Hello, I am having trouble trying to boot with HAB (secure) nand u-boot.
I downloaded the u-boot git from official Toradex repo: git://git.toradex.com/u-boot-toradex.git (branch 2016.11-toradex)
After compiling u-boot-nand.imx successfully for imx6ullevk, I followed all the steps and my board cannot boot and no output appears at serial debug port, so I cannot even tell what's wrong.
How can I debug u-boot to at least see what's wrong?
Note: If I compile and install without HAB features, it works OK.
Environment:
Colibri iMX6ULL 512MB
Aster V1.1B
Steps:
(Based on AN4581.pdf and other tutorials)
Download u-boot-toradex from git
$: cd && git clone git://git.toradex.com/u-boot-toradex.git
$: cd u-boot-toradex/
$: git checkout 2016.11-toradex
$: export ARCH=arm
$: export CROSS_COMPILE=arm-linux-gnueabihf-
$: make colibri-imx6ull_defconfig
Add security features to .config file
CONFIG_SECURE_BOOT=y
Compile!
$: make V=1
Take note of the output
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 569344 Bytes = 556.00 kB = 0.54 MB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 00088c00
Check that the hab_status command is present in the .imx file
$: strings u-boot-nand.imx |grep hab
hab exit function fail
hab entry function fail
hab fuse not enabled
hab_auth_img
hab_status
Copy the secure u-boot to cst environment
$: cp u-boot-nand.imx ~/cst/release/linux64/bin/
Create CSF file (using HAB blocks info)
$: cd ~/cst/release/linux64/bin/
$: nano csf-uboot
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x000 0x88c00 "u-boot-nand.imx"
Generate the CSF binary signature
$: ./cst --o csf-uboot.bin --i csf-uboot
Attach CSF signature to U-Boot image
The CSF binary data needs to be concatenated to the image.
• Use the cat command to attach the CSF binary to the end of the image:
$: cat u-boot-nand.imx csf-uboot-padded.bin > u-boot-nand-signed.imx
Note: u-boot-nand-signed.imx has to be a 4K multiple
Also, I did this: Pad u-boot-nand-signed.imx to a 4KB multiple (4096 bytes)
Thanks,
Gaston
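
An added example, not part of the original post or of the Toradex/NXP tooling: a Python check that locates the IVT inside an .imx file, derives the `Blocks` triple (address, file offset, length) from the IVT's self and csf pointers, and checks that a CSF header (tag 0xD4) sits where the IVT points and that the file is a 4K multiple. The function names and the sample image are constructed for illustration; the sample's IVT offset of 0x400 is an assumption chosen to show a non-zero file offset.

```python
import struct

# IVT: 4-byte header, then entry, reserved1, dcd, boot_data, self, csf, reserved2
IVT_FMT = "<4s7I"

def find_ivt(image: bytes) -> int:
    """File offset of the first IVT header: tag 0xD1, length 0x0020, version 0x4x."""
    for off in range(0, len(image) - 31, 4):
        if (image[off] == 0xD1 and image[off + 1:off + 3] == b"\x00\x20"
                and image[off + 3] >> 4 == 0x4):
            return off
    raise ValueError("no IVT header found")

def hab_layout(image: bytes) -> dict:
    """Derive the CSF 'Blocks' triple and check where the CSF should sit."""
    off = find_ivt(image)
    _h, entry, _r1, _dcd, _bd, self_addr, csf, _r2 = struct.unpack_from(IVT_FMT, image, off)
    if csf == 0:
        raise ValueError("IVT csf pointer is 0: image not built with HAB support")
    length = csf - self_addr            # bytes covered from the IVT up to the CSF
    csf_off = off + length              # where the CSF must start inside the file
    return {
        "ivt_offset": off,
        "entry": entry,
        "blocks": (self_addr, off, length),   # address, file offset, length
        "csf_file_offset": csf_off,
        "csf_present": len(image) > csf_off and image[csf_off] == 0xD4,  # CSF tag
        "is_4k_multiple": len(image) % 4096 == 0,
    }

def sample_image(ivt_off: int = 0x400, signed_len: int = 0x88C00) -> bytes:
    """Constructed test image (not a real U-Boot): padding + IVT/body + dummy CSF."""
    self_addr = 0x877FF400
    ivt = struct.pack(IVT_FMT, b"\xd1\x00\x20\x40", 0x87800000, 0, 0,
                      self_addr + 0x20, self_addr, self_addr + signed_len, 0)
    csf = b"\xd4\x00\x50\x42".ljust(0x2000, b"\x00")
    return b"\x00" * ivt_off + ivt.ljust(signed_len, b"\x00") + csf

if __name__ == "__main__":
    info = hab_layout(sample_image())
    print('Blocks = 0x%08x 0x%x 0x%x "<image file>"' % info["blocks"])
    print({k: v for k, v in info.items() if k != "blocks"})
```

To check a real build, pass the bytes of the unsigned and the signed image to `hab_layout` and compare the reported triple with the `Blocks` line in the CSF file.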