
mx6ul, hab, secureboot and fuse progr

Question asked by Giulio Dominutti on Aug 8, 2017
Latest reply on Aug 28, 2017 by Yuri Muhin
Branched to a new discussion

Hi everybody, I'm new to this field, so please be patient if my questions are too easy for you.

I started working on secure boot (HAB) and I have a few questions about this topic and the u-boot signature.

 

1) Many tutorials talk about "fuse prog" for the SRK. I was wondering if there is a different way to validate a u-boot image, maybe by only writing to the shadow memory before u-boot starts (via JTAG)? (I wasn't able to understand whether HAB uses the values in shadow memory during the validation phase or not.) (Other ways to debug a secure boot without programming the OTP fuses are appreciated.)

 

2) When we create the signature using the ./cst tool, I use the following csf file:

[Header]
    Version = 4.2
    Security Configuration = Open
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
[Install SRK]
    File = "../crts/SRK_1_2_3_4_table.bin"
    Source index = 0
[Install CSFK]
    File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
    Verification index = 0
    Target Index = 2
    # Key to install
    File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
[Authenticate Data]
    Verification index = 2
    # Address    Offset    Length    Data File Path
    Blocks = 0x177FB000 0x000 0x87C00 "../../u-boot/u-boot.imx"

 

Can someone explain to me exactly how the Blocks values are discovered?

2.1) Is it correct to sign the whole .imx image, including the IVT?

2.2) Where exactly can I find (understand) the first value of length?

 

Thanks everybody.
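
Added example (not part of the original post and not NXP or U-Boot code): for a u-boot.imx whose IVT carries a CSF pointer, the three Blocks numbers asked about above can be read from the IVT at offset 0 of the file. The address is the IVT `self` pointer, the offset is 0, and the length is `csf - self`, so the signed region starts at the IVT. The sample image and its addresses are constructed, and `parse_ivt`, `hab_blocks` and `make_sample` are hypothetical names.

```python
import struct

IVT_TAG, IVT_LEN = 0xD1, 0x20   # HABv4 IVT header tag and size in bytes
FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(image: bytes) -> dict:
    """Parse the IVT at offset 0 of a u-boot.imx file."""
    if len(image) < IVT_LEN:
        raise ValueError("image is shorter than an IVT")
    # Header: tag (1 byte), length (2 bytes, big-endian), version (1 byte).
    tag, length, version = struct.unpack_from(">BHB", image, 0)
    if tag != IVT_TAG or length != IVT_LEN or version & 0xF0 != 0x40:
        raise ValueError("no HABv4 IVT at offset 0")
    # Seven little-endian 32-bit words follow the header.
    return dict(zip(FIELDS, struct.unpack_from("<7I", image, 4)))

def hab_blocks(image: bytes, path: str) -> str:
    """Return a CSF 'Blocks' line that starts at the IVT and ends at the CSF."""
    ivt = parse_ivt(image)
    if ivt["csf"] == 0:
        raise ValueError("IVT has no CSF pointer, so there is no signed length")
    length = ivt["csf"] - ivt["self"]   # bytes from the IVT up to the CSF
    if length <= 0:
        raise ValueError("CSF pointer is not above the IVT self address")
    if length > len(image):
        raise ValueError("file is shorter than the region to be signed")
    return f'Blocks = 0x{ivt["self"]:08x} 0x{0:08x} 0x{length:08x} "{path}"'

def make_sample(csf_offset: int) -> bytes:
    """Constructed image: IVT plus zero filler, with illustrative addresses."""
    self_addr = 0x877FF400                      # constructed load address
    csf = self_addr + csf_offset if csf_offset else 0
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40) + struct.pack(
        "<7I", 0x87800000, 0, self_addr + 0x2C, self_addr + 0x20, self_addr, csf, 0)
    return ivt.ljust(0x1000 + 0x2000, b"\x00")  # payload plus room for the CSF

if __name__ == "__main__":
    print(hab_blocks(make_sample(0x1000), "u-boot.imx"))
```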
