Hi All,
I am trying to perform a secure boot on the imx6ul using HABv4. I performed all the steps described below and I did not fuse the SRK table. When I type hab_status in the U-boot command prompt, I get the HAB Events I have listed below.
So I would like to know, if not fusing the SRK table could be the reason for these events.
Steps Performed:
Please see the steps performed below.
1. Built u-boot.imx enabling the secure mode.
2. Generated all root public key files and corresponding hash.
3. Created csf file with the following content. Content of the file is listed at the end.
4. My u-uboot.imx file is 0x55830. I extended it to 0x56000 using the following command.
objcopy -I binary -O binary --pad-to 0x656000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx
5. Then I generated csf.bin file using the command below.
./cst -o u-boot_csf.bin -i uboot.csf
6. Merged image and csf data using the command below.
cat u-boot-pad.imx u-boot_csf.bin > u-boot-signed.imx
7. Then extended the final image to 0x57000
objcopy -I binary -O binary --pad-to 0x57000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx
8. The length of the block is calculated as: Length = u-boot-pad.imx (0x57000) - IVT_OFFSET (0x400).
And added 400 to the starting address as shown below.
# Address Offset Length Data File Path
Blocks = 0x87800400 0x400 0x00055C00 "u-boot-pad.imx"
HAB Events:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
0x00 0x05 0x5c 0x00
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xd0
0x00 0x00 0x00 0x20
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xfc
0x00 0x00 0x01 0xf0
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xf0
0x00 0x00 0x00 0x01
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
0x00 0x00 0x00 0x04
Command Sequency File Description:
[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x87800400 0x400 0x55C00 "u-boot-pad.imx"
Best Regards
Solved! Go to Solution.
Hello,
Sorry, but the information you are requesting is treated as confidential info at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway, this requires to be handled as a CASE. Be aware that to give you remote support through a CASE, we will still need the confirmation of a NXP employee that the NDA is in place. If you want to go this route, the next steps will be: If you have already signed a NDA agreement for this product, please contact the person who assisted you or create a SR and name us a NXP person that can confirm this. If you have not signed an agreement, please contact your local NXP Distributor Salesperson or FAE for assistance.
Have a great day,
Jaime
-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------
Hello,
Sorry, but the information you are requesting is treated as confidential info at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway, this requires to be handled as a CASE. Be aware that to give you remote support through a CASE, we will still need the confirmation of a NXP employee that the NDA is in place. If you want to go this route, the next steps will be: If you have already signed a NDA agreement for this product, please contact the person who assisted you or create a SR and name us a NXP person that can confirm this. If you have not signed an agreement, please contact your local NXP Distributor Salesperson or FAE for assistance.
Have a great day,
Jaime
-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------