
hab_auth_image with IVT offset 0 possible ?

Question asked by Andreas Schuler on Nov 7, 2017
Latest reply on Nov 8, 2017 by Yuri Muhin

Hello,

I am trying to authenticate an encrypted image with 'hab_auth_image'.

This works perfectly when I have the IVT in memory behind the encrypted binary. Now I want to have it at offset 0, so I don't need to change anything in the u-boot configuration when the image changes.

 

Is this generally possible?

 

My csf:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

 

[Install SRK]
File = "/done/crts/SRK_1_2_3_4_table.bin"
Source index = 0

 

[Install CSFK]
File = "/done/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate CSF]

 

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "/done/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

 

[Authenticate Data]
Verification index = 2
Blocks = 0x12000000 0 0x20 "zImage_ivt"

 

[Install Secret Key]
Verification index = 0
Target index = 0
Key = "./zImage_dek.bin"
Key Length = 128
Blob address = 0x12671000

 

[Decrypt Data]
Verification index = 0
Mac Bytes = 16
Blocks = 0x12001000 0x1000 0x0066d930 "zImage_ivt"

 

Layout of my encrypted image:

 

Offset 0: IVT

0000 0000: D1 00 20 41 00 10 00 12  00 00 00 00 00 00 00 00  .. A.... ........  
0000 0010: 00 00 00 00 00 00 00 12  00 F0 66 12 00 00 00 00  ........ ..f..... 

 

Offset 0x1000: encrypted binary

 

Offset 0x66f000: signature

0066 F000: D4 00 70 41 BE 00 0C 00  03 17 00 00 00 00 00 70  ..pA.... .......p  
0066 F010: BE 00 0C 02 09 00 00 01  00 00 08 B0 CA 00 0C 00  ........ ........ 

...

Offset 0x671000: keyblob

0067 1000: 81 00 48 41 66 55 10 00  C8 D7 50 C7 A1 01 8E 3D  ..HAfU.. ..P....=  
0067 1010: 8A DA C1 87 E0 A7 D2 B8  32 88 C7 1C E3 C1 3B F2  ........ 2.....;.  
0067 1020: FA 6F 4A 4B 97 76 EB D1  23 AC 4E 01 69 88 A0 6F  .oJK.v.. #.N.i..o  
0067 1030: C5 A0 CC 52 42 B7 04 1B  34 78 2A 61 29 D9 79 5D  ...RB... 4x*a).y]  
0067 1040: 14 38 F2 A7 B5 E6 65 4D                           .8....eM           
0067 1050:

 

 

When I try to authenticate the image I get:

=> ext4load usb 0:1 0x12000000 zImage_encblob
6754376 bytes read in 271 ms (23.8 MiB/s)
=> hab_auth_img 0x12000000 0

 

Authenticate image from DDR location 0x12000000...

 

Secure boot enabled

 

HAB Configuration: 0xcc, HAB State: 0x99

 

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

 

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

 

 

 

Is there any need for a new DCD when I have the IVT before the encrypted image?

I have no problems with the other layout, so it can't be a problem of keys or hardware-configuration.

My device is closed and the u-boot is signed correctly.
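Added example, not part of the original post and not NXP or U-Boot code: a small Python check that decodes the IVT dump and the HAB event quoted above and compares the IVT pointers with the block addresses from the CSF. The function names are hypothetical; the byte strings and addresses are copied from the post, and the IVT field order (header, entry, reserved1, dcd, boot_data, self, csf, reserved2) is the HAB4 layout.

```python
import struct

# Constructed from the post: IVT dump bytes, HAB event bytes, CSF block values.
IVT = bytes.fromhex("D1002041 00100012 00000000 00000000"
                    "00000000 00000012 00F06612 00000000")
EVENT = bytes([0xDB, 0x00, 0x08, 0x41, 0x33, 0x22, 0x0A, 0x00])
LOAD_ADDR = 0x12000000                      # ext4load / hab_auth_img address
AUTH_BLOCK = (0x12000000, 0x20)             # [Authenticate Data] address, length
DECRYPT_BLOCK = (0x12001000, 0x0066D930)    # [Decrypt Data] address, length

# Only the codes the post itself decodes; anything else is shown as hex.
CODES = {"status": {0x33: "HAB_FAILURE"}, "reason": {0x22: "HAB_INV_ADDRESS"},
         "context": {0x0A: "HAB_CTX_AUTHENTICATE"}, "engine": {0x00: "HAB_ENG_ANY"}}

def parse_header(raw, want_tag):
    """HAB header: tag byte, big-endian 16-bit length, version byte."""
    tag, length, version = struct.unpack_from(">BHB", raw, 0)
    if tag != want_tag or length > len(raw):
        raise ValueError(f"bad header: tag={tag:#x} length={length:#x}")
    return length, version

def parse_ivt(raw):
    """Return the seven little-endian 32-bit IVT words that follow the header."""
    if parse_header(raw, 0xD1)[0] != 0x20:
        raise ValueError("unexpected IVT length")
    names = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    return dict(zip(names, struct.unpack_from("<7I", raw, 4)))

def parse_event(raw):
    """Decode status, reason, context and engine of a HAB event record."""
    parse_header(raw, 0xDB)
    fields = dict(zip(("status", "reason", "context", "engine"), raw[4:8]))
    return {k: CODES[k].get(v, hex(v)) for k, v in fields.items()}

def check_layout(ivt):
    """List inconsistencies between the IVT pointers and the CSF block addresses."""
    problems = []
    if ivt["self"] != LOAD_ADDR:
        problems.append("IVT self pointer differs from load address")
    if AUTH_BLOCK[0] != ivt["self"] or AUTH_BLOCK[1] < 0x20:
        problems.append("Authenticate Data block does not cover the IVT")
    if not ivt["self"] + 0x20 <= DECRYPT_BLOCK[0] <= ivt["entry"]:
        problems.append("Decrypt Data block overlaps IVT or starts after entry")
    if sum(DECRYPT_BLOCK) > ivt["csf"]:
        problems.append("Decrypt Data block runs into the CSF")
    return problems

if __name__ == "__main__":
    print(parse_event(EVENT), check_layout(parse_ivt(IVT)) or "layout consistent")
```

With the values from the post, `check_layout` returns an empty list: the IVT pointers (entry 0x12001000, self 0x12000000, csf 0x1266F000) and the CSF block addresses agree with each other and with the stated offsets.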
