
imx6ULL HAB events

Question asked by Parthiban Nallathambi on Apr 21, 2019
Latest reply on Apr 25, 2019 by Yuri Muhin

I am currently trying to set up secure boot on my i.MX6ULL-based Variscite development kit. But even after flashing the correct key and certificates, I still see HAB events. Please find below the details of my system and the software I am using.

 

I see that U-Boot boots fine (enforced HAB checking in arch/arm/mach-imx/hab.c) without any major errors and also boots the Linux kernel fitImage without errors. But hab_status reports many HAB events. Please help me find what I am missing here. Thanks in advance.

 

CST version : 3.1.0

 

SPL.csf:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "crts/CSF1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "crts/IMG1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x00907400 0x00000000 0x00008c00 "SPL"

[Unlock]
Engine = CAAM
Features = RNG

 

uboot.csf:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "crts/CSF1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "crts/IMG1_1_sha256_secp521r1_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x85ffffc0 0x0000 0x00065020 "u-boot-ivt.img"

[Unlock]
Engine = CAAM
Features = RNG

 

HAB keys:

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < crts/SRK_1_2_3_4_fuse.bin
0x50D088B0
0x3925CD16
0xE2BBF511
0x4F701D7A
0x6E0D782F
0xE80F43E3
0xFB33850C
0x5FA332B8

 

Fusing keys in u-boot 2019.04:

=> fuse prog -y 3 0 0x50D088B0
Programming bank 3 word 0x00000000 to 0x50d088b0...
=> fuse prog -y 3 1 0x3925CD16
Programming bank 3 word 0x00000001 to 0x3925cd16...
=> fuse prog -y 3 2 0xE2BBF511
Programming bank 3 word 0x00000002 to 0xe2bbf511...
=> fuse prog -y 3 3 0x4F701D7A
Programming bank 3 word 0x00000003 to 0x4f701d7a...
=> fuse prog -y 3 4 0x6E0D782F
Programming bank 3 word 0x00000004 to 0x6e0d782f...
=> fuse prog -y 3 5 0xE80F43E3
Programming bank 3 word 0x00000005 to 0xe80f43e3...
=> fuse prog -y 3 6 0xFB33850C
Programming bank 3 word 0x00000006 to 0xfb33850c...
=> fuse prog -y 3 7 0x5FA332B8
Programming bank 3 word 0x00000007 to 0x5fa332b8...

 

HAB events:

=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x02 0x94

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x90 0x80 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
0x00 0x00 0x02 0x94

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x06 0x4f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x86 0x00 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 

u-boot boot log:
Trying to boot from MMC1
hab fuse not enabled

Authenticate image from DDR location 0x85ffffc0...

ivt_offset = 0x65000, ivt addr = 0x86064fc0
ivt entry = 0x86000000, dcd = 0x00000000, csf = 0x86064fe0
Dumping IVT
86064fc0: 402000d1 86000000 0 0 .. @............
86064fd0: 0 86064fc0 86064fe0 0 .....O...O......
Dumping CSF Header
86064fe0: 415000d4 c00be 1703 50000000 ..PA...........P
86064ff0: 20c00be 1000009 94020000 c00ca ................
86065000: ffc501 e0040000 c00be 2000009 ................
86065010: 68060000 1400ca ffc502 b4080000 ...h............

Calling authenticate_image in ROM
ivt_offset = 0x65000
start = 0x85ffffc0
bytes = 0x67020

CPU: Freescale i.MX6ULL rev1.1 900 MHz (running at 396 MHz)
CPU: Commercial temperature grade (0C to 95C) at 40C
Reset cause: POR
Model: Variscite DART-6UL Evaluation Kit
Board: Variscite DART-6UL Evaluation Kit
DRAM: 512 MiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1
In: serial@02020000
Out: serial@02020000
Err: serial@02020000
Net:
Warning: ethernet@020b4000 using MAC address from ROM

Warning: ethernet@02188000 using MAC address from ROM
eth1: ethernet@020b4000, eth0: ethernet@02188000 [PRIME]
Hit any key to stop autoboot: 0
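
The event dumps above can be decoded field by field and cross-checked against the Blocks lines of the two CSF files. The following is an added example, not part of the original post and not NXP or U-Boot code. It assumes the HAB4 record layout (tag 0xdb, 16-bit length, version byte, then STS/RSN/CTX/ENG) and reads the assertion payload as type, address and length; parse_event, covering_block and BLOCKS are hypothetical names.

```python
import struct

# Name tables limited to the codes that appear in the hab_status output above.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x21: "HAB_INV_CERTIFICATE", 0x0C: "HAB_INV_ASSERTION"}
CTX = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}
CMD = {0xBE: "Install Key", 0xCA: "Authenticate Data"}  # CSF command tags

def parse_event(dump):
    """Decode one 'event data:' dump (whitespace-separated 0x.. bytes)."""
    raw = bytes(int(tok, 16) for tok in dump.split())
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    ev = {"version": version, "sts": STS.get(sts, hex(sts)),
          "rsn": RSN.get(rsn, hex(rsn)), "ctx": CTX.get(ctx, hex(ctx)), "eng": eng}
    body = raw[8:]
    if ctx == 0xA0 and len(body) == 12:
        # Assumed layout: assertion type, start address, byte count (big-endian).
        _type, ev["addr"], ev["size"] = struct.unpack(">III", body)
    elif ctx == 0xC0 and len(body) >= 3:
        # Assumed layout: a copy of the CSF command that failed (tag, 16-bit length).
        ev["command"] = CMD.get(body[0], hex(body[0]))
        ev["command_len"] = int.from_bytes(body[1:3], "big")
    return ev

def covering_block(ev, blocks):
    """Name of the Authenticate Data block that contains an asserted region."""
    for name, (start, size) in blocks.items():
        if start <= ev["addr"] and ev["addr"] + ev["size"] <= start + size:
            return name
    return None

# Load address and length copied from the Blocks lines of SPL.csf and uboot.csf.
BLOCKS = {"SPL": (0x00907400, 0x8C00), "u-boot-ivt.img": (0x85FFFFC0, 0x65020)}

# Events 1, 2 and 6 copied from the hab_status output above.
EVENT_1 = "0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00 0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01 0x00 0x00 0x02 0x94"
EVENT_2 = "0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x90 0x74 0x00 0x00 0x00 0x00 0x20"
EVENT_6 = "0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x86 0x06 0x4f 0xc0 0x00 0x00 0x00 0x20"

if __name__ == "__main__":
    for dump in (EVENT_1, EVENT_2, EVENT_6):
        ev = parse_event(dump)
        print(ev, covering_block(ev, BLOCKS) if "addr" in ev else "")
```

Run on the dumps above, the HAB_INV_CERTIFICATE events carry an Install Key command, and the asserted regions in events 2 and 6 fall inside the SPL and u-boot-ivt.img block ranges listed in the CSF files.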
