Signing image with second SRK1 does not work for me, while first SRK0 works fine.

Question asked by Abid Khan on Apr 8, 2019
Latest reply on Apr 12, 2019 by Abid Khan
Branched from an earlier discussion

I have the same problem: signing an image with the second SRK1 does not work for me, while the first SRK0 works fine.

Here are my CSF files used to sign the image.

#### For SRK0 (which works) ####

[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file

# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"

 

#### CSF file for SRK1, it does not work ####

[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 1 # Index of the key location in the SRK table to be installed

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF2_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]


[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG2_1_sha256_4096_65537_v3_usr_crt.pem"

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Sign padded SPL starting at the IVT through to the end with
# length = $FILESIZE (padded SPL length)
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file

# Address Offset Length Data File Path
Blocks = 0x00907400 0x000 0x6c00 "SPL-pad.bin"

 

Is anything missing or incorrect in the CSF file for SRK1? Thanks.

Here is the HAB events report returned by "hab_status".

U-Boot > hab_status

Secure boot disabled

Reporting HAB events HAB_STS_ANY

HAB Configuration[0xf0]: HAB_CFG_OPEN
HAB State[0x66]: HAB_STATE_NONSECURE
0: hStatus 0xf0 bytes 20

--------- HAB Event 1 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
Cmd[0xbe]: HAB_CMD_INS_KEY
KeyIdx[0x03]
Protocol[0x17]: Unknown
Engine[0x01]: Unknown, Cfg[0x00]: Unknown
authentication data address relative to CSF start
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x50
1: hStatus 0xf0 bytes 20

--------- HAB Event 2 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0f]: HAB_INV_INDEX
Context[0xc0]: HAB_CTX_COMMAND
Engine[0x00]: HAB_ENG_ANY
Cmd[0xbe]: HAB_CMD_INS_KEY
KeyIdx[0x03]
Protocol[0x17]: Unknown
Engine[0x01]: Unknown, Cfg[0x00]: Unknown
authentication data address relative to CSF start
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x50
2: hStatus 0xf0 bytes 20

--------- HAB Event 3 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907400
Length: 0x00000020

3: hStatus 0xf0 bytes 20

--------- HAB Event 4 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x0090742c
Length: 0x00000060

4: hStatus 0xf0 bytes 20

--------- HAB Event 5 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00907420
Length: 0x00000001

5: hStatus 0xf0 bytes 20

--------- HAB Event 6 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x00908000
Length: 0x00000004

6: hStatus 0xf0 bytes 20

--------- HAB Event 7 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80841000
Length: 0x00000020

7: hStatus 0xf0 bytes 20

--------- HAB Event 8 -----------------
event data:
Status[0x33]: HAB_FAILURE
Reason[0x0c]: HAB_INV_ASSERTION
Context[0xa0]: HAB_CTX_ASSERT
Engine[0x00]: HAB_ENG_ANY
Event 1 Address: 0x80800000
Length: 0x00000004
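
An added example, not part of the original post: a small decoder for the raw bytes that `hab_status` prints under Events 1 and 2, to identify which CSF section the failing `HAB_CMD_INS_KEY` came from. The field layout (tag, length, flags, protocol, algorithm, source index, target index, key data offset), the constant names and the mapping back to a CSF section are assumptions based on the HAB4 Install Key command format; the helper names are hypothetical.

```python
import re
import struct

# Raw bytes copied from "HAB Event 1" in the hab_status output above.
EVENT_DUMP = """
0xbe 0x00 0x0c 0x00 0x03 0x17 0x01 0x00
0x00 0x00 0x00 0x50
"""

# Assumed HAB4 constants; only the values relevant to this dump are listed.
HAB_CMD_INS_KEY = 0xBE
PROTOCOLS = {0x03: "HAB_PCL_SRK", 0x09: "HAB_PCL_X509", 0xC5: "HAB_PCL_CMS"}
ALGORITHMS = {0x17: "HAB_ALG_SHA256"}


def parse_hex_dump(text):
    """Turn the 0xNN tokens of a hab_status data dump into bytes.

    Longer values such as 0x00907400 are ignored, so whole event
    blocks can be pasted in without editing.
    """
    return bytes(int(t, 16) for t in re.findall(r"\b0x([0-9a-fA-F]{2})\b", text))


def decode_install_key(raw):
    """Decode the fixed 12-byte part of an Install Key command (big-endian)."""
    if len(raw) < 12:
        raise ValueError("need at least 12 bytes for an Install Key command")
    tag, length, flags, pcl, alg, src, tgt, key_dat = struct.unpack(
        ">BHBBBBBI", raw[:12])
    if tag != HAB_CMD_INS_KEY:
        raise ValueError(f"tag 0x{tag:02x} is not HAB_CMD_INS_KEY")
    return {
        "length": length,
        "flags": flags,
        "protocol": PROTOCOLS.get(pcl, f"unknown (0x{pcl:02x})"),
        "algorithm": ALGORITHMS.get(alg, f"unknown (0x{alg:02x})"),
        "source_index": src,       # [Install SRK] "Source index"
        "target_index": tgt,       # key slot the key is installed into
        "key_data_offset": key_dat,  # offset relative to CSF start
    }


def csf_section(cmd):
    """Map a decoded command to the CSF section that emits it (assumed mapping)."""
    if cmd["protocol"] == "HAB_PCL_SRK":
        return "[Install SRK]"
    return "[Install CSFK] or [Install Key]"


if __name__ == "__main__":
    cmd = decode_install_key(parse_hex_dump(EVENT_DUMP))
    print(csf_section(cmd), cmd)
```

Under these assumptions the failing command decodes to the `[Install SRK]` step with source index 1 and target slot 0, which matches `Source index = 1` in the second CSF file.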
