AnsweredAssumed Answered

HAB auth failure on eMMC

Question asked by Allen Ivester on Oct 24, 2017
Latest reply on Oct 25, 2017 by Victor Linnik

I'm trying to enable secure boot (no encryption at this point) for a custom i.MX6 DL board using single-stage u-boot (no SPL).  For development purposes, I started off getting secure boot working from USB using mfgtool2.  This (I thought) was the harder case, since it requires an additional signing of just the DCD.  I have that working perfectly and even extended u-boot to HAB authenticate a next-stage image loaded in u-boot.  Once all of that was working, I tried the "simple" case of signing the exact same u-boot.imx image for booting from emmc.  But although u-boot does load from emmc, when I run hab_status I get a HAB_INV_ADDRESS failure and the expected subsequent HAB_INV_ASSERTION failures for the various required signed section.  Again, I'm using the exact same u-boot.imx image for both mfgtool loading and emmc, with the only difference in signing being the mfgtool CSF script adds an auth_data block for the DCD at 0x00910000.

 

Everything about the failing emmc-loaded image looks good.  I've even read the binary back from the emmc boot block and verified the addresses in the IVT, which is exactly the same as the IVT for the mfgtool-loaded image that generates no HAB errors.  The only weird thing I see with the failing emmc-loaded u-boot is shown below.

 

First, see the IVT header of the image and note that the CSF starts at 0x17860000

=> md 177ff400
177ff400: 402000d1 17800000 00000000 177ff42c .. @........,...
177ff410: 177ff420 177ff400 17860000 00000000 ...............
177ff420: 177ff000 0006100c 00000000 403802d2 ..............8@
177ff430: 043402cc 74070e02 00000c00 54070e02 ..4....t.......T
177ff440: 00000000 ac040e02 30000000 b0040e02 ...........0....
177ff450: 30000000 64040e02 30000000 90040e02 ...0...d...0....
177ff460: 30000000 4c070e02 30000000 94040e02 ...0...L...0....
177ff470: 30000000 a0040e02 00000000 b4040e02 ...0............
177ff480: 30000000 b8040e02 30000000 6c070e02 ...0.......0...l
177ff490: 30000000 50070e02 00000200 bc040e02 ...0...P........
177ff4a0: 30000000 c0040e02 30000000 c4040e02 ...0.......0....
177ff4b0: 30000000 c8040e02 30000000 60070e02 ...0.......0...`
177ff4c0: 00000200 64070e02 30000000 70070e02 .......d...0...p
177ff4d0: 30000000 78070e02 30000000 7c070e02 ...0...x...0...|
177ff4e0: 30000000 70040e02 30000000 74040e02 ...0...p...0...t
177ff4f0: 30000000 78040e02 30000000 7c040e02 ...0...x...0...|

 

Now, let's dump the CSF and make sure it's correct.

