IMX6UL HAB encryption

Question asked by Omar Aberkan on Jan 19, 2019
Latest reply on Mar 7, 2019 by igorpadykov

I followed every single step of the following guide, but my device doesn't boot. My device is closed and signing works perfectly, but when I try to encrypt, it just doesn't work. Can somebody help me out, please?


In doc/imx/hab/habv4/guides/mx6_mx7_encrypted_boot.txt (I skipped some parts):


+   i.MX6, i.MX7 U-Boot Encrypted Boot guide using HABv4   +

- Kconfig
File systems -> Enable FAT filesystem support -> Enable FAT filesystem write support
ARM architecture -> Support the 'dek_blob' command
ARM architecture -> Support the set_priblob_bitfield command

1.3 Compile the CST to enable the encrypting feature
The encrypting feature is not enabled by default.
You need to execute the following commands to enable it:
$ sudo apt-get install libssl-dev openssl
$ cd <CST install directory>/code/back_end/src
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
$ cp cst_encrypted ../../../<where your original CST executable is>

1.4.1 csf_u-boot_enc.txt
- Modify the Authenticate Data command to only cover IVT and DCD:
Blocks = 0x877ff400 0x00000000 0x00000c00 "u-boot-dtb.imx"
Blob Address = Authenticate Start Address + Padding + length
             = 0x877ff400 + 0x2000 + 0x9ec00 = 0x878a0000
$ cp u-boot-dtb.imx u-boot-dtb.imx-enc
Block = (Authenticate start addr + 0xc00) 0xc00 (length - 0xc00) u-boot-dtb.imx-enc
      = (0x877ff400 + 0xc00) 0xc00 (0x9ec00 - 0xc00) u-boot-dtb.imx-enc
      = 0x87800000 0xc00 0x9e000 u-boot-dtb.imx-enc

1.4.2 csf_u-boot_sign_enc.txt
Blocks = 0x877ff400 0x000 0x0009ec00 "u-boot-dtb.imx-enc"
Key = "dek-dummy.bin"
Blocks = 0x87800000 0x00000c00 0x9e000 "u-boot-dtb.imx-dummy"

1.5 Encrypt the U-Boot image
The image is encrypted using the Code Signing Tool.
It also generates a CSF binary and a dek.bin file, which will be used in the steps below.
- Create the CSF binary file and encrypt the U-Boot image
$ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin

1.6 Sign the encrypted U-Boot image
$ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin

1.7 Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin
First, calculate Nonce/MAC size based on MAC bytes value in CSF.
As MAC bytes is 16:
Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/MAC
               = 12 + 16 + 8 = 36 bytes
Then, calculate Nonce/MAC offset in CSF:
MAC offset = csf_u-boot-enc.bin size - Nonce/MAC size
           = 3972 - 36 = 3936 Bytes
In the next step, extract Nonce/MAC from the first CSF:
$ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
Finally, replace the MAC of csf_u-boot_sign_enc.bin with the extracted one:
$ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36

1.8 Generate encrypted u-boot with no dek
First, pad the CSF to 0x2000:
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff \
    csf_u-boot_sign_enc.bin csf_u-boot_sign_enc_padded.bin
Then, append this file to the encrypted U-Boot image:
$ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc_padded.bin > u-boot_encrypted_no_dek.bin
Pad this new file to width+offset (0x9ec00 + 0x2000 = 0xa0c00):
$ objcopy -I binary -O binary --pad-to 0xa0c00 --gap-fill=0x00 \
    u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin

1.9 Generate the DEK Blob
Run the following commands:
=> mmc list
FSL_SDHC: 0 (SD)   #index to use for mmc in following commands
=> fatload mmc 0 0x80800000 dek.bin
=> dek_blob 0x80800000 0x80801000 128
=> fatwrite mmc 0 0x80801000 dek_blob.bin 0x48

1.10 Finalize the encrypted U-Boot image
$ cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
If the image does not boot, please verify the size of your U-Boot image,
the length specified in the CSF and the padding values.
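
The quoted guide's figures (3972, 3936, 0x9ec00, 0x878a0000) belong to its sample image, so the helper below recomputes them from your own image length and CSF sizes. It is an added example, not part of the original post or of the U-Boot guide. The function names are hypothetical, and the size-equality check is an assumption drawn from the guide using one offset for both CSF files.

```shell
#!/bin/sh
# Added example, not part of the guide. Constants are the guide's values.
NONCE_LEN=12              # nonce size used in step 1.7
MAC_HDR_LEN=8             # CSF header for the Nonce/MAC section
CLEAR_LEN=$((0xc00))      # IVT + DCD region that stays unencrypted
CSF_PAD=$((0x2000))       # CSF padding from steps 1.4.1 and 1.8

# noncemac_offset CSF_SIZE MAC_BYTES -> prints "offset count" for the dd calls
noncemac_offset() {
    count=$((NONCE_LEN + $2 + MAC_HDR_LEN))
    [ "$1" -gt "$count" ] || { echo "CSF smaller than Nonce/MAC" >&2; return 1; }
    echo "$(($1 - count)) $count"
}

# hab_layout AUTH_START IMAGE_LEN -> values for the CSF files and step 1.8
hab_layout() {
    start=$(($1)); len=$(($2))
    [ "$len" -gt "$CLEAR_LEN" ] || { echo "image shorter than IVT+DCD" >&2; return 1; }
    printf 'blob_addr=0x%08x\n' $((start + CSF_PAD + len))
    printf 'enc_block=0x%08x 0x%x 0x%x\n' \
        $((start + CLEAR_LEN)) "$CLEAR_LEN" $((len - CLEAR_LEN))
    printf 'pad_to=0x%x\n' $((len + CSF_PAD))
}

# swap_noncemac ENC_CSF SIGN_CSF MAC_BYTES
# Step 1.7 in one dd call, with the offset taken from the real file size.
swap_noncemac() {
    enc_size=$(($(wc -c < "$1"))); sign_size=$(($(wc -c < "$2")))
    # Assumption: the guide uses one offset for both files, so sizes must match.
    [ "$enc_size" -eq "$sign_size" ] || {
        echo "CSF sizes differ: $enc_size vs $sign_size" >&2; return 1; }
    om=$(noncemac_offset "$enc_size" "$3") || return 1
    off=${om% *}; cnt=${om#* }
    # conv=notrunc keeps the rest of the signed CSF untouched
    dd if="$1" of="$2" bs=1 skip="$off" seek="$off" count="$cnt" \
        conv=notrunc 2>/dev/null
}
```

Source the file, then run `hab_layout <auth start> <image length>` and compare its output with the Blocks, Blob Address and --pad-to values in your own CSF files and commands.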