HAB_INV_IVT when booting from serial download on i.MX6Q

stadium_aquino
Contributor IV

I have the same problem as https://community.nxp.com/t5/i-MX-Processors/I-met-a-problem-on-iMX6sl-HAB/m-p/430825

In that post, NXP suggests reading https://community.nxp.com/docs/DOC-96451

However, when I click the link, I get "Access Denied." Can I get access to that link?

EDIT: That link is to section 6 of AN4581.

****

To reiterate the problem, when booting from serial download mode only I see

```
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
	0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
```

Because the context is HAB_CTX_AUTHENTICATE, the error is from hab_rvt::authenticate_image. The documentation for that function says that HAB_INV_IVT can result from "IVT malformed" or "IVT version number is less than HAB library version". I am using version 0x40 in the IVT header, and `Version = 4.0` in my CSF. When signing, I have cleared the DCD address as described in https://community.nxp.com/t5/i-MX-Processors/i-MX6-Recovery-Mode-with-HAB-and-MFG-tool/m-p/292103/hi...

For reference, my full CSF is

```
[Header]
    Version = 4.2
    Hash Algorithm = sha256
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS
    Engine = ANY

[Install SRK]
    File = "crts/SRK_1_2_3_4_table.bin"
    Source index = 0

[Install CSFK]
    File = "crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
    Verification index = 0
    Target Index = 2
    File= "crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
    Verification index = 2
    Blocks = \
   0x177ff400 0x00000000 0x0009bc00 "u-boot-dtb-sdp.imx", \
   0x00910000 0x0000002c 0x000002f8 "u-boot-dtb-sdp.imx"
```

I also tried the solution from https://community.nxp.com/t5/i-MX-Processors/HAB-secure-serial-boot-on-mx6/m-p/237487 (using two Authenticate Data sections) but that did not solve the problem.

I am able to boot from eMMC without issue (no hab events).

I would also like to note that I can boot from SDP despite the error, which makes me suspect the IVT is not in fact malformed. On my host system, my IVT looks like

```
$ xxd -g4 -e u-boot-dtb.imx | head -2
00000000: 402000d1 17800000 00000000 177ff42c  .. @........,...
00000010: 177ff420 177ff400 1789b000 00000000   ...............
```

and after loading the image, I can see the IVT intact at the correct address (with the DCD pointer cleared as expected):

```
=> md.l 0x177ff400
177ff400: 402000d1 17800000 00000000 00000000    .. @............
177ff410: 177ff420 177ff400 1789b000 00000000     ...............
```

I was able to use a similar process to generate secure boot images for an i.MX6ULL processor and SDP works with no hab events.

0 Kudos
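The IVT and CSF cross-checks the question performs by eye can be scripted on the host. This is an added example, not code from the thread or from NXP tooling; `parse_ivt` and `check_ivt` are hypothetical names, and it assumes the first Authenticate Data block runs from the IVT self pointer to the CSF pointer and that a valid version byte has high nibble 4.

```python
import struct

FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(raw):
    """Decode a 32-byte IVT: tag, big-endian length, version, then seven LE words."""
    if len(raw) < 32:
        raise ValueError("an IVT is 32 bytes")
    tag, length, version = struct.unpack_from(">BHB", raw, 0)
    ivt = dict(zip(FIELDS, struct.unpack_from("<7I", raw, 4)))
    ivt.update(tag=tag, length=length, version=version)
    return ivt

def check_ivt(ivt, blocks):
    """Compare an IVT with CSF (address, file offset, length) blocks; return findings."""
    findings = []
    if ivt["tag"] != 0xD1 or ivt["length"] != 0x20:
        findings.append("header tag/length is not 0xD1/0x0020")
    if ivt["version"] >> 4 != 4:  # assumption: any 0x4n value counts as HAB v4
        findings.append("version 0x%02x is not a HAB v4 value" % ivt["version"])
    if ivt["reserved1"] or ivt["reserved2"]:
        findings.append("reserved words are not zero")
    addr, offset, length = blocks[0]
    if addr - offset != ivt["self"]:
        findings.append("first block does not start at the IVT self pointer")
    if addr + length != ivt["csf"]:  # assumption: signed region ends where the CSF begins
        findings.append("first block ends at 0x%08x, CSF pointer is 0x%08x"
                        % (addr + length, ivt["csf"]))
    if ivt["dcd"]:  # a cleared DCD pointer (SDP image) has nothing to locate
        want = ivt["dcd"] - ivt["self"]
        if not any(off == want for _, off, _ in blocks[1:]):
            findings.append("no block covers the DCD at file offset 0x%x" % want)
    return findings

# Words copied from the xxd (host file) and md.l (loaded image) output in the question.
HOST_IVT = struct.pack("<8I", 0x402000D1, 0x17800000, 0, 0x177FF42C,
                       0x177FF420, 0x177FF400, 0x1789B000, 0)
LOADED_IVT = struct.pack("<8I", 0x402000D1, 0x17800000, 0, 0,
                         0x177FF420, 0x177FF400, 0x1789B000, 0)
# Blocks copied from the [Authenticate Data] section of the posted CSF.
CSF_BLOCKS = [(0x177FF400, 0x0, 0x9BC00), (0x00910000, 0x2C, 0x2F8)]

if __name__ == "__main__":
    for name, raw in (("host file", HOST_IVT), ("loaded over SDP", LOADED_IVT)):
        ivt = parse_ivt(raw)
        print(name, "version 0x%02x:" % ivt["version"],
              check_ivt(ivt, CSF_BLOCKS) or "consistent")
```

Both IVTs from the question pass every check, which matches the poster's suspicion that the IVT itself is not malformed.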
1 Solution
stadium_aquino
Contributor IV

Figured it out.

I had been using the `bmode usb` command to reboot into SDP. However, when I set BOOT_MODE[1:0] pins to Serial Downloader mode (10) I was able to boot over SDP with no events.

0 Kudos
5 Replies
hector_delgado
NXP TechSupport

Hi @stadium_aquino .

I hope you're doing great! Sorry for the late reply.

Please have a look at the email I sent directly to you; it contains relevant information for your issue.

Thank you!

Best regards,
Hector.

0 Kudos
stadium_aquino
Contributor IV

Hi Hector,

Thank you for clarifying what that link goes to, but I have already reviewed/implemented the steps from that document. Do you have any suggestions taking into account the rest of the information in my initial question?

0 Kudos
hector_delgado
NXP TechSupport

Hi @stadium_aquino ,

I hope you're doing well! You mentioned that you're using version 4.0 initially in your CSF file, but in the file content you shared it looks like you're using version 4.2. Was the first one a typo? Or was this overlooked?

Please let me know so I can identify the issue.

Best regards,
Hector.

0 Kudos
stadium_aquino
Contributor IV

I originally used HAB v4.0, since this config was adapted from another project. However, I consulted AN4581 Appendix A and determined that the processor we are using (i.MX6Q TO 1.6) supports HAB v4.2. I have tried both versions and encountered the same problem.

****

Since last time, I also tried authenticating the image manually via the hab_authenticate_image command

```
=> # load DCD to 0x910000
=> # load image to 0x177ff400
=> mw.l 177ff40c 0 1 # clear DCD address
=> hab_auth_img 0x177ff400 $filesize 0

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
```

It works fine, which unfortunately means I can only reproduce this with SDP.

0 Kudos