
Secure boot support in imx6ul

Question asked by prabhunath Gupta on Jan 10, 2020
Latest reply on Jan 13, 2020 by Kanimozhi Thangappan

Hi NXP team,

 

I am currently working on enabling secure boot support on an imx6ul-based custom board. I have read all the documents regarding secure boot support in imx6ul (AN4581.pdf, HAB4_API.pdf, HABCST_UG.pdf, MX6UL Secure Boot DOC-333674.pdf, etc.).

 

I didn't get the two documents below, which are mentioned in "MX6UL Secure Boot DOC-333674.pdf" for the steps to enable HAB and verify the function. You can share those documents as we have an NDA.

https://community.freescale.com/docs/DOC-96451 

https://community.freescale.com/docs/DOC-275249

 

I have followed the steps below as per the documents but have not been able to get any success. Please help me figure out the root cause.

  1. Followed the CST user guide to generate the PKI tree and SRK tables, and programmed the SRK hash into the fuse registers as below.
    • Log in on the imx6ul custom board, then write the SRK hash to the fuse registers.
      • echo 0xFEA39D1C > /sys/fsl_otp/HW_OCOTP_SRK0
      • echo 0x80EA23E4 > /sys/fsl_otp/HW_OCOTP_SRK1
      • echo 0x630F3E1E > /sys/fsl_otp/HW_OCOTP_SRK2
      • echo 0x6ECFC2E4 > /sys/fsl_otp/HW_OCOTP_SRK3
      • echo 0xCC8479A6 > /sys/fsl_otp/HW_OCOTP_SRK4
      • echo 0xA964111  > /sys/fsl_otp/HW_OCOTP_SRK5
      • echo 0x239A0E94 > /sys/fsl_otp/HW_OCOTP_SRK6
      • echo 0xECD0C737 > /sys/fsl_otp/HW_OCOTP_SRK7
    • Verify the hash value on u-boot console as below
      • => fuse read 3 0 8
        Reading bank 3:

        Word 0x00000000: fea39d1c 80ea23e4 630f3e1e 6ecfc2e4
        Word 0x00000004: cc8479a6 0a964111 239a0e94 ecd0c737

    • I have not updated any other fuse register for secure boot. So my question is: do I need to update any fuse register other than the SRK hash fuses?
  2. I have added "CONFIG_SECURE_BOOT=y" to my u-boot defconfig file and built it. You can find my u-boot compilation log below.

    u-boot-imx-2017.03-r0 do_compile: ./tools/mkimage -n board/freescale/centauri/imximage.cfg.cfgtmp -T imximage -e 0x87800000 -d u-boot.bin u-boot.imx

    u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
    Image Ver: 2 (i.MX53/6/7 compatible)
    Mode: DCD
    Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
    Load Address: 877ff420
    Entry Point: 87800000
    HAB Blocks: 877ff400 00000000 0006dc00
    DCD Blocks: 00910000 0000002c 000001e8

    Here, my question is: are any other changes required in u-boot for secure boot?
  3. Prepared the CSF file as attached. You can see that I have used both HAB and DCD blocks in the "[Authenticate Data]" command. Is there anything missing in the attached CSF file?
  4. I am using mfg-tool for flashing the u-boot in eMMC. So I have prepared a signed image using the below commands.
    • ./mod_4_mfgtool.sh clear_dcd_addr u-boot.imx
    • ./cst -o u-boot-csf.bin -i u-boot.csf (CST version "2.3.2")
    • ./mod_4_mfgtool.sh set_dcd_addr u-boot.imx
    • cat u-boot.imx u-boot-csf.bin > u-boot-sec.imx
    • Then I padded the signed image up to "0x72000" (466944 bytes) in length, as per the "Data Size" available in the u-boot compilation log.
      • objcopy -I binary -O binary --pad-to 0x72000 --gap-fill=0x00 u-boot-sec.imx u-boot-sec-pad.imx

      Is my understanding of the padding correct, and have I used the proper padding for my u-boot image?

    • Copy u-boot-sec-pad.imx into the mfg tool's "mfgtools-imx6ul\Profiles\Linux\OS Firmware\files\" directory and keep the older u-boot in "mfgtools-imx6ul\Profiles\Linux\OS Firmware\firmware\". I didn't change anything in the mfg-tool, so my question is: do I need any changes in the mfg-tool for secure boot?

    You can find my u-boot.imx, u-boot-csf.bin, mod_4_mfgtool.sh, u-boot-sec-pad.imx and mfg tool script in the attachment.

  5. I got the status below using the hab_status command. I have tried different ways to fix it but have not been able to. So please let me know what is missing in the steps for secure boot.

  • => hab_status

    Secure boot disabled

    HAB Configuration: 0xf0, HAB State: 0x66

    --------- HAB Event 1 -----------------
    event data:
    0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
    0xca 0x00 0x14 0x00 0x02 0xc5 0x1d 0x00
    0x00 0x00 0x0d 0x44 0x87 0x7f 0xf4 0x00
    0x00 0x06 0xdc 0x00

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_SIGNATURE (0x18)
    CTX = HAB_CTX_COMMAND (0xC0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 2 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
    0x00 0x00 0x00 0x20

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 3 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
    0x00 0x00 0x01 0xe8

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 4 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
    0x00 0x00 0x00 0x01

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)


    --------- HAB Event 5 -----------------
    event data:
    0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
    0x00 0x00 0x00 0x04

    STS = HAB_FAILURE (0x33)
    RSN = HAB_INV_ASSERTION (0x0C)
    CTX = HAB_CTX_ASSERT (0xA0)
    ENG = HAB_ENG_ANY (0x00)

 

 

I have some more queries as below, so please resolve these queries.

  1. Do I pad both u-boot.imx and u-boot-csf.bin file in 4K alignment?
  2. I am using the same mfg tool for both secure and unsecured images. Do I need a separate mfg tool for secure boot?

 

Please Note: I just want to authenticate my u-boot image only, not kernel. So I am using only signed u-boot image and want to get no HAB events found using hab_status command. I don't want an encrypted secure boot for this secure boot.
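
Added example, not part of the original post or of NXP's tooling: a decoder for the hab_status event dumps above that maps each failing address range back to the regions in the mkimage log. The record layout (8-byte header, trailing start/length pair) is an assumption read off the dumps themselves, and decode, REGIONS, HAB_BLOCK and EVENTS are names introduced here.

```python
import struct

# Code names exactly as hab_status printed them in the post.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x18: "HAB_INV_SIGNATURE", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}

# Addresses from the mkimage log in the post.
HAB_BLOCK = (0x877FF400, 0x0006DC00)        # "HAB Blocks" start, length
REGIONS = {
    0x877FF400: "IVT",                      # start of the HAB block
    0x877FF420: "boot data",                # "Load Address"
    0x877FF400 + 0x2C: "DCD",               # "DCD Blocks" offset 0x2c
    0x87800000: "entry point",              # "Entry Point"
}

# The five event dumps from the post, 0x prefixes dropped.
EVENTS = [
    "db 00 1c 42 33 18 c0 00 ca 00 14 00 02 c5 1d 00 "
    "00 00 0d 44 87 7f f4 00 00 06 dc 00",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 2c 00 00 01 e8",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 87 80 00 00 00 00 00 04",
]


def decode(dump):
    """Decode one event record into names, address range and region."""
    raw = bytes.fromhex(dump.replace("0x", ""))
    if len(raw) < 16:
        raise ValueError("truncated HAB event record")
    tag, length, _ver, sts, rsn, ctx, _eng = struct.unpack(">BHBBBBB", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("malformed HAB event record")
    # Assumption: the record ends with a big-endian start/length pair,
    # which holds for both record types shown in the post.
    start, size = struct.unpack(">II", raw[-8:])
    region = "HAB block" if (start, size) == HAB_BLOCK else REGIONS.get(start, "?")
    inside = HAB_BLOCK[0] <= start and start + size <= sum(HAB_BLOCK)
    return {"status": STATUS.get(sts, hex(sts)), "reason": REASON.get(rsn, hex(rsn)),
            "context": CONTEXT.get(ctx, hex(ctx)), "start": start, "size": size,
            "region": region, "inside_hab_block": inside}


if __name__ == "__main__":
    for n, dump in enumerate(EVENTS, 1):
        e = decode(dump)
        print(f"Event {n}: {e['reason']} {e['start']:#010x}+{e['size']:#x} "
              f"({e['region']}, inside HAB block: {e['inside_hab_block']})")
```

On the dumps above, events 2 to 5 resolve to the IVT, DCD, boot data and entry point, all inside the single block that event 1 reports with HAB_INV_SIGNATURE.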

 

 