=> md 17860000
17860000: 415000d4 000c00be 00001703 50000000 ..PA...........P
17860010: 020c00be 01000009 90080000 000c00ca ................
17860020: 001dc501 e40d0000 000c00be 02000009 ................
17860030: e8100000 001400ca 001dc502 3c160000 ...............<
17860040: 00f47f17 000c0600 1d0800b2 02000000 ................
17860050: 404008d7 210f02e1 80000000 03000002 ..@@...!........
17860060: 39cd06c9 33493af4 56654fe7 49bde4ab ...9.:I3.OeV...I
17860070: c2a1d13f c4ce48f5 55b42b7c e97c58fe ?....H..|+.U.X|.
17860080: 4856e396 e6420643 f25c8c1c 659e382f ..VHC.B...\./8.e
17860090: 70964933 c31fa267 190d1a11 23082f65 3I.pg.......e/.#
178600a0: fe81449c cc6bf06d 1a8e765f fd85da8e .D..m.k._v......
178600b0: 7be1c9bf 66b2bda4 ff82e68e 8257ce59 ...{...f....Y.W.
178600c0: 5c038885 497772e6 de36eeb4 ee1c70c0 ...\.rwI..6..p..
178600d0: 253367ff 4c1d3dfe 65851ba1 aa4e7d76 .g3%.=.L...ev}N.
178600e0: 3b0099bb 1a86b6cf 3765c5fc d2e12b3e ...;......e7>+..
178600f0: 910fb1ac 12115d8c 35a5eb93 d037fb86 .....].....5..7.
=>
17860100: 8a44f895 7ec56905 e64d49ed 4b0adf68 ..D..i.~.IM.h..K
17860110: 56a0b1dc f4b3f1e2 3acb9b29 b9690a83 ...V....)..:..i.
17860120: 9d9ccff1 e658b6aa ae674de2 a47aee14 ......X..Mg...z.
17860130: 1e40bd78 0557d7f8 5f2905ba f75f303c x.@...W...)_<0_.
17860140: 423b7325 524a4bb2 be96254d 6a702d4c %s;B.KJRM%..L-pj
17860150: f1410a9c cf160b7e ddea8d8d 18448395 ..A.~.........D.
17860160: 773466d5 53780d7c 78a6c720 ce78b75a .f4w|.xS ..xZ.x.
17860170: 985f9344 a618a85b 122eeb34 8f798e7c D._.[...4...|.y.
17860180: 97b723d6 32786a78 867d0121 30e366ed .#..xjx2!.}..f.0
17860190: 0597f1cb a30d7943 471dc9ab 29af42ff ....Cy.....G.B.)
178601a0: 03716679 f71aa23c b58db623 a4f1f3a0 yfq.<...#.......
178601b0: c9cad24b 9ac9e300 8375e47c 37366de9 K.......|.u..m67
178601c0: 97d17825 d4d924c2 3f9ab852 b82a5d96 %x...$..R..?.]*.
178601d0: 3b196d2a a289ae9d e28227a8 1a579aff *m.;.....'....W.
178601e0: bd0ce3a4 5c95043e 4e3a11c1 71ee7f77 ....>..\..:Nw..q
178601f0: 3cfdccf9 d95932b5 f6e35746 2a9fcbb5 ...<.2Y.FW.....*
=>
17860200: 00000000 00000000 00000000 00000000 ................
17860210: 00000000 00000000 00000000 00000000 ................
17860220: 00000000 00000000 00000000 00000000 ................
17860230: 00000000 00000000 00000000 00000000 ................
17860240: 00000000 00000000 00000000 00000000 ................
17860250: 00000000 00000000 00000000 00000000 ................
17860260: 00000000 00000000 00000000 00000000 ................
17860270: 00000000 00000000 00000000 00000000 ................
17860280: 00000000 00000000 00000000 00000000 ................
17860290: 00000000 00000000 00000000 00000000 ................
178602a0: 00000000 00000000 00000000 00000000 ................
178602b0: 00000000 00000000 00000000 00000000 ................
178602c0: 00000000 00000000 00000000 00000000 ................
178602d0: 00000000 00000000 00000000 00000000 ................
178602e0: 00000000 00000000 00000000 00000000 ................
178602f0: 00000000 00000000 00000000 00000000 ................

 

 

As you see, after 512 bytes, the CSF (in memory) is zeroes.  When I read the contents of the boot block from emmc, I see the full CSF, which matches the signed image on my PC.  So for some reason the i.MX6 boot ROM isn't reading the entire image from emmc.

 

Why?  I assume the CSF has a header that lets the ROM figure out how much to copy when it's loading the image, but although some fields in the first 0x60 bytes of the CSF look like lengths, nothing looks obvious.  So how is the boot ROM not loading the whole u-boot image + CSF into RAM?  Could there be something wrong in the emmc setup in the DCD?  Or am I barking up the wrong tree?

 

Thanks.

Outcomes