Secure Boot on imx6ul

Question asked by prabhunath Gupta on Jan 7, 2020
Latest reply on Jan 7, 2020 by prabhunath Gupta

Hi NXP team,

 

I am currently working on enabling a secure boot in the imx6ul using HABv4. I have followed all the steps which are mentioned in https://www.nxp.com/docs/en/application-note/AN4581.pdf.

 

Please find below the detailed steps which I have performed to enable secure boot.

1. I am using cst-2.3.2 for generating the PKI tree as below.

      Go into the key directory and run the script below

     ./hab4_pki_tree.sh
      Do you want to use an existing CA key (y/n)?: n
      Do you want to use Elliptic Curve Cryptography (y/n)?: n
      Enter key length in bits for PKI tree: 4096
      Enter PKI tree duration (years): 4
      How many Super Root Keys should be generated? 4
      Do you want the SRK certificates to have the CA flag set? (y/n)?: y

 

2. Went into the crts directory and followed the step below to generate the SRK table.

      ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem

 

3. Fuse the hash value of the SRK table on-chip as below.

         hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

         0x9D60B98F
         0xAB246CEF
         0x7B02E64A
         0x7B5FA5DD
         0x885CAEEF
         0x7D09B391
         0x79B8B60D
         0xBBB2A18

 

         fuse prog 3 0 0x9D60B98F
         fuse prog 3 1 0xAB246CEF
         fuse prog 3 2 0x7B02E64A
         fuse prog 3 3 0x7B5FA5DD
         fuse prog 3 4 0x885CAEEF
         fuse prog 3 5 0x7D09B391
         fuse prog 3 6 0x79B8B60D
         fuse prog 3 7 0xBBB2A18

 

4. Added CONFIG_SECURE_BOOT=y in the u-boot (imx_v2017.03_4.9.11_1.0.0_ga) defconfig file, compiled u-boot and got the details below from the compilation log.

         u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
         Image Ver: 2 (i.MX53/6/7 compatible)
         Mode: DCD
         Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
         Load Address: 877ff420
         Entry Point: 87800000
         HAB Blocks: 877ff400 00000000 0006dc00
         DCD Blocks: 00910000 0000002c 000001e8

 

5. Prepared the CSF file as below.

      [Header]
      Version = 4.1
      Security Configuration = Open
      Hash Algorithm = sha256
      Engine Configuration = 0
      Certificate Format = X509
      Signature Format = CMS
      Engine = CAAM

      [Install SRK]
      File = "../crts/SRK_1_2_3_4_table.bin"
      Source index = 0

      [Install CSFK]
      File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate CSF]

      [Install Key]
      # Key slot index used to authenticate the key to be installed
      Verification index = 0
      # Key to install
      Target index = 2
      File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

      [Authenticate Data]
      Verification index = 2
      #_ivt_self offset _ad_size
      Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot-pad.imx", \
                     0x00910000 0x0000002c 0x000001e8 "./u-boot-pad.imx"

 

6. I have tried the following different approaches for secure boot but have not been able to get any success.

First approach

  •  As my "u-boot.imx" file size is 449536 bytes (0x6DC00), I have padded it up to 450560 bytes (0x6E000) as

                  objcopy -I binary -O binary --pad-to=0x6E000 --gap-fill=0x00 u-boot.imx u-boot-pad.imx

  •  Clear DCD address using "./mod_4_mfgtool.sh" available in the "AN4581.pdf" file.

                     ./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.imx

  •  Generating the csf bin file as below

                     ./cst -o u-boot-csf.bin -i u-boot.csf

  • Set DCD address

                     ./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.imx

  • Padded csf binary up to 0x4000 as per "AN4581.pdf and imximage.cfg" files.

                     objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x00 u-boot-csf.bin u-boot-csf-pad.bin

  • Append CSF binary to u-boot image.

                     cat u-boot-pad.imx u-boot-csf-pad.bin > u-boot-sec.imx

  • Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

Got below HAB events using hab_status command.      

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 

Second approach

  • Change the Authenticate data command in the CSF file.

         [Authenticate Data] 
         Verification index = 2 
         #_ivt_self offset _ad_size 
         Blocks = 0x877ff400 0x00000000 0x0006DC00 "./u-boot.imx", \ 
                         0x00910000 0x0000002c 0x000001e8 "./u-boot.imx" 

  •  Clear DCD address using "./mod_4_mfgtool.sh" available in the "AN4581.pdf" file.

                     ./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx

  •  Generating the csf bin file as below

                     ./cst -o u-boot-csf.bin -i u-boot.csf

  • Set DCD address

                     ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx

  •  Append CSF binary to u-boot image.

      cat u-boot.imx u-boot-csf.bin > u-boot-intmed.imx

    • Padded final signed image up to

                         objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-intmed.imx u-boot-sec.imx

    • Flashed this "u-boot-sec.imx" on the emmc using mfgtool.

    Got the same HAB events as per approach #1

     

    Actually, I have gone through the HAB and CST user guides to debug the above issue but was not able to fix it. So please help me to fix this issue.

     

    I am using the Mfg tool for flashing the u-boot binary to the eMMC; please find the Mfg tool script attached.

    Do I need any changes in the MFG tool script for the secure boot?

    Do I need to set any other fuse bit or register for the secure boot?

    Can we update the new hash values of the SRK table on SRK fuses?

    What did I miss in the above two approaches?

     

    After compilation of u-boot, I got the images below

    3449176 Jan 7 21:57 u-boot
    445213 Jan 7 21:57 u-boot.bin
    12462 Jan 7 21:57 u-boot.cfg
    445213 Jan 7 21:57 u-boot-dtb.bin
    449536 Jan 7 21:57 u-boot.imx
    559946 Jan 7 21:57 u-boot.map
    414768 Jan 7 21:57 u-boot-nodtb.bin
    449536 Jan 7 21:57 u-boot-sd.imx
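
Added example, not part of the original post and not NXP or U-Boot code: a small decoder for the `hab_status` event records quoted above, which maps each failed assertion back to the addresses in the build log. The code names are the ones printed in the post; reading the 12 bytes after the 8-byte header as type, address and length for `HAB_INV_ASSERTION` events is an assumption, consistent with the `_ivt_self`, DCD offset, Load Address and Entry Point values on this page.

```python
import re
import struct

# Names limited to the codes printed in the post's hab_status output.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x21: "HAB_INV_CERTIFICATE"}
CONTEXT = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}

# Addresses taken from the post's U-Boot build log and CSF.
REGIONS = {
    0x877FF400: "start of HAB block (IVT)",
    0x877FF400 + 0x2C: "DCD",
    0x877FF420: "Load Address",
    0x87800000: "Entry Point",
}

# Events 2 and 5, copied from the post.
EVENT_2 = """0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8"""
EVENT_5 = """0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50"""

def parse_event(text):
    """Decode one 'event data' dump of 0x.. byte tokens into a dict."""
    raw = bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{2})\b", text))
    if len(raw) < 8:
        raise ValueError("event record too short")
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    event = {
        "version": f"{version >> 4}.{version & 0xF}",
        "status": STATUS.get(sts, hex(sts)),
        "reason": REASON.get(rsn, hex(rsn)),
        "context": CONTEXT.get(ctx, hex(ctx)),
        "engine": eng,
        "data": raw[8:],
    }
    # Assumed layout for assertion events: type, address, length (big-endian).
    if rsn == 0x0C and len(raw) == 20:
        _, addr, size = struct.unpack(">III", raw[8:])
        event.update(address=addr, length=size,
                     region=REGIONS.get(addr, "unknown"))
    return event

if __name__ == "__main__":
    for dump in (EVENT_2, EVENT_5):
        print(parse_event(dump))
```

Events whose reason is not `HAB_INV_ASSERTION` are returned with their trailing bytes untouched in `data`, since their layout differs.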
