Secure boot added to U-Boot with a CST-generated signature file, but errors are still reported after flashing


yongheluo_hotma
Contributor III

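Dear Sir,

My platform is: i.mx6 solo

The U-Boot software version is: U-Boot 2013.04

Following the CST documentation, I programmed the SRK and generated the CST file, but U-Boot still shows the following at startup. Please help analyze the cause. Thanks!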

====================================================

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x00
0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x2c
0x00 0x00 0x02 0x38

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x20
0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
MXC_ARM_CLK = 792000000Hz
MXC_DDR_CLK= 400000000Hz

==============================

Thanks!

    Yonghe.Luo

Yuri
NXP Employee

Hello,

Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” in the CST package should be used to analyze HAB Events.

https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL&appType=license&location=null&fsrch...=

HAB event 1 in your case has the "HAB_INV_ADDRESS" (0x22) reason, that is, "Invalid address: access denied"; please check whether initialization via the DCD table meets the allowed addresses.

Please take a look at Table 8-29 (Valid DCD Address Ranges) in the i.MX 6Solo/6DualLite Reference Manual, Rev. 3, 09/2017.

Have a great day,

Yuri

 

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!
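Added example, not part of the original posts or of NXP's tooling: a decoder for the event dump in the first post, using the HAB4 event record layout (tag 0xdb, 16-bit length, version, then status, reason, context and engine bytes). Code names follow U-Boot's hab.h; reading the last two data words of an HAB_INV_ASSERTION event as address and size is an assumption to confirm against Appendix A of HAB4_API.pdf.

```python
import re

# Subset of HAB4 status/reason/context codes (names as in U-Boot's hab.h).
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {
    0x05: "HAB_INV_IVT", 0x06: "HAB_INV_COMMAND", 0x0C: "HAB_INV_ASSERTION",
    0x11: "HAB_INV_CSF", 0x17: "HAB_INV_SIZE", 0x18: "HAB_INV_SIGNATURE",
    0x1D: "HAB_INV_KEY", 0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS",
    0x27: "HAB_INV_DCD", 0x30: "HAB_ENG_FAIL",
}
CONTEXT = {
    0x0A: "HAB_CTX_AUTHENTICATE", 0x33: "HAB_CTX_TARGET", 0xA0: "HAB_CTX_ASSERT",
    0xC0: "HAB_CTX_COMMAND", 0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT",
    0xDD: "HAB_CTX_DCD", 0xE1: "HAB_CTX_ENTRY", 0xEE: "HAB_CTX_EXIT",
}

# Event dump copied from the first post of this thread (one event per data line).
SAMPLE_LOG = """
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x00 0x00 0x00 0x00 0x20
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x2c 0x00 0x00 0x02 0x38
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x20 0x00 0x00 0x00 0x01
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00 0x00 0x00 0x00 0x04
MXC_ARM_CLK = 792000000Hz
"""

EVENT_RE = re.compile(r"HAB Event (\d+) -+\s*event data:\s*((?:0x[0-9a-fA-F]{2}\s*)+)")

def _name(table, code):
    return table.get(code, f"unknown(0x{code:02x})")

def decode_event(raw):
    """Decode one HAB4 event record: 4-byte header, 4 code bytes, optional data."""
    if len(raw) < 8 or raw[0] != 0xDB:
        raise ValueError("not a HAB event record (tag 0xdb expected)")
    length = int.from_bytes(raw[1:3], "big")
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, dump has {len(raw)}")
    data = raw[8:]
    event = {"status": _name(STATUS, raw[4]), "reason": _name(REASON, raw[5]),
             "context": _name(CONTEXT, raw[6]), "engine": raw[7], "data": data}
    # Assumption: an assertion event carries three big-endian 32-bit words and
    # the last two are the address and size of the region that was not covered.
    if raw[5] == 0x0C and len(data) == 12:
        event["region"] = (int.from_bytes(data[4:8], "big"), int.from_bytes(data[8:], "big"))
    return event

def decode_log(log):
    """Return {event number: decoded event} for every event block in a console log."""
    events = {}
    for m in EVENT_RE.finditer(log):
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})", m.group(2)))
        events[int(m.group(1))] = decode_event(raw)
    return events

if __name__ == "__main__":
    for no, ev in decode_log(SAMPLE_LOG).items():
        region = " addr=0x%08x size=0x%x" % ev["region"] if "region" in ev else ""
        print(f"Event {no}: {ev['status']} {ev['reason']} {ev['context']}{region}")
```

For the dump above it reports event 1 as HAB_FAILURE / HAB_INV_ADDRESS in HAB_CTX_AUTHENTICATE and events 2 to 5 as HAB_INV_ASSERTION in HAB_CTX_ASSERT.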

yongheluo_hotma
Contributor III

Dear Yuri,

We are using CST 3.0.1. When running hab4_pki_tree.sh we get the following result; is this normal?

    unable to write 'random state'

(Environment: ubuntu 14.04 64Bit)

The complete log is below. Thanks!

yonghe@yonghe-VirtualBox:~/cst/cst3.0.1-release/keys$ ./hab4_pki_tree.sh

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for Freescale's
High Assurance Boot. It generates a basic PKI tree. The PKI
tree consists of one or more Super Root Keys (SRK), with each
SRK having two subordinate keys:
+ a Command Sequence File (CSF) key
+ Image key.
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

+++++++++++++++++++++++++++++++++++++
+ Generating CA key and certificate +
+++++++++++++++++++++++++++++++++++++

Generating a 2048 bit RSA private key
..................................+++
..............+++
unable to write 'random state'
writing new private key to 'temp_ca.pem'
-----
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
..................+++
..................................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.......+++
.........................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.....+++
..............................................................................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.....................+++
.........................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK2_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
..............+++
.......+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF2_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
....+++
.........................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG2_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
............+++
............................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK3_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
...............................................................................+++
...............................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF3_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
................................................................+++
.......................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG3_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
............................................................+++
....................................................................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK4_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.....................................+++
..............................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF4_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
..............+++
................................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG4_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 14:25:19 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
unable to write 'random state'
unable to write 'random state'

yongheluo_hotma
Contributor III

Dear Yuri,

I tried it on a machine that is not a VirtualBox VM, and the random state error does not occur. (Maybe it is a VirtualBox problem?)

Thanks!

luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$ ./hab4_pki_tree.sh

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This script is a part of the Code signing tools for Freescale's
High Assurance Boot. It generates a basic PKI tree. The PKI
tree consists of one or more Super Root Keys (SRK), with each
SRK having two subordinate keys:
+ a Command Sequence File (CSF) key
+ Image key.
Additional keys can be added to the PKI tree but a separate
script is available for this. This this script assumes openssl
is installed on your system and is included in your search
path. Finally, the private keys generated are password
protectedwith the password provided by the file key_pass.txt.
The format of the file is the password repeated twice:
my_password
my_password
All private keys in the PKI tree are in PKCS #8 format will be
protected by the same password.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Do you want to use an existing CA key (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
A default 'serial' file was created!
A default file 'key_pass.txt' was created with password = test!

+++++++++++++++++++++++++++++++++++++
+ Generating CA key and certificate +
+++++++++++++++++++++++++++++++++++++

Generating a 2048 bit RSA private key
................................................................................................................................................+++
.......................+++
writing new private key to 'temp_ca.pem'
-----

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
......................................+++
.....................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 16:03:50 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.............................................................+++
..............................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 1 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.............................+++
..+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG1_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.......+++
..............................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK2_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.......................................+++
....................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF2_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 2 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.................................................+++
...........+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG2_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
..............................................+++
..............................................................................................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK3_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
................................+++
............................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF3_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 3 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.........................................+++
..........................................................................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG3_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating SRK key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.........................+++
...................................................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SRK4_sha256_2048_65537_v3_ca'
Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating CSF key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
................................................................+++
...................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CSF4_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

++++++++++++++++++++++++++++++++++++++++
+ Generating IMG key and certificate 4 +
++++++++++++++++++++++++++++++++++++++++

Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
......................................................................................................+++
e is 65537 (0x10001)
Using configuration from ../ca/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'IMG4_1_sha256_2048_65537_v3_usr'
Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$

yongheluo_hotma
Contributor III

Dear Sir,

Yesterday I read some discussions on the NXP forum, and the problem is now solved.

Thanks.

Yonghe.Luo
