Signing image with second SRK1 does not work for me, while first SRK0 works fine.

1,285 Views
abid_khan1
Contributor II

I have the same problem: signing an image with the second SRK1 does not work for me, while the first SRK0 works fine.

Here are the CSF files I use to sign the image.

####For SRK0 ( which works)####

[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file

# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"

#####CSF file for SRK1, it does not work,######

[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 1 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.pem"

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file

# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"

Is anything missing or incorrect in the CSF file for SRK1? Thanks.

Here is the HAB events report returned by "hab_status".

U-Boot > hab_status

Secure boot disabled

Reporting HAB events HAB_STS_ANY

HAB Configuration[0xf0]: HAB_CFG_OPEN
HAB State[0x66]: HAB_STATE_NONSECURE
0: hStatus 0xf0 bytes 20

--------- HAB Event 1 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
Cmd[0xbe]: HAB_CMD_INS_KEY
KeyIdx[0x03]
Protocol[0x17]: Unknown
Engine[0x01]: Unknown, Cfg[0x00]: Unknown
authentication data address relative to CSF start
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x50
1: hStatus 0xf0 bytes 20

--------- HAB Event 2 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
Cmd[0xbe]: HAB_CMD_INS_KEY
KeyIdx[0x03]
Protocol[0x17]: Unknown
Engine[0x01]: Unknown, Cfg[0x00]: Unknown
authentication data address relative to CSF start
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x50
2: hStatus 0xf0 bytes 20

--------- HAB Event 3 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907400
Length: 0x00000020

3: hStatus 0xf0 bytes 20

--------- HAB Event 4 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x0090742c
Length: 0x00000060

4: hStatus 0xf0 bytes 20

--------- HAB Event 5 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907420
Length: 0x00000001

5: hStatus 0xf0 bytes 20

--------- HAB Event 6 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00908000
Length: 0x00000004

6: hStatus 0xf0 bytes 20

--------- HAB Event 7 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80841000
Length: 0x00000020

7: hStatus 0xf0 bytes 20

--------- HAB Event 8 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80800000
Length: 0x00000004

5 Replies
1,108 Views
Yuri
NXP Employee

Hello,

What is the part number of the i.MX device used in this case?

Regards,

Yuri.

0 Kudos
1,108 Views
abid_khan1
Contributor II

Thank you for the quick response.

I used an IMX6Q-based SolidRun HummingBoard2; the following is /proc/cpuinfo:

processor : 0
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10

processor : 1
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10

processor : 2
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10

processor : 3
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 3.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10

Hardware : Freescale i.MX6 Quad/DualLite (Device Tree)
Revision : 63015
Serial : 0000000000000000

1,108 Views
Yuri
NXP Employee

Hello,

  The issue was checked with 6Q Sabresd board with CST3.1 and L4.14.78_1.0.0_GA uboot. SRK2 works.

Please try using NXP SDP/B board with NXP U-boot.

Regards,

Yuri.

0 Kudos
1,109 Views
abid_khan1
Contributor II

Thank you Yuri. The other keys SRK1-3 also work for me now.

The problem was that only the first SRK0 was present in my SRK_1_2_3_4_table.bin file; the reason was spaces between the SRK certificate key files after "," in the srktool command line used to generate SRK_1_2_3_4_table.bin.

One must pay attention to the instruction in srktool --help that mentions:

"Certificate filenames must be separated by a ','with no spaces"

1,108 Views
Yuri
NXP Employee

Hello,

Please double-check SRK_1_2_3_4_table.bin's size; are all 4 SRK keys in the SRK table?

What is the key length (maybe 2048 bit)?

Regards,

Yuri.
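
Added example (not part of the original thread, and not NXP or CST code): a pre-signing check for the two points raised above, whether all four keys are in the SRK table and whether the CSF's "Source index" exists in it. A one-key table makes index 1 invalid, which is consistent with the HAB_INV_INDEX events reported for HAB_CMD_INS_KEY. The HAB4 table layout used here is an assumption stated in the code comments, and the sample tables are constructed with dummy moduli.

```python
import struct

# Assumed HAB4 SRK table layout: 4-byte header (tag 0xD7, big-endian length,
# version), then one entry per key: tag 0xE1, length, algorithm, 3 reserved
# bytes, flags, modulus length, exponent length, modulus, exponent.
HAB_TAG_CRT = 0xD7
HAB_KEY_PUBLIC = 0xE1

def srk_table_keys(table: bytes):
    """Return [(modulus_bits, exponent), ...], one tuple per key in the table."""
    if len(table) < 4:
        raise ValueError("file too short to be an SRK table")
    tag, length, _version = struct.unpack_from(">BHB", table, 0)
    if tag != HAB_TAG_CRT or length != len(table):
        raise ValueError("bad SRK table header or length/file size mismatch")
    keys, off = [], 4
    while off < length:
        if off + 12 > length:
            raise ValueError(f"truncated key entry at offset {off:#x}")
        ktag, klen, _alg = struct.unpack_from(">BHB", table, off)
        mod_len, exp_len = struct.unpack_from(">HH", table, off + 8)
        if ktag != HAB_KEY_PUBLIC or klen != 12 + mod_len + exp_len or off + klen > length:
            raise ValueError(f"malformed key entry at offset {off:#x}")
        exp_at = off + 12 + mod_len
        keys.append((mod_len * 8, int.from_bytes(table[exp_at:exp_at + exp_len], "big")))
        off += klen
    return keys

def source_index_valid(table: bytes, source_index: int) -> bool:
    """True if the CSF's [Install SRK] 'Source index' names a key in the table."""
    return 0 <= source_index < len(srk_table_keys(table))

def sample_table(n_keys: int, mod_len: int = 512) -> bytes:
    """Constructed table with dummy 4096-bit moduli (not real keys)."""
    exp = (65537).to_bytes(3, "big")
    body = bytes(3) + b"\x80" + struct.pack(">HH", mod_len, len(exp)) + b"\xaa" * mod_len + exp
    entry = struct.pack(">BHB", HAB_KEY_PUBLIC, 4 + len(body), 0x21) + body
    return struct.pack(">BHB", HAB_TAG_CRT, 4 + n_keys * len(entry), 0x40) + entry * n_keys

if __name__ == "__main__":
    for n in (1, 4):  # 1 key: the broken table from the thread; 4 keys: the intended one
        t = sample_table(n)
        print(n, "key(s):", len(t), "bytes,",
              "Source index 1 valid:", source_index_valid(t, 1))
```

To check a real table, pass the bytes of ../crts/SRK_1_2_3_4_table.bin to srk_table_keys() and compare the number of keys returned with the number of certificates given to srktool.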