[U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken
Bryan O'Donoghue
bryan.odonoghue at linaro.org
Tue Jul 30 14:33:34 UTC 2019
On 30/07/2019 15:26, Igor Opaniuk wrote:
> Anyway, let me go through this article one more time,
> and I'll get back to you.

If I've understood you, you are using the same binary for serial
download and flash booting.

Won't work unfortunately - there's an extra DCD directive in the
recovery image.

Here's my recovery CSF

deckard@event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f-recover.txt
# SPDX-License-Identifier: GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
[Authenticate Data]
Verification index = 2
Blocks = DCD_BLOCKS_REPLACE "IMAGE_IMX_DCD_NAME_REPLACE"

and my eMMC CSF

deckard@event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f.txt
# SPDX-License-Identifier: GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
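
The difference between the two CSF files above, as an added example that is not part of the original message or of U-Boot: a Python check that parses a CSF and confirms it has the [Authenticate Data] layout the message shows for its boot mode (image plus DCD for serial download, image only for flash). The function names, the abridged sample CSFs and the rule that each verification slot must have been filled by an [Install Key] are assumptions of this example.

```python
import re

# Constructed sample input: abridged from the two CSF files quoted in the message.
FLASH_CSF = """\
[Header]
Version = 4.1
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
"""
RECOVERY_CSF = FLASH_CSF + """\
[Authenticate Data]
Verification index = 2
Blocks = DCD_BLOCKS_REPLACE "IMAGE_IMX_DCD_NAME_REPLACE"
"""

def parse_csf(text):
    """Return [(section name, {key: value}), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments and blank lines
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def check_csf(text, serial_download):
    """Return a list of problems; empty means the layout matches the message."""
    installed, problems, auth_count = set(), [], 0
    for name, fields in parse_csf(text):
        if name == "Install Key":
            installed.add(fields.get("Target index"))
        elif name == "Authenticate Data":
            auth_count += 1
            slot = fields.get("Verification index")
            if slot not in installed:
                problems.append(f"Authenticate Data uses key slot {slot}, which no Install Key filled")
    # Assumption from the message: recovery CSF = image block + DCD block, flash CSF = image block only.
    expected = 2 if serial_download else 1
    if auth_count != expected:
        problems.append(f"expected {expected} [Authenticate Data] sections, found {auth_count}")
    return problems
```

Calling `check_csf(FLASH_CSF, serial_download=True)` reports the missing DCD section, which is the mismatch you get when the flash CSF is reused for a serial-download image.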