I have two concerns:
I'm targeting a custom i.MX6ULL-based board with a bare-bones loader pulled in from SPI FLASH. I have not blown the fuses to close it, nor written the public keys. Instead I write the shadow register to indicate secure mode, and set the public keys (that should be used to verify the image signature) in the shadow registers.
1) What I find odd starts by calling the HAB RVT authenticate_image(). It returns a valid address. But, when I later call report_status(), it returns HAB_FAILURE. Subsequent calls to report_event(HAB_STS_ANY, ...) never return HAB_SUCCESS. This seems contrary to HAB_FAILURE returned by report_status(). If I look at the contents of memory @ 0x00904070, I see 42F402DB 00C02233 04EC02CC (big endian). I believe this indicates two events that are not returned by report_event()... although I'm not sure what they mean.
I realize I may be assuming that writing to the shadow registers should allow for proper authentication. Is this accurate? If not, would this alone explain what I'm seeing?
2) I have been avoiding blowing fuses thus far, because I haven't been able to clarify how to set up the OCOTP timing registers (there are 2 for the mx6ull). It's easy enough to infer what should happen by reading the u-boot source for the first timing register only. I have struggled to figure out what to do with OCOTP_TIMING2. The only mention I have found is in the RM. It only says it specifies the time to add to read/write OTP for complement address enable cycle time. Can anyone clarify the timing requirements here?
For your reference:
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine = SW #Engine = SW required for iMX6ull
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
File = "./crts/SRK_1_2_3_4_table.bin"
Source index = 0 #index of the key location in the SRK table to be installed
File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification index = 0
Target index = 2
File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification index = 2 #key slot used to authenticate the image data
Blocks = 0x00907400 0x400 0x3000 "./crts/testBin/image.bin"
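For reading whatever report_event() does hand back, here is a decoder for a single HAB4 event record. It is an added example, not code from the post or from NXP. It assumes the record layout and enum values used by U-Boot's HAB support (tag 0xdb, big-endian length, version, then status, reason, context, engine); the sample bytes are constructed and are not the memory dump quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HAB_TAG_EVT 0xdb   /* tag byte that opens every event record */
#define HAB_EVT_HDR 8      /* tag, len[2], version, status, reason, context, engine */

struct hab_event { uint16_t len; uint8_t version, status, reason, context, engine; };
struct hab_name  { uint8_t val; const char *name; };

/* Subset of the HAB4 enumerations (values assumed to match U-Boot's hab.h). */
static const struct hab_name hab_status[] = {
    {0x33, "HAB_FAILURE"}, {0x69, "HAB_WARNING"}, {0xf0, "HAB_SUCCESS"}, {0, NULL} };
static const struct hab_name hab_reason[] = {
    {0x22, "HAB_INV_ADDRESS"}, {0x18, "HAB_INV_SIGNATURE"}, {0x1d, "HAB_INV_KEY"},
    {0x21, "HAB_INV_CERTIFICATE"}, {0x11, "HAB_INV_CSF"}, {0x0c, "HAB_INV_ASSERTION"},
    {0x28, "HAB_INV_CALL"}, {0x30, "HAB_ENG_FAIL"}, {0, NULL} };
static const struct hab_name hab_context[] = {
    {0x0a, "HAB_CTX_AUTHENTICATE"}, {0xc0, "HAB_CTX_COMMAND"}, {0xcf, "HAB_CTX_CSF"},
    {0xdb, "HAB_CTX_AUT_DAT"}, {0xa0, "HAB_CTX_ASSERT"}, {0, NULL} };

/* Map a raw byte to its symbolic name; tables end with a NULL name. */
const char *hab_lookup(const struct hab_name *t, uint8_t v)
{
    for (; t->name; t++)
        if (t->val == v) return t->name;
    return "unknown";
}

/* Parse one record as filled in by report_event(); 0 on success, -1 if malformed. */
int hab_parse_event(const uint8_t *buf, size_t n, struct hab_event *e)
{
    if (n < HAB_EVT_HDR || buf[0] != HAB_TAG_EVT) return -1;
    e->len = (uint16_t)((buf[1] << 8) | buf[2]);   /* length field is big-endian */
    if (e->len < HAB_EVT_HDR || e->len > n) return -1;   /* truncated buffer */
    e->version = buf[3]; e->status = buf[4]; e->reason = buf[5];
    e->context = buf[6]; e->engine = buf[7];
    return 0;
}

int main(void)
{
    /* Constructed sample record, not taken from the post's memory dump. */
    const uint8_t sample[] = {0xdb, 0x00, 0x08, 0x41, 0x33, 0x22, 0x0a, 0x00};
    struct hab_event e;
    if (hab_parse_event(sample, sizeof sample, &e) == 0)
        printf("%s / %s / %s\n", hab_lookup(hab_status, e.status),
               hab_lookup(hab_reason, e.reason), hab_lookup(hab_context, e.context));
    return 0;
}
```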