secure boot on imx6q

Question asked by brian kim on Jun 22, 2016
Latest reply on Aug 11, 2017 by Joe Duong

I am trying to finalize setting up secure boot on our custom board with i.MX6.

Now hab_status returns events (failure), but I don't know why it returned a failure message.

 

This is the sequence and log of my work.

1)

./hab4_pki_tree.sh

Do you want to use an existing CA key (y/n)?: n

Do you want to use Elliptic Curve Cryptography (y/n)?: n

Enter key length in bits for PKI tree: 2048

Enter PKI tree duration (years): 10

How many Super Root Keys should be generated? 4

Do you want the SRK certificates to have the CA flag set? (y/n)?: y

 

2)

./srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \
./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,\
./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

 

3)

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

get 8 keys

 

4) in uboot prompt

fuse prog 3 0 key00

~

fuse prog 3 7 key07

 

5) add CONFIG_SECURE_BOOT

imx6q_uboot/include/configs$ vi xxx_config.h

/* uncomment for SECURE mode support */
#define CONFIG_SECURE_BOOT

#ifdef CONFIG_SECURE_BOOT
#ifndef CONFIG_CSF_SIZE
#define CONFIG_CSF_SIZE 0x4000
#endif
#endif

 

6) make u-boot.imx

dd if=./u-boot.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'
0000: 402000D1
0004: 17800000
0008: 00000000
000c: 177FF42C
0010: 177FF420
0014: 177FF400
0018: 00000000
001c: 00000000
0020: 177FF000
0024: 00070000
0028: 00000000
002c: 401803D2

 

7)

cat csf-uboot

=====================================================
#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177FF400 0x000 0x6fc00 "./bin/u-boot.imx"
======================================================

0x6fc00 is the size of u-boot.imx

 

8)

./cst -o csf-uboot.bin -i csf-uboot

 

9)

cat ./bin/u-boot.imx csf-uboot.bin > u-boot-signed.imx

 

10)

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
        0x00 0x00 0x03 0x18

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

 

What is the reason for the issue?
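
For reading the event dumps in step 10, this added example (not part of the original post, and not NXP or U-Boot code) decodes each hab_status record into its status, reason and context names, plus the block address and length carried by assertion events. The code tables and the assertion payload layout are assumptions taken from the HAB4 definitions in U-Boot's hab.h header, and `split_events` / `decode_event` are hypothetical helper names.

```python
import re
import struct

# HAB4 code values as defined in U-Boot's hab.h (subset; an assumption, not from the post).
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x05: "HAB_INV_IVT", 0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF",
          0x18: "HAB_INV_SIGNATURE", 0x1D: "HAB_INV_KEY",
          0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT", 0xDD: "HAB_CTX_DCD"}

def split_events(log):
    """Return one bytes object per 'HAB Event N' section of hab_status output."""
    chunks = re.split(r"-+ HAB Event \d+ -+", log)[1:]
    return [bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", c))
            for c in chunks]

def decode_event(raw):
    """Decode the 8-byte event header and, for assertion events, the block."""
    if len(raw) < 8 or raw[0] != 0xDB:
        raise ValueError("not a HAB event record")
    _, length, version, status, reason, context, engine = struct.unpack(">BHBBBBB", raw[:8])
    raw = raw[:length]  # ignore any bytes after the record
    event = {"version": f"{version >> 4}.{version & 0xF}",
             "status": STATUS.get(status, hex(status)),
             "reason": REASON.get(reason, hex(reason)),
             "context": CONTEXT.get(context, hex(context)),
             "engine": engine}
    if reason == 0x0C and len(raw) >= 20:
        # Assumption: payload = 4-byte word, block address, block length (big-endian).
        _, event["address"], event["length"] = struct.unpack(">III", raw[8:20])
    return event

# Events 1 and 3, copied from the hab_status output in the post.
SAMPLE = """
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
        0x00 0x00 0x03 0x18
"""

if __name__ == "__main__":
    for ev in map(decode_event, split_events(SAMPLE)):
        print(ev)
```

Decoded this way, events 2 to 5 name blocks starting at 0x177FF400, 0x177FF42C, 0x177FF420 and 0x17800000, which can be compared against the header words dumped in step 6 and the Blocks line of the CSF in step 7.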
