I am basically following the document (mx8m_secure_boot) to enable secure boot in imx8mq-evk board. I also follow the application note AN4581.
It seems I am missing some steps since the authentication does not seem to succeed irrespective of what certificates are used to sign them.
The message that I see is:
U-Boot SPL 2022.04 (Sep 25 2023 - 22:43:00 -0400)
PMIC: PFUZE100 ID=0x10
DDRINFO: start DRAM init
DDRINFO: DRAM rate 3200MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
SEC0: RNG instantiated
Normal Boot
Trying to boot from MMC1
hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0...
and then the board proceeds to boot the TEE and subsequently u-boot starts.
The hab status command also does not show anything interesting.
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0x00, HAB State: 0x00
The board is not locked since I am waiting for some hab events to show up before I lock it.
The values from fuse.bin are properly programmed in the fuse. I verified them by reading them over using the fuse command in U-Boot.
e.g.:
u-boot=> fuse read 6 0
Reading bank 6:
Word 0x00000000: 03d20485
Please let me know if there are any additional steps to be performed. Thanks.
Hi @rameshd82
With HAB 4.1.2 and newer, if the SRK fuse is not burned, HAB events will not be reported. It is recommended to burn the SRK fuse first before closing, then restart, then verify the HAB events, and then close.
Best regards
Harvey
Hello @Harvey021
I have already programmed the SRK hashes as instructed in the guide.
I can confirm their values from u-boot also.
fuse read 6 0
Reading bank 6:
Word 0x00000000: 03d20485
u-boot=> fuse read 6 1
Reading bank 6:
Word 0x00000001: 1502e2f9
u-boot=> fuse read 6 2
Reading bank 6:
Word 0x00000002: 48b8b761
u-boot=> fuse read 6 3
Reading bank 6:
Word 0x00000003: 07fd4dae
u-boot=> fuse read 7 0
Reading bank 7:
Word 0x00000000: e60b3aca
u-boot=> fuse read 7 01
Reading bank 7:
Word 0x00000001: 964b590b
u-boot=> fuse read 7 1
Reading bank 7:
Word 0x00000001: 964b590b
u-boot=> fuse read 7 2
Reading bank 7:
Word 0x00000002: ffcfda4a
u-boot=> fuse read 7 3
Reading bank 7:
Word 0x00000003: cbcee424
I still do not see any information on whether the HAB authentication has succeeded or failed with the images. Also, in the u-boot hab status I can see that both the HAB configuration and the status are 0x0.
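An added example, not part of the posts above and not NXP code: one way to script the fuse check described in this post, by parsing a U-Boot `fuse read` capture and comparing it word by word with the 32-byte fuse.bin. It assumes fuse.bin stores the hash as eight little-endian 32-bit words mapped to bank 6 words 0-3 followed by bank 7 words 0-3; the function names and the sample capture are constructed for illustration.

```python
import re
import struct

# SRK hash fuse locations as read in the thread: bank 6 words 0-3, bank 7 words 0-3.
SRK_FUSES = [(6, w) for w in range(4)] + [(7, w) for w in range(4)]

# Constructed console capture reusing the eight words posted in the thread,
# arranged as two multi-word reads (fuse read <bank> <word> <cnt>).
SAMPLE_LOG = """\
u-boot=> fuse read 6 0 4
Reading bank 6:
Word 0x00000000: 03d20485 1502e2f9 48b8b761 07fd4dae
u-boot=> fuse read 7 0 4
Reading bank 7:
Word 0x00000000: e60b3aca 964b590b ffcfda4a cbcee424
"""

def parse_fuse_log(text):
    """Return {(bank, word): value}; raise if a word was read twice with different values."""
    fuses, bank = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Reading bank (\d+):", line):
            bank = int(m.group(1))
        elif (m := re.match(r"\s*Word (0x[0-9a-fA-F]+):((?:\s+[0-9a-fA-F]{8})+)\s*$",
                            line)) and bank is not None:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                key, val = (bank, base + i), int(tok, 16)
                if fuses.setdefault(key, val) != val:
                    raise ValueError(f"inconsistent reads for bank {key[0]} word {key[1]}")
    return fuses

def expected_words(fuse_bin):
    """Split fuse.bin into eight fuse words (assumption: little-endian 32-bit words)."""
    if len(fuse_bin) != 32:
        raise ValueError(f"expected 32 bytes, got {len(fuse_bin)}")
    return dict(zip(SRK_FUSES, struct.unpack("<8I", fuse_bin)))

def compare(fuses, fuse_bin):
    """List (bank, word, expected, read) for every mismatched or unread SRK fuse word."""
    return [(b, w, exp, fuses.get((b, w)))
            for (b, w), exp in expected_words(fuse_bin).items()
            if fuses.get((b, w)) != exp]

if __name__ == "__main__":
    # Stand-in for reading the real fuse.bin from disk: built from the sample words.
    fuse_bin = struct.pack("<8I", *parse_fuse_log(SAMPLE_LOG).values())
    print(compare(parse_fuse_log(SAMPLE_LOG), fuse_bin) or "SRK fuses match fuse.bin")
```

An empty list from `compare` means every SRK word in the capture matches the file; a `None` in the last field marks a word that was never read.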
Hi @rameshd82
If you are using the EVK board and following uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub, then this issue is confusing.
Please double check Generating a PKI tree referring to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub
and the secure boot guide (uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub), such as the step 1.2, Enabling the secure boot support in U-Boot, by adding CONFIG_IMX_HAB=y to the build.
Here is link for reference: i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community
Best regards,
Harvey
Enclosing the csf files for reference.
cat csf_spl.txt
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x34600 "flash.bin"
and the fit csf
csf_fit.txt
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_prime256v1_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x401fcdc0 0x057c00 0x01020 "flash.bin", \
0x40200000 0x05AC00 0x00050 "flash.bin", \
0x40200050 0x05AC50 0x0CDA0 "flash.bin", \
0x00910000 0x0679F0 0x00054 "flash.bin", \
0xFE000000 0x067A44 0x00044 "flash.bin"\