CST 3.3.0 returns Undefined error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CST 3.3.0 returns Undefined error

Jump to solution
2,086 Views
Aurelien_BOUIN
Contributor III

Hello,

I am trying to setup secure boot on my iMX8MM device

I end up with an error with cst tool versio 3.3.0 :

Error: Cannot open key file CSF1_1_sha256_4096_65537_v3_usr_key.pem
140578450752768:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:563:
140578450752768:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140578450752768:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140578450752768:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:142:
Undefined error

The procedure I use to create the keys :

Starting from an empty folder where there is not much than the fresh download cst-3.3.0.tgz :

CERTIFICATE_SERIAL_NUMBERS='12345678'
PASS_PHRASE='Test!2020'
BASE_DIR=$PWD
tar xzf cst-3.3.0.tgz
cd $BASE_DIR/release/keys

echo "$CERTIFICATE_SERIAL_NUMBERS" > serial
echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt

./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y

cd $BASE_DIR/release/crts

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

Then I am using these first file : csf_spl.txt

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x2c400 "flash.bin"

and the problem happen when I do :

cd $BASE_DIR/release/linux64/bin/

./cst --o csf_spl.bin --i csf_spl.txt

This is not a path problem else I would have get a different error message

I use openssl : OpenSSL 1.1.1f  31 Mar 2020

Any help would be appreciated

Thank you by advance

Best regards

Aurelien BOUIN

Tags (2)
1 Solution
1,998 Views
Aurelien_BOUIN
Contributor III

Thank you very much YuriMuhin_ng

The problem was in fact that we need to keep the file serial and key_pass.txt in the keys folder

To be sure to use an enough old version of openssl, I used a docker image, here is the procedure I used :

You need to be into a new folder where you have the file cst-3.3.0.tgz

cat << 'EOTEOT' > generate-secureboot.sh
#!/bin/sh
# Script that generate almost everything to get secure boot HAB working
# Aurelien BOUIN

VERSION="1.0.0"

#1.0.0 : Initial version

[ -z "$CERTIFICATE_SERIAL_NUMBERS" ] && CERTIFICATE_SERIAL_NUMBERS='49630111'
[ -z "$PASS_PHRASE" ] && PASS_PHRASE='!CAPTINA!captina'

if [ $(echo $CERTIFICATE_SERIAL_NUMBERS | wc -c) -ne 9 ]
then
echo "$CERTIFICATE_SERIAL_NUMBERS must contains 8-digit"
exit 1
fi

[ -z "$BASE_DIR" ] && BASE_DIR=$PWD

if [ ! -f "$BASE_DIR/cst-3.3.0.tgz" ] ; then
echo "You are missing the tgz package cst-3.3.0.tgz at $BASE_DIR"
exit 1
fi

if [ ! -x "/usr/bin/hexdump" ] ; then
echo "You are missing hexdump in /usr/bin/"
exit 1
fi

cd $BASE_DIR
rm -rf release
tar xzf cst-3.3.0.tgz

cd $BASE_DIR/release/keys

# Create serial file with an 8-digit content : OpenSSL uses the contents of this file for the certificate serial numbers
echo "$CERTIFICATE_SERIAL_NUMBERS" > serial

# Create key_pass.txt file that contains your pass phrase that will protect the HAB code signing private keys
echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt

# Create the signature keys
./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y

# Create the fuse table and binary to be flashed
cd $BASE_DIR/release/crts
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

# The fuse table generated in the previous section is what needs to be flashed to the device.
cd $BASE_DIR/release/crts
OUTPUT_FUSE_COMMANDS="$BASE_DIR/release/crts/fuse_uboot_commands.sh"
rm -f ${OUTPUT_FUSE_COMMANDS}
echo "# This is what need to be executed on U-Boot prompt :"
LIST_OF_FUSES=$(hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin)
PAGE=6
TABLE=0
for one in $LIST_OF_FUSES
do
echo "fuse prog -y $PAGE $TABLE $one" | tee -a ${OUTPUT_FUSE_COMMANDS}
TABLE=$(( TABLE + 1 ))
if [ $TABLE -eq 4 ]; then
TABLE=0
PAGE=7
fi
done
echo "# If No HAB Events Found!" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#Close the device with :" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#fuse prog 1 3 0x02000000" | tee -a ${OUTPUT_FUSE_COMMANDS}

[ -z "$OUTPUT_DIR" ] && OUTPUT_DIR=${BASE_DIR}/output
rm -rf ${OUTPUT_DIR}

cd $BASE_DIR/release/

mkdir -p ${OUTPUT_DIR}/crts
cp crts/fuse_uboot_commands.sh ${OUTPUT_DIR}/crts
cp crts/*.pem ${OUTPUT_DIR}/crts
cp crts/SRK_1_2_3_4* ${OUTPUT_DIR}/crts

mkdir -p ${OUTPUT_DIR}/keys
cp keys/serial ${OUTPUT_DIR}/keys
cp keys/key_pass.txt ${OUTPUT_DIR}/keys
cp keys/*.pem ${OUTPUT_DIR}/keys

mkdir -p ${OUTPUT_DIR}/tool
cp linux64/bin/cst ${OUTPUT_DIR}/tool/

echo "Output files here : ${OUTPUT_DIR}"
tree ${OUTPUT_DIR}

EOTEOT
chmod +x generate-secureboot.sh


# use CST (3.3.0) with OpenSSL 1.0.2. avoiding any memory leaks : https://community.nxp.com/message/1336997
# Using docker :

docker run --rm -it -v ${PWD}:/root ubuntu:14.04 bash


# Here from the docker shell : we need hexdump and tree to display results
sudo apt-get update && sudo apt-get install -y bsdmainutils tree

cd /root

export BASE_DIR=$PWD
export PASS_PHRASE='Captina!49630'
export CERTIFICATE_SERIAL_NUMBERS='19841985'

./generate-secureboot.sh

The file fuse_uboot_commands.sh provide you the command to execute in U-Boot prompt.

