
IMX6s Encrypted kernel with HAB

Question asked by Andreas Schuler on May 13, 2017
Latest reply on May 13, 2017 by Andreas Schuler

Hello,

I am trying to authenticate and encrypt my kernel image with HABv4. I'm working on a customer's i.MX6 platform with U-Boot 2005.10. U-Boot is signed, I have no HAB events and my board is closed.

Now I want to load and decrypt a kernel image.

For this I generated a CSF file as follows:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "/done/crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "/done/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "/done/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x1255b000 0x0055b000 0x20 "zImage_fsl_3.10.17_ivt"

[Install Secret Key]
Verification index = 0
Target index = 0
Key = "./dek.bin"
Key Length = 128
Blob address = 0x0055d000

[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 0x12000000 0x0 0x0055b000 "zImage_fsl_3.10.17_ivt"

I generate the signature for zImage_fsl_3.10.17 with:

./cst --o zImage_fsl_3.10.17_sig --i zImage_fsl_3.10.17_ivt.csf

I pad the zImage to a size of 0x55b000, append the signature after that and pad to 0x55d000.

I turn the generated dek.bin into a blob in U-Boot on the target with these commands:

ext2load mmc 1:1 0x18000000 dek.bin
dek_blob 0x18000000 0x18001000 128
ext4write mmc 1:1 0x18001000 /dek_blob.bin 0x48

Then I append dek_blob.bin to the image at offset 0x55d000.

When I load the image into RAM in U-Boot I have the following IVT:

=> md.b 0x1255b000
1255b000: d1 00 20 41 00 00 00 12 00 00 00 00 00 00 00 00    .. A............
1255b010: 00 00 00 00 00 b0 55 12 20 b0 55 12 00 00 00 00    ......U. .U.....

The signature starts here:
1255b020: d4 00 70 41 be 00 0c 00 03 17 00 00 00 00 00 70    ..pA...........p
1255b030: be 00 0c 02 09 00 00 01 00 00 08 b0 ca 00 0c 00    ................

The dek_blob.bin is in RAM at:

=> md.b 0x1255d000
1255d000: 81 00 48 41 66 55 10 00 91 64 60 d4 54 19 16 33    ..HAfU...d`.T..3
1255d010: 58 d0 d4 cb 7b 2e 7e 57 47 80 ff 96 64 e8 7b 3a    X...{.~WG...d.{:
1255d020: 94 ec e0 e9 75 ca 3e a0 ba db 2a 76 1c f1 e1 f3    ....u.>...*v....
1255d030: bf 2a 76 dc 85 a9 a3 0b 59 57 13 ec 5d 62 cb 08    .*v.....YW..]b..

But when I try to authenticate the image...

=> hab_auth_img 0x12000000 0x55b000

Authenticate image from DDR location 0x12000000...

...it hangs here and reboots 128 s later through the watchdog.

What am I doing wrong?

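As an added example (not part of the post, and not code from NXP's CST or U-Boot), the following Python script decodes the IVT and the DEK blob header from the md.b dumps above and cross-checks them against the addresses in the CSF: the self and csf pointers against the load address and IVT file offset, the 0x48-byte blob length that dek_blob wrote for a 128-bit key, and whether the CSF's Blob address equals the RAM address where the blob was appended. LOAD_ADDR, the offsets and the dump bytes are copied from the post; the expectation that Blob address is an absolute RAM address is an assumption to confirm against the CST user guide; assemble_image is a hypothetical helper that only reproduces the padding steps the post describes and reports when the signature would not fit in the gap before the blob.

```python
"""Consistency checker for the HABv4 encrypted-kernel layout described in the post.
Added example; all numbers below are copied from the post's CSF and U-Boot dumps."""
import struct

# Addresses and offsets taken from the CSF and the U-Boot session in the post.
LOAD_ADDR = 0x12000000            # DDR address the image is loaded to (Decrypt Data block)
IVT_OFFSET = 0x0055b000           # file offset of the IVT (Authenticate Data block)
CSF_OFFSET = IVT_OFFSET + 0x20    # the signature/CSF directly follows the 32-byte IVT
BLOB_OFFSET = 0x0055d000          # file offset at which dek_blob.bin was appended
CSF_BLOB_ADDRESS = 0x0055d000     # "Blob address" field as written in the CSF
DEK_BITS = 128                    # "Key Length" field in the CSF

# Constructed from the md.b output in the post (32-byte IVT, first 4 bytes of the blob).
IVT_DUMP = bytes.fromhex(
    "d1002041" "00000012" "00000000" "00000000"
    "00000000" "00b05512" "20b05512" "00000000")
BLOB_HEADER_DUMP = bytes.fromhex("81004841")

HAB_TAG_IVT, HAB_TAG_BLOB, HAB_VERSIONS = 0xD1, 0x81, (0x40, 0x41)


def parse_hab_header(raw):
    """HAB headers are big-endian: tag(1) length(2) version(1)."""
    tag, length, version = struct.unpack(">BHB", raw[:4])
    return {"tag": tag, "length": length, "version": version}


def parse_ivt(raw):
    """Decode a 32-byte IVT; the pointer words after the header are little-endian."""
    ivt = parse_hab_header(raw)
    (ivt["entry"], ivt["reserved1"], ivt["dcd"], ivt["boot_data"],
     ivt["self"], ivt["csf"], ivt["reserved2"]) = struct.unpack("<7I", raw[4:32])
    return ivt


def expected_blob_length(key_bits):
    """CAAM DEK blob as written by dek_blob: 8-byte HAB header + 32-byte encapsulated
    blob key + the DEK itself + 16-byte MAC (0x48 bytes for a 128-bit DEK)."""
    return 8 + 32 + key_bits // 8 + 16


def check_layout(ivt, blob_header):
    """Cross-check IVT fields and blob header against the CSF values; return the findings."""
    findings = []
    if ivt["tag"] != HAB_TAG_IVT or ivt["length"] != 0x20 or ivt["version"] not in HAB_VERSIONS:
        findings.append("IVT header is not a valid HABv4 IVT header")
    if ivt["entry"] != LOAD_ADDR:
        findings.append("IVT entry 0x%08x differs from the load address" % ivt["entry"])
    if ivt["self"] != LOAD_ADDR + IVT_OFFSET:
        findings.append("IVT self pointer does not equal load address + IVT file offset")
    if ivt["csf"] != ivt["self"] + 0x20:
        findings.append("IVT csf pointer does not point directly behind the IVT")
    if ivt["dcd"] != 0:
        findings.append("DCD pointer is set; a kernel image authenticated from U-Boot carries no DCD")
    if blob_header["tag"] != HAB_TAG_BLOB or blob_header["version"] not in HAB_VERSIONS:
        findings.append("DEK blob header tag/version is not a HAB key blob")
    if blob_header["length"] != expected_blob_length(DEK_BITS):
        findings.append("DEK blob length 0x%x does not match a %d-bit key"
                        % (blob_header["length"], DEK_BITS))
    # Assumption (confirm against the CST user guide): "Blob address" is the absolute RAM
    # address at which HAB expects the blob, i.e. load address + blob file offset.
    blob_ram_addr = LOAD_ADDR + BLOB_OFFSET
    if CSF_BLOB_ADDRESS != blob_ram_addr:
        findings.append("CSF Blob address 0x%08x differs from the RAM address 0x%08x "
                        "where the blob was appended" % (CSF_BLOB_ADDRESS, blob_ram_addr))
    return findings


def assemble_image(zimage_with_ivt, signature, dek_blob):
    """Hypothetical helper reproducing the padding steps from the post: the zImage (with the
    IVT at IVT_OFFSET) is padded to CSF_OFFSET, the signature appended, the result padded to
    BLOB_OFFSET and the DEK blob appended. Raises if a part overflows its slot."""
    if len(zimage_with_ivt) > CSF_OFFSET:
        raise ValueError("zImage+IVT extends past the CSF offset")
    if len(signature) > BLOB_OFFSET - CSF_OFFSET:
        raise ValueError("signature (%d bytes) does not fit in the %d-byte gap before the DEK blob"
                         % (len(signature), BLOB_OFFSET - CSF_OFFSET))
    image = zimage_with_ivt.ljust(CSF_OFFSET, b"\0") + signature
    return image.ljust(BLOB_OFFSET, b"\0") + dek_blob


if __name__ == "__main__":
    ivt = parse_ivt(IVT_DUMP)
    print({k: hex(v) for k, v in ivt.items()})
    for finding in check_layout(ivt, parse_hab_header(BLOB_HEADER_DUMP)):
        print("FINDING:", finding)
```

Run against the post's values, the IVT fields (entry 0x12000000, self 0x1255b000, csf 0x1255b020, DCD 0) and the 0x48-byte blob header all agree with the CSF blocks; the only finding is that the CSF's Blob address (0x0055d000) differs from the RAM address 0x1255d000 at which the dump shows the blob. The assemble_image check also makes explicit that the layout leaves 0x1fe0 bytes between the IVT and the blob slot for the whole signature (CSF commands, SRK table, both certificates and both signatures), which is worth measuring against the real zImage_fsl_3.10.17_sig size.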