i.MX6ULL HAB authenticate_image() events

stephenbialkows · ‎09-24-2018

Hi,

I have two concerns:

I'm targeting a custom i.MX6ULL-based board with a bare bones loader pulled in from SPI FLASH. I have not blown the fuses to closed it, nor written the public keys. Instead I write the shadow register to indicate secure mode, and set the public keys (that should be used to verify the image signature) in the shadow registers.

1) What I find odd starts by calling the HAB RVT authenticate_image(). It returns a valid address. But, when I later call report_status(), it returns HAB_FAILURE. Subsequent calls to report_event(HAB_STS_ANY, ...) never return HAB_SUCCESS. This seems contrary to HAB_FAILURE returned by report_status(). If I look at the contents of memory @ 0x00904070: I see 42F402DB 00C02233 04EC02CC (big endian). I believe this indicates two events that are not returned by report_event()...although I'm not sure what they mean.

I realize I may be assuming that writing to the shadow registers should allow for proper authentication. Is this accurate? If not, would this alone explain what I'm seeing?

2) I have been avoiding blowing fuses thus far, because I haven't been able to clarify how to setup the OCOTP timing registers (there are 2 for the mx6ull). It's easy enough to infer what should happen by reading the u-boot source for the first timing register only. I have struggled to figure out what to do with OCOTP_TIMING2. The only mention I have found is in the RM. It only says it specifies the time to add to read/write OTP for complement address enable cycle time. Can anyone clarify the timing requirements here?

Thanks,
Stephen

For your reference:

[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine = SW #Engine = SW required for iMX6ull
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "./crts/SRK_1_2_3_4_table.bin"
Source index = 0 #index of the key location in the SRK table to be installed

[Install CSFK]
File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2 #key slot used to authenticate the image data
Blocks = 0x00907400 0x400 0x3000 "./crts/testBin/image.bin"

Yuri · ‎09-24-2018

Hello,

1.

You may create request to get HAB boot log analyzer.

Support|NXP

2.

Please try to run signed U-boot without closing the device and analyze log of hab_status command,

at least to clarify signing process and issues. According to section 4.1 (HAB events) of

https://www.nxp.com/docs/en/application-note/AN4581.pdf :

U-Boot supplies the hab_status command to read these events and feed them to the console.

3.

Use section 3.3 (Fuse programming) of the app note how to work with fuses under U-boot.

Have a great day,

Yuri

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

stephenbialkows · ‎09-25-2018

Yuri,

I am using the hab portion of u-boot. I understand how to program fuses except for the second opt timing register. Can you please answer my questions?

Stephen

Also, I got a response (per your first suggestion). The response is:

Please apply to local NXP representative, so that they provide You information  from NXP internal resource, linked below.  https://community.nxp.com/docs/DOC-275249
https://community.nxp.com/docs/DOC-96451

https://community.nxp.com/docs/DOC-332726

Are you a "local NXP representative"?

i.MX6ULL HAB authenticate_image() events

i.MX6ULL HAB authenticate_image() events

i.MX6_All