View solution in original post

2 Replies
1,998 Views
Yuri
NXP Employee
NXP Employee

contact@captina.dev 

Hello,

  please try to use  CST (3.3.0)  with OpenSSL 1.0.2.

https://community.nxp.com/message/1316736 

Regards,

Yuri.

0 Kudos
Reply
1,999 Views
Aurelien_BOUIN
Contributor III

Thank you very much YuriMuhin_ng

The problem was in fact that we need to keep the file serial and key_pass.txt in the keys folder

To be sure to use an enough old version of openssl, I used a docker image, here is the procedure I used :

You need to be into a new folder where you have the file cst-3.3.0.tgz

cat << 'EOTEOT' > generate-secureboot.sh
#!/bin/sh
# Script that generate almost everything to get secure boot HAB working
# Aurelien BOUIN

VERSION="1.0.0"

#1.0.0 : Initial version

[ -z "$CERTIFICATE_SERIAL_NUMBERS" ] && CERTIFICATE_SERIAL_NUMBERS='49630111'
[ -z "$PASS_PHRASE" ] && PASS_PHRASE='!CAPTINA!captina'

if [ $(echo $CERTIFICATE_SERIAL_NUMBERS | wc -c) -ne 9 ]
then
echo "$CERTIFICATE_SERIAL_NUMBERS must contains 8-digit"
exit 1
fi

[ -z "$BASE_DIR" ] && BASE_DIR=$PWD

if [ ! -f "$BASE_DIR/cst-3.3.0.tgz" ] ; then
echo "You are missing the tgz package cst-3.3.0.tgz at $BASE_DIR"
exit 1
fi

if [ ! -x "/usr/bin/hexdump" ] ; then
echo "You are missing hexdump in /usr/bin/"
exit 1
fi

cd $BASE_DIR
rm -rf release
tar xzf cst-3.3.0.tgz

cd $BASE_DIR/release/keys

# Create serial file with an 8-digit content : OpenSSL uses the contents of this file for the certificate serial numbers
echo "$CERTIFICATE_SERIAL_NUMBERS" > serial

# Create key_pass.txt file that contains your pass phrase that will protect the HAB code signing private keys
echo "$PASS_PHRASE" > key_pass.txt
echo "$PASS_PHRASE" >> key_pass.txt

# Create the signature keys
./hab4_pki_tree.sh -existing-ca n -use-ecc n -kl 4096 -duration 20 -num-srk 4 -srk-ca y

# Create the fuse table and binary to be flashed
cd $BASE_DIR/release/crts
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

# The fuse table generated in the previous section is what needs to be flashed to the device.
cd $BASE_DIR/release/crts
OUTPUT_FUSE_COMMANDS="$BASE_DIR/release/crts/fuse_uboot_commands.sh"
rm -f ${OUTPUT_FUSE_COMMANDS}
echo "# This is what need to be executed on U-Boot prompt :"
LIST_OF_FUSES=$(hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin)
PAGE=6
TABLE=0
for one in $LIST_OF_FUSES
do
echo "fuse prog -y $PAGE $TABLE $one" | tee -a ${OUTPUT_FUSE_COMMANDS}
TABLE=$(( TABLE + 1 ))
if [ $TABLE -eq 4 ]; then
TABLE=0
PAGE=7
fi
done
echo "# If No HAB Events Found!" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#Close the device with :" | tee -a ${OUTPUT_FUSE_COMMANDS}
echo "#fuse prog 1 3 0x02000000" | tee -a ${OUTPUT_FUSE_COMMANDS}

[ -z "$OUTPUT_DIR" ] && OUTPUT_DIR=${BASE_DIR}/output
rm -rf ${OUTPUT_DIR}

cd $BASE_DIR/release/

mkdir -p ${OUTPUT_DIR}/crts
cp crts/fuse_uboot_commands.sh ${OUTPUT_DIR}/crts
cp crts/*.pem ${OUTPUT_DIR}/crts
cp crts/SRK_1_2_3_4* ${OUTPUT_DIR}/crts

mkdir -p ${OUTPUT_DIR}/keys
cp keys/serial ${OUTPUT_DIR}/keys
cp keys/key_pass.txt ${OUTPUT_DIR}/keys
cp keys/*.pem ${OUTPUT_DIR}/keys

mkdir -p ${OUTPUT_DIR}/tool
cp linux64/bin/cst ${OUTPUT_DIR}/tool/

echo "Output files here : ${OUTPUT_DIR}"
tree ${OUTPUT_DIR}

EOTEOT
chmod +x generate-secureboot.sh


# use CST (3.3.0) with OpenSSL 1.0.2. avoiding any memory leaks : https://community.nxp.com/message/1336997
# Using docker :

docker run --rm -it -v ${PWD}:/root ubuntu:14.04 bash


# Here from the docker shell : we need hexdump and tree to display results
sudo apt-get update && sudo apt-get install -y bsdmainutils tree

cd /root

export BASE_DIR=$PWD
export PASS_PHRASE='Captina!49630'
export CERTIFICATE_SERIAL_NUMBERS='19841985'

./generate-secureboot.sh

The file fuse_uboot_commands.sh provide you the command to execute in U-Boot prompt.