AnsweredAssumed Answered

Not able to enable Secure boot in imx6ull board

Question asked by Jay Kaneria on Apr 5, 2020
Latest reply on Apr 6, 2020 by igorpadykov

Hi,

I working on the enabling the secure boot on imx6ull processor. I am using menufacturBelow are the steps :

 

1) ./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

 

2) ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c
./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem

 

3) hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0xB32E07F3
0xD67C7B79
0x19BB9B18
0x5A3D8DB4
0x7008B9BC
0x55C5BDC6
0x5FED6EAD
0x1ABDC16A

 

4) Programed all the byte using fuse command on board.
fuse prog 3 0 0xB32E07F3
fuse prog 3 1 0xD67C7B79
fuse prog 3 2 0x19BB9B18
fuse prog 3 3 0x5A3D8DB4
fuse prog 3 4 0x7008B9BC
fuse prog 3 5 0x55C5BDC6
fuse prog 3 6 0x5FED6EAD
fuse prog 3 7 0x1ABDC16A

 

5) Enabled secure boot option in u-boot using CONFIG_SECURE_BOOT=y flag and got block details shown below :
u-boot-imx-2017.03-r0 do_compile: Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 466944 Bytes = 456.00 KiB = 0.45 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 877ff400 00000000 0006dc00
DCD Blocks: 00910000 0000002c 000001e8

 

6) Prepared the CSF file named "csf.txt" as below :

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = SW
Features = RNG

[Install Key]
Verification index = 0
Target index = 2
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0X877FF400 0x0 xxxxxxxx "u-boot-pad.bin", \
0x00910000 0x2c dcdlen "u-boot-pad.bin"

 

7) "mod_4_mfgtool.sh" script is as below :
#!/bin/bash

# DCD address must be cleared for signature, as mfgtool will clear it.
if [ "$1" == "clear_dcd_addr" ]; then
# store the DCD address
dd if=$2 of=dcd_addr.bin bs=1 count=4 skip=12
# generate a NULL address for the DCD
dd if=/dev/zero of=zero.bin bs=1 count=4
# replace the DCD address with the NULL address
dd if=zero.bin of=$2 seek=12 bs=1 conv=notrunc
fi
# DCD address must be set for mfgtool to localize the DCD table.
if [ "$1" == "set_dcd_addr" ]; then
# restore the DCD address with the original address
dd if=dcd_addr.bin of=$2 seek=12 bs=1 conv=notrunc
rm zero.bin
fi

 

8) Now signing u-boot image using "cst_sign" script :

 

#!/bin/bash
#set -xv

if [ ! -f "$1" ] ; then
echo "usage: cst_sign u-boot.bin"
exit 1
fi

file_size=0
get_size()
{
file_size=$(ls -l $1 | awk '{print $5}')
return
}

uboot=$1
#get_size $uboot
#echo "u-boot.bin: $file_size"

temp=$(od -N 4 -t x1 -j 0x14 $1 | head -1|sed -e 's/0000024//g' -e 's/ //g'|tr -d '\n')
ivt_self=$(echo $temp | tac -rs .. | echo "$(tr -d '\n')")
echo "ivt_self: $ivt_self"

temp=$(od -N 4 -t x1 -j 0x18 $1 | head -1|sed -e 's/0000030//g' -e 's/ //g'|tr -d '\n')
ivt_csf=$(echo $temp | tac -rs .. | echo "$(tr -d '\n')")
echo "ivt_csf: $ivt_csf"

temp=$(od -N 2 -t x1 -j 0x2d $1 | head -1|sed -e 's/0000055//g' -e 's/ //g'|tr -d '\n')
temp=$(echo $temp | tac -rs .. | echo "$(tr -d '\n')")
dcd_len=${temp:2:2}${temp:0:2}
echo "dcd_len: $dcd_len"

if [[ 16#$ivt_csf -le 16#$ivt_self ]]; then
echo "uboot ivt is not correct"
exit
fi

pad_size=$((16#$ivt_csf-16#$ivt_self))
echo "pad_size: $pad_size"

objcopy -I binary -O binary --pad-to $((pad_size)) --gap-fill=0xFF $uboot u-boot-pad.bin

./mod_4_mfgtool.sh clear_dcd_addr u-boot-pad.bin

cp csf.txt csf_uboot.txt

sed -i 's/xxxxxxxx/'$((pad_size))'/g' csf_uboot.txt

sed -i 's/dcdlen/'$((16#$dcd_len))'/g' csf_uboot.txt

./cst -o csf_uboot.bin -i csf_uboot.txt

./mod_4_mfgtool.sh set_dcd_addr u-boot-pad.bin

cat u-boot-pad.bin csf_uboot.bin > u-boot-signed.bin

 

9) Flashed signed u-boot image using mfgtool

10) Now, when i check hab_status, i am getting below events :
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x1c 0x00 0x02 0xc5 0xff 0x00
0x00 0x00 0x0d 0x44 0x87 0x7f 0xf4 0x00
0x00 0x06 0xdc 0x00 0x00 0x91 0x00 0x00
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
0x00 0x00 0x01 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 

I have attached my u-boot image without signing it for your reference.

 

Please, help me here. I am not able to solve this issue.

Outcomes