[U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken

Bryan O'Donoghue bryan.odonoghue at linaro.org
Tue Jul 30 14:33:34 UTC 2019



On 30/07/2019 15:26, Igor Opaniuk wrote:
> Anyway, let me go through this article one more time,
> and I'll get back to you.

If I've understood you, you are using the same binary for serial 
download and flash booting.

Won't work unfortunately - there's an extra DCD directive in the 
recovery image.

Here's my recovery CSF

deckard at event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f-recover.txt
# SPDX-License-Identifier:      GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"

[Authenticate Data]
Verification index = 2
Blocks = DCD_BLOCKS_REPLACE "IMAGE_IMX_DCD_NAME_REPLACE"

and my eMMC CSF

deckard at event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f.txt
# SPDX-License-Identifier:      GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM

[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
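
The difference between the two CSFs quoted above, as an added example that is not part of the original post: a small Python parser that lists which `[Authenticate Data]` blocks each file signs and reports the ones present only in the recovery CSF. The helper names (`parse_csf`, `authenticated_blocks`, `extra_blocks`) are hypothetical, and the embedded CSF text is a trimmed, constructed copy of the files shown in the message.

```python
import re

# Constructed, trimmed copies of the two CSFs quoted in the post above.
COMMON = '''\
[Header]
Version = 4.1
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
Target index = 2
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
'''
FLASH_CSF = COMMON
RECOVERY_CSF = COMMON + '''\
[Authenticate Data]
Verification index = 2
Blocks = DCD_BLOCKS_REPLACE "IMAGE_IMX_DCD_NAME_REPLACE"
'''

def parse_csf(text):
    """Return an ordered list of (section, {key: value}) pairs.

    CSF files repeat section names (several [Authenticate Data] entries),
    so sections are kept in a list instead of a dict keyed by name.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def authenticated_blocks(text):
    """Blocks values of every [Authenticate Data] section, in file order."""
    return [fields["Blocks"] for name, fields in parse_csf(text)
            if name == "Authenticate Data" and "Blocks" in fields]

def extra_blocks(recovery, flash):
    """Blocks authenticated by the recovery CSF but not by the flash CSF."""
    flash_blocks = authenticated_blocks(flash)
    return [b for b in authenticated_blocks(recovery) if b not in flash_blocks]

if __name__ == "__main__":
    print("only in recovery CSF:", extra_blocks(RECOVERY_CSF, FLASH_CSF))
```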

