mx6ul, hab, secureboot and fuse progr

Question asked by Giulio Dominutti on Aug 8, 2017
Latest reply on Aug 21, 2017 by Yuri Muhin

Hi everybody, I'm new to this field, so please be patient if my questions are too easy for you.

I started working on secure boot (HAB) and I have a few questions about this topic and the u-boot signature.


1) Many tutorials talk about "fuse prog" for the SRK. I was wondering if there is a different way to validate a u-boot image, maybe by only writing to the shadow memory before u-boot starts (via JTAG)? (I wasn't able to understand whether HAB uses the values in shadow memory in the validation phase or not.) Other ways to debug a secure boot without programming the OTP fuses are appreciated.


2) When we create the signature using the tool ./cst, I use the following csf file:

    [Header]
        Version = 4.2
        Security Configuration = Open
        Hash Algorithm = sha256
        Engine Configuration = 0
        Certificate Format = X509
        Signature Format = CMS
    [Install SRK]
        File = "../crts/SRK_1_2_3_4_table.bin"
        Source index = 0
    [Install CSFK]
        File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
    [Authenticate CSF]
    [Install Key]
        Verification index = 0
        Target Index = 2
        # Key to install
        File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
    [Authenticate Data]
        Verification index = 2
        # Address       Offset    Length     Data File Path
        Blocks = 0x177FB000 0x000 0x87C00 "../../u-boot/u-boot.imx"


Can someone explain to me exactly how the Blocks values are discovered?

2.1) Is it correct to sign the whole .imx image, including the IVT?

2.2) Where exactly can I find (understand) the first value of length?


Thanks everybody.
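
The three numbers on the `Blocks` line in the CSF above can be read from the image's own IVT. The following is an added example, not part of the original post and not NXP or U-Boot code. It assumes a HABv4 IVT at file offset 0 (as in a mkimage-built `u-boot.imx`) and the common convention that the signed region runs from the IVT `self` address up to the IVT `csf` pointer; the function names and the sample image are constructed for illustration.

```python
import struct

IVT_TAG, IVT_LEN = 0xD1, 0x20  # HABv4 IVT header tag and structure length


def hab_blocks_from_ivt(image: bytes, ivt_offset: int = 0):
    """Return (address, offset, length) for [Authenticate Data] Blocks."""
    if len(image) < ivt_offset + IVT_LEN:
        raise ValueError("image too short to contain an IVT")
    # Header: tag (1 byte), length (2 bytes, big-endian), HAB version (1 byte)
    tag, length, version = struct.unpack_from(">BHB", image, ivt_offset)
    if tag != IVT_TAG or length != IVT_LEN or version >> 4 != 4:
        raise ValueError("no HABv4 IVT header at this offset")
    # Seven little-endian words follow the header
    _entry, _rsv1, _dcd, _boot_data, self_addr, csf, _rsv2 = struct.unpack_from(
        "<7I", image, ivt_offset + 4)
    if csf == 0:
        raise ValueError("IVT csf pointer is 0: image not built for HAB signing")
    if csf <= self_addr:
        raise ValueError("IVT csf pointer does not follow the IVT self address")
    signed_len = csf - self_addr  # IVT, boot data, DCD and U-Boot up to the CSF
    if ivt_offset + signed_len > len(image):
        raise ValueError("signed region extends past the end of the file")
    return self_addr, ivt_offset, signed_len


def csf_blocks_line(image: bytes, path: str) -> str:
    """Format the values as a CSF Blocks line."""
    addr, off, length = hab_blocks_from_ivt(image)
    return 'Blocks = 0x%08X 0x%08X 0x%08X "%s"' % (addr, off, length, path)


def make_sample_image(self_addr=0x877FF400, signed_len=0x2000, csf_set=True):
    """Constructed test image: a valid IVT followed by zero padding."""
    header = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40)
    csf = self_addr + signed_len if csf_set else 0
    words = struct.pack("<7I", 0x87800000, 0, self_addr + 0x2C,
                        self_addr + 0x20, self_addr, csf, 0)
    return (header + words).ljust(signed_len, b"\x00")


if __name__ == "__main__":
    print(csf_blocks_line(make_sample_image(), "u-boot.imx"))
```

On a real image, pass the bytes of the `.imx` file to `csf_blocks_line`; a `ValueError` about a zero `csf` pointer means the image was built without the secure-boot option that reserves space for the CSF.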