Use HAB API from u-boot to decrypt Linux image

Question asked by Allen Ivester on Jan 23, 2018
Latest reply on Oct 3, 2018 by Yuri Muhin

Can we use HAB to decrypt a Linux image from u-boot?

 

More specifically:

I have an i.MX6DL device with secure boot enabled, and I can successfully boot a signed and encrypted u-boot image using HAB. And from that u-boot image, I can then load a signed (but NOT encrypted) app image, use hab_auth_img to authenticate the image, and then launch it.

NOW I want to encrypt that app image and have hab_auth_img authenticate and decrypt it.  I have modified the CSF script, made sure to select a new key slot (different than the one I use to auth u-boot) for the app's key, made sure to create a new dek_blob just for the app and append the blob to the app.  But when I call the HAB authentication API (which should call run_csf to authenticate, install secret key, and decrypt), I get the following HAB error:

 

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x01
0x16 0x00 0x6f 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 

Note that this is saying the "install secret key" command is an invalid command.

 

Am I getting HAB_INV_COMMAND because HAB won't allow me to install a secret key via API?  Or can I be getting this error because something isn't configured properly in my CSF?
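
Added example, not part of the original post and not U-Boot or NXP code: a small decoder for the event bytes in the log above, which separates the record header from the trailing bytes so the command HAB rejected can be compared field by field with the CSF and with the address the blob was loaded at. `hab_parse_event` and `struct hab_event` are hypothetical names, and reading the trailing 12 bytes as an Install Key command (tag, length, flags, protocol, algorithm, source index, target index, key location) is an assumption about the HAB4 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Event bytes copied from the HAB log in the question above. */
static const uint8_t event[] = {
    0xdb, 0x00, 0x14, 0x41, 0x33, 0x06, 0xc0, 0x00,
    0xbe, 0x00, 0x0c, 0x01, 0xbb, 0x00, 0x00, 0x01,
    0x16, 0x00, 0x6f, 0x00,
};

/* Hypothetical names for this example, not U-Boot or HAB API. */
struct hab_event {
    uint8_t  status, reason, context, engine;
    uint8_t  cmd_tag, cmd_flags, protocol, algorithm, src_index, tgt_index;
    uint16_t cmd_len;
    uint32_t key_location;
};

/* Returns 0 on success, -1 if the bytes are not a well-formed record. */
int hab_parse_event(const uint8_t *b, size_t n, struct hab_event *e)
{
    if (n < 8 || b[0] != 0xdb)                /* 0xdb opens an event record */
        return -1;
    size_t len = ((size_t)b[1] << 8) | b[2];  /* big-endian record length */
    if (len < 20 || len > n)                  /* 8-byte header + 12-byte command */
        return -1;
    e->status = b[4]; e->reason = b[5]; e->context = b[6]; e->engine = b[7];
    /* Assumed: the rest is the rejected CSF command, Install Key layout. */
    const uint8_t *c = b + 8;
    e->cmd_tag = c[0];
    e->cmd_len = (uint16_t)((c[1] << 8) | c[2]);
    if (e->cmd_len < 12 || e->cmd_len > len - 8)
        return -1;
    e->cmd_flags = c[3]; e->protocol = c[4]; e->algorithm = c[5];
    e->src_index = c[6]; e->tgt_index = c[7];
    e->key_location = ((uint32_t)c[8] << 24) | ((uint32_t)c[9] << 16) |
                      ((uint32_t)c[10] << 8) | c[11];
    return 0;
}

int main(void)
{
    struct hab_event e;
    if (hab_parse_event(event, sizeof event, &e) != 0)
        return 1;
    printf("RSN=0x%02x cmd=0x%02x pcl=0x%02x tgt=%u loc=0x%08lx\n", e.reason,
           e.cmd_tag, e.protocol, (unsigned)e.tgt_index, (unsigned long)e.key_location);
    return 0;
}
```

The decoded target index and key location are the values to check against the key slot and blob address written in the CSF, and against where the image and its appended blob actually sit in memory when the authentication call is made.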
