I can successfully boot via the mfg tool using a signed image.
But the installed u-boot signed image just hangs.
Last attempt at a CSF file looks like:
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = DCP
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../../cst-2.3.3/crts/SRK_1_2_3_4_table.bin"
Source index = 0 # Index of the key location in the SRK table to be installed
[Install CSFK]
# Key used to authenticate the CSF data
File = "../../cst-2.3.3/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../../cst-2.3.3/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x00000000 0x00051c00 "boot.bin"
The defconfig has the following HAB entries:
CONFIG_ARM=y
CONFIG_ARCH_MX6=y
CONFIG_SYS_TEXT_BASE=0x87800000
CONFIG_TARGET_NAD_MX6SL=y
CONFIG_SYS_CONSOLE_OVERWRITE_ROUTINE=y
CONFIG_BOOTDELAY=0
CONFIG_SECURE_BOOT=y
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4
and is pretty much identical to the mfg config apart from the MFG=Y.
I have tried with Engine = Any and Engine = SW but to no avail.
The u-boot works on an Open config machine, and I did not see any hab_status errors before the board was closed.
A similar setup for an mx6ul board is working without problems.
Hi James
One can try the latest cst-3.1.0 tool
i.MX High Assurance Boot Reference Code Signing Tool
and recheck image layout using Appendix F. i.MX manufacturing tool AN4581
Secure Boot on i.MX50, i.MX53, i.MX 6 and i.MX7 Series using HABv4
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Best regards
igor
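An added example, not code from this thread or from NXP: a small check that the `Blocks` line in a CSF agrees with the IVT at the start of the image being signed. It assumes the HABv4 IVT layout described in AN4581, that the image file begins with the IVT, and that the CSF is appended directly after the signed block; the function names and the sample IVT bytes are constructed for illustration.

```python
import struct

IVT_FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(blob):
    """Parse the 32-byte HABv4 IVT at the start of an image."""
    if len(blob) < 0x20:
        raise ValueError("image shorter than an IVT")
    # Header: tag 0xD1, big-endian length 0x0020, version 0x40 or 0x41
    tag, length, version = struct.unpack_from(">BHB", blob, 0)
    if tag != 0xD1 or length != 0x20 or version not in (0x40, 0x41):
        raise ValueError("no HABv4 IVT header at offset 0")
    # Seven little-endian 32-bit words follow the header
    return dict(zip(IVT_FIELDS, struct.unpack_from("<7I", blob, 4)))

def parse_blocks(line):
    """Split 'Blocks = <addr> <offset> <length> "file"' into integers."""
    fields = line.split("=", 1)[1].split()[:3]
    return tuple(int(v, 16) for v in fields)

def check_layout(ivt, blocks_line):
    """Return mismatches between the IVT and the signed block."""
    addr, offset, length = parse_blocks(blocks_line)
    end = addr + length
    problems = []
    if ivt["csf"] == 0:
        problems.append("IVT csf pointer is 0, so no CSF is referenced")
    elif ivt["csf"] != end:
        problems.append("signed block ends at %#x but IVT csf is %#x"
                        % (end, ivt["csf"]))
    if addr - offset != ivt["self"]:
        problems.append("Blocks load address %#x does not match IVT self %#x"
                        % (addr - offset, ivt["self"]))
    if not addr <= ivt["entry"] < end:
        problems.append("entry point %#x lies outside the signed block"
                        % ivt["entry"])
    return problems

# Blocks line as posted above; the IVT bytes are constructed to match it
# (entry = CONFIG_SYS_TEXT_BASE, self = text base - 0xC00).
BLOCKS = 'Blocks = 0x877ff400 0x00000000 0x00051c00 "boot.bin"'
SAMPLE_IVT = struct.pack(">BHB", 0xD1, 0x20, 0x40) + struct.pack(
    "<7I", 0x87800000, 0, 0x877FF42C, 0x877FF420, 0x877FF400, 0x87851000, 0)

if __name__ == "__main__":
    print(check_layout(parse_ivt(SAMPLE_IVT), BLOCKS) or "layout consistent")
```

To run it against a real image, read the first 32 bytes of the unsigned image file and pass them to `parse_ivt` in place of `SAMPLE_IVT`.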
Igor,
Thanks for the input.
I tried using 3.1.0 but it still fails.
Just to be clear, the mfg_tool boot works fine. It's the "normal" boot installed at address 1024 on /dev/mmcblk0 that fails.
Some things I noticed and tried:-
The README.mxc_hab doc in u-boot/docs says to use objcopy to pad the csf bin with zeroes - tried and failed.
There is a "CAUTION" notice in section 4.1 of the HAB manual which I think is telling us to execute the
cst from the releases directory, the wording is not very clear but I think "product_code" means "linux64/bin" anyway -- tried and failed.
In the documentation the "Unlock" command is documented as "M" for mandatory, but the mx6sl DCD engine is not listed as one of the unlock options. Several of the example CSF commands do not have the Unlock command so maybe the "M" is a typo?
Regards
James
Hi James
It may be useful to look at the latest uboot hab documentation
introduction_habv4.txt\habv4\imx\doc - uboot-imx - i.MX U-Boot
Best regards
igor
I found this fix:-
[U-Boot] mx6sl: hab: Fix pu_irom_mmu_enabled address - Patchwork
which may be relevant. However I applied the fix and it still failed.
Where can I find an up-to-date NXP repository so I can check for
any missing patches?