HAB fast authentication with i.MX 8M Mini

linderpi
Contributor II

I have successfully introduced secure boot with HAB on an i.MX 8M Mini. I sign the SPL and the U-Boot FIT image with the NXP Code Signing Tool, following all the recommendations of the documentation. I use fast authentication, which is why the verification index in the CSF file is always zero.

The following CSF file (here for the SPL) works well and no HAB events are found:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
# Key used to authenticate the CSF data
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x39a00 "imx-boot"

 

However, the second, third, and fourth super root keys (SRKs) are not working. I can find several HAB events from the U-Boot console. Here is the corresponding CSF file for the second key:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 1

[Install NOCAK]
# Key used to authenticate the CSF data
File = "crts/SRK2_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 0
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x39a00 "imx-boot"

Any suggestions as to why this is not working, apart from badly burned fuses, which is not the case?

PS: I know there is a similar question here https://community.nxp.com/t5/i-MX-Processors/iMX6SoloX-fast-authentication-uImage-signing/m-p/628126..., but no valid answer is given in my opinion.

0 Kudos
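An added example, not part of the original post and not NXP tooling: a small Python lint for the fast-authentication CSF layout shown above, useful for ruling out a mismatch between `Source index` and the NOCAK certificate before looking at the HAB events. The function names are hypothetical, and the pairing of index i with `SRK<i+1>` assumes the file naming and table order seen in the post.

```python
import re

# Constructed input: the key-related commands of the SRK2 CSF from the post.
SAMPLE = '''
[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 1
[Install NOCAK]
File = "crts/SRK2_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Authenticate Data]
Verification index = 0
Blocks = 0x7e0fc0 0x0 0x39a00 "imx-boot"
'''

def parse_csf(text):
    """Return [(section, {key: value})] in file order; '#' comments dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            sections.append((head.group(1), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key.lower()] = value
    return sections

def lint_fast_auth(text):
    """Findings for a HAB4 fast-authentication CSF (empty list = consistent)."""
    secs = parse_csf(text)
    first = lambda name: next((kv for n, kv in secs if n == name), None)
    srk, nocak, out = first("Install SRK") or {}, first("Install NOCAK"), []
    if nocak is None:
        out.append("no [Install NOCAK]: not a fast-authentication CSF")
    idx = int(srk.get("source index", "-1"), 0)
    if not 0 <= idx <= 3:
        out.append(f"Source index {idx} outside 0..3")
    for name, kv in secs:
        if name == "Authenticate Data" and int(kv.get("verification index", "0"), 0):
            out.append("Verification index must be 0 when the SRK signs the data")
    # Assumption: certificate files keep the SRK<n>_ naming seen in the post and
    # the table was generated in SRK1..SRK4 order, so index i pairs with SRK<i+1>.
    m = re.search(r"SRK(\d)_sha", (nocak or {}).get("file", ""))
    if m and int(m.group(1)) != idx + 1:
        out.append(f"NOCAK cert SRK{m.group(1)} does not match Source index {idx}")
    return out
```

Run over the posted SRK2 file, the lint returns no findings, so the CSF is internally consistent under these assumptions.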
3 Replies

Harvey021
NXP TechSupport

Hi @linderpi 

There seems to be no problem with your CSF file. Can you share the HAB event? If you'd like to share the signed and unsigned files, that would be better for further troubleshooting.

Best regards

Harvey

0 Kudos

linderpi
Contributor II

Thanks for your reply @Harvey021. I will send you the HAB events next week, when I have the hardware at hand. In the meantime, can I send you the images by mail?

0 Kudos

Harvey021
NXP TechSupport

Yes, you can send them to harvey.yu_1@nxp.com

Best regards

Harvey

0 Kudos