I am trying to make HAB work on my i.MX6Q based platform using a custom uboot based on v2015.04. This is my progress so far:
I have generated the keys, added secure boot support to uboot, and also added the CSF section to uboot:
When compiling uboot, I get the following output (I manually added a printf for the ivt_offset):
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6 compatible)
Data Size: 393216 Bytes = 384.00 kB = 0.38 MB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 177ff400 00000000 0005bc00
I save the compiled image in /tftpboot/sboot/uboot-compiled.imx
Then I use the following CSF file (/tftpboot/sboot/CSF.text):
#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177ff400 0x000000 0x5bc00 "/tftpboot/sboot/uboot-compiled.imx"
[Unlock]
# Defer RNG Instantiation for Post HAB Software (126.96.36.199)
Engine = CAAM
Features = RNG
And use it to generate the CSF binary, which contains the uboot image signature and other information:
./cst --o /tftpboot/sboot/CSF.bin < /tftpboot/sboot/CSF.text
Then, according to AN4581, I just need to concatenate the CSF to the uboot file, and that should work:
cat /tftpboot/sboot/uboot-compiled.imx /tftpboot/sboot/CSF.bin > /tftpboot/sboot/uboot+CSF.imx
But when I try to boot with that uboot+CSF.imx image, I get the following HAB event:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
0xdb 0x00 0x08 0x41 0x33 0x17 0xdd 0x00
Interpreting this event:
- First confirm that the data is an event consisting of a header, an SRCE (Status, Reason, Context, Engine) word and context-dependent data. The first byte is the tag field, which indicates an event when set to HAB_TAG_EVENT. The next two bytes are the length and the last byte is the HAB version.
- 0xdb: Tag: Event (0xDB = Event)
- 0x00, 0x08: Data length in bytes: 8 bytes
- 0x41: HAB version: 4.1
- The next word is the SRCE (Status|Reason|Context|Engine) which indicates the type of event that occurred.
- 0x33: 0x33 = HAB_FAILURE: Operation failed
- 0x17: 0x17 = HAB_INV_SIZE: Invalid data size
- 0xdd: 0xDD = HAB_CTX_DCD: Event logged in hab_rvt.run_dcd()
- 0x00: 0x00 = HAB_ENG_ANY: First compatible engine will be selected automatically (no engine configuration parameters are allowed)
So basically, HAB_INV_SIZE, which I interpret as there is something wrong with the binary layout.
I then thought that the CSF file size is less than the CONFIG_CSF_SIZE (0x4000), so I tried padding it with FF to that length:
objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0xff /tftpboot/sboot/CSF.bin /tftpboot/sboot/CSF-padded.bin
cat /tftpboot/sboot/uboot-compiled.imx /tftpboot/sboot/CSF-padded.bin > /tftpboot/sboot/uboot+CSF-padded.imx
That does not work and outputs exactly the same HAB event.
Can anyone provide more information about how to fix that HAB_INV_SIZE error?
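
The byte-by-byte reading of HAB Event 1 above, as an added example (not part of the original post and not NXP or U-Boot code): a parser for the event records printed on the console. The code tables are a subset of the HAB4 codes, and the second record in `SAMPLE` is constructed to exercise a record that carries context data.

```python
import struct

HAB_TAG_EVENT = 0xDB
# Subset of HAB4 codes: those named in the post plus a few common ones.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x17: "HAB_INV_SIZE", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x22: "HAB_INV_ADDRESS", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xDD: "HAB_CTX_DCD", 0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT",
           0xC0: "HAB_CTX_COMMAND", 0x0A: "HAB_CTX_AUTHENTICATE"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM", 0xFF: "HAB_ENG_SW"}


def name(table, code):
    return table.get(code, "unknown (0x%02x)" % code)


def parse_hab_events(buf):
    """Split a buffer of back-to-back HAB event records into decoded dicts."""
    events, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated event header at offset %d" % off)
        # Header: tag (1 byte), length (2 bytes, big-endian), HAB version (1 byte).
        tag, length, version = struct.unpack_from(">BHB", buf, off)
        if tag != HAB_TAG_EVENT:
            raise ValueError("offset %d: tag 0x%02x is not an event" % (off, tag))
        if length < 8 or off + length > len(buf):
            raise ValueError("offset %d: bad record length %d" % (off, length))
        sts, rsn, ctx, eng = buf[off + 4:off + 8]  # the SRCE word
        events.append({
            "hab_version": "%d.%d" % (version >> 4, version & 0xF),
            "status": name(STATUS, sts), "reason": name(REASON, rsn),
            "context": name(CONTEXT, ctx), "engine": name(ENGINE, eng),
            "data": bytes(buf[off + 8:off + length]),  # context-dependent data
        })
        off += length
    return events


def from_console(text):
    """Turn '0xdb 0x00 ...' console output into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


# Event 1 from the post, followed by a constructed second record with 4 data bytes.
SAMPLE = from_console("0xdb 0x00 0x08 0x41 0x33 0x17 0xdd 0x00"
                      " 0xdb 0x00 0x0c 0x41 0x33 0x18 0xc0 0x00 0x01 0x02 0x03 0x04")

if __name__ == "__main__":
    for n, ev in enumerate(parse_hab_events(SAMPLE), 1):
        print("event", n, ev)
```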