Hi,
I've been working for the last couple of weeks to get secure boot in U-Boot operational on our own hardware based on the i.MX6DL. Everything seemed to work fine and according to expectations until I ran some final tests before 'closing' the device, i.e. blowing the fuse SEC_CONFIG.
It seems that the HAB4 does determine 'tampering' with a signed image as expected, but it does not determine when an image was signed with a different set of keys.
In other words:
Note that I patched authenticate_image() in <U-Boot Root>/arch/arm/imx-common/hab.c a bit so that an image is authenticated also when the SEC_CONFIG fuse is not blown.
I'm really confused by this behavior.
Does 'full' authentication work only when the device is 'closed'?
Or do you have another explanation?
Best regard,
Chris.
Solved! Go to Solution.
Hello,
There is a feature regarding SRK checking, that was described in app note AN4581, Rev. 0, 10/2012.
(The recent app note release does not mention it.)
"There is a known limitation about the verification of the SRK table in the ROM of i.MX 6 Series devices.
In these devices, the intent was to only verify the SRK table hash, when the SRK fuse field was non-zero
for Open configuration. However, for i.MX 6 Series in Open configuration, the HAB always skips the
verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.
This means that it is necessary to ensure that the SRK field is correctly programmed, prior to moving the
i.MX 6 Series security configuration to Closed."
This feature can produce the issue, You described, since SRK is not really verified.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Thanks for the quick reply, Yuri!
Hello,
There is a feature regarding SRK checking, that was described in app note AN4581, Rev. 0, 10/2012.
(The recent app note release does not mention it.)
"There is a known limitation about the verification of the SRK table in the ROM of i.MX 6 Series devices.
In these devices, the intent was to only verify the SRK table hash, when the SRK fuse field was non-zero
for Open configuration. However, for i.MX 6 Series in Open configuration, the HAB always skips the
verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not.
This means that it is necessary to ensure that the SRK field is correctly programmed, prior to moving the
i.MX 6 Series security configuration to Closed."
This feature can produce the issue, You described, since SRK is not really verified.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------