
HAB u-boot cannot boot

Question asked by Gaston Bassi on Jul 19, 2019
Latest reply on Jul 22, 2019 by igorpadykov

Hello, I am having trouble trying to boot with HAB (secure) nand u-boot.

 

I downloaded the u-boot git from official Toradex repo: git://git.toradex.com/u-boot-toradex.git (branch 2016.11-toradex)

After compiling u-boot-nand.imx successfully for imx6ullevk, I followed all the steps and my board cannot boot and no output appears at the serial debug port, so I cannot even tell what's wrong.

How can I debug u-boot to at least see what's wrong?

Note: If I compile and install without HAB features, it works OK.

Environment:

Colibri iMX6ULL 512MB
Aster V1.1B

 

Steps:

(Based on AN4581.pdf and other tutorials)

 

Download u-boot-toradex from git

    $: cd && git clone git://git.toradex.com/u-boot-toradex.git
    $: cd u-boot-toradex/
    $: git checkout 2016.11-toradex
    $: export ARCH=arm
    $: export CROSS_COMPILE=arm-linux-gnueabihf-
    $: make colibri-imx6ull_defconfig

Add security features to .config file

    CONFIG_SECURE_BOOT=y

Compile!

    $: make V=1

Take note of the output

    Image Type:   Freescale IMX Boot Image
    Image Ver:    2 (i.MX53/6/7 compatible)
    Mode:         DCD
    Data Size:    569344 Bytes = 556.00 kB = 0.54 MB
    Load Address: 877ff420
    Entry Point:  87800000
    HAB Blocks:   877ff400 00000000 00088c00

Check that hab_status command is present in the .imx file

    $: strings u-boot-nand.imx |grep hab

    hab exit function fail
    hab entry function fail
    hab fuse not enabled
    hab_auth_img
    hab_status

Copy the secure u-boot to cst environment

    $: cp u-boot-nand.imx ~/cst/release/linux64/bin/

Create CSF file (using HAB blocks info)

    $: cd ~/cst/release/linux64/bin/
    $: nano csf-uboot

    [Header]
    Version = 4.2
    Hash Algorithm = sha256
    Engine = SW
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    [Install SRK]
    File = "../../crts/SRK_1_2_3_4_table.bin"
    # Index of the key location in the SRK table to be installed
    Source index = 0
    [Install CSFK]
    # Key used to authenticate the CSF data
    File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
    [Authenticate CSF]
    [Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target Index = 2
    # Key to install
    File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
    [Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    #    Address        Offset    Length    Data File Path
    Blocks = 0x877ff400    0x000    0x88c00    "u-boot-nand.imx"

  • I saw I had the IVT with an offset of 0x400, I changed that in the CSF file but it still didn't work

Generate the CSF binary signature

    $: ./cst --o csf-uboot.bin --i csf-uboot

Attach CSF signature to U-Boot image

The CSF binary data needs to be concatenated to the image.

  • Use the cat command to attach the CSF binary to the end of the image:

    $: cat u-boot-nand.imx csf-uboot-padded.bin > u-boot-nand-signed.imx

Note: u-boot-nand-signed.imx has to be a 4K multiple

Also, I did this: Pad u-boot-nand-signed.imx to a 4KB multiple (4096 bytes)

 

Thanks Gaston
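
Added example, not part of the original post and not Toradex or NXP code: a Python check that compares a CSF "Blocks" triple (address, offset, length) against the IVT actually found in the image file, which is the kind of mismatch the 0x400 IVT offset mentioned above can cause. The function names are hypothetical, the sample image is constructed from the addresses in the mkimage output above, and the IVT csf pointer value and the rule "length = csf - self" are assumptions.

```python
import struct
from typing import List, NamedTuple

class Ivt(NamedTuple):
    offset: int      # file offset where the IVT was found
    entry: int
    self_addr: int   # load address of the IVT itself
    csf: int         # load address where the CSF is expected

def find_ivt(image: bytes, step: int = 0x400, limit: int = 0x2000) -> Ivt:
    """Scan 1 KB boundaries for an IVT header: tag 0xD1, length 0x0020, version 0x4x."""
    for off in range(0, min(limit, len(image) - 32) + 1, step):
        tag, length, ver = struct.unpack_from(">BHB", image, off)  # header is big-endian
        if tag == 0xD1 and length == 0x20 and ver & 0xF0 == 0x40:
            # entry, reserved, dcd, boot_data, self, csf, reserved (little-endian words)
            entry, _, _, _, self_addr, csf, _ = struct.unpack_from("<7I", image, off + 4)
            return Ivt(off, entry, self_addr, csf)
    raise ValueError("no IVT header found")

def check_blocks(image: bytes, addr: int, offset: int, length: int) -> List[str]:
    """Compare one CSF 'Blocks' triple with the IVT in the file; return the mismatches."""
    ivt, problems = find_ivt(image), []
    if addr != ivt.self_addr:
        problems.append(f"address {addr:#x} != IVT self {ivt.self_addr:#x}")
    if offset != ivt.offset:
        problems.append(f"offset {offset:#x} != IVT file offset {ivt.offset:#x}")
    if ivt.csf == 0:
        problems.append("IVT csf pointer is 0: image has no CSF pointer")
    elif length != ivt.csf - ivt.self_addr:  # assumption: signed block ends where the CSF starts
        problems.append(f"length {length:#x} != csf - self {ivt.csf - ivt.self_addr:#x}")
    if offset + length > len(image):
        problems.append("block runs past the end of the file")
    return problems

def sample_image() -> bytes:
    """Constructed stand-in for u-boot-nand.imx: 0x400 pad, IVT, zero-filled body."""
    ivt = struct.pack(">BHB", 0xD1, 0x20, 0x40) + struct.pack(
        "<7I", 0x87800000, 0, 0x877FF42C, 0x877FF420, 0x877FF400, 0x87888000, 0)
    return bytes(0x400) + ivt + bytes(0x88C00 - len(ivt))

if __name__ == "__main__":
    img = sample_image()
    for triple in [(0x877FF400, 0x000, 0x88C00), (0x877FF400, 0x400, 0x88C00)]:
        print([hex(v) for v in triple], check_blocks(img, *triple) or "consistent")
```

To run it on a real build, read the file with `open("u-boot-nand.imx", "rb").read()` and pass the three numbers from the CSF `Blocks` line.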
