AnsweredAssumed Answered

i.MX6DL - HAB4 doesn't verify signature in 'open' configuration?

Question asked by Christian Neuwirth on Aug 29, 2017
Latest reply on Aug 30, 2017 by Christian Neuwirth

Hi,

 

I've been working for the last couple of weeks to get secure boot in U-Boot operational on our own hardware based on the i.MX6DL. Everything seemed to work fine and according to expectations until I ran some final tests before 'closing' the device, i.e. blowing the fuse SEC_CONFIG.

 

It seems that the HAB4 does determine 'tampering' with a signed image as expected, but it does not determine when an image was signed with a different set of keys.

 

In other words:

 

  1. I created a set of keys using CST 2.3.2 and flashed the fuses in the i.MX6 accordingly.
  2. Booting seems to work fine, i.e. 'hab_status' reports no events.
  3. I signed an arbitrary image with the keys created in step #1.
  4. I downloaded that image to the board and it was authenticated successfully by 'hab_auth_img'.
  5. I 'tampered' with the downloaded image and authentication failed, i.e. 'hab_auth_img' and 'hab_status' report HAB events.
  6. I created a different set of keys using CST 2.3.2.
  7. I signed the same image that was used in step #3 with the keys created in step #6.
  8. I downloaded that image to the board and it was still authenticated successfully by 'hab_auth_img'.

 

Note that I patched authenticate_image() in <U-Boot Root>/arch/arm/imx-common/hab.c a bit so that an image is authenticated also when the SEC_CONFIG fuse is not blown.

 

I'm really confused by this behavior.

 

Does 'full' authentication work only when the device is 'closed'?

Or do you have another explanation?

 

Best regard,
Chris.

Outcomes