imx6 secure boot

rakesh3
Contributor V

Hi team, 

Currently I am working on an imx6q board. Trying to implement the HAB in that, so I have included the CONFIG_IMX_HAB in the config file of u-boot.

Created the signed u-boot and key using the CST tool.

But while checking the status with hab_status, I am getting the below events.

MX6 HORIZON U-Boot > hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0xf8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00
0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
0x00 0x00 0x00 0x50

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CERTIFICATE (0x21)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Below is my CSF file.

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File = "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
#Blocks = 0x177ff400 0x00000000 0x00091c00 "u-boot-dtb.imx"
Blocks = 0x177ff400 0x00000000 0x00092c00 "u-boot-dtb.imx"

[Unlock]
Engine = CAAM
Features = RNG

Below is the u-boot-dtb.imx.log file.

Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 610400 Bytes = 596.09 KiB = 0.58 MiB
Load Address: 177ff420
Entry Point: 17800000
HAB Blocks: 0x177ff400 0x00000000 0x00092c00
DCD Blocks: 0x00910000 0x0000002c 0x000002f8

Please help me with this issue.

 

Regards,

Rk

Dhruvit
NXP TechSupport

Hi @rakesh3,

I hope you are doing well.

Please find the answer below.

Kindly double-check if the parameters Authenticate Start Address, Offset, and Length in [Authenticate Data] of the CSF file are correct.

The message HAB_INV_CERTIFICATE means: other certificate or Super-Root Key Table verification failed (including mismatch with crt_hsh).

For the message HAB_INV_ASSERTION: the HAB checks that all of the following data have been authenticated (using their final locations):

- IVT;
- DCD (if provided);
- Boot Data (initial byte if provided);
- Entry point (initial word).

Each of the above data components not covered by a valid signature will cause HAB to generate an event with reason HAB_INV_ASSERTION.

Kindly refer to the below document file to configure a secure boot. We will recommend you try the latest BSP version.

Thanks & Regards,
Dhruvit Vasavada
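
Added example, not part of the original thread or of NXP's tooling: a Python decoder for the HAB event records posted in the question. It assumes that in HAB_INV_ASSERTION events the three big-endian words after the 8-byte header are assertion type, address and length, and it uses the addresses from the poster's CSF and u-boot-dtb.imx.log to name each range and check it against the CSF Blocks line.

```python
import re
import struct

# Events 1-6 copied from the hab_status output in the post (lines re-wrapped).
HAB_LOG = """
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d 0x00 0x04 0x00 0x02
0x40 0x00 0x36 0x06 0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00
0x00 0x00 0x17 0x7f 0xf4 0x00 0x00 0x00 0x00 0x20
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00
0x00 0x00 0x17 0x7f 0xf4 0x2c 0x00 0x00 0x02 0xf8
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00
0x00 0x00 0x17 0x7f 0xf4 0x20 0x00 0x00 0x00 0x01
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 0x00 0x00
0x00 0x00 0x17 0x80 0x00 0x00 0x00 0x00 0x00 0x04
0xdb 0x00 0x14 0x42 0x33 0x21 0xc0 0x00 0xbe 0x00
0x0c 0x00 0x03 0x17 0x00 0x00 0x00 0x00 0x00 0x50
"""

# From the poster's CSF [Authenticate Data] line and u-boot-dtb.imx.log.
BLOCK_START, BLOCK_LEN = 0x177FF400, 0x00092C00
COMPONENTS = {0x177FF400: "IVT", 0x177FF42C: "DCD",  # block start + DCD offset 0x2c
              0x177FF420: "Boot Data", 0x17800000: "Entry point"}  # 0x...420 assumed

def parse_events(text):
    """Split the dump into records using the 0xdb tag and 16-bit length."""
    raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})", text))
    events, pos = [], 0
    while pos + 8 <= len(raw):
        tag, length, _ver, sts, rsn, _ctx, _eng = struct.unpack_from(">BHBBBBB", raw, pos)
        if tag != 0xDB or length < 8 or pos + length > len(raw):
            raise ValueError(f"bad event header at byte {pos}")
        events.append({"sts": sts, "rsn": rsn, "data": raw[pos + 8:pos + length]})
        pos += length
    return events

def unsigned_ranges(events):
    """For each HAB_INV_ASSERTION (0x0C) event: (component, addr, size, in_blocks)."""
    out = []
    for ev in events:
        if ev["rsn"] == 0x0C and len(ev["data"]) >= 12:
            _kind, addr, size = struct.unpack(">III", ev["data"][:12])  # assumed layout
            in_blocks = BLOCK_START <= addr and addr + size <= BLOCK_START + BLOCK_LEN
            out.append((COMPONENTS.get(addr, "unknown"), addr, size, in_blocks))
    return out

if __name__ == "__main__":
    for name, addr, size, ok in unsigned_ranges(parse_events(HAB_LOG)):
        print(f"{name:12} 0x{addr:08x} len 0x{size:x} inside CSF Blocks: {ok}")
```

On the posted log, events 2 to 5 decode to the IVT, DCD, Boot Data and entry point, and all four ranges lie inside the Blocks range given in the CSF.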
rakesh3
Contributor V

Thanks for the reply, Dhruvit,

Checked on another device; now I am getting only one warning in hab_status.

U-Boot > hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

 

Could you please help me find the issue? Can we do something about this issue, or can we ignore this warning?

Here I have not fused the SRK_1_2_3_4_fuse.bin in the device. Is it required to fuse this SRK_1_2_3_4_fuse.bin before running hab_status?

Please help me with this.

 

Regards,

Rk
