u-boot is running.

I look at Figure 8-1 (Boot Flow) in the i.MX 6 RM.

We don't get to the "Authenticate Image" block because the boot mode is being forced to Serial.

So it should be "Download and Authenticate Image via USB."

You say for SDP, the IVT should be sent first.  But where should it be sent?  What address?  Using which SDP commands?  WRITE_REGISTER commands? 

I looked at the source code for mfgtool (mfgtool.v2.3.2.SRC, downloaded from this site.)

I don't see where it sends the IVT when processing the mfgtool boot command (<CMD state="BootStrap" type="boot" body="BootStrap" file ="u-boot-mx6q-sabresd.bin" >Loading U-boot</CMD>)

It sends the DCD to OCRAM using the DCD_WRITE SDP command and then does a WRITE_FILE SDP command to send the file over (u-boot-mx6q-sabresd.bin in the example line above.)

Again, I apologize for not understanding what's going on.  I've been through all of the documentation I can find and believe I have a good understanding of what happens during a "regular" boot (eMMC in our case.)  I am just not understanding how it all fits together when using SDP.


Thank you,

Todd

0 Kudos
2,492 Views
Yuri
NXP Employee
NXP Employee

Hi,

You may try writing the IVT to OCRAM free area (at 0x00907000).

Regards,

Yuri.

0 Kudos
2,492 Views
toddgoodman
Contributor II

Can you please tell me how the HAB ROM code knows where to find the IVT when loading an image via SDP?

0 Kudos
2,492 Views
Yuri
NXP Employee
NXP Employee

Hello,

For the closed state - please refer to section E.1 (Signing code downloadable
with the manufacturing tool) of the recent release of app note AN4581.

http://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf

Regards,

Yuri.

0 Kudos