Hello,
I am trying to set up secure boot on my i.MX8MM device.
I end up with an error with the CST tool version 3.3.0:
Error: Cannot open key file CSF1_1_sha256_4096_65537_v3_usr_key.pem
140578450752768:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:563:
140578450752768:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140578450752768:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140578450752768:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:
Undefined error
The procedure I use to create the keys:
Starting from an empty folder containing nothing but the freshly downloaded cst-3.3.0.tgz:
CERTIFICATE_SERIAL_NUMBERS='12345678'
PASS_PHRASE='Test!2020'
BASE_DIR=$PWD
tar xzf cst-3.3.0.tgz
cd $BASE_DIR/release/keys
echo "$CERTIFICATE_SERIAL_NUMBERS" > serial
echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt
./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y
cd $BASE_DIR/release/crts
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
Then I am using this first file: csf_spl.txt
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x2c400 "flash.bin"
and the problem happens when I do:
cd $BASE_DIR/release/linux64/bin/
./cst --o csf_spl.bin --i csf_spl.txt
This is not a path problem, else I would have got a different error message.
I use openssl: OpenSSL 1.1.1f 31 Mar 2020
Any help would be appreciated
Thank you in advance
Best regards
Aurelien BOUIN
Thank you very much YuriMuhin_ng
The problem was in fact that we need to keep the files serial and key_pass.txt in the keys folder.
To be sure to use an old enough version of openssl, I used a docker image; here is the procedure I used:
You need to be in a new folder that contains the file cst-3.3.0.tgz.
cat << 'EOTEOT' > generate-secureboot.sh
#!/bin/sh
# Script that generates almost everything needed to get secure boot (HAB) working
# Aurelien BOUIN
VERSION="1.0.0"
#1.0.0 : Initial version
[ -z "$CERTIFICATE_SERIAL_NUMBERS" ] && CERTIFICATE_SERIAL_NUMBERS='49630111'
[ -z "$PASS_PHRASE" ] && PASS_PHRASE='!CAPTINA!captina'
# wc -c counts the trailing newline, so 8 digits give 9
if [ $(echo $CERTIFICATE_SERIAL_NUMBERS | wc -c) -ne 9 ]
then
echo "$CERTIFICATE_SERIAL_NUMBERS must contain 8 digits"
exit 1
fi
[ -z "$BASE_DIR" ] && BASE_DIR=$PWD
if [ ! -f "$BASE_DIR/cst-3.3.0.tgz" ] ; then
echo "You are missing the tgz package cst-3.3.0.tgz at $BASE_DIR"
exit 1
fi
if [ ! -x "/usr/bin/hexdump" ] ; then
echo "You are missing hexdump in /usr/bin/"
exit 1
fi
cd $BASE_DIR
rm -rf release
tar xzf cst-3.3.0.tgz
cd $BASE_DIR/release/keys
# Create the serial file with an 8-digit content : OpenSSL uses the contents of this file for the certificate serial numbers
echo "$CERTIFICATE_SERIAL_NUMBERS" > serial
# Create the key_pass.txt file that contains the pass phrase protecting the HAB code signing private keys (the same pass phrase on two lines)
echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt
# Create the signature keys
./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y
# Create the SRK table and the fuse binary to be flashed
cd $BASE_DIR/release/crts
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1
# The fuse table generated in the previous section is what needs to be flashed to the device.
cd $BASE_DIR/release/crts
OUTPUT_FUSE_COMMANDS="$BASE_DIR/release/crts/fuse_uboot_commands.sh"
rm -f ${OUTPUT_FUSE_COMMANDS}
echo "# This is what needs to be executed at the U-Boot prompt :"
# One 32-bit word per line, read little-endian, printed as 0xHEX
LIST_OF_FUSES=$(hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin)
# SRK_HASH lives in OCOTP bank 6 words 0-3, then bank 7 words 0-3
PAGE=6
TABLE=0
for one in $LIST_OF_FUSES
do
echo "fuse prog -y $PAGE $TABLE $one" | tee -a ${OUTPUT_FUSE_COMMANDS}
TABLE=$(( TABLE + 1 ))
if [ $TABLE -eq 4 ]; then
TABLE=0
PAGE=7
fi
done
echo "# If No HAB Events Found!" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#Close the device with :" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#fuse prog 1 3 0x02000000" | tee -a ${OUTPUT_FUSE_COMMANDS}
# Collect everything needed later (certificates, keys, fuse commands, cst binary) in one output folder
[ -z "$OUTPUT_DIR" ] && OUTPUT_DIR=${BASE_DIR}/output
rm -rf ${OUTPUT_DIR}
cd $BASE_DIR/release/
mkdir -p ${OUTPUT_DIR}/crts
cp crts/fuse_uboot_commands.sh ${OUTPUT_DIR}/crts
cp crts/*.pem ${OUTPUT_DIR}/crts
cp crts/SRK_1_2_3_4* ${OUTPUT_DIR}/crts
mkdir -p ${OUTPUT_DIR}/keys
cp keys/serial ${OUTPUT_DIR}/keys
cp keys/key_pass.txt ${OUTPUT_DIR}/keys
cp keys/*.pem ${OUTPUT_DIR}/keys
mkdir -p ${OUTPUT_DIR}/tool
cp linux64/bin/cst ${OUTPUT_DIR}/tool/
echo "Output files here : ${OUTPUT_DIR}"
tree ${OUTPUT_DIR}
EOTEOT
chmod +x generate-secureboot.sh
# use CST (3.3.0) with OpenSSL 1.0.2, avoiding any memory leaks : https://community.nxp.com/message/1336997
# Using docker :
docker run --rm -it -v ${PWD}:/root ubuntu:14.04 bash
# Here from the docker shell (already root, and the base image ships no sudo) : we need hexdump and tree to display results
apt-get update && apt-get install -y bsdmainutils tree
cd /root
export BASE_DIR=$PWD
export PASS_PHRASE='Captina!49630'
export CERTIFICATE_SERIAL_NUMBERS='19841985'
./generate-secureboot.sh
The file fuse_uboot_commands.sh provides you the commands to execute at the U-Boot prompt.
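An added example, not code from the thread or from NXP: it does the same job as the hexdump loop in the script above (turn SRK_1_2_3_4_fuse.bin into `fuse prog` lines for bank 6 words 0-3 and bank 7 words 0-3) but refuses to print anything until the fuse file has been checked, because OCOTP fuses are one-time programmable and a wrong word is permanent. Two things are assumed rather than stated on the page: that the fuse file is the 32-byte SHA-256 digest of SRK_1_2_3_4_table.bin (what `srktool -e` writes), and that each fuse word is the little-endian reading of 4 bytes, exactly as hexdump's `%X` produces on an x86 host. The function and file names are mine; the sample bytes are constructed.

```shell
#!/bin/sh
# Added example (not code from the original thread): generate the U-Boot
# fuse commands for the SRK hash after verifying the fuse file.
#
# Assumptions, not stated on the page: SRK_1_2_3_4_fuse.bin is the 32-byte
# SHA-256 digest of SRK_1_2_3_4_table.bin, each 32-bit word is read
# little-endian like hexdump's %X on x86, and SRK_HASH occupies OCOTP bank 6
# words 0-3 then bank 7 words 0-3 as in the script above.

# SHA-256 of a file as 64 lowercase hex characters, with whichever tool exists.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Bytes of a file as lowercase hex, one byte per line (od is POSIX, hexdump is not).
bytes_hex() {
    od -An -v -tx1 "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Reverse helper: hex digits on stdin to raw bytes on stdout, e.g. to rebuild a
# fuse file from a digest string. Octal escapes so it also works under dash.
hex_to_bin() {
    h=$(cat | tr -d ' \n')
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x$(printf '%.2s' "$h")")"
        h=${h#??}
    done
}

# Refuse to continue unless the fuse file is exactly the SHA-256 of the table.
check_srk_hash() {
    table=$1; fuse=$2
    size=$(wc -c < "$fuse")
    if [ "$size" -ne 32 ]; then
        echo "fuse file is $size bytes, expected 32 (SHA-256)" >&2
        return 1
    fi
    want=$(sha256_hex "$table")
    got=$(bytes_hex "$fuse" | tr -d '\n')
    if [ "$want" != "$got" ]; then
        echo "fuse file does not match sha256($table): $got != $want" >&2
        return 1
    fi
}

# Print one "fuse prog -y BANK WORD 0xVALUE" line per 32-bit word: bank 6
# words 0-3, then bank 7 words 0-3. Bytes are prepended while accumulating, so
# the bytes 01 02 03 04 become the little-endian word 0x04030201.
fuse_commands() {
    bytes_hex "$1" | {
        bank=6; word=0; n=0; value=""
        while read -r byte; do
            value="$byte$value"
            n=$((n + 1))
            if [ "$n" -eq 4 ]; then
                printf 'fuse prog -y %d %d 0x%s\n' "$bank" "$word" \
                    "$(printf '%s' "$value" | tr 'a-f' 'A-F')"
                n=0; value=""
                word=$((word + 1))
                if [ "$word" -eq 4 ]; then word=0; bank=7; fi
            fi
        done
    }
}

# Usage: srk_fuse_script SRK_1_2_3_4_table.bin SRK_1_2_3_4_fuse.bin > fuse_uboot_commands.sh
srk_fuse_script() {
    check_srk_hash "$1" "$2" || return 1
    echo "# SRK_HASH fuses for i.MX8MM, generated from $2"
    fuse_commands "$2"
}
```

The SEC_CONFIG line that closes the device (`fuse prog 1 3 0x02000000` in the post) is deliberately not emitted here: burn the SRK hash, boot a signed image, confirm "No HAB Events Found" first, and only then close the device by hand.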
Hello,
please try to use CST (3.3.0) with OpenSSL 1.0.2.
https://community.nxp.com/message/1316736
Regards,
Yuri.