AnsweredAssumed Answered

i.mx6ull vs i.mx6ul HAB issues

Question asked by courk on May 9, 2017
Latest reply on Feb 28, 2018 by Yuri Muhin

Hi,

 

I'm trying to implement HAB on a i.mx6ull target.

 

I followed the instructions of AN4581 (http://www.nxp.com/assets/documents/data/en/application-notes/AN4581.pdf).

 

I'm using the following CSF file, the HAB Blocks being from the output of the mkimage command.

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
#        Address    Offset  Length    Data File Path
Blocks = 0x877ff400 0x0 0x60c00   "u-boot.imx"

 

The signed uboot is then generated using commands like:

./cst --o /tmp/csf-uboot.bin --i /tmp/csf-uboot
cat u-boot.imx /tmp/csf-uboot.bin > u-boot-signed.imx

 

This u-boot is next flashed on the eMMC of my target device.

 

The resulting u-boot-signed.imx doesn't work. The following events are generated:

 

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x0c 0x00 0x01 0xc5 0x00 0x00
        0x00 0x00 0x07 0xdc

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
        0x00 0x00 0x02 0x08

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 

By reading the "High Assurance Boot Version 4 Application Programming Interface Reference Manual", I can understand there is probably something wrong with the CSF validation. Can you confirm this ?

 

What is weird is that the way I'm signing my u-boot seems to work when I'm using the imx_usb_loader tool (GitHub - boundarydevices/imx_usb_loader: Usb loader for imx51/53/6x). No HAB events are generated. The only difference is that I need to clear the DCD pointer from the IVT before running ./cst as imx_usb_loader will clear it. Maybe my issue is related to the way the code in the on-chip ROM is reading data from the eMMC ?

 

Finally, it's interesting to notice this u-boot signing procedure was working on an older revision of our hardware which was using a i.mx6ul instead of the i.mx6ull. Can it be related to a HAB update between the two ICs ?

 

What I tried (without success) so far:

  • Padding the CSF file to 0x2000 bytes using (my imximage.cfg does contain CSF 0x2000):

    objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 /tmp/csf-uboot.bin /tmp/csf-uboot-padded.bin

  • Following the procedure described here: https://community.nxp.com/thread/428505#comment-805847 which highlights an potential issue linked with block devices (which may explain why I can make my u-boot to work by booting from the Serial Download Mode and not from the eMMC ?)

 

Thanks for you help !

Outcomes