i.MX6DL - HAB4 doesn't verify signature in 'open' configuration?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX6DL - HAB4 doesn't verify signature in 'open' configuration?

Jump to solution
1,539 Views
christian_neuwi
Contributor III

Hi,

I've been working for the last couple of weeks to get secure boot in U-Boot operational on our own hardware based on the i.MX6DL. Everything seemed to work fine and according to expectations until I ran some final tests before 'closing' the device, i.e. blowing the fuse SEC_CONFIG.

It seems that the HAB4 does determine 'tampering' with a signed image as expected, but it does not determine when an image was signed with a different set of keys.

In other words:

  1. I created a set of keys using CST 2.3.2 and flashed the fuses in the i.MX6 accordingly.
  2. Booting seems to work fine, i.e. 'hab_status' reports no events.
  3. I signed an arbitrary image with the keys created in step #1.
  4. I downloaded that image to the board and it was authenticated successfully by 'hab_auth_img'.
  5. I 'tampered' with the downloaded image and authentication failed, i.e. 'hab_auth_img' and 'hab_status' report HAB events.
  6. I created a different set of keys using CST 2.3.2.
  7. I signed the same image that was used in step #3 with the keys created in step #6.
  8. I downloaded that image to the board and it was still authenticated successfully by 'hab_auth_img'.

Note that I patched authenticate_image() in <U-Boot Root>/arch/arm/imx-common/hab.c a bit so that an image is authenticated also when the SEC_CONFIG fuse is not blown.

I'm really confused by this behavior.

Does 'full' authentication work only when the device is 'closed'?

Or do you have another explanation?

Best regard,
Chris.

Labels (1)
0 Kudos
Reply
1 Solution
1,279 Views
Yuri
NXP Employee
NXP Employee

Hello,

 There is a feature regarding SRK checking, that was described in app note AN4581, Rev. 0, 10/2012.

(The recent app note release does not mention it.) 

  "There is a known limitation about the verification of the SRK table in the ROM of i.MX 6 Series devices.
In these devices, the intent was to only verify the SRK table hash, when the SRK fuse field was non-zero
for Open configuration. However, for i.MX 6 Series in Open configuration, the HAB always skips the
verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.
This means that it is necessary to ensure that the SRK field is correctly programmed, prior to moving the
i.MX 6 Series security configuration to Closed."

  This feature can produce the issue, You described, since SRK is not really verified.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

0 Kudos
Reply
2 Replies
1,279 Views
christian_neuwi
Contributor III

Thanks for the quick reply, Yuri!

0 Kudos
Reply
1,280 Views
Yuri
NXP Employee
NXP Employee

Hello,

 There is a feature regarding SRK checking, that was described in app note AN4581, Rev. 0, 10/2012.

(The recent app note release does not mention it.) 

  "There is a known limitation about the verification of the SRK table in the ROM of i.MX 6 Series devices.
In these devices, the intent was to only verify the SRK table hash, when the SRK fuse field was non-zero
for Open configuration. However, for i.MX 6 Series in Open configuration, the HAB always skips the
verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.
This means that it is necessary to ensure that the SRK field is correctly programmed, prior to moving the
i.MX 6 Series security configuration to Closed."

  This feature can produce the issue, You described, since SRK is not really verified.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply