AnsweredAssumed Answered

Getting HAB_INV_ASSERTION on imx Kernel

Question asked by Paul Holmquist on Sep 24, 2018
Latest reply on Oct 5, 2018 by Yuri Muhin

Got authentication of u-boot.imx working but now trying to extend to authenticating uimage.imx but getting error.

I followed both Appendix G of AN4581_i_mx6_secure_boot.pdf and the Yocto Workshop (DOC332479) but getting the following HAB error:

 

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 

=> fatload mmc 1 0x12000000 /cp.uimage
reading /cp.uimage
19759136 bytes read in 945 ms (19.9 MiB/s)
=> hab_auth_img 0x12000000 0x12D6000

 

 hab_enabled() call bypassed...
   Authenticating image from DDR location 0x12000000...
ivt_offset = 0x12d6000, ivt addr = 0x132d6000
Dumping IVT
132d6000: 402000d1 12000000 00000000 00000000    .. @............
132d6010: 00000000 132d6000 132d6020 00000000    .....`-. `-.....
Dumping CSF Header
132d6020: 415000d4 000c00be 00001703 50000000    ..PA...........P
132d6030: 020c00be 01000009 90040000 000c00ca    ................
132d6040: 001dc501 e4070000 000c00be 02000009    ................
132d6050: e8090000 001400ca 001dc502 3c0d0000    ...............<

 

Secure boot disabled

 

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

 


Calling authenticate_image in ROM
    ivt_offset = 0x12d6000
    start = 0x12000000
    bytes = 0x12d8020
=> hab_status

 

Secure boot disabled

 

HAB Configuration: 0xf0, HAB State: 0x66

 

--------- HAB Event 1 -----------------
event data:
    0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x13 0x2d 0x60 0x00
    0x00 0x00 0x00 0x20
=>

 

Decoding above follows the same error example in Appendix A of HAB4_API.pdf that came with CST 3.0.1 which I'll restate as follows:

An assertion event means that one of
the following required areas is not signed as documented in the Operation section for
authenticate_image() API:
• IVT;
• DCD (if provided);
• Boot Data (initial byte - if provided);
• Entry point (initial word).

I followed all the steps as indicated for the Yocto workshop (4.2.2) except my kernel does not have a device tree (using Green Hills Integrity OS).  Recap of the steps:

  1. Pad unsigned uimage.imx to 4K boundary
  2. Generate IVT for uimage.imx (./genIVT.pl ivt12.bin 0x12000000 0x132D6000 0x132D6020)
  3. Append IVT to unsigned image (uimage-pad-ivt.imx).

  4. Sign using CST generating csf.bin (CSF script given below)

  5. Pad csf.bin to 0x2000

  6. Append csf-pad.bin to uimage-pad-IVT.imx

 

I was assuming that the CST tool takes care signing the four areas in step 4 above since I didn't get this error for a signed u-boot-signed.img? If not, done by CST tool, where are the instructions to make sure they are signed?

 

Here is my CSF script used in step 4 above:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = SHA256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File="../crts/SRK_1_2_3_4_table.bin"
Source Index = 0

[Install CSFK]
File="../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification Index = 0
Target Index = 2
File="../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification Index = 2
Blocks = 0x12000000 0x00000000 0x12D6000 "uimage-pad-ivt"

Outcomes