
i.MX6ULL HAB authenticate_image() events

Question asked by Stephen Bialkowski on Sep 24, 2018
Latest reply on Sep 25, 2018 by Stephen Bialkowski

Hi,

I have two concerns:

I'm targeting a custom i.MX6ULL-based board with a bare bones loader pulled in from SPI FLASH. I have not blown the fuses to close it, nor written the public keys. Instead I write the shadow register to indicate secure mode, and set the public keys (that should be used to verify the image signature) in the shadow registers.

1) What I find odd starts by calling the HAB RVT authenticate_image(). It returns a valid address. But, when I later call report_status(), it returns HAB_FAILURE. Subsequent calls to report_event(HAB_STS_ANY, ...) never return HAB_SUCCESS. This seems contrary to HAB_FAILURE returned by report_status(). If I look at the contents of memory @ 0x00904070: I see 42F402DB 00C02233 04EC02CC (big endian). I believe this indicates two events that are not returned by report_event()...although I'm not sure what they mean.

I realize I may be assuming that writing to the shadow registers should allow for proper authentication. Is this accurate? If not, would this alone explain what I'm seeing?

2) I have been avoiding blowing fuses thus far, because I haven't been able to clarify how to set up the OCOTP timing registers (there are 2 for the mx6ull). It's easy enough to infer what should happen by reading the u-boot source for the first timing register only. I have struggled to figure out what to do with OCOTP_TIMING2. The only mention I have found is in the RM. It only says it specifies the time to add to read/write OTP for complement address enable cycle time. Can anyone clarify the timing requirements here?

Thanks,
Stephen

For your reference:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine = SW #Engine = SW required for iMX6ull
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "./crts/SRK_1_2_3_4_table.bin"
Source index = 0 #index of the key location in the SRK table to be installed

[Install CSFK]
File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2 #key slot used to authenticate the image data
Blocks = 0x00907400 0x400 0x3000 "./crts/testBin/image.bin"
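
Added example (not part of the original post and not NXP code): a decoder for the buffer that report_event() fills, useful for turning a returned event into readable status, reason and context names. It assumes the event record layout used by U-Boot's HAB support (tag 0xDB, 16-bit big-endian length, version byte, then status, reason, context and engine bytes); the struct and function names and the sample record are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct hab_evt { uint16_t len; uint8_t ver, sts, rsn, ctx, eng; };
struct code_name { uint8_t code; const char *name; };

/* Subsets of the HAB4 status, reason and context codes (NULL name ends a table). */
static const struct code_name STS[] = {
    {0x33, "HAB_FAILURE"}, {0x69, "HAB_WARNING"}, {0xF0, "HAB_SUCCESS"}, {0, NULL} };
static const struct code_name RSN[] = {
    {0x11, "HAB_INV_CSF"}, {0x18, "HAB_INV_SIGNATURE"}, {0x1D, "HAB_INV_KEY"},
    {0x21, "HAB_INV_CERTIFICATE"}, {0x22, "HAB_INV_ADDRESS"}, {0, NULL} };
static const struct code_name CTX[] = {
    {0x0A, "HAB_CTX_AUTHENTICATE"}, {0xC0, "HAB_CTX_COMMAND"},
    {0xCF, "HAB_CTX_CSF"}, {0xDB, "HAB_CTX_AUT_DAT"}, {0, NULL} };

/* Constructed sample record (not data from the post). */
static const uint8_t SAMPLE_EVT[] = { 0xDB, 0x00, 0x08, 0x42, 0x33, 0x18, 0xC0, 0x00 };

/* Map a code to its name using one of the tables above. */
const char *hab_name(const struct code_name *t, uint8_t code)
{
    for (; t->name != NULL; t++)
        if (t->code == code)
            return t->name;
    return "unknown";
}

/* Returns 0 and fills *out, or -1 if buf is not a well-formed event record. */
int hab_evt_parse(const uint8_t *buf, size_t bytes, struct hab_evt *out)
{
    if (buf == NULL || out == NULL || bytes < 8 || buf[0] != 0xDB)
        return -1;                       /* too short, or not an event tag */
    out->len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (out->len < 8 || out->len > bytes)
        return -1;                       /* header length disagrees with buffer */
    out->ver = buf[3]; out->sts = buf[4]; out->rsn = buf[5];
    out->ctx = buf[6]; out->eng = buf[7];
    return 0;
}

int main(void)
{
    struct hab_evt e;
    if (hab_evt_parse(SAMPLE_EVT, sizeof SAMPLE_EVT, &e) != 0)
        return 1;
    printf("len=%u ver=0x%02X %s %s %s eng=0x%02X\n", (unsigned)e.len, (unsigned)e.ver,
           hab_name(STS, e.sts), hab_name(RSN, e.rsn), hab_name(CTX, e.ctx), (unsigned)e.eng);
    return 0;
}
```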
