AnsweredAssumed Answered

i.MX6 HAB secure boot fuse problem

Question asked by Mikkel Holm Olsen on Apr 29, 2016

I am trying to finalize setting up secure boot on our custom board with i.MX6.

I have generated certificates with hab4_pki_tree.sh and built a signed U-boot. Attached the CSF source.

Programmed the SRK hash fuses from U-boot, hab_status returned "No HAB events".

Tried to modify a single byte in the U-boot image, hab_status returned events (failure).

Reverted to good U-boot image, and closed the configuration (burn SEC_CONFIG[1] fuse):

=> fuse prog 0 6 0x02

Then I tried to reset, and board does not boot now.

 

And just to ensure the signed U-boot has the CSF pointer set:

$ dd if=./u-boot_csf.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'

0000: 402000D1

0004: 17800000

0008: 00000000

000c: 177FF42C

0010: 177FF420

0014: 177FF400

0018: 1784F000

001c: 00000000

0020: 177FF000

0024: 00052000

0028: 00000000

002c: 401003D2

 

This is the second board i "brick", the first one I burned a lot of different fuses regarding disabling JTAG etc. at the same time, so I was not sure what caused the board not to boot. I write "brick" in quotes because I hope by making a new signed U-boot I will be able to resurrect the boards. However, since U-boot is in SPI flash, I need to use a programmer to change U-boot, so not as easy as changing an SD-card.

 

I welcome any suggestions for how to proceed.

 

Best regards,

Mikkel Holm Olsen

Original Attachment has been moved to: u-boot.csf.zip

Outcomes