AnsweredAssumed Answered

Secure boot on IMX6s, HAB_INV_SIGNATURE

Question asked by Andreas Schuler on May 11, 2017
Latest reply on May 11, 2017 by Andreas Schuler

Hello,

 

I try to start a signed U-Boot 2015.10 on a customers board.

I generated 4096bit keys for signing as described here:

High Assurance Boot (HAB) for dummies - Boundary Devices 

My SRK_1_2_3_4_fuse.bin looks like this:

root@Jessie:/work/cst-2.3.2_flashedkey/crts# hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin
0xFD441C27
0x1B9E96A8
0x3A5BD436
0xDD9D0FCB
0xA89C2AE3
0x64FA9580
0x3E64FF2C
0x35558E4D

I burned the fuses and when I read they it looks like this:

=> fuse read -y 3 0
Reading bank 3:

 

Word 0x00000000: fd441c27
=> fuse read -y 3 1
Reading bank 3:

 

Word 0x00000001: 1b9e96a8
=> fuse read -y 3 2
Reading bank 3:

 

Word 0x00000002: 3a5bd436
=> fuse read -y 3 3
Reading bank 3:

 

Word 0x00000003: dd9d0fcb
=> fuse read -y 3 4
Reading bank 3:

 

Word 0x00000004: a89c2ae3
=> fuse read -y 3 5
Reading bank 3:

 

Word 0x00000005: 64fa9580
=> fuse read -y 3 6
Reading bank 3:

 

Word 0x00000006: 3e64ff2c
=> fuse read -y 3 7
Reading bank 3:

 

Word 0x00000007: 35558e4d
=> fuse read -y 3 8
Reading bank 3:

 

My u-boot.cst:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

 

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

 

[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate CSF]

 

[Unlock]
  Engine = CAAM
  Features = RNG

 

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate Data]
Verification index = 2
Blocks = 0x177ff400 0x000 0x6dc00 "u-boot.imx"

 

I use cst-2.3.2 to sign my u-boot.imx, added the generated file and changed the header values, but when I boot I get this events:

 

=> hab_status

 

Secure boot disabled

 

HAB Configuration: 0xf0, HAB State: 0x66

 

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x00
        0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
        0x00 0x00 0x16 0x3c 0x17 0x7f 0xf4 0x00
        0x00 0x06 0xdc 0x00

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
        0x00 0x00 0x03 0x10

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 

My u-boot_signed.imx starts with the IVT(and will be written to the eeprom at offset 0x400) and when I booted I find the following in the RAM:

IVT

=> md.b 177ff400
177ff400: d1 00 20 40 00 00 80 17 00 00 00 00 2c f4 7f 17    .. @........,...
177ff410: 20 f4 7f 17 00 f4 7f 17 00 d0 86 17 00 00 00 00     ...............
177ff420: 00 f0 7f 17 40 f9 06 00 00 00 00 00 d2 03 10 40    ....@..........@
177ff430: cc 03 0c 04 02 0e 04 bc 00 00 00 30 02 0e 04 c0    ...........0....
177ff440: 00 00 00 30 02 0e 04 c4 00 00 00 30 02 0e 04 c8    ...0.......0....
...

U-Boot

=> md.b 17800000
17800000: be 00 00 ea 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5    ................
17800010: 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5 14 f0 9f e5    ................
17800020: 60 00 80 17 c0 00 80 17 20 01 80 17 80 01 80 17    `....... .......
17800030: e0 01 80 17 40 02 80 17 a0 02 80 17 ef be ad de    ....@...........
17800040: de c0 ad 0b 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3    ...... ... ... .
17800050: 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3 00 f0 20 e3    .. ... ... ... .
17800060: 28 d0 1f e5 00 e0 8d e5 00 e0 4f e1 04 e0 8d e5    (.........O.....
17800070: 13 d0 a0 e3 0d f0 69 e1 0f e0 a0 e1 0e f0 b0 e1    ......i.........
17800080: 48 d0 4d e2 ff 1f 8d e8 50 20 1f e5 0c 00 92 e8    H.M.....P ......
17800090: 48 00 8d e2 34 50 8d e2 0e 10 a0 e1 0f 00 85 e8    H...4P..........

 

u-boot_csf.bin

=> md.b 1786d000
1786d000: d4 00 50 41 be 00 0c 00 03 17 00 00 00 00 00 50    ..PA...........P
1786d010: be 00 0c 02 09 00 00 01 00 00 08 90 ca 00 0c 00    ................
1786d020: 01 c5 1d 00 00 00 0d e4 b2 00 08 1d 00 00 00 02    ................
1786d030: be 00 0c 00 09 00 00 02 00 00 10 e8 ca 00 14 00    ................
1786d040: 02 c5 1d 00 00 00 16 3c 17 7f f4 00 00 06 dc 00    .......<........
1786d050: d7 08 40 40 e1 02 0f 21 00 00 00 80 02 00 00 03    ..@@...!........
1786d060: f7 af 6b 13 98 c4 78 96 76 c2 c3 92 29 9b f5 2f    ..k...x.v...)../
1786d070: 69 36 ef 18 25 f9 55 a4 be 91 46 ed e4 c5 8e ef    i6..%.U...F.....
1786d080: a1 0d 87 08 32 93 c6 4f ef 7f 55 e5 f0 d2 e7 24    ....2..O..U....$
1786d090: ae b0 e1 b1 bd 2f 2d 10 b1 46 e2 26 7f 76 b0 89    ...../-..F.&.v..

 

I checked if the u-boot_csf.bin is complete in the RAM, and it is. I checked the lenght of the U-Boot image too.

I suppose any problems because I use 4096 instead of 2048 bit keys.

 

What I'm doing wrong ?

Outcomes