FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

imx8m secure boot

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

imx8m secure boot

‎04-19-2020 12:37 AM
1,044 Views
jonaspersson
Contributor II

Hello,

I'm trying to get secure boot working on an imx8m board but the HAB reports a warning event. I'm _not_ using the multi stage configuration with uboot spl + uboot but only loading a first stage loader into the TCM ram.

SoC: IMX8M quad-lite, 1.0

CST: 3.3.0

imx-mkimage: rel_imx_4.14.98_2.3.0

CSF file:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# This selects which key is used for signing: index = IMG(n-1)
File = ""pki/imx6ul_hab_testkeys/SRK_1_2_3_4_table.bin""
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = ""pki/imx6ul_hab_testkeys/CSF1_1_sha256_4096_65537_v3_usr_crt.pem""

[Authenticate CSF]
# Whole line comment

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
# Key to install
File = ""pki/imx6ul_hab_testkeys/IMG1_1_sha256_4096_65537_v3_usr_crt.pem""


[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7E0FC0 0x1a000 0x22000 "build-pico8ml/pb_pad.imx"

HAB event:

I hab_has_no_errors: configuration: 0xf0, state: 0x66
I hab_has_no_errors: result = 105
W hab_has_no_errors: 1, event data:
0xdb 0x0 0x24 0x43 0x69 0x30 0xe1 0x1d 0x0 0x8 0x0 0x2 0x40 0x0 0x4 0xcc 0x55 0x55 0x0 0x3f 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x5

From what I understand this decodes to:

Header:
0xdb 0x0 0x24 0x43
     -Size---
Event         HAB Version: 4.3


SRCE:
0x69 0x30 0xe1 0x1d
STS  RSN  CTX  ENG
Warning
     HAB_ENG_FAIL
          HAB_CTX_ENTRY
              HAB_ENG_CAAM

0x00 0x08 0x00 0x02
0x40 0x00 0x04 0xcc
0x55 0x55 0x00 0x3f
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x05 
What I'm seeing seems very close to something that is reported in this thread:
But no good explanation was provided beyond the suggestion that it might be related to the CAAM RNG.
I've made the following observations:
1) When loading a signed image with 'uuu' it takes approximately six seconds before the core starts executing the code, indicating that it's stuck in the boot rom for that amount of time. Loading the same code but unsigned boots in less then one second.
2) Corrupting the signature or changing the key index to not match the key results in a few HAB errors; which to me indicates that the signature verification might be working because with the proper signature, key and index I'm only seeing the hab warning.  
Questions:
1) Can someone from NXP shed some light on what's going on with the HAB event I'm seeing
I've studied and followed the relevant documentation found here:
The CST manual
Jonas
Labels (1)
0 Kudos
Reply
3 Replies

‎05-13-2020 11:32 PM
900 Views
Rita_Wang
NXP TechSupport
NXP TechSupport

Yes, you can refer to this mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot 

0 Kudos
Reply

‎05-13-2020 11:48 PM
900 Views
jonaspersson
Contributor II

Did you even read the post/question?

You're linking to a document thats in the original post, how is that supposed to be helpful?

Jonas

0 Kudos
Reply

‎05-14-2020 12:40 AM
900 Views
Rita_Wang
NXP TechSupport
NXP TechSupport

Hi Jonas,

Sorry about the last reply. For i.MX8M secure boot materials are not public, so we can not share you more. If you need you have to sign the NDA with NXP firstly.

Have a nice day

Best Regards

Rita

0 Kudos
Reply