hab_auth_img problem

antonio_santagi · ‎03-30-2020

Hello,

I am using imx8mm-evk.

I am trying to sign a Kernel image and verify its signature from u-boot with command hab_auth_img.

I followed the instruction at mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot , chapter 2.

I am not sure I interpreted correctly what in that page they call "load Address" in the genIVT.pl script , is that meaning the Image load address or the IVT load address ?

I filled it in with my image load address. So my genIVT.pl is now :

#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # Signature
print $out pack("V", 0x40480000); # Load Address (*load_address)
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x41AF6000); # Self Pointer (*ivt)
print $out pack("V", 0x41AF6020); # CSF Pointer (*csf)
print $out pack("V", 0x0); # Reserved
close($out);

I considered self pointer to be set to 0x41AF6000 because I calculated that as Load Address + Image size after padding (0x01676000 ) .

+32 bit and I get also CSF pointer .

Is this interpretation correct ?

Now I have the csf_additional.txt :

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x40480000 0x00000000 0x01676000 "Image-imx8mmevk_pad_ivt.bin"

Is this correct ? I put length of file excluding IVT table but including padding. Or should I put length including ivt.bin ( length of the full Image-imx8mmevk_pad_ivt.bin file ) here ? OT excluding both IVT and padding ?

at u-boot prompt then :

u-boot=> fatload mmc 1:1 0x40480000 Image-imx8mmevk_signed.bin

23555936 bytes read in 275 ms (81.7 MiB/s)

u-boot=> hab_auth_img 0x40480000 0x1676000 0x41AF6000

hab fuse not enabled

Authenticate image from DDR location 0x40480000...

bad magic magic=0x0 length=0x00 version=0x0

bad length magic=0x0 length=0x00 version=0x0

bad version magic=0x0 length=0x00 version=0x0

Error: Invalid IVT structure

Allowed IVT structure:

IVT HDR = 0x4X2000D1

IVT ENTRY = 0xXXXXXXXX

IVT RSV1 = 0x0

IVT DCD = 0x0

IVT BOOT_DATA = 0xXXXXXXXX

IVT SELF = 0xXXXXXXXX

IVT CSF = 0xXXXXXXXX

IVT RSV2 = 0x0

I tried also with

u-boot=> hab_auth_img 0x40480000 0x1676F60 0x41AF6000 ( 0x1676F60 is the full file size including ivt part ).

But I got same error

Please see also attachments

gaurav_bankar · ‎10-11-2023

Hello,

I am using a customized board of i.MX8MP and I am stuck at the same point

The loadaddr for imx8mp is 0x40480000

I have the following files generated

I am trying to authenticate the image with

hab_auth_img <kernel load address> <size image+ivt+csf> <ivt offset>

hab_auth_img 0x4048000 0x1471960 0x418f000

where

0x40480000 - loadaddr

0x1471960 - hex value of Image_signed ( Image + ivt + csf )

0x1470000 - hex value of ivt offset ( Image + pad )

But I am still getting error of invalid IVT structure.

Where am I going wrong?

mukunda9g · ‎01-17-2023

hab_auth_img <kernel load address> <size image+ivt+csf> <ivt offset>

u-boot=> hab_auth_img 0x40400000 0x1df0f68 0x1df0000

Authenticate image from DDR location 0x40400000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!

Yuri · ‎03-30-2020

Hello,

1.
The "load Address" in the genIVT.pl is the Image load address.

2.
The diagram below illustrate the Image layout:

                    | File (CSF)                     |
                    |                               |
                    +-----------------------------+
                    |     Padding (optional)      |
                    +-----------------------------+

   Pay attention on the Signed Data - Image, Padding to Image size in header,
and IVT are included in the signed area.

Regards,

Yuri.

antonio_santagi · ‎03-31-2020

Ok I made it working, I had missed the diagram.

wangzheng1 · ‎03-01-2022

hello, i have the same problem, could you tell me how you soved it?

manjunath_bentu · ‎06-20-2020

Hi..it would be helpful If you could let me know the solution...I followed exactly like in document... secure boot is fine but cannot get signed kernel image working... could you please share what you did to make it work...(like csf and genivt file)

antonio_santagi · ‎06-23-2020

just following correctly the document at mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot ,that has the same diagram that was posted up here, should make it working. Following correctly both when signing and when verifying the signatures, I haven't modified anything on that document to make it working.

hab_auth_img problem

hab_auth_img problem

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Security