secure boot on the imx6ul using HABv4

dhanushkadangam
Contributor III

Hi All,

I am trying to perform a secure boot on the imx6ul using HABv4. I performed all the steps described below and I did not fuse the SRK table. When I type hab_status in the U-boot command prompt, I get the HAB Events I have listed below.

So I would like to know if not fusing the SRK table could be the reason for these events.

Steps Performed:

Please see the steps performed below.

1. Built u-boot.imx enabling the secure mode.

2. Generated all root public key files and corresponding hash.

3. Created csf file with the following content. Content of the file is listed at the end.

4. My u-boot.imx file is 0x55830. I extended it to 0x56000 using the following command.

objcopy -I binary -O binary --pad-to 0x656000 --gap-fill=0x5A u-boot.imx u-boot-pad.imx

5. Then I generated csf.bin file using the command below.

./cst -o u-boot_csf.bin -i uboot.csf

6. Merged image and csf data using the command below.

cat u-boot-pad.imx u-boot_csf.bin  > u-boot-signed.imx

7. Then extended the final image to 0x57000

objcopy -I binary -O binary --pad-to 0x57000 --gap-fill=0x5A u-boot-signed.imx u-boot-signed-pad.imx

8. The length of the block is calculated as: Length = u-boot-pad.imx (0x57000) - IVT_OFFSET (0x400).

And added 400 to the starting address as shown below.

#        Address    Offset Length Data File Path
Blocks = 0x87800400 0x400 0x00055C00 "u-boot-pad.imx"

HAB Events:

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
        0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
        0x00 0x05 0x5c 0x00

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xd0
        0x00 0x00 0x00 0x20

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xfc
        0x00 0x00 0x01 0xf0

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xf0
        0x00 0x00 0x00 0x01

--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

Command Sequence File Description:

[Header]
Version = 4.0
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

# Sign padded u-boot starting at the IVT through to the end with
# length = 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x87800400 0x400 0x55C00 "u-boot-pad.imx"

Best Regards
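The first two HAB events quoted in the question, decoded field by field, as an added example that is not part of the original post or of NXP's tooling. The code tables use values from the HABv4 API reference (the same ones U-Boot's hab.c lists); `parse_events` and `SAMPLE` are names made up for this example, and reading the last eight bytes of each record as an address/length pair is an assumption, which for event 1 matches the Blocks line in the CSF.

```python
import re
import struct

# Code values from the HABv4 API reference (U-Boot's hab.c lists the same ones).
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x05: "HAB_INV_IVT", 0x0C: "HAB_INV_ASSERTION", 0x0F: "HAB_INV_INDEX",
          0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE", 0x1D: "HAB_INV_KEY",
          0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS", 0x27: "HAB_INV_DCD"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND",
           0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT", 0xDD: "HAB_CTX_DCD"}

# Events 1 and 2 copied from the hab_status output in the question.
SAMPLE = """
--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00
        0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00
        0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00
        0x00 0x05 0x5c 0x00
--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf7 0xd0
        0x00 0x00 0x00 0x20
"""

def parse_events(text):
    """Decode every event record found in hab_status output."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", chunk))
        tag, length, version = struct.unpack(">BHB", raw[:4])
        if tag != 0xDB or length != len(raw):  # 0xDB tags an event record
            raise ValueError("truncated or malformed HAB event record")
        status, reason, context, engine = raw[4:8]
        # Assumption: the record ends with a big-endian (address, length) pair.
        address, size = struct.unpack(">II", raw[-8:])
        events.append({
            "hab_version": f"{version >> 4}.{version & 0xF}",
            "status": STATUS.get(status, hex(status)),
            "reason": REASON.get(reason, hex(reason)),
            "context": CONTEXT.get(context, hex(context)),
            "engine": engine, "address": address, "length": size})
    return events

if __name__ == "__main__":
    for number, event in enumerate(parse_events(SAMPLE), 1):
        print(number, event)
```

Event 1 decodes to a signature failure raised while processing a CSF command over the block at 0x87800400 with length 0x55C00; event 2 is an assertion failure, and events 3 to 5 in the question carry the same header bytes as event 2.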

jamesbone
NXP TechSupport

Hello,

Sorry, but the information you are requesting is treated as confidential info at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway; this needs to be handled as a CASE. Be aware that to give you remote support through a CASE, we will still need the confirmation of an NXP employee that the NDA is in place. If you want to go this route, the next steps will be: If you have already signed an NDA agreement for this product, please contact the person who assisted you or create a SR and name us an NXP person that can confirm this. If you have not signed an agreement, please contact your local NXP Distributor Salesperson or FAE for assistance.

Have a great day,
Jaime

-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------
