[U-Boot] Invalid Certificate using imx28 and HAB

Per Smitt per.smitt at sbie.se
Thu Mar 10 17:23:51 CET 2016


Hi everyone

I am having a problem with a Freescale imx28 to get HAB (High Assurance Boot)
working with U-Boot. I understand that this is a question regarding one specific
processor model but since I have seen several patches from Marek Vasut which
deal with this specific processor I am taking a chance that I can get some
help here.

What I have done is that I have started with a mainline U-Boot (v2016.01) and
I have added/modified a few hab-related items.

* board/freescale/mx28evk/sign/u-boot-spl.csf
* board/freescale/mx28evk/sign/u-boot.csf
* board/freescale/mx28evk/hab.h
* board/freescale/mx28evk/hab_types.h
* board/freescale/mx28evk/mx28evk.c

A complete patch of these files is included. I am also not certain that my csf
files are correct but I get HAB errors even before I get to that point so it
should be irrelevant at the moment.


The following files have been copied from the cst tool to the u-boot root
directory.
* CSF1_1_sha256_1024_65537_v3_usr_crt.pem
* CSF1_1_sha256_1024_65537_v3_usr_key.pem
* IMG1_1_sha256_1024_65537_v3_usr_crt.pem
* IMG1_1_sha256_1024_65537_v3_usr_key.pem
* srk_table.bin
* srk_fuses.bin
* key_pass.txt

The certificates are generated with the CST tool downloaded from Freescale. The
above example uses a 1024 bit RSA key but I have also tested with 2048 bits
without any luck. The srk_table is generated using the Freescale srktool
$ srktool -h 4 -t srk_table.bin -e srk_fuses.bin -d sha256 -c crts/SRK1_sha256_1024_65537_v3_ca_crt.pem -f 1

Once all this was in place I built and ran it using
$ make mrproper
$ make mx28evk_nand_config
$ make u-boot-signed.sb
$ sudo mxsldr u-boot-signed.sb

I get the following result:
--------- HAB Event 1 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x21 0xc0 0x00
    0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
    0x00 0x00 0x00 0x50

(HAB_INV_CERTIFICATE 0x21)


--------- HAB Event 2 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00
    0x00 0x00 0x00 0x20

(HAB_INV_ASSERTION 0x0C)


--------- HAB Event 3 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x00 0x00 0x10 0x00
    0x00 0x00 0x00 0x04

(HAB_INV_ASSERTION 0x0C)


--------- HAB Event 4 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x21 0xc0 0x00
    0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
    0x00 0x00 0x00 0x50

(HAB_INV_CERTIFICATE 0x21)


--------- HAB Event 5 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x40 0x00 0x10 0x00
    0x00 0x00 0x00 0x20

(HAB_INV_ASSERTION 0x0C)


--------- HAB Event 6 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x40 0x00 0x20 0x00
    0x00 0x00 0x00 0x04

(HAB_INV_ASSERTION 0x0C)


We get two invalid certificates. These are from u-boot-spl and u-boot. The
asserts are the execution of the unverified code. I'm at a loss what I might
have done wrong and I am hoping Marek perhaps can help me with this issue.

As I mentioned before I am not certain my csf files are correct. I suspect the
Authenticate Data part might be wrong but if I get a signature error it would
be another error code indicating a CSF verification error (HAB_INV_CSF 0x11).

Another issue I also have is that I am not certain I have burned the fuses
properly in the hardware but yet again that should cause a verification error
and not an invalid certificate error. At least that is what I believe but now
when typing this I am getting uncertain.

If Marek or anyone can shed any light on this I am thankful for any assistance.

Many thanks in advance,
Per Smitt


-------------- next part --------------
A non-text attachment was scrubbed...
Name: u-boot_hab.tar.gz
Type: application/gzip
Size: 23236 bytes
Desc: u-boot_hab.tar.gz
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20160310/fb5e463e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Baby-hab-steps.patch
Type: text/x-patch
Size: 77790 bytes
Desc: 0001-Baby-hab-steps.patch
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20160310/fb5e463e/attachment-0001.bin>
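
Added example, not part of the original post or of U-Boot: a host-side decoder for the "HAB Event" dumps shown above, which splits each record into its header, status, reason, context and engine bytes. The function names (parse_events, decode) are hypothetical, the constant tables are a subset of the values in the HAB4 API reference, and it is an assumption that the data of a HAB_CTX_COMMAND event begins with the CSF command that failed.

```python
import re

# Subset of constants from the HAB4 API reference; unknown values are shown as hex.
HAB_TAG_EVT = 0xDB
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x1D: "HAB_INV_KEY", 0x21: "HAB_INV_CERTIFICATE"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT",
           0xC0: "HAB_CTX_COMMAND", 0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT"}
CSF_CMD = {0xBE: "HAB_CMD_INS_KEY", 0xCA: "HAB_CMD_AUT_DAT"}
HEX_LINE = re.compile(r"(?:\s*0x[0-9a-fA-F]{2})+\s*")

# Events 1 and 2, bytes copied from the post above.
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x21 0xc0 0x00
    0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
    0x00 0x00 0x00 0x50
(HAB_INV_CERTIFICATE 0x21)
--------- HAB Event 2 -----------------
event data:
    0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00
    0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00
    0x00 0x00 0x00 0x20
(HAB_INV_ASSERTION 0x0C)
"""

def parse_events(log):
    """One bytes object per 'HAB Event N' block; only pure hex-byte lines are used."""
    blocks = re.split(r"-+ HAB Event \d+ -+", log)[1:]
    return [bytes(int(b, 16) for l in blk.splitlines() if HEX_LINE.fullmatch(l) for b in l.split())
            for blk in blocks]

def decode(raw):
    """Decode the 8-byte event header; the remaining bytes are context-specific data."""
    if len(raw) < 8 or raw[0] != HAB_TAG_EVT or int.from_bytes(raw[1:3], "big") != len(raw):
        raise ValueError("truncated or malformed HAB event record")
    status, reason, context, engine = raw[4:8]
    ev = {"status": STATUS.get(status, hex(status)), "reason": REASON.get(reason, hex(reason)),
          "context": CONTEXT.get(context, hex(context)), "engine": engine, "data": raw[8:]}
    if context == 0xC0 and ev["data"]:  # assumption: data starts with the failing CSF command
        ev["csf_command"] = CSF_CMD.get(ev["data"][0], hex(ev["data"][0]))
    return ev

if __name__ == "__main__":
    for n, raw in enumerate(parse_events(SAMPLE), 1):
        print(n, decode(raw))
```

Under that assumption, events 1 and 4 of the post decode as HAB_CTX_COMMAND with HAB_CMD_INS_KEY, which points at a key-installation command in the CSF rather than at the Authenticate Data step.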

